“Certificate(s)” means an electronic file issued by the CA that attests the link between the Signer Identity and the Public Key of the person associated with the Private Key of the Signer managed by DocuSign. In this case, the term “Certificate” means the qualified certificate, as per definition of European Regulation 2014/910 “eIDAS” (Art 3, definition 15), generated by DocuSign to the benefit of a Signer, and used for electronic signature by that Signer, via the Service, of these GTU and of an eDocument addressed thereto. Each Certificate contains information such as the Signer Identity, the Public Key of the Signer, the term of the Certificate, the identity of the RA, and the signature of the issuing CA. The Signer identity is used to authenticate a natural person only.
“Certification Authority (or CA)” means one of the Trust Service Provider (TSP) authorities generating Certificates under the RA’s request and managing the Certificate lifecycle in accordance with the rules and practices defined in its Certificate Policy. In this case, DocuSign is the CA.
“Certificate Policy(cies) (or CP)” means the set of rules identified by an OID (unique identifier) and published by the CA, describing the general characteristics of the Certificates it delivers. This document describes the obligations and responsibilities of the CA, the RA, the Signer, relying party, and all the TSP components involved in the overall lifecycle of a Certificate. The applicable version of the DocuSign CP can be viewed at the following address: www.docusign.fr/societe/certification-policies, and includes the successive versions published on this site. For the present GTU, applicable OID is 126.96.36.199.4.1.22188.8.131.52.31.
“Consent Protocol” means the procedure according to which You consent to receive a Certificate with the Signer Identity, to accept signing the eDocument via the Service and to accept signing this GTU collected via the DocuSign Signature Application. The Consent Protocol is executed by the Signer within the DocuSign Signature Application.
“Customer(s)” means any legal entity or person(s) authorized as a DocuSign customer to use the Service that delivers an eDocument(s) to be signed to the Signer via the Service. The Customer, as the Registration Authority, has been delegated the responsibility to manage the identity verification of a Signer and of the signature process of the eDocument by a Signer. The Customer, as described herein, is distinguishable from You as the Signer.
“DocuSign Qualified Signature” or the “Service” means DocuSign on-demand electronic signature service, which provides online display, certified delivery, acknowledgement, electronic signature, and storage services for eDocuments via the Internet. The Customer connects itself to the Service in order to produce the eDocuments and present them to Signatories for signature.
“DocuSign Signature Application” means DocuSign, Inc. Transaction service, which provides online eDocument management, Signer’s Identity (first name, last name, email and mobile phone) registration, RA role management, eDocument viewer, creation of COC and connection with the CA in order to ensure the Signer signs the eDocument and the GTU. Only DocuSign Signature Application platforms in Europe are used for the Service.
“eDocument(s)” means any document(s) in electronic form that is deposited by the Customer via the Service and submitted to the Signer via the DocuSign Signature Application in order to be signed by the Signer. The eDocument may also be signed by other signatories and by the Customer.
“Private Key” means a mathematical key, associated with the Public Key that is uniquely contained within a certified remote qualified signature creation device, hosted by DocuSign France, and remotely activated by the Signer to sign eDocuments and related GTU based on a qualified signature according eIDAS regulation.
“Proof File(s)” means a file generated, signed, and time stamped by DocuSign France that contains all the information related to the authentication during Consent Protocol of the Signer and related information of the eDocument to be signed by Signer. A dedicated Proof File is associated to each signed eDocument and GTU in the purpose of proving the validity of the electronic signature in case of legal proceeding. Proof file is only available to the RA on a justified request, only for trial or contest of the signature operation.
“Certificate of Completion (or COC”) means a file generated by the DocuSign Signature Application that contains all the information related to the Signer and the sender of the eDocument, and being the unique identifier of the transaction used to manage the eDocument. A dedicated COC associated to each eDocument, Signer, and sender is generated in order to prove the validity of a Transaction. The COC is sealed by DocuSign, Inc.
“Public Key” means a mathematical key that is made public and is used to verify the electronic signature of an eDocument or GTU signed with a Private Key.
“Registration Authority (or RA)” means the entity approved by and in contractual relationship with the CA, in order to register requests for issuance, renewal, and revocation of Certificates, and to validate or reject them in accordance with the Registration Policy. The RA uses the DocuSign Signature Application to interact with the CA and to manage Signers. In the present GTU the RA is the Customer.
