SERVICE SCHEDULE for TIME-STAMPING
Service Schedule revision date: September 29, 2017. Unless otherwise defined in this Service Schedule, capitalized terms will have the meaning given to them in the Agreement.
“Archiving Service” means a service for the archiving of the Time-Stamping Tokens.
“Authentication Certificate” means a certificate provided by DocuSign to the Customer and used to connect to the Service.
“Certification Authority (or CA)” means the entity issuing the electronic Certificates to the TSUs managed by the Time-Stamping Authority. The issuance of these Certificates is done pursuant to the rules and practices the Certification Authority has established in its Certification Policy.
“Certification Policy (or CP)” means the set of rules published by an OID (Object Identifier), and describing the general characteristics of the TSU Certificates that the TSCA delivers. A Certification Policy describes the obligations and responsibilities of the TSCA, the TSA, Signers, Certificate requesters, and any other PKI component involved in the management of a TSU Certificate lifecycle.
“Certificate Revocation List (CRL)” means the list digitally signed by a TSCA containing the identities of TSU Certificates that are no longer valid.
“Customer Application” means the software or technology owned and controlled by the Customer and used by them to complete their Time-Stamping Token Requests made to the Time-Stamping Authority. The Customer Application is the exclusive responsibility of the Customer.
“Customer Connector” means the software that connects the Customer Application to the applicable Time-Stamping Service.
“Digital Fingerprint” (or “Hash”) means a sequence of alphanumeric characters of a set length representing the content of a message without revealing it, produced by a hash algorithm, and used to create a digital signature. This one-way encryption algorithm means that even the slightest modification to the original message would result in the modification of the digital fingerprint obtained by the hash algorithm. The digital fingerprint is designed to authenticate a message and/or verify the identity of its author.
“Private Key” means the secret electronic data used for the Customer, associated with the Time-Stamping Certificate and managed by DocuSign.
“Production Center” means the physical and secure computer environment (software and hardware) of DocuSign for the production and management of the Authentication Certificates and Time-Stamping Tokens.
“Public Key” means a mathematical key publicly disclosed and used when implementing a cryptographic user application access protocol.
“Public Key Infrastructure (PKI)” means the infrastructure required to produce, distribute, manage, and archive keys, certificates, and the CRL, as well as the basis on which the certificates and the CRL must be published.
“Time-stamps” means the time-stamp tokens further described at https://www.docusign.fr/societe/certification-policies.
“Time-Stamping Authority” (or “TSA”) means the entity that generates and delivers the Time-Stamping Tokens and is responsible for the application of at least one Time-Stamping Policy. In the context of the Agreement, the Time-Stamping Authority designates DocuSign France and is established in France.
“Time-Stamping Certification Authority” (or “TSCA”) means the entity issuing and delivering Electronic Certificates to the Time-Stamping Units implemented by the Time-Stamping Authority. The TSCA also manages the list of certificates revoked from Time-Stamping Units. The TSCA applies its Certification Policy for managing Time-Stamping Unit (TSU) certificates.
“Time-Stamping Policy” (or “TSP”) means all rules, identified by an OID and published on the DocuSign France website, defining the requirements that a Time-Stamping Authority must comply with for generating Time-Stamping Tokens. The TSP and any subsequent updates form an integral part of this Service Schedule. The Time-Stamping Service shall be operated by DocuSign from its Production Center in accordance with the applicable TSP.
“Time-Stamping Service” or “Service” means all services provided by DocuSign necessary for generating and managing Time-Stamping Tokens.
“Time-Stamping Token(s)” means data signed by the TSA that links a Digital Fingerprint of electronic data to a date and time, in any given instant. The Time-Stamping Token is electronically signed by a Time-Stamping Unit and delivered in the RFC 3161 format. It makes it possible to establish proof that the Digital Fingerprint existed at the date and time featured in the Time-Stamping Token. A Time-Stamping Token also includes the identifier of the Time-Stamping Unit (TSU) Certificate, the OID of the TSP used, a unique identifier, and the representation of the information to be time-stamped.
“Time-Stamping Tokens Request” or “Request” means a request for generating a Time-Stamping Token made by the Customer Application through the Time-Stamping Authority of DocuSign using a secure interface. This Request contains at least the Digital Fingerprint to be time-stamped.
“Time-Stamping Unit (TSU) Certificate” or “Certificate” means an electronic file delivered by the Time-Stamping Certification Authority certifying the link between an identity associated with an Authorized User and the Public Key of the (natural or legal) person owning the Certificate. In the context of this Service Schedule the TSU Certificates are used to create the Time-Stamping Tokens requested by the Customer Application.
“UTC” means the designation of the timescale related to the second as defined in the ITU-R Recommendation TF.460-5 [TF.460-5] “Standard-Frequency and Time-signal emissions.”
