SERVICE SCHEDULE for DOCUSIGN PROTECT & SIGN ADVANCED SIGNATURE
Service Schedule revision date: March 15, 2018. Unless otherwise defined in this Service Schedule, capitalized terms will have the meaning given to them in the Agreement.
“Archiving Policy” means all legal, functional, operational, technical, and security rules the Customer must establish, implement, and comply with to ensure the reliability of the Proof Files (conservation period, accessibility of archives, procedures for restoration, destruction etc.).
“Archiving Service” means the DocuSign services for the archiving of Proof Files during the Archive Period.
“Certification Authority (or CA)” means the entity issuing the Electronic Certificates to the Customer pursuant to the rules and practices that the Certification Authority has established in its Certification Policy.
“Certificate Revocation List (CRL)” means the list digitally signed by a CA containing the identities of Certificates that are no longer valid.
“Certification Policy” means the set of rules published by the CA, and describing the general characteristics of the Certificates that it issues. A Certificate Policy describes the obligations and responsibilities of the CA, the RA, Signers, Certificate requesters, and any other PKI component involved in the management of a Certificate lifecycle. The Certificate Policy(ies) of DocuSign France and its(their) successive update(s) can be accessed on DocuSign France’s website, https://www.docusign.fr/societe/politiques-de-certifications, and are an integral part of this Agreement.
“Customer Application” means the software or technology owned and controlled by the Customer and made available to third party end-users for the purpose of offering the Service.
“Customer Connector” means the software that connects the Customer Application to the applicable Protect & Sign Service.
“Delegated Registration Authority (DRA)” means any entity expressly designated by the RA (Customer) in order to perform all or part of the RA tasks in accordance with the applicable Certification Policy and Registration Policy.
“Electronic Certificate” or “Certificate” means an electronic file issued by the Certification Authority and attesting to the link between an identity and the Public Key of the person holding the Certificate. In this case, the term "Certificate" means the Certificate generated by DocuSign on behalf of a Signer, and used for the electronic signature by that Signer, via the Service, of an eDocument addressed to it by an Authorized User. Each Certificate contains information, such as Signer Identity, Signer's public key, Certificate lifetime, and the signature of the CA issuing it.
“Private Key” means the secret electronic data intended for the Customer, associated with the Certificate and managed by DocuSign in order to create Personal Signatures.
“Proof File” means the information and data associated with the eDocument to: (i) validate that the eDocument has been electronically signed (using Personal Signature); and (ii) detect whether the content of such eDocument has been tampered with or otherwise modified.
“Protect & Sign Service” or “Service” refers to the Protect & Sign Personal Signature.
“Protect & Sign Personal Signature” means the on-demand DocuSign Service for generating DocuSign Advanced Electronic Signatures on eDocuments and to prepare Proof Files relating to transactions through Customer’s Application.
“Public Key Infrastructure (PKI)” means the infrastructure required to produce, distribute, manage, and archive keys, Certificates, and CRL, as well as the basis on which the Certificates and the CRL must be published.
“Registration Policy” means the procedures and rules defined and introduced by the Registration Authority to identify and authenticate Users, verify and keep the Users' proof of registration, and register the issue, renewal, and revocation of Certificates. The Registration Authority is the Customer.
“Signer(s)” means any individual who signs the eDocument(s) presented thereto after giving consent in accordance with the Service consent protocol.
“Time-stamps” means the time-stamp tokens affixed to Proof Files and further described at https://www.docusign.fr/societe/politiques-de-certifications.
2. CUSTOMER RESPONSIBILITIES
2.1 Customer Application and Connector. Customer is responsible for: (i) configuring Customer’s Applications; (ii) integrating the Customer Connector and technical key pairs of the Customer Connector; and (iii) the security of the connection between the Customer Connector and the Customer Applications that are required to access the Protect & Sign Service.
The Customer must also ensure, during the installation of the Service, protection, confidentiality, and security of the environment that will safeguard the Private Keys used by the Customer Connector.
In this regard, the Customer shall be solely liable for any damaging consequences that may result from the use, by a third party having received disclosure, by any means whatsoever, of Private Keys and Customer Certificate enabling access to the Service.
2.2 Production Launch Testing and Validation. Customer acknowledges that the use of the Protect & Sign Service is subject to a DocuSign-specified testing and validation process.
The production launch of the Service will be completed within fifteen (15) business days of receipt of the production launch document, duly completed and signed by the Customer.
Upon completion of the production launch of the Service, since DocuSign does not have access to the Service via the Customer's environment, the Customer undertakes to carefully monitor the first signatures made with the Service platform in order to confirm to DocuSign that the production launch is operational. Failing this, DocuSign shall not be responsible for the malfunctioning of the Service in the Customer's environment.
