SERVICE ATTACHMENT of SECURITY ATTACHMENT for DOCUSIGN SIGNATURE
This Service Attachment was last updated on: January 12, 2017.
This Service Attachment of Security Attachment for DocuSign Signature (“Security Attachment”) is made part of the Agreement between DocuSign and Customer for the use of the DocuSign Signature Service to which Customer has subscribed to in an Order Form with DocuSign. This Security Attachment applies separately to each DocuSign Signature Account. In the event of any inconsistency or conflict between the Agreement and this Security Attachment, the terms of this Security shall control with respect to DocuSign Signature. The terms of this Security Attachment are limited to the scope of this Security Attachment and shall not be applicable to any other Service Schedules or DocuSign Services.
Except as otherwise defined in this Security Attachment, capitalized terms will have the meaning given to them in the Agreement:
“Personnel” means all employees and agents of DocuSign involved in the performance of DocuSign Signature service.
"Process” or “Processing” means, with respect to this Security Attachment, any operation or set of operations that is performed upon Customer Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Production Environment” means the System setting where software, hardware, data, processes, and programs are executed for their final and intended operations by end users of DocuSign Signature.
“Subcontractor” means a third party that DocuSign has engaged to performs DocuSign Signature service on behalf of DocuSign.
2. USE AND DISCLOSURE OF CUSTOMER DATA
2.1 Permitted Use and Disclosure of Customer Data. This Security Attachment sets forth DocuSign’s commitments for the protection of Customer Data. DocuSign will not Process Customer Data in any manner other than as permitted or required by the Agreement.
2.2 Acknowledgement of Shared Responsibilities. Security and privacy with respect to data and information that is accessed, stored, shared, or otherwise Processed via a multi-tenant cloud service such as DocuSign Signature are shared responsibilities between a cloud service provider and its customers. DocuSign is responsible for the implementation and operation of the Information Security Program and the protection measures described in the Agreement and this Security Attachment. Customer acknowledges that, as set forth in more detail in the Agreement, it is responsible using and enforcing the controls made available in connection with DocuSign Signature to maintain, as Customer deems adequate, appropriate access to and the protection and storage of Customer Data.
2.3 Applicability. This Security Attachment applies specifically to the Customer Data Processed via DocuSign Signature. To the extent Customer exchanges data and information with DocuSign that does not meet the definition of “Customer Data,” DocuSign will treat such data and information in accordance with the confidentiality terms set forth in the Agreement.
3. SECURITY MANAGEMENT
3.1 Information Security Program. As described in the Agreement, DocuSign will maintain a written Information Security Program that includes written policies, procedures, and controls governing the Processing of Customer Data via DocuSign Signature in accordance with the terms of the Agreement. DocuSign’s Information Security Program is designed to protect the confidentiality, integrity, and availability of Customer Data by using a multi-tiered technical, procedural, and people-related control approach in accordance with industry best practices and applicable laws and regulations.
3.2 Background Checks and Training. DocuSign will conduct reasonable and appropriate background investigations on all Personnel in accordance with applicable laws and regulations. Personnel must pass DocuSign’s background checks prior to being assigned to positions in which they will, or DocuSign reasonably expects them to, have access to Customer Data. DocuSign will conduct annual mandatory security awareness training to inform its Personnel on procedures and policies relevant to the Information Security Program and of the consequences of violating such procedures and policies.
3.3 Subcontractors. DocuSign will evaluate all Subcontractors to ensure that Subcontractors maintain appropriate physical, technical, organizational, and administrative controls that are consistent with the requirements of the Agreement and this Security Attachment. All Subcontractors fall into scope for independent audit assessment as part of DocuSign’s ISO 27001, or equivalent, audit, where their roles and activities are reviewed per control requirements. DocuSign will remain responsible for the acts and omissions of its Subcontractors as they relate to the services performed under the Agreement as if it had performed the acts or omissions itself and any subcontracting will not reduce DocuSign’s obligations to Customer under the Agreement.
4. PHYSICAL SECURITY MEASURES
4.1 General. DocuSign will maintain appropriate physical security measures designed to protect the tangible items, such as physical computer systems, networks, servers, and devices, that Process Customer Data. DocuSign will utilize commercial grade security software and hardware to protect the DocuSign Signature service and the Production Environment.