2. CUSTOMER RESPONSIBILITIES
2.1 Customer Application and Connector. Customer is responsible for: (i) configuring Customer’s Applications; (ii) integrating the Customer Connector and technical key pairs of the Customer Connector; and (iii) the security of the connection between the Customer Connector and the Customer Applications that are required to access the Time-Stamping Service.
2.2 Production Launch Testing and Validation. Customer acknowledges that the use of the Time-Stamping Service is subject to a DocuSign-specified testing and validation process.
2.3 Transmission of Time-Stamping Token Requests. Customer will forward to DocuSign, via its Customer Application and the URL for access to the Service, a Time-Stamping Token Request matching a Digital Fingerprint for the electronic documents or data to be time-stamped. It is up to the Customer, before making any request, to calculate the Digital Fingerprint of the electronic data they wish to time-stamp using the Service.
2.4 Conditions for using the Service.
Under the terms of this Service Schedule, the Customer shall:
- Comply with the stipulations of DocuSign’s Time-Stamping Policy, this Service Schedule, and the Agreement;
- Identify Authorized Users who submit Time-Stamping Token Requests to the TSA via their Customer Applications;
- Complete or arrange for the calculation of the Digital Fingerprint of the electronic data and documents they wish to have time-stamped, and indicate in the Time-Stamping Tokens the Hash algorithm it has used to calculate the Digital Fingerprint;
- Guarantee completeness and accuracy of the information contained in the Time-Stamping Token Request and comply with the format for Time-Stamping Token Requests required under the applicable TSP;
- Safeguard the security, integrity, and confidentiality of authentication data required for the transmission of Time-Stamping Token Requests to the Service;
- Verify the following when obtaining a Time-Stamping Token: (i) the signature of the Time-Stamping Token; (ii) the date and time contained in the Time-Stamping Token; (iii) the validity of the TSU Certificate enabling the time-stamping of the Digital Fingerprint, while ensuring that the TSU Certificate has not been revoked and that it has been delivered by the TSCA; (iv) the date on which the Time-Stamping Token was issued falls within the certificate validity period of the TSU issuing the Time-Stamping Token; and (v) the Time-Stamping Token is prior to any possible revocation of the certificate of the TSU that has issued the Time-Stamping Token.
- Be responsible for the identification of Customer Applications and Time-Stamping Token Users as part of the Service. No verification of identification data is carried out by DocuSign. Consequently, DocuSign refuses any liability with respect to the accuracy of identification details provided by the Customer.
- Be responsible for the proper functioning (failure, error, incompatibility, etc.) of Customer’s hardware and software, and of Customer’s IT environment, to the extent that DocuSign will not be held liable for any consequences due to the installation, through fault or negligence, of any software packages, software, or operating systems not compatible with the Service.
- Continue to have sole responsibility for any information required for the configuration of the Service.
- Be responsible for all hardware and software Customer uses, as well as the related risks, and Customer has sole responsibility for damage caused to themselves, Customer’s employees, or third parties, including consequences that may be due to a malfunction in the Service, if such malfunctions may be attributed to the components provided by the Customer. The Customer also remains solely responsible for any use of the Service and any resulting damage.
- Be responsible for managing Authentication Certificates issued through the Time-Stamping Service and must comply with the Certification Policy for each such Certificate.
2.5 Restrictions on Use. During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to submit Time-Stamping Token Requests to the Service. The right to use the Service is limited to Authorized Users, and Customer may not resell or otherwise provide or assist with the provision of the Service for the benefit of another party or as a part of a service Customer offers to third parties or as a sublicensed or service bureau arrangement.
3. DOCUSIGN RESPONSIBILITIES
3.1 DocuSign shall provide the Time-Stamping Service in accordance with the provisions stipulated herein and the Time-Stamping Policy of DocuSign.
3.2 DocuSign is responsible for: (i) the synchronization of the TSA clock with UTC time; (ii) the integrity and the return of Digital Fingerprints transmitted by the Customer; and (iii) publication of the CRL.
3.3 Electronic Certification. DocuSign will ensure the proper functioning of the PKI components as further described in the Certification Policy and TSP.
3.4 Time-Stamping. Unless otherwise set forth on the applicable Order Form, DocuSign agrees that the Time-Stamping Service will perform the following functions:
- The authentication of Time-Stamping Token Requests using Authentication Certificates;
- The generation and the signature of Time-Stamping Tokens using a TSU, on the Digital Fingerprint transmitted by the Customer’s user application, in line with the Time-Stamping Policy and the related TSPD; and
- The management of the life-cycle of TSU Certificates used for generating, signing and verifying Time-Stamping Tokens.