“Registration Policy (or RP)” means the procedures and rules defined and implemented by the Registration Authority in order to identify and authenticate Signers, to verify and to store supporting documents for Signer’s registration and to register requests to issue, renew, and revoke Signer Certificates. The Registration Policy must comply with the requirements of the Certificate Policies related to the management of the Certificate requests, renewal, and revocation.
“Service” means all of the services provided by DocuSign as mentioned under this GTU, and particularly to enable the issuance and use of the Certificate and associated Private Key in order to permit the signature of an eDocument and GTU in accordance with the Consent Protocol.
“Signer(s)” mean(s) any individual who uses the Service in order to sign the eDocument(s) that is prepared by the RA and at the request of the RA presented via the Service thereto after giving his/her/their consent according the Consent Protocol and to whom a Certificate is delivered to that extent by the Service.
“Signer Identity” means the electronic identity built by the RA by using the data defined and collected by the RA from the Signer (e.g., name(s), e-mail address, telephone number). This identity contained in the Certificate permits identifying a Signer. The Signer’s identity is registered and verified by the RA before the signature transaction being performed by the Signer.
“Transaction(s)” mean(s) the performance of a signature process, defined by a set of eDocuments submitted for electronic Signature by one or more Signer(s).
2. PROCEDURE FOR REQUESTING CERTIFICATES VIA THE SERVICE
2.1 You are informed and You accept that DocuSign, following the execution of the Consent Protocol, generates the signature necessary to establish a signed and time-stamped eDocument and a signed and time-stamped GTU.
2.2 And You understand that:
(a) Your Signer identity (Your first name and last name as written on an official government ID) is verified by the RA and then registered in the DocuSign Signature Application.
(b) The information to contact and authenticate You (email, telephone number, or other authentication method that may be allowed) required for the Consent Protocol is verified by the RA and then registered in the DocuSign Signature Application.
(c) An eDocument has been transmitted to DocuSign Signature Application by the RA. eDocument is viewed by You in DocuSign Signature Application before being signed by using the Consent Protocol.
(d) After having verified all Signer information in DocuSign Signature Application, RA shall request from the DocuSign Signature Application to send You an e-mail to invite You to sign the eDocument and the GTU.
(e) Email contains a unique internet address to be used by You to connect to DocuSign Signature Application, view the eDocument and execute the Consent Protocol presented by the Service in order to collect Your acceptation or refusal to sign the eDocument and the GTU (GTU are viewable in the Consent Protocol).
(f) A signing Private Key is uniquely generated and in a secure way assigned to You for the duration of the eDocument and GTU signature transaction. The Private Key is generated, stored and destroyed after the signature transaction in a way that it cannot be used for any other transaction. The activation of the Private Key to sign the eDocument is kept under Your sole control by verification in Consent Protocol of a unique temporary code, generated and sent by SMS on Your mobile phone by DocuSign.
(g) The CA generates and archives a Proof File associated to the signature of the eDocument and GTU. For each eDocument, DocuSign, acting as the CA, shall provide the Customer with the Proof File and the COC in order to permit the Signer to have the proofing elements related to the eDocument signed via the Service. The Proof File contains:
- The reference of the eDocument and GTU presented to the Signer before signature;
- The signature of the eDocument and GTU;
- The date and time of the signature operation;
- The Consent Protocol as executed between the Signer and the CA;
- Registration information used to run Consent Protocol and to fill the Certificate.
(h) DocuSign Signature Application builds and stores the COC. COC can be downloaded with the eDocument by the Signer in DocuSign Signature Application.
(i) Once signed, the eDocument can be downloaded from DocuSign Signature Application by the RA immediately after the signature process. In any case, the signed eDocument and the COC are transmitted to You on Your email after having been signed.
(j) Once signed, the GTU is sent by email to You immediately after the signature process. Used email address is the one indicated in the Consent Protocol.
3. CERTIFICATE ISSUANCE
You must verify the content of the information that is presented to You through the Consent Protocol (primarily Your complete First and Last Name as the Signer to be set in the "subject" field of the Certificate, and also your email address and mobile phone number). In case of any problem during the verification of information process in the Consent Protocol, You shall cancel the signature operation and inform the RA. If You also notice a problem in the Certificate content after issuance, You shall immediately report it to the RA.
