DATA PROTECTION ATTACHMENT for SPRINGCM
Service Attachment version date: March 4, 2019
This Data Protection Attachment for SpringCM (“DPA”) is incorporated into and made part of the Service Schedule for SpringCM (https://www.docusign.com/company/terms-and-conditions/schedule-springcm) and governs the Processing of Personal Data by DocuSign as a Processor on behalf of Customer or Customer Affiliates, as applicable. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Agreement.
General. The terms “Personal Data,” “Personal Data Breach,” “Process/Processing,” “Controller,” “Processor,” and “Data Subject” have the meanings ascribed to them under the General Data Protection Regulation; provided that the term “Personal Data” as used herein only applies to Personal Data for which DocuSign is a Processor.
“EEA” means the European Economic Area.
“General Data Protection Regulation” or “the GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Subprocessor” means a third-party Processor engaged by DocuSign to Process Personal Data as a sub-processor.
“Standard Contractual Clauses” or “SCC” means the standard contractual clauses for the transfer of personal data from the EEA to third countries (controller to processor transfers) set out in European Commission Decision 2010/87/EU and which are hereby incorporated into this DPA. For the purposes of the Standard Contractual Clauses, (a) Customer shall be the 'data exporter' and DocuSign the 'data importer' (even if DocuSign is an entity located outside the EEA); (b) Exhibit 1 to this DPA shall take the place of Appendix 1 of the SCC; (c) the security terms of the Agreement and/or security attachment to the applicable Service Schedule shall take the place of Appendix 2 of the SCC.
2. DATA PROCESSING AND PROTECTION OF PERSONAL DATA.
2.1. Scope of Data Processing. The duration of the Processing of Personal Data will be the same as the duration of the Agreement, except as otherwise agreed to in writing by the parties. The subject matter of the Processing of Personal Data is set out in the Agreement and this DPA. The nature and purpose of the Processing of Personal Data involve the provision of SpringCM to Customer, as set out in the Agreement and this DPA.
2.2. Data Processing Limitations. With respect to Personal Data Processed by DocuSign or DocuSign Affiliate as a Processor on behalf of Customer or Customer Affiliate or as a Subprocessor where Customer Processes such Personal Data on behalf of its customers (or both), DocuSign will: (a) Process Personal Data only as necessary to provide SpringCM in accordance with the terms of the Agreement or as instructed by Customer in writing, including in electronic form, and consistent with the terms of the Agreement; and (b) not disclose Personal Data to third parties except: (i) to employees, service providers, or advisers who have a need to know the Personal Data and are under confidentiality obligations at least as restrictive as those described under this DPA, or (ii) as required to comply with valid legal process in accordance with the terms of the Agreement. If DocuSign has reason to believe Customer’s instructions infringe the GDPR or other EEA data protection provisions, then DocuSign will immediately notify Customer.
2.3. Assistance to Customer and Regulatory Investigation. Upon written request, DocuSign will provide reasonable assistance and information to Customer in fulfilling any regulatory obligations that Customer may have regarding data protection impact assessments, data and systems inventory, records of Processing, and related consultations of data protection authorities, or in the event of an investigation by any governmental authorities, if and to the extent that such investigation relates to Personal Data Processed by DocuSign in accordance with the Agreement. Such assistance will be at Customer’s sole expense, except where such an investigation was required due to DocuSign’s failure to act in accordance with the Agreement.
2.4. Transfers of Personal Data from EEA. In providing SpringCM, DocuSign may transfer and access Personal Data to and from countries where DocuSign has operations or Subprocessors, or as otherwise required by applicable law.
2.4.1. The parties will rely on the Standard Contractual Clauses as the data transfer mechanism ensuring adequate protection for Personal Data, and both the SCC and the additional terms in this DPA will apply to DocuSign’s Processing of Personal Data on Customer’s behalf as a data processor in providing SpringCM, where such Personal Data is: (i) subject to any restriction under the GDPR or other applicable EEA data protection laws regarding outbound transfers of Personal Data, and (ii) Processed by DocuSign in a country outside of the EEA. In the event of any conflict or inconsistency between the SCC and this DPA, the SCC shall govern. DocuSign will at all times remain solely liable to Customer or Customer Affiliate for DocuSign’s obligations (and those of its Affiliates, if applicable) under this DPA, and in no event will any other DocuSign Affiliate owe liability to Customer or Customer Affiliate under this DPA, except where and to the extent required by applicable law.
2.4.2. DocuSign reserves the right to amend or replace the data transfer mechanisms referred to in Section 2.4.1 with a different data transfer mechanism that has been approved by the European Commission as providing adequate protection for Personal Data. In the event that DocuSign elects to rely on another transfer mechanism, DocuSign shall notify Customer of such new mechanism.
