1. DEFINITIONS. Certain terms defined in this section are used only within this section (in the definition for other terms).
“Authorized Representative” (or “AR”) means any private individual who is legally empowered to represent the Technical Contact’s Legal Entity. The Authorized Representative is referred to as the “Legal Representative” in the CP.
“Certification Authority” (or “CA”) means one of the members of the Public Key Infrastructures (PKI) that generates Certificates and manages the Certificate life cycle at the request of the Registration Authority, in accordance with the rules defined in its Certificate Policy (CP) and the practices defined in the associated Certification Practice Statement (CPS). The Certification Authority that issues the Certificate shall be indicated in the Certificate Request.
“Certificate” means an electronic file that attests to the link between a Seal Server Identity associated with a Legal Entity and the Public Key associated with the Private Key contained in the Device. The Certificate is signed electronically by the CA.
“Certificate Request” means an application for issuance or renewal of Certificates made by the Technical Contact on the form provided for this purpose via the Registration Portal. A Certificate Request shall be signed electronically in the Registration Portal by the Technical Contact and, where applicable, the designated Authorized Representative or Certification Representative.
“Certificate Management Procedures” means the procedures established by the Registration Authority with which the DRA, DRA Central Operators, Technical Contacts, Legal Entities via their Authorized Representatives, or CRs must comply in order to register, renew, or revoke Certificates.
“Certificate Validation” means an operation designed to confirm that the Certificate has been checked by one or several authorities of trust and is still valid. Certificate Validation includes the verification of its validity period, its status (revoked or not), the identity of the CAs of the issue chain, and the verification of the Electronic Signature of all the CAs contained in the Certification Path.
“Certification Path” (or “chain of trust”, or “certification chain”) means the whole CA chain wherein each CA is certified by a higher-level CA. For example, a CA issuing Certificates to Technical Contacts may be certified by an intermediary CA, which, in turn, may be certified by another intermediary CA, and so on up until the CA of the highest level, self-certified, and known as the “root CA.”
“Certification Policy“ (or “CP”) means the document that describes the requirements of the Regulation, the rules of the CA, and the general characteristics of Certificates (https://www.docusign.fr/societe/politiques-de-certifications).
“Certification Practice Statement” (or “CPS”) means a statement of the practices used by DocuSign France as the Certification Authority to approve or reject Certificate Requests (issue, renewal, and revocation), it being specified that the CPS is not a public document.
“Certification Representative” (or “CR”) means a private individual that the Technical Contact may, at its option, appoint to (i) submit Certificate Requests, in the name and on behalf of the Technical Contact, to the RA or DRA and (ii) receive the Certificates, in the name and on behalf of the Technical Contact.
“Certificate Signing Request” (or “CSR”) means an electronic file that contains the Public Key generated by the Technical Contact when applying for a Certificate Request.
“Delegated Registration Authority” (or “DRA”) means any legal entity under contract with DocuSign France that interacts with the Technical Contact on behalf of the DocuSign France Registration Authority. The DRA is the intermediary between the RA and the Technical Contact.
“DRA Central Operator” means any individual expressly appointed by the DRA in accordance with DocuSign France Certificate Management Procedures. The DRA Central Operator is also a DRA Operator.
“DRA Operator” means any private individual who is employed by the Registration Authority for vetting and processing the Certificate Requests and operating the RA in accordance with the Certificate Management Procedures defined by DocuSign France.
“Device” means a physical device containing a set of software components that are used to implement the Private Key and enable cryptographic operations, e.g. signature, signature verification, and generation of a Key-Pair. A Device shall be certified as a cryptographic material resource to the level that is defined in the Certificate Request Form.
“DocuSign Signature Web Portal” means the web interface used by the Technical Contact, the Authorized Representative of the Technical Contact Legal Entity, the CR, and the RA Operator for electronically signing the Forms required to obtain Certificates. The Forms are signed with an Electronic Signature using a Private Key associated with a Signer Certificate issued further to the Signer typing in a temporary password that the latter received previously (by SMS to the phone number indicated on the Form, or by email to the address indicated on the Form), in accordance with the Consent Protocol indicated on the DocuSign Signature Web Portal.
