SERVICE SCHEDULE for K.SIGN CERTIFICATES
Service Schedule revision date: March 1, 2018. Unless otherwise defined in this Service Schedule or in an applicable Attachment related to the Certificate type(s) procured by the Customer, capitalized terms will have the meaning given to them in the Agreement.
"Attachment" is incorporated into this Service Schedule and stipulates any Service specificity related to the Certificate.
“Authorized Representative” means any private individual who is legally empowered to represent the Technical Contact’s Legal Entity. The Authorized Representative is referred to as the “Legal Representative” in the CP.
“Authorized User” means the individual who manages a Certificate on behalf of a Legal Entity and acts as a Certificate Manager as per Regulation. In the Attachment, the Authorized User can be named Technical Contact or Holder.
“Certificate” means an electronic file that attests to the link between an Identity associated with a Legal Entity and the Public Key associated with the Private Key contained in the Device. The Certificate is signed electronically by the CA.
“Certification Authority (CA)” means one of the members of the Public Key Infrastructures (PKI) that generates Certificates and manages the Certificate lifecycle at the request of the Registration Authority, in accordance with the rules defined in its Certificate Policy (CP) and the practices defined in the associated Certification Practice Statements (CPS). The Certification Authority issues Certificates as per indication in the Certificate Request Form.
“Certification Representative (CR)” means a private individual appointed by the Legal Entity to (i) submit Certificate Requests, in the name and on behalf of the Authorized Representative, to the RA or DRA and (ii) receive the Certificates, in the name and on behalf of the Authorized Representative. The use of a Certification Representative (CR) is optional.
“Certificate Management Procedures” means the procedures established by the RA with which the DRA, DRA Central Operators, and any Parties must comply to register, to renew, or to revoke Certificates.
“Certificate Policy (CP)” means the document that describes the requirements of the Regulation, the rules of the CA and the general characteristics of Certificates located at https://www.docusign.fr/societe/certification-policies.
“Certification Practice Statements (CPS)” means a statement of the practices used by DocuSign France as the Certification Authority to approve or reject Certificate Requests (issue, renewal, and revocation), it being specified that the CPS is not a public document.
“Certificate Request” means an application for issuance or renewal of Certificates made by the owner on the form provided for this purpose via the Registration Portal made available. A Certificate Request shall be signed electronically by the identified Parties using the DocuSign Signature Web Portal.
“Delegated Registration Authority (or DRA)” means any legal entity under contract with DocuSign France that interacts with the Technical Contact on behalf of the DocuSign France Registration Authority. When existing, the DRA is the intermediary between the RA and the Technical Contact.
“DocuSign Signature Web Portal” means the web interface used by the Technical Contact, the Authorized Representative of the Technical Contact Legal Entity, the CR when appropriate, the DRA when existing, and the RA Operator for electronically signing the Forms required to obtain Certificates. The Forms are signed with an Electronic Signature using a Private Key associated with a Signer Certificate issued further to the Signer typing in a temporary password that the latter received previously (by SMS to the phone number indicated on the Form, or by email to the address indicated on the Form), in accordance with the Consent Protocol indicated on the DocuSign Signature Web Portal.
“K.Sign Service” or “Service” means the set of services provided by DocuSign France under this Service Schedule, in particular those enabling the use of Certificates and the device, including the availability of a DocuSign Signature Web Portal. The K.Sign Service is described under the applicable Order Form and Attachment to this Service Schedule.
“Legal Entity” means the legal entity indicated in the Certificate Request. A User is associated with the Legal Entity and the Technical Contact who uses the Certificates on behalf of the Legal Entity through his or her Professional Identity.
“Party (Parties)” shall represent any natural person acting in the Certificate management procedures.
“Registration Authority (RA)” means one of the members of the Public Key Infrastructure approved by the Certification Authority and who applies the identification and authentication procedures in accordance with the rules set forth in the applicable Certificate Policy, the associated CPS, and the Certificate Management Procedures defined by DocuSign France.
