EU ADVANCED SIGNATURE ATTACHMENT for DOCUSIGN SIGNATURE
Service Attachment revision date: September 29, 2017. Unless otherwise defined in this Service Attachment, capitalized terms will have the meaning given to them in the Agreement.
“Archiving Policy” means all legal, functional, operational, technical, and security rules that Customer must establish, implement, and respect for the management of Signer identification.
“Certificate(s)” means the Certificate generated by DocuSign France via the Service for a Signer, used by that Signer to electronically sign an eDocument addressed thereto by an Authorized User, via the Service. Each Certificate contains information such as the identity of the Signer that includes the name and/or alias, the Public Key of the Signer, the lifecycle of the Certificate, the identity of the RA, and the signature of the issuing CA.
“Certification Authority” (or “CA”) is DocuSign France, the authority that generates Certificates and manages the Certificate lifecycle (issuance, renewal, revocation) on the request of the Registration Authority, in accordance with the rules and practices defined in its Certificate Policy(ies) and the associated Certification Practice Statement. The DocuSign contracting entity described in Section 12 (Contracting Entity, Governing Law and Venue) of the MSA acts as agent for DocuSign France as CA hereunder.
“Certificate Policy(ies)” means the set of rules published by the CA, and describing the general characteristics of the Certificates that it issues. A Certificate Policy describes the obligations and responsibilities of the CA, the RA, Signers, Certificate requesters and any other PKI component involved in the management of a Certificate lifecycle. The Certificate Policy(ies) of DocuSign France and its(their) successive update(s) can be accessed on DocuSign France’s website (https://www.docusign.fr/societe/certification-policies), and are an integral part of this Agreement.
“Delegated Registration Authority” (or “DRA”) means any entity expressly designated by the RA in order to perform all or part of RA tasks in accordance with the applicable Certificate Policy and Registration Policy.
“Documentation” means the commercial, functional, and technical documentation relating to the Service and provided by DocuSign to Customer, including DocuSign France's applicable Certificate Policies. Documentation can be in a paper format, on a magnetic storage medium or in any other format used by DocuSign. Documentation provided by DocuSign may be offered in either English and/or French.
“DocuSign France” means DocuSign France SAS, an Affiliate of DocuSign.
“DocuSign Signature” means DocuSign’s on-demand electronic signature service, which provides online display, certified delivery, acknowledgement, electronic signature, and storage services for eDocuments via the Internet.
“eIDAS” means EU Regulation No. 910/2014.
“Private Key” means a mathematical key that is secret and that is uniquely contained within a device and remotely activated by the Signer to sign eDocuments. In the context of the Service, the Private Keys are generated for the only purpose of a single transaction and are erased after the completion of such transaction.
“Registration Authority” (or “RA”) means the entity in a contractual relationship with the CA to register requests for issuance, renewal, or revoking of Certificates, and to validate or reject them. The RA applies Signer identification and authentication procedures in accordance with the rules and practices defined in the Certificate Policy(ies). For the purposes herein, the RA is Customer.
“Registration Policy” means the procedures and rules defined and implemented by the Registration Authority in order to identify and authenticate Signers, to verify and store supporting documents for Signers’ registration, and to register requests to issue, renew, and revoke Signer Certificates.
“Service” means the DocuSign EU Advanced Signature service provided to the Customer by DocuSign France as trust service provider to offer Signers a service via DocuSign Signature to electronically sign eDocuments.
“Signer(s)” (or “Signatory”) means any individual who signs the eDocument(s) presented thereto after giving consent in accordance with the Service consent protocol.
“Signer Identity” means the personal data (such as names, email addresses, telephone numbers) identifying the Signers that are collected and defined by the Customer on the Service within DocuSign Signature.
“Transaction(s)” means the performance of a signature process, defined by a set of eDocuments submitted for electronic Signature by one or more Signers.