“Electronic Signature” means, in accordance with Article 1316-4 of the French Civil Code, “the use of a reliable identification process guaranteeing its link with the deed to which it is attached” and aims at identifying the person placing the signature and demonstrating the person’s acceptance of the obligations resulting from the signed deed.
“Form(s)” means a single form or set of forms provided by the DRA or RA and required for managing the Certificate Requests.
“Legal Entity” means the legal entity indicated in the Certificate Request. A User associated with the Legal Entity or Technical Contact also uses the Certificates on behalf of the Legal Entity through his or her Seal Server Identity.
“OCSP Service” means the Online Certificate Status Protocol supported by DocuSign France to permit checks of the validity of the Certificates.
“Public Key” means a mathematical key that is made public and which is used when implementing a cryptographic protocol to check a signature.
“Private Key” means a mathematical key that is kept secret and which is uniquely owned by a Technical Contact, stored in a Device and used for signing electronic documents.
“Registration Authority” (or “RA”) means one of the members of the Public Key Infrastructure approved by the Certification Authority. The RA applies the identification and authentication procedures in accordance with the rules set forth in the applicable Certificate Policy, the associated CPS, and the Certificate Management Procedures defined by DocuSign France.
“RA Operator” means any private individual who is designated by the RA to: (i) vet and process Certificate Requests; and (ii) operate the RA in accordance with the Certificate Management Procedures defined by DocuSign France.
“Registration Portal” means the web interface used by the Technical Contact, or the Authorized Representative of the Technical Contact’s Legal Entity or of the Certification Representative, to complete web forms and submit a Certificate Request.
“Regulation” means all standards and regional or national frameworks that regulate the Certificate. Regulation requirements are reflected in Certification Policy.
“Renewal” means the operation performed at the end of the validity period of a Certificate that results in generating a new Certificate for a Technical Contact.
“Revocation” means the operation requested by the Technical Contact, the CA, RA or DRA in accordance with the Certificate Policy, which results in withdrawal of the CA’s guarantee on a given Certificate before the end of its validity period.
“Revocation Code” means the code defined and sent by the Registration Authority’s software or application to the Technical Contact and to the Authorized Representative (or CR) and the RA by email to the email addresses indicated in the Certificate Request Form, thus enabling the User and the Authorized Representative (or CR) to independently revoke his or her Certificate on the Revocation URL on the RA’s software interface.
“Revocation Reasons” means the conditions that obligate Users to request Revocation or that allow the CA to revoke a Certificate.
“Revocation URL” means the address of the DocuSign France Website that enables a party to revoke a Certificate by entering the associated Revocation Code.
“Seal Server Identity” means the identity built using the data collected by the DRA from the Technical Contact as well as data defined by DocuSign France. This identity is used to authenticate the Legal Entity as well as a Legal Entity service in compliance with the Regulation.
“Service” means the services provided by DocuSign France to enable the use of the Certificates and the Key-Pair, including the provision of a Registration Portal, a DocuSign Signature Web Portal, and an RA portal for online Revocation.
“Signer Certificate(s)” means the Certificates generated by the DocuSign France CA on behalf of the person authenticated (e.g., Technical Contact, Certification Representative, Authorized Representative of the TC Legal Entity or of the RA) according to a password provided by the DocuSign Signature Web Portal or the DRA and a Consent Protocol, and whose associated Private Key is used to electronically sign the Certificate Request via the DocuSign Signature Web Portal. Each Signer Certificate contains data, such as the Signer’s surname and first name.
“Signature Policy” means a set of rules established by DocuSign France for the creation or validation of an Electronic Signature via the Signature Web Portal (https://www.docusign.fr/societe/politiques-de-certifications), under which an Electronic Signature can be determined as valid. A Signature Policy includes in particular the following elements: (i) identification of one or several trust elements (https://www.docusign.fr/societe/politiques-de-certifications) and rules that support creation of a Certification Path between the Signer Certificate and one of these trust elements; (ii) the means to be implemented in order to obtain a time reference that fixes the Electronic Signature of the Signer and the validation data in time; (iii) the means to be used for checking the revocation status of each Certificate of the Certification Path in relation to this time reference; (iv) the characteristics that the Signer Certificate must include; (v) all of the validation data that the Signer must provide; (vi) the cryptographic algorithms (signature and hash) to be used in relation to checking the digital signature of the document and the validation data.
“Signer” means any individual notified by the Signature Web Portal to perform an Electronic Signature operation.
