DATA PROTECTION ATTACHMENT for DOCUSIGN SIGNATURE
Service Attachment version date: September 29, 2017
This Data Protection Attachment for DocuSign Signature (“DPA”) is made part of the Service Schedule for DocuSign Signature (https://www.docusign.com/company/terms-and-conditions/schedule-docusign-signature) and governs the Processing of Personal Data by DocuSign as a Processor on behalf of Customer under EU Data Protection Law (defined below). This DPA does not apply to Personal Data for which DocuSign is a Controller. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Agreement.
General. The terms “Personal Data,” “Process/Processing,” “Controller,” “Processor,” “Subprocessor,” and “Data Subject” have the meanings ascribed to them under EU Data Protection Law; provided that the term “Personal Data” as used herein only applies to Personal Data for which DocuSign is a Processor.
“EU Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of personal data and on the free movement of such data.
“EU Data Protection Law” means: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”).
2. INTERNATIONAL DATA TRANSFERS
2.1. Data Storage/Transfer. If Customer is established in the United Kingdom, the European Economic Area or Switzerland (collectively "Europe"), Customer acknowledges that DocuSign will transfer Personal Data outside of Europe for Processing. DocuSign shall ensure appropriate safeguards for the transfer and Processing of Personal Data outside of Europe in accordance with the requirements of EU Data Protection Law. The Parties acknowledge and agree that, in transferring and Processing Personal Data outside of Europe under this Agreement: (i) Customer is the Controller of Personal Data; (ii) DocuSign is a Processor of such Personal Data; (iii) Customer will comply with its obligations as a Controller under EU Data Protection Law; and (iv) DocuSign will comply with its obligations as a Processor under EU Data Protection Law and this DPA.
2.2. Customer SCCs. If Customer is established in Europe and is contracting with DocuSign under the Order Form, DocuSign and Customer agree to Controller-to-Processor Standard Contractual Clauses approved by the European Commission for the benefit of the Customer set forth in the Service Attachment of the Standard Contractual Clauses (Processors) (https://www.docusign.com/company/terms-and-conditions/schedule-docusign-signature/attachment-standard-contractual-clauses) (“Customer SCCs”). Customer agrees that the execution of the Agreement by the Parties will be deemed (a) Customer’s execution of the Customer SCCs as data exporter (including all attached appendices to the Customer SCCs) and (b) DocuSign’s execution of the Customer SCCs as data importer. DocuSign shall at all times remain solely liable to Customer for DocuSign’s obligations (and those of its Affiliates, if any) under the Customer SCCs and in no event shall any other DocuSign Affiliate owe liability to Customer or any Customer Affiliate under the Customer SCCs, except where and to the extent required by applicable law.
2.3. Binding Corporate Rules. Customer acknowledges that DocuSign has applied for Binding Corporate Rules ("BCRs") for Processors and agrees that, with effect from the date that DocuSign’s BCRs are approved by a competent data protection authority, the Customer SCCs shall immediately terminate and all Personal Data transfers made to DocuSign or by DocuSign as a Processor under this Agreement shall be conducted under, and in full compliance with, DocuSign’s BCRs.
2.4. GDPR. The Parties agree to negotiate in good faith an appropriate amendment to this DPA that will allow the Parties to meet any additional requirements that will be placed on Controllers and Processors of Personal Data under GDPR, which will be enforced as of May 25, 2018.
3. CUSTOMER RESPONSIBILITIES. Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities of DocuSign Signature that Customer may elect to use such DocuSign Signature and in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data.
4. INFORMATION SECURITY. DocuSign will safeguard Personal Data with appropriate organizational and technical measures as described more fully in the Service Schedule for DocuSign Signature (https://www.docusign.com/company/terms-and-conditions/schedule-docusign-signature) and, if executed by the parties, Appendix 2 of the Customer SCC’s.
5. DATA PRIVACY CONTACT. DocuSign’s data privacy officer can be reached at the following address:
Attn: Chief Privacy Officer
221 Main Street, Suite 1000
San Francisco, CA 94105
6. DATA SUBJECT RIGHTS – ACCESS, CORRECTION, RESTRICTION, AND DELETION. To the extent Customer, in its use of DocuSign Signature, is not familiar with DocuSign Signature functionality that may be used to access, correct, amend, restrict, or delete Personal Data located in DocuSign Signature as required by EU Data Protection Law or requested by a Data Subject, DocuSign will provide Customer with additional Documentation or customer support assistance to educate the Customer on how to take such actions in a manner consistent with the functionality of DocuSign Signature and in accordance with the terms of the Agreement. If DocuSign receives any request from any Data Subject to access, correct, restrict, or delete Personal Data, DocuSign will advise such Data Subject to submit its request to Customer and Customer will be responsible for responding to any such request using the functionality of DocuSign Signature.
7. SUBPROCESSORS. DocuSign may engage Subprocessors to provide parts of DocuSign Signature and related technical support services, subject to the restrictions of the Agreement and this DPA. DocuSign will ensure that Subprocessors only Process Personal Data in accordance with the terms of this DPA and that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required by this DPA. Customer consents to DocuSign subcontracting the Processing of Personal Data located in DocuSign Signature to Subprocessors identified in Appendix 3 of the Customer SCCs. For the sake of clarity, Subprocessors will not have access to or use Personal Data within eDocuments. Before appointing any new Subprocessors, DocuSign will inform Customer of the appointment (including the name and location of such Subprocessor and the activities it will perform) either by electronic mail or via DocuSign Signature. If Customer objects to DocuSign’s use of any new Subprocessor by giving written notice to DocuSign within thirty (30) days of being informed by DocuSign of the appointment of such Subprocessor and DocuSign fails to provide a commercially reasonable alternative to avoid the Processing of Personal Data by such Subprocessor within thirty (30) days of DocuSign’s receipt of Customer’s objection, Customer may, as its sole and exclusive remedy, terminate any DocuSign Signature services to which this DPA applies.
8. Authentication Measures. Customer acknowledges that if it uses or enables authentication measures for use with DocuSign Signature such as, for example, knowledge-based authentication and SMS code-based measures (“Authentication Measures”), DocuSign Signature may allow such Authentication Measures to access Personal Data located in DocuSign Signature for the interoperation of those Authentication Measures with DocuSign Signature. This Agreement does not apply to the Processing of Personal Data transmitted to or from such Authentication Measures that are provided by a third-party service provider. This Agreement does, however, apply to the Processing of Personal Data transmitted to or from any Authentication Measures provided by DocuSign (e.g. email and access code-based Authentication Measures). Customer can enable or disable Authentication Measures. Customer is not required to use Authentication Measures in order to use DocuSign Signature.
9. NON-COMPLIANCE. If DocuSign is unable to materially comply with the requirements of this DPA, Customer may, as its sole and exclusive remedy, suspend the transfer of Personal Data within eDocuments to DocuSign, and/or terminate the DocuSign Services to which this DPA applies by giving written notice to DocuSign, unless DocuSign cures such failure to comply within thirty (30) days after receiving such notice.
10. LIMITATION OF LIABILITY. Each Party’s (and their Affiliates’) total liability under the Agreement (including this DPA and the Customer SCCs) shall be subject to, and not exceed, the limitations of liability that have been agreed between DocuSign and the Customer in the Agreement.