4.2 Facility Access. DocuSign will ensure that: (a) access to DocuSign’s corporate facilities is tightly controlled; (b) all visitors to its corporate facilities sign in, agree to confidentiality obligations, and be escorted by Personnel while on premises at all times; and (c) visitor logs are reviewed by DocuSign’s security team on a regular basis. DocuSign will promptly revoke Personnel’s physical access to DocuSign’s corporate facilities upon termination of employment.
4.3 Data Center Access. DocuSign will ensure that its commercial-grade data center service providers used in the provision of DocuSign Signature maintain an on-site security operation that is responsible for all physical data center security functions and formal physical access procedures in accordance with SOC1 and SOC 2, or equivalent, standards. DocuSign’s data centers are included in DocuSign’s ISO 27001 or equivalent certification.
5. LOGICAL SECURITY
5.1 Access Controls. DocuSign will maintain a formal access control policy and employ a centralized access management system to control Personnel access to the Production Environment.
- (a) DocuSign will ensure that all Personnel access to the Production Environment is subject to successful two-factor authentication globally from both corporate and remote locations and is restricted to authorized Personnel who demonstrate a legitimate business need for such access. DocuSign will maintain associated access control process for reviewing and implementing Personnel access requests. DocuSign will regularly review the access rights of authorized Personnel and, upon change in scope of employment necessitating removal or employment termination, remove or modify such access rights as appropriate.
- (b) DocuSign will monitor and assess the efficacy of access restrictions applicable to the control of DocuSign's system administrators in the Production Environment, which will entail generating system individual administrator activity information and retaining such information for a period of at least 12 months.
5.2 Network Security. DocuSign will maintain a defense-in-depth approach to hardening the Production Environment against exposure and attack. DocuSign will maintain an isolated Production Environment that includes commercial grade network management controls such as load balancers, firewalls, intrusion detection systems distributed across production networks, and malware protections. DocuSign will complement its Production Environment architecture with prevention and detection technologies that monitor all activity-generated and send risk-based alerts to the relevant security groups.
5.3 Malicious Code Protection. DocuSign will ensure that: (a) its information systems and file transfer operations have effective and operational anti-virus software; (b) all anti-virus software is configured for deployment and automatic update; and (c) applicable anti-virus software is integrated with processes and will automatically generate alerts to DocuSign’s Cyber Incident Response Team if potentially harmful code is dedicated for their investigation and analysis.
5.4 Code Reviews. DocuSign will maintain a formal software development lifecycle that includes secure coding practices against OWASP and related standards and will perform both manual and automated code reviews. DocuSign’s engineering, product development, and product operations management teams will review changes included in production releases to verify that developers have performed automated and manual code reviews designed to minimize associated risks. In the event that a significant issue is identified in a code review, such issue will be brought to DocuSign senior management’s attention and will be closely monitored until resolution prior to release into the Production Environment.
5.5 Vulnerability Scans and Penetration Tests. DocuSign will perform both internal and external vulnerability scanning and application scanning. Quarterly external scans and annual penetration tests against DocuSign Signature and the Production Environment will be conducted by external qualified, credentialed, and industry recognized organizations. DocuSign will remedy vulnerabilities identified during scans and penetration tests in a commercially reasonable manner and timeframe based on severity. Upon Customer’s reasonable written request, DocuSign will provide third party attestations resulting from vulnerability scans and penetration tests per independent external audit reports. For clarification, under no circumstance will Customer be permitted to conduct any vulnerability scans or penetration testing against the Production Environment.
6. STORAGE, ENCRYPTION, AND DISPOSAL
6.1 Separation. DocuSign will logically separate Customer Data located in the Production Environment from other DocuSign customer data.
6.2 Encryption Technologies. DocuSign will encrypt Customer Data in accordance with industry best practice standards. All access and transfer of data to and from DocuSign Signature will be via HTTPS and DocuSign will only support industry recognized and best practice cipher suites. DocuSign will encrypt all eDocuments persisted on the Production Environment with an AES 256-bit, or equivalent, encryption key.
6.3 Disposal. DocuSign will maintain a data disposal and re-use policy for managing assets and implement
industry recognized processes and procedures for equipment management and secure media disposal.