“Technical Contact” (or “TC”) means the individual who manages a Certificate on behalf of a Legal Entity and acts as a Certificate Manager as per Regulation.
“Time-stamping Service” means the services performed by DocuSign France that support generation of timing stamps (or time-stamp tokens) in accordance with the Time-stamping Policy.
“Uniform Resource Locator” (or “URL”) means the Internet address of a website or of a file available online.
“User” means any natural person involved in a Certificate Request or use of a Certificate. A User may be any of: Technical Contact, Authorized Representative, Certification Representative, or DRA operators (central or not).
This GTU shall take effect upon the commencement of a Certificate Request. This GTU shall apply for at least as long as a Certificate is in use and any portions that obligate a party to act after expiration or Revocation of a Certificate shall apply after expiration or Revocation of a Certificate.
3. CERTIFICATE REQUEST PROCEDURE
The Legal Entity shall designate a Technical Contact in accordance with its internal procedures.
A Technical Contact or Authorized Representative or the Certification Representative may submit a Certificate Request via the Registration Portal in accordance with the instructions provided by the Registration Authority or the DRA.
If a Certification Representative is designated by the Authorized Representative, the Authorized Representative shall indicate this fact in the Certificate Request.
The Technical Contact and the Authorized Representative or the Certification Representative shall provide the information required to submit a Certificate Request. The applicable parties, such as DRA, Technical Contact, or Authorized Representative and Registration Authority, shall apply Electronic Signatures to the Certificate Request. The Registration Authority or its DRA shall verify the information in the Certificate Request before signing.
The following signatures to the Certificate Request are required:
- Signature by the Registration Authority or its DRA;
- Registration Authority verification and signature (if a DRA is present);
- Signature by the Technical Contact;
- Signature by the Authorized Representative or Certification Representative.
Each signature is realized as follows:
- Based on the information contained within the Certificate Request Form;
- Each Signer receives an email sent from the DocuSign Signature Web Portal containing the link to the signature web page;
- Each Signer receives a password transmitted via email or SMS;
- Signers enter their passwords to access the signature operation;
- Signers approve content by clicking on the box provided for each part;
- Validation of Consent with regards to digital signature, which triggers Signature of the Certificate Request Form using a Signer Certificate.
Upon signature the form is time-stamped by the Time-stamping Service, which prevents any modification of the data included.
After each Signer has affixed his or her signature, each Signer receives the signed Certificate Request Form on his or her registered email. The Technical Contact and Authorized Representative or Certification Representative shall save the form on their own systems.
The Technical Contact, Authorized Representative, or Certification Representative shall immediately inform DocuSign France in writing of any misuse of or unauthorized access to the Registration Portal or DocuSign Signature Web Portal that could compromise the security of either the portal or the Certificate.
The parties acknowledge and agree that affixation of an Electronic Signature on a Certificate Request Form constitutes acceptance of this GTU.
The Signatures provided on the Forms by the Technical Contact, Certification Representative, or Authorized Representative as well as the applicable Terms, acquire, in respect of the Regulation, legal value following authentication checks conducted by the DRA and RA.
If a Certificate Request is rejected by the Registration Authority, the Technical Contact may submit additional information within thirty (30) days. If the Technical Contact does not submit additional information within thirty (30) days, the Certificate Request shall expire.
4. ISSUE OF CERTIFICATE
Following a Certificate Request, and provided that DocuSign France does not identify any problems with the applicable request, such as invalid identification documents or an inability to verify the Legal Entity, the Certificate shall be made available by the Registration Authority to the Technical Contact.
The Registration Authority will send: (a) the file containing the Certificate to the Technical Contact; and (b) the Revocation Code to the Technical Contact, the Authorized Representative, or the Certification Representative as well as the DRA Central Operator.
The Technical Contact shall check the contents of the Certificate, including the "subject" field of the Certificate that contains the complete identity. The Technical Contact shall have a period of fifteen (15) calendar days within which it may cancel the Certificate due to inaccurate content and submit a new Certificate Request without penalty. After this period, the Certificate will be deemed accepted by the Technical Contact. The canceled Certificate Request will lead to Certificate Revocation.