2. EU ADVANCED SIGNATURE.
2.1 The parties acknowledge and agree that: (a) DocuSign France is a “trust service provider” for the purpose of providing Certificates under the Service and related certification services under eIDAS; and (b) where Customer contracts with DocuSign for the provision of a Certificate under the Service and related certification services, DocuSign is authorized to act as an agent for and on behalf of DocuSign France for the purpose of contracting with Customer while DocuSign France is the entity providing the actual delivery of any Certificate under the Service; and (c) the use of the Certificate under the Service is conditional upon Customer adhering to the terms of this Service Attachment.
2.2 During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to send eDocuments to Signers to be signed with the Service via the DocuSign Signature application. The right to use the Service is limited to Authorized Users, and Customer may not resell or otherwise provide or assist with the provision of the Service: (a) for the benefit of another party; (b) as a part of a service Customer offers to third parties; or (c) as a sublicensed or service bureau arrangement.
2.3 Certificate Policies. Customer acknowledges and agrees it has been or hereby is fully informed by DocuSign that:
(a) the Service is based on DocuSign France’s applicable Certificate Policies;
(b) that the Certificate Policies constitute essential commitments from DocuSign France and its delegated Registration Authorities to any third party relying on the Service;
(c) that the Certificate Policies have been or will be made available to Customer before the Order Start Date of the Service and can be accessed on DocuSign’s website, https://www.docusign.fr/societe/certification-policies; and
(d) that without limiting other provisions of the Agreement, these terms and conditions contain the essential commitments deriving from the Certificate Policies and are applicable to both Customer and DocuSign France in the context of the use of the Service.
2.4 Certification Services. DocuSign France, in its capacity as Certificate Authority, shall be responsible for the proper functioning of the Service’s components and the compliance of its Certificate management system and procedures with the provisions set forth in applicable Certificate Policy(ies). DocuSign France shall technically manage the lifecycle of Signer Certificates throughout their validity period to meet the needs relating to the use of the Service, in accordance with the terms and conditions defined in the applicable Certificate Policies. The characteristics of the Signer Certificates as well as the terms and conditions applying to the management of their lifecycles are defined in the applicable Certificate Policy(ies).
3. CUSTOMER RESPONSIBILITIES.
3.1 Customer expressly acknowledges having received from DocuSign France (or DocuSign) all of the information it requires to assess whether the Service meets its needs and to take all necessary precautions for the implementation and operation of the Service.
3.2 This Agreement designates Customer as Registration Authority, and Customer hereby accepts such duties and responsibilities. In this capacity, Customer shall implement procedures to: (a) identify and authenticate Signers; (b) validate the accuracy of the information in requests prior to submitting Signer Certificate requests to the CA via the Service; and (c) protect all identity and authentication data provided by Signer in this process. Customer will develop a Registration Policy based on the template provided by DocuSign. Customer will comply with its Registration Policy at all times and will provide a copy of the final Registration Policy to DocuSign France (or DocuSign). Customer’s Registration Policy shall at minimum detail the responsibilities and procedures for an RA set forth in this Service Attachment in a manner reasonably designed to meet the obligations set forth hereunder.
3.3 In its capacity as RA, Customer shall:
(a) Provide written proof to DocuSign France, DocuSign, or any accredited auditing body appointed by DocuSign, to verify the compliance of the RA with its Registration Policy procedures and communicate the requested information to DocuSign;
(b) Promptly alert DocuSign when there is a security incident involving or relating to the RA services;
(c) Seek prior approval from DocuSign prior to designating any DRAs;
(d) Establish a written enforceable agreement with any DRAs that defines their obligations and responsibilities in accordance with the applicable Certificate Policies and Registration Policy;
(e) Take appropriate technical and organizational measures to manage the risks associated with its IT systems and networks; and
(f) Securely store and archive all supporting documents used for Signer identification, authentication, and registration for at least five (5) years.
3.4 The Service can be accessed by Customer by means of a secure remote connection. Accordingly, CUSTOMER is solely responsible for any AND ALL consequences arising from the UNAUTHORIZED use by a third party of its Private Keys and Customer Certificates enabling access TO the Service, regardless of the means by which they were obtained FROM Customer.