7. BUSINESS CONTINUITY AND DISASTER RECOVERY
7.1 Continuity Plan. DocuSign will maintain a written business continuity and disaster recovery plan that addresses the availability of DocuSign Signature (“Continuity Plan”). The Continuity Plan will include elements such as: (a) crisis management, plan and team activation, event and communication process documentation; (b) business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, system(s) details, recovery activities, and identification of the Personnel and teams required for such recovery. DocuSign will, at a minimum, conduct a test of the Continuity Plan on an annual basis.
7.2 DocuSign Signature Continuity. DocuSign’s production architecture for DocuSign Signature is designed to perform secure replication in near real-time to multiple active systems in geographically distributed and physically secure data centers. DocuSign will ensure that: (a) infrastructure systems for DocuSign Signature have been designed to eliminate single points of failure and to minimize the impact of anticipated environmental risks; (b) each data center supporting DocuSign Signature includes full redundancy and fault tolerance infrastructure for electrical, cooling, and network systems; and (c) Production Environment servers are enterprise scale servers with redundant power to ensure maximum uptime and service availability.
8. INCIDENT RESPONSE AND BREACH NOTIFICATION
DocuSign will report and respond to a Data Breach in accordance with the terms of the Agreement. In add addition DocuSign will maintain a tested incident response program that is managed and run by DocuSign’s dedicated Global Incident Response Team. DocuSign’s incident response team will operate to a mature framework that includes incident management and breach notification policies and associated processes. DocuSign’s incident response program will include, at a minimum, initial detection; initial tactical response; initial briefing; incident briefing; refined response; communication and message; formal containment; formal incident report; and post mortem/trend analysis.
9. CUSTOMER AUDIT RIGHTS
9.1 Regulatory Audit. If Customer’s governmental regulators require that Customer perform an on-site audit of DocuSign’s Information Security Program, as supported by evidence provided by Customer, Customer may, either through itself or a third party independent contractor selected by Customer at Customer’s sole expense, conduct an on-site audit of DocuSign’s Information Security Program, including DocuSign’s data centers and corporate facilities relevant to the security of Customer Data (“Regulatory Audit”). Unless a different notice or frequency is required by Customer’s governmental regulators, a Regulatory Audit may be conducted by Customer once per year with at least 60 days’ advance written notice to DocuSign. If a Regulatory Audit requires the equivalent of more than two business days of DocuSign Personnel’s time to support such audit, DocuSign may charge Customer an audit fee at DocuSign’s then-current rates for each day thereafter.
9.2 Audit for Data Breach. Following a Data Breach, DocuSign will, upon Customer’s written request, promptly engage a third party independent auditor, selected by DocuSign and at DocuSign’s expense, to conduct an on-site audit of DocuSign’s Information Security Program, including DocuSign’s data centers and corporate facilities relevant to the security of Customer Data. DocuSign will promptly provide Customer with the report of such audit.
9.3 Conditions of Audit.
- (a) Audits conducted pursuant to this Section (Customer Audit Rights) must: (i) be conducted during reasonable times and be of reasonable duration; (ii) not unreasonably interfere with DocuSign’s day-to-day operations; and (iii) be conducted upon mutually agreed upon terms and in accordance with DocuSign’s security policies and procedures. DocuSign reserves the right to limit an audit of configuration settings, sensors, monitors, network devices and equipment, files, or other items if DocuSign, in its reasonable discretion, determines that such an audit may compromise the security of DocuSign Signature or the data of other DocuSign customers. Customer’s audit rights do not include penetration testing or active vulnerability assessments of the Production Environment or DocuSign Systems within their scope.
- (b) In the event that Customer conducts an audit through a third party independent contractor, such independent contractor must enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect DocuSign’s confidential information.
- (c) Customer must promptly provide DocuSign with any audit, security assessment, compliance assessment reports and associated findings prepared by it or its third party contractors for comment and input prior to formalization and/or sharing such information with a third party.
9.4 Remediation and Response Timeline. If any audit performed pursuant to this section (Customer Audit Rights) reveals or identifies any non-compliance by DocuSign of its obligations under the Agreement and this Security Attachment, then (a) DocuSign will work to promptly correct such issues; and (b) Customer may request feedback and information regarding corrective and remedial actions taken in relation to such audit for no more than 60 days after the date upon which such audit was conducted.