5. USE OF THE CERTIFICATE
The Technical Contact must take all necessary measures to protect its Public Key. Certificates may be used only as set forth in this GTU or in the Certification Policy. The Technical Contact assumes liability for any other use of the Certificates. The Technical Contact agrees to read, before signing a Certificate Request, the available documentation, including the technical requirements concerning the certificate and the technical specifications for the use of that certificate. The Technical Contact shall ensure that its equipment (hardware and software) is capable of supporting proper use of the Certificate.
6. DURATION OF THE CERTIFICATE
The Certificate may be valid for up to three years (“Validity Period”). This Validity Period starts from the date of issue by the Certification Authority identified in the form. At the end of the Validity Period of the Certificate, verification of the signature of the documents will be possible with the verification software indicated by the entities deploying the user applications of the Certificate, in particular to verify that at the date of signature the document was signed electronically by a valid Certificate issued by the Certificate Authority. As such, an expired Certificate is no longer contained in the CRL produced by the Certificate Authority, regardless of its status. Certificate Validation is performed using the Revocation URL or the OCSP service.
7. CERTIFICATE RENEWAL
When a Certificate expires, the Technical Contact may initiate renewal of the Certificate by submitting a new Certificate Request to the Registration Authority or the DRA in accordance with the applicable procedure at the time of Renewal.
If no information from the initial application, except for the CSR, has been modified, the first Renewal is performed in a simplified manner. The first Renewal application is signed by the Technical Contact of the Legal Entity including its key management delegation. This simplified Renewal procedure cannot be carried out twice in succession. If one of the elements of the previous application is changed (Technical Contact information, credential Legal Entity and TC, Certificate information), a request in accordance with the procedure described in paragraph "Certificate request Procedure” is carried out.
Each Renewal application must be signed by the Registration Authority.
Following a (renewed) Certificate Request, and provided that DocuSign France does not identify any problems with the applicable request, the Certificate and Revocation Code shall be made available by the Registration Authority to the Technical Contact.
8. REVOCATION TERMS
8.1 Revocation by the Technical Contact or Authorized Representative
The Technical Contact or the Authorized Representative shall inform the Registration Authority or its DRA of a Certificate Revocation request as soon as either learns of Revocation Reasons. Revocation Reasons exist and a request for Revocation of the Certificate shall be issued if:
- The security of the Private Key is compromised or reasonably suspected to be compromised;
- An error is identified in the information contained in the Certificate;
- The Registration Authority suspends its business activities or the service corresponding to the Certificate; or
- There is a change of information contained in the certificate.
Revocation may be requested by the Technical Contact or Authorized Representative or the Certification Representative in the following ways:
Notice to the Registration Authority or its DRA during business hours by completing an application for Revocation and following the instructions given by the DRA or RA by email or by telephone; or
Notice from the website using the Revocation Code and Revocation URL.
Revocation requests made available at the web interface are typically performed within 24 hours.
If the Technical Contact or Authorized Representative or the Certification Representative performs a Revocation request from a DRA by any other means, the Revocation request will be considered promptly by DocuSign Customer Service following receipt of the request for Revocation transmitted by the DRA.
The revoked Certificate will be entered in the CRL no later than twenty-four (24) hours following its Revocation.
The Technical Contact acknowledges that if the service contract between the DRA and Registration Authority (or between Registration Authority and Certificate Authority) expires or is terminated, the Technical Contact can revoke its Certificate via the website using its Revocation Code and Revocation URL.
8.2 Revocation by the Certificate Authority, Registration Authority, or Delegated Registration Authority
The CA, RA, or DRA shall immediately submit a request for Revocation upon learning of any of the following Revocation Reasons:
- A failure by the Technical Contact, Certification Representative, or Authorized Representative in observing the information security rules and conditions of the Certificate in accordance with applicable CP and herein;
- Revocation of the CA Certificate, resulting in Revocation of Certificates issued and signed by the CA;
- Certain material adverse impacts to the CA, such as loss of accreditation, bankruptcy, or expiry of corporate entity;
- An error (intentional or unintentional) in the Certificate request file or in the Technical Contact registration process;
- Change of information regarding the identity of the Technical Contact;
- Change to the information on the identity of the application service (Seal Server Identity);
- Failure by the Registration Authority to observe the procedures or the Certification Policy;
- Loss, theft, or compromise (or reasonable suspicion thereof) of the Technical Contact’s Private Key; and
- Changes in key size imposed by Regulation or authorized authorities (national or international).