“Regulation” shall refer to all standards, regulations, and frameworks that DocuSign France TSP complies with and that the issued Certificates are qualified for.
“Security Code” means any code that is required for accessing the Certificate for its usage (Access codes or PIN Codes).
2 CUSTOMER RESPONSIBILITIES
Under the terms of this Service Schedule, the Customer shall act as a Delegated Registration Authority.
2.1 Conditions for Using the Service
Under the terms of this Service Schedule, the Customer shall:
- Comply with the stipulations of DocuSign France’s Certificate Policy and this Service Schedule, Attachments, and Appendices;
- Take responsibility for the accuracy of the information entered in the Certificate Request Forms that it submits to the RA;
- Deliver the Certificate and Devices (if any) to the Authorized User or CR when it exists;
- Accept the use of the Registration Portal and Forms for submitting Certificate Requests to the RA on behalf of the Legal Entity’s Authorized Representative;
- Accept the use of the Electronic Signature via the DocuSign Signature Web Portal;
- Provide Level 1 Customer Service to Authorized Users or CR when appropriate;
- Take sole responsibility for any information required for the configuration of the Service;
- Assume responsibility for all hardware and software it uses, as well as the related risks, and take sole responsibility for damage caused to themselves, their employees, or third parties including consequences that may be due to a malfunction in the Service, if such malfunctions may be attributed to the components provided by the Customer. The Customer also remains solely responsible for any use of the Service and any resulting damage; and
- Take sole responsibility as the DRA and DRA Central Operators for the physical and logical security of accessing the Service, as defined in the Order Form, as well as for any consequences or actions that may result from unauthorized use of the Service.
2.2 Responsibilities of Delegated Registration Authority
As DRA, the Customer shall undertake the following responsibilities:
- Generate formal rules that comply with the applicable Certificate Policies and Certificate Management Procedures, including: registering requests to issue, renew, or revoke Certificates, delivering Certificates, Security Codes, applicable GTU, conditions for accessing the DocuSign Signature Web Portal, passwords, conditions for revoking Certificates;
- Verify the completeness of Certificate Requests submitted by Authorized Representatives or CR when appropriate, prior to their transmission to the RA. In this regard, the DRA must verify (i) that the Certificate Request is complete (including required Forms and supporting evidence), (ii) that the Legal Entity stated in the Certificate Request is legal (Company Register excerpt or administrative supporting evidence), and (iii) that the person authorizing the Certificate Request belongs to the entity stated in the Certificate Request Form. If a CR is used, the DRA must verify that the CR Creation Form exists and is still valid;
- Identify Authorized Users, or CRs if applicable:
  - Verify that the Authorized User or CR ID document is an original document that is valid,
  - Verify that the identity provided by the Authorized User or CR matches the identity stated in the Certificate Request;
- When required by the Regulation, conduct face-to-face identity verification of the Authorized User, or CRs where applicable, and authentication thereof during the Certificate Request processing. Also, verify that the ID document provided by the Authorized User (or CR) during the Certificate registration or withdrawal phase bears the same serial number as that provided at the time of the Certificate Request; and
- Communicate regularly an updated List of DRA Central Operators to the RA, using the dedicated DRA Central Operator Designation Form provided by the RA.
2.3 Identifying Authorized Users
When applicable and depending on the Certificate type (refer to the applicable Attachment), the Customer shall be responsible as follows:
- Identification and authentication of Authorized Users (or CR, if applicable) during face-to-face delivery of the Device whenever required by the Regulation. The DRA Operator shall perform the identification verifications required before delivering the Device; or
- Identification and authentication of Authorized Users (or CR, if applicable) during face-to-face registration of the Certificate Request. The DRA Operator shall perform the identification verifications required before approving the Certificate Request.