2.3 Restrictions on Use. During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to submit eDocuments to the Service. The right to use the Service is limited to Authorized Users, and Customer may not resell or otherwise provide or assist with the provision of the Service for the benefit of another party or as a part of a service Customer offers to third parties or as a sublicensed or service bureau arrangement.
3. DOCUSIGN RESPONSIBILITIES
3.1 Electronic Certification. DocuSign will ensure the proper functioning of the PKI components as further described in the Certification Policy. Customer is solely responsible for managing Certificates issued through the Protect & Sign Service and must comply with the Certification Policy for each such Certificate.
3.2 Service for providing the Protect & Sign Personal Signature. Unless otherwise set forth on the applicable Order Form, DocuSign agrees that the Protect & Sign Personal Signature service will perform the following functions:
- affix DocuSign Signatures to eDocuments electronically signed using the Protect & Sign Personal Signature service;
- create Proof Files of such DocuSign Signatures;
- send Proof Files of such DocuSign Signatures to the Electronic Archiving Service as designated by Customer (if subscribed by the Customer); and
- enable the viewing of Personal Signature Proof Files.
3.3 Electronic Archiving Service. If Customer purchases the Electronic Archiving Service under the applicable Order Form, DocuSign will make available a secure storage environment for Customer’s use for archiving Proof Files created as part of the Customer’s use of the Protect & Sign Service. The Proof Files will be archived for a period of ten (10) years from their receipt by the Electronic Archiving Service, unless their return is explicitly requested by the Customer (“Archiving Period”). Upon expiration of the Archiving Period, Customer will have sixty (60) days to notify DocuSign of its intent to extend the Archiving Period (subject to a written agreement between the Parties) or request that DocuSign return their Proof Files. In the event this Agreement expires or is terminated prior to the expiration of the Archiving Period, DocuSign will continue to maintain the Electronic Archiving Service for the duration of the Archiving Period for any eDocuments archived prior to the expiration or termination of the Agreement.
Unless otherwise requested by the Customer in accordance with the stipulations of section 3.4, DocuSign is not authorized to access the archived Proof Files.
3.4 Physical Copies of Proof Files. If Customer purchases the Electronic Archiving Service through DocuSign, Customer may request (as an additional service for an additional fee) DocuSign to provide physical copies of Proof Files generated through the Protect & Sign Service and archived by DocuSign. Upon such request, DocuSign will de-archive the nominated Proof File(s), extract and print the underlying eDocument(s), and affix a stamp certifying that the printed eDocument is the one signed and archived through the Service.
3.5 Deletion of Proof Files. Unless otherwise set forth on the applicable Order Form and except if Customer has purchased the Electronic Archiving Service, DocuSign will delete Proof Files generated by the Protect & Sign Service after 10 days.
4. ADDITIONAL RESTRICTIONS AND OBLIGATIONS
4.1 Size Limitations. Customer acknowledges that eDocuments submitted to the Protect & Sign Service may not exceed seven hundred and fifty kilobytes (750 KB) each.
4.2 Additional Conditions for Protect & Sign Personal Signature. The Customer must ensure that each Authorized User complies with the terms and conditions of this Agreement, including compliance with the Certification Policy. Customer must ensure that each Authorized User uses the Private Keys and Certificates solely for the purposes authorized under the applicable Certification Policy and in accordance with applicable laws and regulations. Customer is solely responsible for providing Authorized Users with the Proof File, secured Envelope, or the eDocument.
Customer must make each Authorized User aware, in advance, of the conditions and consequences of using the Service.
Customer must inform Authorized Users of the requirements of the Certification Policy applicable to them as referenced above, as well as the internal procedures it has implemented. Moreover, Customer must inform them that the use of their Private Keys and Certificates must be limited exclusively to the purposes authorized under the applicable Certification Policy and in accordance with current laws and regulations.