4. CERTIFICATE PUBLICATION
The Certificate is not published by the CA or the RA. The Certificate is contained in the signed eDocument and GTU.
5. CERTIFICATE OF VALIDITY
Certificates shall be valid for ten (10) days. Said period shall begin on the date the Certificate is created by the CA. Upon expiry of this Certificate period of validity, the signatures of eDocuments and GTU may be verified with the verification software indicated by the RA (usually Adobe Reader), notably in order to verify that on the eDocument and GTU date of signature, the Certificate was valid.
6. CERTIFICATE TERMS OF REVOCATION
6.1 Revocation at the initiative of the Signer
You may revoke the Certificate by submitting a request to the RA.
The Signer can submit a revocation to the RA in the following cases:
- Your identity information has been filled incorrectly;
- The Certificate corresponding to the private key has been compromised or is suspected to be (e.g., Signer lost his mobile phone and its email box has been hacked);
- The RA failed to comply with its obligations and with the security rules described in the CP and RP.
The Signer will have up to eight (8) days following the issuance of the Certificate to submit to the RA a revocation request. After this eight-day deadline, the Certificate cannot be revoked.
RA shall explain to the Signer the revocation procedure to be applied by the Signer.
The Certificate shall be revoked within twenty-four (24) hours after the request verification date and will be contained in the CRL published by CA. The Signer shall be informed of the Certificate revocation by the RA.
6.2 Revocation at the initiative of the CA
The Certificate shall be revoked immediately by the CA in the event of one of the following circumstances:
The CA is revoked;
- Signer or RA failed to comply with the necessary obligations and security rules defined in the CP and RP and in the present GTU;
- The Certificate corresponding to the Private Key has been or is suspected to be lost or compromised;
- Any other reasons legitimately indicated by the CA.
The concerned Signer shall be informed of the Certificate revocation by RA. RA shall explain to the Signer the revocation procedure to be applied by Signer.
6.3 Revocation at the initiative of the RA
The Certificate shall be revoked immediately by the RA in the event of one of the following circumstances:
Signer identity information has been filled incorrectly;
- The Certificate corresponding to the private key has been compromised or is suspected to be (e.g., Signer lost his mobile phone and its email box has been hacked);
- The RA failed to comply with its obligations and with the security rules described in the CP, the RP and in the present GTU.
The concerned Signer shall be informed of the Certificate revocation by RA. RA gives and explains the revocation procedure to be applied by Signer.
7. EFFECTIVE DATE AND DURATION
The present GTU shall take effect from the Effective Date, coinciding with the Certificate request date and shall apply for a period similar to the life cycle of the Certificates issued for the Signer and shall come to an end on the validity end date of that said Certificate.
8. OBLIGATIONS OF SIGNER
By accepting this GTU, You acknowledge and agree to:
(a) Ensure the security and confidentiality of the temporary code received by SMS which You shall use to sign the eDocument.
(b) If applicable, ensure the security and confidentiality of the login and password provided by RA in order for You to use Your dedicated area in the DocuSign Signature Application.
(c) Verify the content of the Certificate and alert RA in case of issue noticed on such content.
(d) Verify the authenticity and accuracy of the information relative to the Signer Identity presented by DocuSign during the Consent protocol and contained in the Certificate.
(e) Promptly request the revocation of a Certificate to the RA when necessary, and notably in case of theft, disclosure, suspicion of compromise or compromise of his or her means of authentication.
(f) Promptly inform the RA of any change of the information to be set in the Certificates and/or eDocuments.
(g) Promptly inform the RA of any change to the authentication means used by the Signer to receive the temporary code (e.g., Signer’s mobile number) and identity and supporting documents used by the RA in order to verify and register the Signer identity.
(h) Stay informed, via the RA and DocuSign websites, of any changes to Certificate Authority and CRL status.
9. LIMITATIONS OF Liability
DocuSign acts on behalf and in the name of the Registration Authority both as a service provider and as a Certification Authority subject to legal and regulatory obligations. Any liability arising from the use of the Service, including without limitation any liability related to the use of the Public and Private Keys, the Certificates and/or the eDocuments contents shall fall to the Registration Authority and is subject to the terms agreed between You and the Registration Authority.