2.4 Communicating to Authorized Users
The Customer shall formalize and communicate to Authorized Users the rules applicable to the use of Certificates, including those regarding:
- Access to and use of the Registration Portal for submitting Certificate Requests;
- Certificate Requests (for issuance, renewal, revocation);
- Acquiring Certificates and related Security Codes (if any);
- Protection of Certificates from fraudulent or improper access;
- Protection of Security Codes and the manner in which they are provided;
- Revocation Reasons, including procedure and how the Revocation Code is provided;
- Face-to-face verifications (whenever required) with valid ID documents;
- Control of and responsibility for K.Sign Identity associated with the Certificate;
- DocuSign Signature Web Portal and its usage during the Certificate Request, including use of the Security Codes received and their usage during the signature process;
- Responsibility for each Certificate and its Key-Pair, including safeguarding it from loss and misuse;
- DocuSign France’s authority to revoke some or all Certificates if a general audit identifies misuse or a failure to comply with applicable rules; and
- Limits on DocuSign France’s liability, such as in the case of failure of the DRA or the Authorized User to comply with the Agreement, Certificate Management Procedures and the applicable CP and CPS.
2.5 Designating DRA Central Operators and DRA Operators
The Customer, acting as a DRA, shall designate DRA Central Operators and DRA Operators who shall perform the duties assigned to them in the Agreement.
The Customer shall:
- Provide a list of the designated DRA Central Operators at the Agreement signature date by filing the appropriate Appendix;
- Inform DocuSign France about any change related to the DRA Central Operator list during the duration of the Agreement by filing the appropriate DRA Central Operator Form;
- Manage the training of the DRA Operators;
- Ensure that DRA Operators observe their duties as expressed in the Agreement, the related Certificate Management Procedures, and the CP; and
- Inform the DRA Central Operators and DRA Operators who will need to participate in any audit DocuSign France may conduct.
2.6 Restrictions on Use
During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to submit eDocuments to the Service. The right to use the Service is limited to the Parties.
Unless the Parties have entered into a separate partnership agreement that permits the following, Customer may not resell or otherwise provide or assist with the provision of the Service for the benefit of another party or as a part of a service Customer offers to third parties or as a sublicensed or service arrangement.
3 DOCUSIGN RESPONSIBILITIES
3.1 K.Sign Service
DocuSign France shall provide the Customer and the Parties with the Service as described in the Order Form, including to:
- Allow Authorized Users to sign electronic documents and messages;
- Allow Authorized Users to authenticate themselves during access control tests, when the Certificate permits; and
- Following complete and valid Certificate Requests received from the DRA:
  - Issue, renew, and revoke Certificates;
  - Deliver Certificates or Devices with a duration of up to three (3) years after the date of issuance that comply with the Regulation.
To the Customer as a DRA, DocuSign France shall:
- Grant a limited, internal, non-transferable and non-exclusive right to market, sell, and support provision of the K.Sign Service to Authorized Users;
- Provide a DocuSign Signature Web Portal available only to the Parties designated by the Customer as DRA;
- Delegate the duties of recording Certificate Requests, as well as delivering K.Sign Devices;
- Delegate the duties of authenticating Authorized Users, or CRs if applicable, at the time of such requests and/or of such delivery;
- Provide documentation describing the K.Sign Service;
- Provide Forms that regulate the Certificate Requests and CR designation;
- Provide personalized, authenticated access to the Registration Portal to the DRA for performing operations related to the Certificate Requests; and
- Provide Level 2 Customer Service as described in the Customer Support Attachment.
3.2 Responsibilities of Registration Authority
As RA, DocuSign France shall make reasonable efforts to:
- Verify consistency between the ID document of the Certificate applicant sent by the DRA and the last and first names of the Authorized Users contained in the Certificate Request;
- Verify consistency between the supporting evidence for the legal existence of the entity and the name and registration number of the Legal Entity stated in the Certificate Request (e.g. K-bis excerpt for France);
- Verify completeness of all Forms; and
- During the use of the DocuSign Signature Web Portal, communicate to all persons using the DocuSign Signature Web Portal (Authorized Users, Authorized Representatives or Certification Representatives) the URL and passwords to be used for accessing the DocuSign Signature Web Portal and further authenticating during the Electronic Signature process.