3. CUSTOMER RESPONSIBILITIES. Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities of SpringCM that Customer may elect to use and that it will do so in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data. DocuSign will be entitled to rely solely on Customer or Customer Affiliate’s instructions relating to Personal Data Processed by DocuSign. Customer is responsible for coordinating all communication with DocuSign under this DPA, including, without limitation, any communication in relation to this DPA on behalf of its Affiliates.
4. INFORMATION SECURITY. DocuSign will safeguard Personal Data with appropriate technical, physical, and organizational measures as described more fully in the applicable Service Schedule for the provision of SpringCM. The parties agree that the audit reports and audit rights provided under the Service Schedule will be used to satisfy any audit or inspection requests by or on behalf of Customer and to demonstrate compliance with applicable obligations of DocuSign under this DPA.
5. PERSONAL DATA BREACH. DocuSign will notify Customer without undue delay if DocuSign becomes aware of a Personal Data Breach affecting the Personal Data. Taking into account the nature of Processing and the information available to DocuSign and in accordance with the Agreement, DocuSign will assist Customer at Customer’s request in complying with Customer’s notification obligations regarding Personal Data Breaches as required by the GDPR.
6. DATA PRIVACY CONTACT. DocuSign’s data privacy officer can be reached at the following address:
Attn: Chief Privacy Officer
221 Main Street, Suite 1000
San Francisco, CA 94105
7. DATA SUBJECT RIGHTS – ACCESS, CORRECTION, RESTRICTION, AND DELETION. Taking into account the nature of the Processing, SpringCM provides functionality to assist Customer by appropriate technical and organizational measures, insofar as this is possible, to access, correct, amend, restrict, or delete Personal Data contained in SpringCM to address requests by a Data Subject under the GDPR. To the extent Customer, in its use of SpringCM, is not familiar with SpringCM functionality that may be used for these purposes, DocuSign will provide Customer with additional Documentation or customer support assistance to educate the Customer on how to take such actions in a manner consistent with the functionality of SpringCM and in accordance with the terms of the Agreement. If DocuSign receives any request from any Data Subject to access, correct, restrict, or delete Personal Data, DocuSign will advise such Data Subject to submit its request to Customer and Customer will be responsible for responding to any such request using the functionality of SpringCM.
8. SUBPROCESSORS. DocuSign may engage Subprocessors to provide parts of SpringCM, subject to the restrictions of the Agreement and this DPA. DocuSign will ensure that Subprocessors Process Personal Data only in accordance with the terms of this DPA and that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required by this DPA. DocuSign will provide notice to Customer of any new Subprocessors engaged by DocuSign for the delivery of SpringCM by updating the appropriate DocuSign website made available to Customer. Within thirty (30) days of such notice, Customer may object to the involvement of such Subprocessors in the delivery of SpringCM by providing written notice of its objection to DocuSign. In the event the objection is reasonable, and DocuSign is unable to provide a commercially reasonable alternative to avoid the Processing of Personal Data by the new Subprocessor, Customer may, as its sole and exclusive remedy, terminate any SpringCM service to which the Processing applies in accordance with the terms of the Agreement.
9. RETURN OR DISPOSAL. Prior to termination or expiration of the Agreement for any reason, Customer may retrieve Personal Data processed by SpringCM in accordance with the terms of the Agreement, and at Customer’s request provided in writing to DocuSign, DocuSign will promptly return or delete Personal Data from SpringCM, unless applicable law requires storage of the Personal Data.
EXHIBIT 1 – DESCRIPTION OF PROCESSING
The Customer identified under the Agreement.
DocuSign, Inc. is a provider of enterprise cloud computing solutions for digital transaction management.
Data exporter may submit through electronic transfer Personal Data to the applicable SpringCM service, the extent of which is determined and controlled by the data exporter in its sole discretion. Some examples of Data Subjects could be the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers.
Categories of data
Data exporter may submit through electronic transfer Personal Data to the applicable SpringCM service, the extent of which is determined and controlled by the data exporter in its sole discretion. Some examples of Personal Data could be: personal details, contact details, family details, lifestyle and social circumstances, financial or payment details, employment information, marketing information, data analytics, images or video, technical identifiers.
Special categories of data
Personal Data may be processed upon the instruction of the data exporter, to the extent inputted into SpringCM by the data exporter or contained within the data exporter’s documents, in accordance with the terms of the Agreement, and in connection with the data importer making available to data exporter the SpringCM service.