4.3 Appointment as Registration Authority. For Protect & Sign Personal Signature, DocuSign appoints Customer as a Registration Authority (RA), and Customer hereby accepts such duties and responsibilities. In this capacity, Customer can designate a DRA and Customer shall implement procedures to: (a) identify and authenticate Authorized Users as required under Article 26 of eIDAS; (b) validate the accuracy of information in requests prior to submitting requests for Certificates for Authorized Users (“User Certificates”) to the CA via a Customer Connector; and (c) protect all identity and authentication data provided by Authorized Users in this process. Customer will develop a Registration Policy that will at minimum detail the responsibilities and procedures for an RA set forth in this Service Schedule, that includes but is not limited to its identification and authentication requirements under Article 26 of eIDAS, in a manner reasonably designed to meet the obligations set forth hereunder. Customer, as a Registration Authority, shall:
- allow DocuSign or its nominee to audit all aspects of Customer’s use of Protect & Sign Personal Signature, including as it relates to Customer’s obligations under this Agreement, issuance of User Certificates, and appointment as a Registration Authority;
- comply with its Registration Policy and provide written proof to DocuSign, or any accredited auditing body appointed by DocuSign, to verify the compliance of the RA and/or DRA with its Registration Policy procedures and communicate the requested information to DocuSign;
- coordinate and manage User Certificate requests;
- identify and authenticate Authorized Users prior to establishing and sending User Certificates to the CA via a Customer Connector;
- retain for at least five (5) years the User's registration file (proof of identity of the User) and the proof file;
- identify and authenticate the DRA;
- ensure the DRA complies with the Certification Policy and Registration Policy in accordance with a signed contract between Customer and the DRA;
- prepare and transmit User Certificates to the CA; and
- protect the confidentiality and integrity of information relating to Authorized Users’ personal information.
4.4 Onsite Audit of Customer. DocuSign, in its capacity as CA, is responsible for auditing and monitoring the Customer, and, as an RA and Signature Authority, for verifying compliance with the Certification Policy applicable to User Certificates and all related procedures that must be formally recognized and implemented by the Customer in line with this Schedule.
To this end, DocuSign may carry out or ask an auditor selected by DocuSign to carry out, on an annual basis, a compliance assessment on the premises of the Customer. In order to do this, DocuSign will provide the Customer with fifteen (15) days’ advance notice. This audit will cover a sampling of DRA and DRA operators designated by the Customer to complete all or part of the RA missions assigned to it under this Schedule.
The object of this audit will be based on the following aspects:
- The management by the Customer of Private Keys and Customer Certificates used for the Customer Connector;
- The use and the implementation of the Customer Connector by the Customer and the interconnection with the Customer Application;
- The use and implementation of the Customer Connector by the Customer;
- Where applicable, the connection between the Customer Application and those of the DRA;
- The digital and physical protection of the environment where the Customer Connector is stored and the Customer Application (and that of the DRA, where applicable);
- The management of identification and authentication information of Authorized Users by the Customer;
- Authentication and identification of Authorized Users by the Customer during the completion of a transaction with the Authorized User and the Protocol for approval;
- The management of documents presented and made available by the Authorized User with regards to Signature workflow;
- The recovery of identities of Authorized Users and their transmission to DocuSign via the Customer Connector;
- The conditions for access and use of the Archiving Service for the recovery of the Proof Files;
- The control of the DRA by the Customer (where the Customer has designated the DRA) using the Registration Policy and the agreement between the Customer and the DRA; and
- The requirements imposed on the DRA in relation to the Authorized User authentication and identification procedures, and the secure transmission of Authorized Users’ identifying information to the Customer by the DRA.
In the case of a major noncompliance found during the audit process, the Customer shall rectify it immediately. Failing rectification within the time limit set by DocuSign, the Service may be suspended by DocuSign until fully rectified, in which case the Customer may not allege any breach by DocuSign of its contractual obligations nor claim any compensation.
If Customer or the DRA violates or is suspected to violate its duties as a Registration Authority, or if a certification organization or a governmental body makes the request expressly in writing, DocuSign may audit, at any time and without prior notice, at the premises of the RA and the DRA to assess any potential noncompliance with the Agreement and the applicable Certification Policy.
5. DOCUSIGN WARRANTIES
5.1 Protect & Sign Personal Signature Warranties. DocuSign represents and warrants that when operated in accordance with the Documentation:
- the Electronic Signatures generated by the Protect & Sign Personal Signature service are admissible in accordance with article 1366 of the French Civil Code; provided however only insofar as: (i) the signatory is clearly identified in the User Certificate and based on the identification elements sent by the Customer in its capacity as a Registration Authority; and (ii) the User Certificate is established and stored under conditions likely to ensure the integrity (formation of a Proof File signed and time-stamped by DocuSign and archived in accordance with section 3.3 of this Schedule) and to the extent the Electronic Signature is linked with the eDocument;
- the Electronic Signature generated by the Protect & Sign Personal Signature Service meets the definition of “advanced” level under European Directive 1999/93 and EU Regulation no. 910/2014 (eIDAS); and
- DocuSign is a Trust Service Provider under the definition of eIDAS in the context of the provision of the Service.
Upon the expiration or termination of this Service Schedule for any reason, Customer shall promptly return to DocuSign, as of the expiry and/or effective termination date, any Documentation made available by DocuSign for the performance of this Service Schedule and any copies of any nature stored in any medium, including a digital medium, or, if applicable and if expressly requested by DocuSign, destroy the Documentation and any copies made in any medium.