3.3 Responsibilities of Certification Authority
As CA, DocuSign France shall make reasonable efforts to provide:
- The Service (availability of LRCs) to the Customer until the end of the term of validity of the CA; and
- Revocation capability to the Authorized User, from the Revocation URL made available by the DRA and the RA, using the Revocation Code provided by DocuSign France.
4 ADDITIONAL RESTRICTIONS AND OBLIGATIONS
4.1 General Audit
Customer acknowledges and agrees that DocuSign France may conduct, on an annual basis, a conformity evaluation audit. DocuSign France shall notify the Customer, via its DRA Central Operators, not less than ten (10) days in advance of an impending audit. An audit shall be conducted expeditiously and shall not last for more than 3 days. If the audit identifies a major nonconformity, the Customer shall bring its procedures into conformity without delay, but in no event longer than fifteen (15) days. If Customer does not address each nonconformity within fifteen (15) days, DocuSign France may suspend full compliance until each nonconformity is satisfactorily addressed. DocuSign France may also revoke, in its sole discretion, Certificates managed by the DRA, if the audit identifies nonconformities described in the CP.
4.2 Operational Services
DocuSign shall issue Certificates, personalizing the cryptographic Device when a Certificate is delivered using a Device in accordance with the Certificate Requests verified and submitted by the DRA Central Operators, and provide technical management of the Certificate life cycles throughout their term of validity. The Parties acknowledge and agree that the K.Sign Service does not cover escrow or recovery of the Key-Pairs associated with the Certificates delivered to Authorized Users.
4.3 Access and Use of K.Sign Service
DRA Central Operators shall use the Certificate they were provided by DocuSign France, which shall enable them to access the Registration Portal to manage the Certificate Requests.
The DRA agrees to ensure the security and confidentiality of the K.Sign Certificate and of Private Keys of the DRA Central Operators.
The DRA Central Operators shall be solely liable for any loss, compromise, alteration, theft, or disclosure of their own K.Sign Certificates.
4.4 Misuse of the Service
Customer shall be solely liable for any damaging consequences that may result from use by a third party having received access to the K.Sign Service, directly or indirectly, by any means whatsoever. In any event, the DRA agrees to immediately notify DocuSign France in writing of any fraudulent or unauthorized use of the Service of which it may become aware and of any security breach which may result therefrom.
4.5 DocuSign Signature Web Portal
The DocuSign Signature Web Portal shall be accessible by the Customer through a remote connection using a login and password. In this regard, DocuSign cannot be held responsible for any damaging consequences that may result from the use of the DocuSign Signature Web Portal by an unauthorized third party following a fault or an act of negligence by a User acting under the security of his/her password received via SMS or email and of the login and/or password provided to him/her by the DRA Central Operator.
Customer agrees to comply with the applicable provisions of the Certificate GTU incorporated in the Agreement.
5.1 Post-Termination Obligations
Upon the expiration or termination of this Service Schedule for any reason, Customer shall promptly return to DocuSign France, as of the expiry and/or effective termination date, any Documentation made available by DocuSign for the performance of this Service Schedule and any copies of any nature stored in any medium, including a digital medium, or, if applicable and if expressly requested by DocuSign France, destroy the Documentation and any copies made in any medium.
5.2 Loss of Qualification
The Customer is hereby explicitly made aware that loss of the Service qualification may occur at any time during the performance of the Agreement and that this shall result in termination of all Certificate sales as well as termination of the Agreement, subject to a notification period of three (3) months, and the Customer shall not be entitled to claim any compensation on such grounds. The Parties may, however, agree on continuation of Service per terms and procedures defined by DocuSign France.