9. OBLIGATIONS FOR SPECIFIC PARTIES
9.1. Signers. Each Signer (to the Certificate Request) agrees to comply with the provisions of this GTU and the Certification Policy. Each Signer shall also be responsible for:
- Security and confidentiality of the temporary password allowing the signature of the Form;
- Requesting, without delay, Revocation of a Certificate with the DRA when Grounds for Revocation are present;
- Maintaining the confidentiality, integrity, and accessibility of the Revocation code and e-mail containing the Revocation URL;
- Providing true and accurate information in the Certificate Request and in any accompanying documents;
- Verifying the signatures affixed to the forms sent by the DRA and used in Certificate Requests and Revocation;
- Informing the DRA without delay of any changes to the information provided in the Certificate Request and accompanying documents; and
- Complying with Regulation requirements for Seal Server Certificates and obligations applicable to it below.
9.2 Authorized Representative. The Authorized Representative agrees to comply with the provisions of this GTU and the Certification Policy. Each Authorized Representative shall also be responsible for:
- Participating in the Consent Protocol;
- Delegating (at its option) the management of the Key-Pair;
- Securely disposing of each password provided to a Signer in the Certificate Request process;
- Informing the DRA, following receipt of the email from the DRA, of its agreement or refusal to renew a Certificate during a first Certificate renewal;
- Appointing, where necessary, the Certification Representatives and signing Contract of Certification Representative Creation Forms; and
- Alerting the RA or DRA in case of a change of either the Certification Representative or the Technical Contact.
9.3 Certification Representative. The Certification Representative agrees to comply with the provisions of this GTU and the Certification Policy. Each Certification Representative shall also be responsible for:
- Participating in the Consent Protocol;
- Signing the Certification Representative Creation Forms sent from the DRA;
- Transmitting the Certificate Request of the Legal Entity he or she represents;
- Providing justification documents of the Technical Contact in order to obtain a Certificate from the DRA; and
- Alerting the RA or DRA in case of a change of either the Certification Representative or the Technical Contact.
9.4 Technical Contact of the Legal Entity. The Technical Contact agrees to comply with the provisions of this GTU and the Certification Policy. The Technical Contact shall also be responsible for:
- Participating in the Consent Protocol;
- Completing the Form on the Registration Portal, and attaching supporting documents;
- Verifying the truth and accuracy of the information provided as part of a Certificate Request;
- Submitting to the Registration Portal only the Forms that are provided by the Registration Authority or the DRA;
- Generating the Key-Pair and transmitting it within a Certificate Request Form using the Registration Portal; or delegating the management of the Key-Pair to the DocuSign France Technical Contact by indicating this preference in Certificate Request Form;
- Employing all measures necessary to protect the Key-Pair;
- Maintaining the confidentiality, integrity, and accessibility of the Public Key associated with the Public Key;
- Using the Certificate and Public Keys associated in accordance with the stipulations of the article "Use of the Certificate" above and the Certification Policy;
- Requesting, without delay, the Revocation of a Certificate when Revocation Reasons arise, especially in case of theft, disclosure, compromise or suspected compromise of the Public Key of a Certificate. The Technical Contact agrees not to use a Certificate following the later of either a Revocation request or notification of the Revocation of the Certificate; and
- Revoking the Certificate and informing the DRA or RA if the information in the Certificate is no longer truthful or accurate and instructing them not use the related Certificate for any reason.
9.5 Registration Authority. The Registration Authority agrees to comply with the provisions of this GTU and the Certification Policy. The Registration Authority shall also be responsible for:
- Identifying and authenticating the DRA, the Technical Contact’s Legal Entity and, where appropriate, the Certification Representative;
- Registering Certificate Requests for Issuance, Renewal, or Revocation and accepting or rejecting such requests;
- Collecting the CSR from an accepted Certificate Request;
- Managing the Key-Pair with its own Technical Contacts when delegation is requested in the Certificate Request;
- Uploading the Certificate(s) issued on the Devices; and
- Making available or delivering the Certificates to the Technical Contact following appropriate procedure depending on the Certificate type.
