DATA PROTECTION ATTACHMENT for DOCUSIGN SIGNATURE v.180525

Service Attachment version date: May 25, 2018​

This Data Protection Attachment for DocuSign Signature (“DPA”), including the Customer SCCs (defined below), is incorporated into and made part of the Service Schedule for DocuSign Signature (https://www.docusign.com/company/terms-and-conditions/schedule-docusign-signature) and governs the Processing of Personal Data by DocuSign as a Processor on behalf of Customer or Customer Affiliates, as applicable, under the General Data Protection Regulation (defined below). This DPA does not apply to Personal Data for which DocuSign is a Controller. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Agreement.

1. DEFINITIONS

General. The terms “Personal Data,” “Process/Processing,” “Controller,” “Processor,” “Subprocessor,” and “Data Subject” have the meanings ascribed to them under the General Data Protection Regulation; provided that the term “Personal Data” as used herein only applies to Personal Data for which DocuSign is a Processor.  “General Data Protection Regulation” or “the GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

2. DATA PROCESSING AND PROTECTION OF PERSONAL DATA

2.1 Data Processing Limitations and Regulatory Investigation. With respect to Personal Data Processed by DocuSign or DocuSign Affiliate as a Processor on behalf of Customer or Customer Affiliate or as a Subprocessor where Customer Processes such Personal Data on behalf of its customers (or both), DocuSign will: (a) Process Personal Data only as necessary to provide the Services in accordance with the terms of the Agreement or as instructed by Customer in writing, including in electronic form; (b) not disclose Personal Data to third parties except: (i) to employees, service providers or advisers who have a need to know the Personal Data and are under confidentiality obligations at least as restrictive as those described under the Agreement or (ii) as required to comply with valid legal process in accordance with the terms of the Agreement; and (c) upon notice to DocuSign, provide reasonable support to Customer in the event of an investigation by any governmental authorities, if and to the extent that such investigation relates to Personal Data Processed by DocuSign in accordance with the Agreement. Such assistance will be at Customer’s sole expense, except where the investigation was required due to DocuSign’s failure to act in accordance with the Agreement. DocuSign will abide by any binding decision by a governmental authority issued to Customer that may affect Processing of Personal Data under this Agreement.

2.2 Restricted Transfers from EEA or Similar Country. This Section 2.2 applies solely when Customer or Customer Affiliate, located in the United Kingdom, a Member State of the European Economic Area, or Switzerland (collectively "EEA or Similar Country"), transfers or discloses Personal Data to DocuSign or DocuSign Affiliate in a location other than (a) the country from which the Customer or Customer Affiliate is transferring or disclosing the Personal Data or (b) the EEA or Similar Country. Such transfers will be governed by the Standard Contractual Clauses (Controller to Processor) approved by the European Commission set forth in the Service Attachment of the Standard Contractual Clauses (Processors) (https://www.docusign.com/company/terms-and-conditions/schedule-docusign-signature/attachment-standard-contractual-clauses) (“Customer SCCs”), unless (x) the transfer is to a country covered by an adequacy determination by a competent authority with jurisdiction over Customer or Customer Affiliate; (y) the transfer is subject to another approved transfer mechanism that provides an adequate level of protection in accordance with the GDPR, such as Binding Corporate Rules approved pursuant to the GDPR; or (z) Customer is self-certified to the EU-US and/or Swiss-US Privacy Shield Framework as administered by the U.S. Department of Commerce (“Privacy Shield”), in which case (under this subsection (z)) this DPA represents the necessary agreement between Customer and DocuSign to ascertain that, among other things, DocuSign is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield. For purposes of the Customer SCCs (i) the Customer or Customer Affiliate located in the EEA or Similar Country will be referred to as the “data exporter” and (ii) DocuSign will be referred to as the “data importer.” Customer, acting on behalf of itself and its Affiliate(s), and DocuSign agrees that the execution of the Agreement by the Parties includes execution of the Customer SCCs (including all attached appendices to the Customer SCCs). DocuSign will at all times remain solely liable to Customer or Customer Affiliate for DocuSign’s obligations (and those of its Affiliates, if any) under this DPA and in no event will any other DocuSign Affiliate owe liability to Customer or Customer Affiliate under this DPA, except where and to the extent required by applicable law. 

3. CUSTOMER RESPONSIBILITIES. Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities of DocuSign Signature that Customer may elect to use and that it will do so in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data. DocuSign will be entitled to rely solely on Customer or Customer Affiliate’s instructions relating to Personal Data Processed by DocuSign. Customer is responsible for coordinating all communication with DocuSign under this DPA, including, without limitation, any communication in relation to this DPA on behalf of its Affiliates.

4. INFORMATION SECURITY. DocuSign will safeguard Personal Data with appropriate organizational and technical measures as described more fully in the Service Schedule for DocuSign Signature (https://www.docusign.com/company/terms-and-conditions/schedule-docusign-signature) and, if executed by the Parties, Appendix 2 of the Customer SCCs. In accordance with the terms and conditions of the aforementioned Service Schedule, DocuSign will make available all information necessary to demonstrate compliance with the GDPR and provide assistance to Customer in audits conducted by Customer or Customer’s appointed auditor.

5. DATA PRIVACY CONTACT. DocuSign’s data privacy officer can be reached at the following address:

DocuSign, Inc.Attn: Chief Privacy Officer221 Main Street, Suite 1000San Francisco, CA 94105

6. DATA SUBJECT RIGHTS – ACCESS, CORRECTION, RESTRICTION, AND DELETION. To the extent Customer, in its use of DocuSign Signature, is not familiar with DocuSign Signature functionality that may be used to access, correct, amend, restrict, or delete Personal Data located in DocuSign Signature as required by the GDPR or requested by a Data Subject, DocuSign will provide Customer with additional Documentation or customer support assistance to educate the Customer on how to take such actions in a manner consistent with the functionality of DocuSign Signature and in accordance with the terms of the Agreement. If DocuSign receives any request from any Data Subject to access, correct, restrict, or delete Personal Data, DocuSign will advise such Data Subject to submit its request to Customer and Customer will be responsible for responding to any such request using the functionality of DocuSign Signature.

7. SUBPROCESSORS. DocuSign may engage Subprocessors to provide parts of DocuSign Signature, subject to the restrictions of the Agreement and this DPA. DocuSign will ensure that Subprocessors Process Personal Data only in accordance with the terms of this DPA and that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required by this DPA. Before appointing any new Subprocessors, DocuSign will inform Customer of the appointment (including the name and location of such Subprocessor and the activities it will perform) either by electronic mail, via DocuSign Signature, or by publication to a DocuSign website provided to Customer prior to any appointment. Customer may object to DocuSign’s appointment by giving written notice to DocuSign within thirty (30) days of being informed by DocuSign of such appointment, and if, within thirty (30) days of DocuSign’s receipt of Customer’s objection, DocuSign fails to provide a commercially reasonable alternative to avoid the Processing of Personal Data by the appointed Subprocessor, Customer may, as its sole and exclusive remedy, terminate any DocuSign Signature services to which this DPA applies.

8. NON-COMPLIANCE. If DocuSign has reason to believe Customer’s instructions infringe the GDPR or other EEA or Similar Country’s data protection provisions, then DocuSign will immediately notify Customer and Customer may, as its sole and exclusive remedy, suspend the transfer of Personal Data within eDocuments to DocuSign, and/or terminate the DocuSign Signature service to which this DPA applies by giving written notice to DocuSign, unless the non-complying Party cures such failure to comply within thirty (30) days after receiving such notice.