3.5 The registration of Signers for the issue of Signer Certificates is the exclusive responsibility of Customer in its capacity as Registration Authority. Customer is responsible for the accuracy and completeness of the information sent to DocuSign for the issuing of Signer Certificates. DocuSign does not verify any identification information and DocuSign (including DocuSign France) disclaims all liability regarding the accuracy of the Signer identification information communicated by Customer and contained in the Signer Certificates.
4. DOCUSIGN RESPONSIBILITIES.
4.1 Trust Service Provider. DocuSign shall ensure: (a) its and its Affiliates’ data centers are secured and trustworthy in accordance with industry standards and use high-performance products in terms of reliability, security, and confidentiality; and (b) that electronic signatures created with the Service, subject to the Customer fulfilling its responsibilities under the Agreement, will conform with the definition of Advanced Electronic Signature set out in Article 26 of eIDAS.
5.1 In its capacity as CA, DocuSign France has a duty to inspect Customer in its role as RA in order to confirm its compliance with the Registration Policy applicable to Signer Certificates. For this inspection, the CA may carry out, or select a mutually agreeable inspector to carry out, an annual compliance inspection on the Customer’s premises. Depending on inspector choice, the inspection may cover the following areas:
(a) Any obligation under Sections 3.2 or 3.3;
(b) Content and availability of the agreement between Customer and potential sub-contracting entities involved in the performance of Customer’s obligations;
(c) Management of eDocuments presented and made available to the Signer in connection with the signature workflow;
(d) If and only if RA has designated one or more Delegated Registration Authority pursuant to Section 3.3 above):
(i) Monitoring of DRAs in accordance with the Registration Policy defined by RA and the contract between the RA and each DRA; and
(ii) Requirements to be met by DRAs regarding Signer authentication and identification and the secure transmission of Signer identification data to the Customer by DRAs.
5.2 If the inspection reveals a major case of non-compliance, Customer shall correct its procedures as soon as reasonably possible and, in any event, no later than the timeframe set by DocuSign France. If the correction has not been made within the timeframe set by DocuSign France, DocuSign France (or DocuSign as its agent and upon its instructions) may suspend services included in the operation of the Service until compliance is achieved. In this case, Customer cannot claim a breach by DocuSign France (or by DocuSign acting as DocuSign France agent) of its contractual obligations under this Agreement or claim any indemnity of any kind due to this suspension. Customer acknowledges and agrees that DocuSign France is permitted to suspend its performance under this Agreement whenever Customer is reasonably believed to be out of compliance with its obligations as RA, and such suspension may continue until DocuSign France in its sole good faith discretion determines that the compliance failures have been remedied.
5.3 If it is suspected that the RA and/or one or more DRA are in breach of this Agreement, or if a certification body or government authority makes the express request, DocuSign France also reserves the right to conduct, with reasonable advanced notice, an inspection on the premises of the RA and the relevant DRAs at any time, to determine any noncompliance with this Agreement and/or the applicable Certificate Policies.
Upon the expiration or termination of this Service Attachment for any reason: Customer shall promptly return to DocuSign, as of the expiry and/or effective termination date, any Documentation made available by DocuSign for the performance of this Service Attachment and any copies of any nature stored in any medium, including a digital medium, or, if applicable and if expressly requested by DocuSign, destroy the Documentation and any copies made in any medium.
7. THIRD PARTY CLAIMS.
In addition to the third party claims obligations set forth in the Agreement, Customer will indemnify DocuSign and its Indemnified Parties from, and defend DocuSign and the Indemnified Parties against, any Claim to the extent arising from or related to: (a) any representations or warranties regarding the Service made by Customer to any third parties (including without limitation Signers) not authorized by DocuSign; and (b) non-performance of any of obligations by Customer, in its capacity as Registration Authority, defined under this Agreement and the applicable Certificate Policy .