10. FORCE MAJEURE
Neither party shall be liable for any non-fulfilment or delay in the fulfilment of one or more obligations under this GTU due to a case of force majeure as defined under article 1218 of the French civil code.
11. PROTECTION OF PERSONAL DATA
The personal data is collected from the Signer by Customer, acting as RA, and is processed by the Customer for the sole purposes of (a) authentication and identification of the Signer, (b) creation of the Signer Identity filled in on the Certificate and (c) authentication of the Signer during the Consent Protocol. Your personal data is stored in the DocuSign Signature Application for the sole purposes of (i) creation of the Signer Identity filled in on the Certificate and (ii) authentication of the Signer during the Consent Protocol. Your personal data can be also stored in the RA system (e.g., a copy of your official government ID).
Any opposition to the retention of Your personal data shall prevent the issuance of a Certificate. Your personal data is also retained by the Certification Authority, as per the RA’s request. The RA defines its own personal data retention period, depending on the legal requirements in regard to the eDocuments. Personal data is contained in the COC, DocuSign Signature Application, RA system and Proof File.
Personal data is stored by:
- The CA in the Proof File for a proper term, based on the legal and regulatory requirements, and in order notably to ensure the Service’s continuity and to provide any proof required in case of dispute.
- The RA for a proper term necessary for the Signer’s use of the Service and fixed by the RA based on the legal and regulatory requirements as regard to its own domain of activity relating to the RA Registration Policy including COC; DocuSign Signature Application and RA system.
12. INTELLECTUAL PROPERTY
You acknowledge and agree that DocuSign shall retain all intellectual property rights (patents, registered trademarks and other rights) for the elements comprising the Service as well as the documentation, concepts, techniques, inventions, processes, software or work performed in connection with the Certificates and related Services made available by DocuSign, irrespective of the form, programming language, program medium or language used. This GTU does not confer to You and/or Customer any intellectual property right with regard to the Certificates and the related Services.
13. GOVERNING LAW
This GTU and any disputes or claims arising out of or in connection with it or its subject matter or formation are governed by and construed in accordance with the law of France. The French courts as identified by the applicable rules for jurisdiction where a consumer is a party to a dispute shall have exclusive authority to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation.
14. CUSTOMER SUPPORT
The Customer is responsible to provide You the technical support that could be necessary and to deal with any request in this respect.
The waiver by either party of any breach of any provision of this GTU does not waive any other breach. The failure of any party to insist on strict performance of any covenant or obligation in accordance with this GTU will not be a waiver of such party’s right to demand strict compliance in the future, nor will the same be construed as a novation of this GTU.
If any part of this GTU is found to be illegal, unenforceable, or invalid, the remaining portions of this GTU will remain in full force and effect, unless such unenforceable or illegal provision was an essential obligation of DocuSign, in which case, these GTU will terminate automatically.
17. MODIFICATION OF GTU
DocuSign shall have the right, to change, modify, or amend any portion of this GTU at any time by posting sufficient prior notification on the DocuSign website or otherwise communicating the notification to You to the sole extent that it implies a substantial modification of the GTU. The changes will become effective after expiration of the notification period, and shall be deemed accepted by You if You continue using the Service after such period. In the event that You do not agree with any such modification, You shall discontinue Your use of EU Qualified Signature.
18. ENTIRE AGREEMENT
This GTU, which includes the language and paragraphs preceding Section 1, is the final, complete, and exclusive expression of the agreement between these parties regarding the EU Qualified Signature provided under this GTU. This GTU supersedes, and the parties disclaim any reliance on, all previous oral and written communications (including any confidentiality agreements pertaining to EU Qualified Signature under this GTU, representations, proposals, understandings, and negotiations with respect to the matter hereof) and apply to the exclusion of any other terms that You seek to impose or incorporate, or which are implied by trade, custom, practice or course of dealing.
19. LANGUAGES AND TRANSLATIONS
DocuSign may provide translations of this GTU or other terms or policies. Translations are provided for informational purposes and if there is an inconsistency or conflict between a translation and the French version, the French version will control.