3.5 Generating and signing Time-Stamping Tokens. Upon receipt of the Time-Stamping Token Request from the DocuSign Production Center, the Time-Stamping Authority will generate the Time-Stamping Token required for the Digital Fingerprint transmitted by the Customer, by applying an electronic signature using a Time-Stamping Unit. DocuSign agrees that the Time-Stamping Token generated will be compliant with the atomic clock (UTC) to within 1 second.
3.6 Synchronization of the TSU clock with UTC time. The synchronization of the TSU clock is maintained in such a way that it cannot deviate from the declared accuracy. Similarly, DocuSign warrants that the synchronization of the TSU clock is maintained when a leap second is programmed. However, in the case where a de-synchronization with UTC time is reported, DocuSign will immediately proceed to suspend the Service in order to reset the synchronization. DocuSign shall undertake to provide information in the event of loss of calibration potentially affecting the Time-Stamping Tokens.
3.7 Time-Stamping Archiving Service. Time-Stamping Tokens will be archived by the Customer with the stipulation that DocuSign will not retain a copy of the Time-Stamping Token, although it will keep secure logs of its Time-Stamping Service.
3.8 Time-Stamping Authority. DocuSign, in its role as TSA, will not be held liable in case of validation and use of a Time-Stamping Token with cryptography no longer considered as valid by the ANSSI (Cf. [ANSSI_ALGO]). The TSA issues Time-Stamping Tokens that are valid at the time of issue, from a cryptographic perspective in relation to the ANSSI standard. The TSA follows the recommendations made by the ANSSI in only issuing Time-Stamping Tokens for which the validation of certificates and signatures is based on cryptographic parameters and algorithms that are in line with the ANSSI standard. However, as attacks evolve, the reference standards evolve accordingly.
4. ADDITIONAL RESTRICTIONS AND OBLIGATIONS
4.1 Validity and operational period of Time-Stamping Tokens. All Time-Stamping Tokens are considered valid once issued by DocuSign’s TSA, on the stipulation that the validity of the Time-Stamping Token is linked with the validity of the Time-Stamping Unit that has signed the Time-Stamping Token.
4.2 Conservation of TSA audit files. The TSA keeps the audit files of its Time-Stamping Service for a period of five (5) years from the expiry of the TSU certificate that has generated the Time-Stamping Token.
4.3 Technical Contact. The Customer must appoint a technical contact who will sign the requests for an Authentication Certificate and Customer Connectors, and who may, in turn, appoint a replacement technical contact person unless otherwise indicated by the Customer. Customer undertakes to preserve and protect the integrity, availability, and confidentiality of Private Keys under its control and shall be solely liable for any unauthorized use, access, or disclosure of the Private Keys and Customer Certificate while under the control of Customer.
4.4 Additional Conditions for Customer’s Use of Time-Stamping. The Customer must ensure that each Authorized User complies with the terms and conditions of this Agreement, including compliance with the Certification Policy. Customer must ensure that each Authorized User uses the Private Keys and Authentication Certificates solely for the purposes authorized under the applicable Certification Policy and in accordance with applicable laws and regulations and this Agreement.
- Customer shall be solely liable for any damaging consequences that may result from use by a third-party having received disclosure, by any means whatsoever, of Private Keys and Authentication Certificates;
- Customer shall be solely responsible for the physical and logical security of access to the Service and for any consequences or actions which may result from unauthorized use of the Service by a third party resulting from a security fault of the Customer;
- Customer shall immediately inform DocuSign in writing of any misuse or unauthorized use of the Service and the Time-Stamping Token, and any attempted security breach which may result from it; and
- DocuSign is not responsible for the content, form, adequacy, accuracy, authenticity, forgery, or the legal effect of data and information transmitted as part of Time-Stamping Token Requests, particularly Digital Fingerprints signed and time-stamped using the Time-Stamping Service.
5. DOCUSIGN WARRANTIES
5.1 Time-Stamping Warranties. DocuSign represents and warrants that when operated in accordance with the Documentation:
- The requests for time-stamping tokens are made as part of the Time-Stamping Service in accordance with the RFC 3161 protocol. This compliance is related to the format of the Time-Stamping Tokens produced and the interfacing mode used to request the Time-Stamping Tokens;
- DocuSign provides a first-class time-stamping service. The security measures required to host this service confer a high level of security that DocuSign undertakes to maintain.
The warranties mentioned in this Service Schedule are exclusive of any other warranties, whether express or implied, particularly including warranties of adaptation to a specific use.
6. TERMINATION. Upon the expiration or termination of this Service Schedule for any reason, Customer shall promptly return to DocuSign, as of the expiry and/or effective termination date, any Documentation made available by DocuSign for the performance of this Service Schedule and any copies of any nature stored in any medium, including a digital medium, or, if applicable and if expressly requested by DocuSign, destroy the Documentation and any copies made in any medium.