9.6. Delegated Registration Authority. The DRA agrees to comply with the provisions of this GTU and the Certification Policy. The DRA shall also be responsible for:
- Appointing and managing the DRA Central Operators in relation to DocuSign France RA services;
- Appointing DRA operators within the DRA’s Legal Entity;
- Registering the Technical Contact(s), whether or not via a Certification Representative (CR) in accordance with the DocuSign France RA’s Certificate Management Procedures;
- Confirming that each Certificate Request is complete before sending the request to the RA (DocuSign France);
- Verifying the identity of the Technical Contact before sending the requests to the RA (DocuSign France);
- Informing the Technical Contact in the event that the relevant service contract between the DRA and RA (or between RA and CA) expires or is terminated; and
- Performing these and any other tasks in accordance with the CA’s Certificate Policy, the CPS, the Certificate Management Procedures, and any applicable agreements or policies (including this GTU) provided by DocuSign France.
9.7 DRA Central Operator. The DRA Central Operator agrees to comply with the provisions of this GTU and the Certification Policy. The DRA Central Operator shall also be responsible for:
- Serving as the primary point of contact in relation to managing the DRA Operators and Technical Contacts’ Certificates.
9.8 DocuSign France. DocuSign France shall:
- Employ reasonable measures to retain the qualifications obtained for the Certificate for the term of the Certificate and this GTU; and
- Assign a Technical Contact, when management of the Key-Pair has been delegated to DocuSign France by the Authorized Representative, and that Technical Contact shall be responsible for generating the Key-Pair and the CSR and transmitting it to the Registration Authority so that it may be integrated into the CSR in the Certificate Request Form.
10. CUSTOMER SERVICE AND THE DRA QUALITY OF SERVICE
Customer service is provided by the Registration Authority, which shall address issues relating to the use of the Certificate. Only the Authorized Representative, the Certification Representative, or the Technical Contact may contact the Registration Authority for customer service. However, if the Technical Contact contracts with a DRA, the DRA shall be the only interface for all customer service matters relating to the Certificates. The Technical Contact shall not contact the Registration Authority after contracting with a DRA. The RA’s customer service hours are described in the Certificate Request Form.
The RA shall provide to either the DRA Central Operator or the Technical Contact, as applicable, a service incident tracking service, with service incidents limited to the on-line revocation capabilities of the Certificates, as well as the OCSP service when signing documents.
11.1 “Confidential Information” means (a) the DocuSign Services and Documentation, including the Private Key associated with the Certificate, the Activation Codes, the Revocation Codes, the temporary signature password for the Signature Web Portal, the software that generates it and all documentation related thereto; (b) any other information disclosed by DocuSign whether in writing or orally that is designated as confidential or proprietary at the time of disclosure to the party receiving the Confidential Information (and, in the case of oral disclosures, summarized in writing within thirty (30) days of the initial disclosure and delivered to the Recipient), or that due to the nature of the information the Recipient would clearly understand it to be Confidential Information of DocuSign. Confidential Information shall not include any information that: (i) was or becomes generally known to the public through no fault or breach of this GTU by the Recipient; (ii) was rightfully in the Recipient’s possession at the time of disclosure without restriction on use or disclosure; (iii) was independently developed by the Recipient without use of the DocuSign Confidential Information; or (iv) was rightfully obtained by the Recipient from a third party not under a duty of confidentiality and without restriction on use or disclosure.
11.2 During and after the term of this GTU for no less than 5 years, a party receiving Confidential Information (“Recipient”) will: (a) use the Confidential Information solely for the purpose for which it is provided; (b) not disclose such Confidential Information to a third party, except on a need-to-know basis to its attorneys, auditors, consultants, and service providers (collectively, “Representatives”) who are under confidentiality obligations at least as restrictive as those contained herein; and (c) protect such Confidential Information from unauthorized use and disclosure to the same extent (but using no less than a reasonable degree of care) that it protects its own Confidential Information of a similar nature.
11.3 Recipient acknowledges that any actual or threatened breach of this Section 11 (Confidentiality) may cause irreparable, non-monetary injury to DocuSign, the extent of which may be difficult to ascertain. Accordingly, DocuSign is entitled to (but not required to) seek injunctive relief in addition to all remedies available at law and/or in equity, to prevent or mitigate any breaches of this GTU or damages that may otherwise result from those breaches. Absent written consent of DocuSign to the disclosure, the Recipient, in the case of a breach of this Section 11 (Confidentiality), has the burden of proving that the DocuSign Confidential Information is not, or is no longer, confidential or a trade secret and that the disclosure does not otherwise violate this Section 11 (Confidentiality).
12. LIMITATIONS ON LIABILITY
DocuSign acts on behalf and in the name of the Registration Authority both as a service provider and as a Certification Authority subject to legal and regulatory obligations as described in the CP. DocuSign's sole liability towards any party to this GTU shall be for direct and foreseeable damages in case of breach of its statutory obligations, provided that the party seeking damages has taken reasonable measures to mitigate its damages. DocuSign’s maximum liability to any party to this GTU shall not exceed 5,000 EUR.
13. FORCE MAJEURE
No party to this GTU shall be liable for any non-fulfillment or delay in the fulfilment of one or more obligations under this GTU due to a case of force majeure as defined under article 1218 of the French civil code.
14. PROTECTION OF PERSONAL DATA
The personal data collected from Users, Authorized Representatives, and CRs during a Certificate Request is processed by computer by DocuSign France and the DRA (where a DRA is used) for the purposes of (a) allowing Users to be authenticated and identified by the DRA, RA and/or the CR, as appropriate; (b) performing the checks required for issuing and, as appropriate, revoking Certificates; and (c) creating the Professional Identity entered in the Certificate. DocuSign France shall employ reasonable and appropriate technical and organizational measures to safeguard the personal data.
Any opposition to the retention of personal data shall prevent the issuance of a Certificate. Personal data is also retained by the Certification Authority, as per the RA request. The RA defines its own personal data retention period.
15. INTELLECTUAL PROPERTY
Each party acknowledges and agrees that DocuSign shall retain all intellectual property rights (patents, registered trademarks and other rights) for the elements comprising the Service as well as the documentation, concepts, techniques, inventions, processes, software or work performed in connection with the Certificates and related Services made available by DocuSign, irrespective of the form, programming language, program medium, or language used. This GTU does not confer on a party any intellectual property right with regard to the Certificates and the related Services.
16. GOVERNING LAW
This GTU and any disputes or claims arising out of or in connection with it or its subject matter or formation are governed by and construed in accordance with the law of France. Each party irrevocably agrees that the commercial courts of Paris shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this GTU or its subject matter or formation. The provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods are expressly excluded and do not apply to this GTU. Any legal action arising under this GTU must be initiated within two years after the cause of action arises.
The waiver by either party of any breach of any provision of this GTU does not waive any other breach. The failure of any party to insist on strict performance of any covenant or obligation in accordance with this GTU will not be a waiver of such party’s right to demand strict compliance in the future, nor will the same be construed as a novation of this GTU.
If any part of this GTU is found to be illegal, unenforceable, or invalid, the remaining portions of this GTU will remain in full force and effect, unless such illegal, unenforceable, or invalid provision was an essential obligation of DocuSign, in which case, this GTU will terminate automatically.
19. MODIFICATION OF GTU
DocuSign shall have the right to change, modify, or amend any portion of this GTU at any time by posting notice of such modifications or otherwise communicating the notification to the parties. The changes will become effective after expiration of the notification period, and shall be deemed accepted by the parties if the parties continue using a Certificate or the Service after such period. In the event that a party does not agree with any such modification, that party may discontinue its use of the Certificates and Service.
The parties to this GTU may not assign their rights or obligations under this GTU without DocuSign France’s prior written consent. Any attempt by a party to transfer its rights or obligations under this GTU, except as described above, will be void.
21. ENTIRE AGREEMENT
This GTU and the CP represent the final, complete, and exclusive expression of the agreement between these parties regarding the applicable subject matter. Except as otherwise provided herein, no modification or amendment of this GTU shall be effective unless it is in writing and signed by an authorized agent of the party against whom the modification or amendment is being asserted. In the event of an inconsistency or conflict between the CP, this GTU, and any other applicable terms, the order of precedence is as follows: (a) the CP; (b) this GTU; (c) other applicable term (e.g. agreements entered into by the Legal Entity and a DocuSign entity).
22. LANGUAGES AND TRANSLATIONS
DocuSign may provide translations of this GTU or other terms or policies. Translations are provided for informational purposes and if there is an inconsistency or conflict between a translation and the French version, the French version will control.