Exhibit D – Country Specific Provisions to Supplier DPA
EXHIBIT D TO THE DATA PROCESSING AGREEMENT FOR SUPPLIERS
COUNTRY SPECIFIC PROVISIONS
These terms form part of the Data Processing Agreement for Suppliers between DocuSign and Supplier.
If Supplier’s Services include transfers of Personal Information from a DocuSign Affiliate located in a country listed in the Processing requirements for specific jurisdictions available below (“Country-Specific Provisions”), then the Processing requirements and terms of the Country-Specific Provisions below will apply to such transfers where:
- the Personal Information is received or accessed by Supplier from the relevant country or jurisdiction; or
- DocuSign notifies Supplier that the Personal Information is subject to the Processing requirements related to the relevant country or jurisdiction.
Terms used in this provision and not otherwise defined in this Agreement have the meaning set forth in the Country-Specific Provisions.
A. The following provisions apply to all transfers of Personal Information where the Personal Information is received or accessed by the Supplier from a DocuSign Affiliate that is located in Australia, or DocuSign notifies the Supplier that the Personal Information is subject to these Processing requirements.
B. For purposes of these Australia-specific provisions, “Sensitive Information” also includes Personal Information about an Individual’s membership in a professional or trade association in addition to the types of information identified in Section 2(g) of the Agreement.
C. The following requirements apply in addition to any Processing requirements in the Agreement.
- Anonymity/Pseudonymity. Where the Supplier is informed that the Data Subject wishes to be dealt with on an anonymous or pseudonymous basis, the Supplier will handle the request in accordance with section 4(f) of the Agreement.
- Note of use or disclosure for enforcement purposes. If the Supplier uses or discloses Personal Information for one or more enforcement activities conducted by, or on behalf of, a Governmental Authority, the Supplier must keep a written record of the use and disclosure and promptly provide a copy of the record to DocuSign, unless such notice is prohibited by law applicable to Supplier.
- Where the Personal Information includes Australian government-related identifiers, the Supplier must not:
3.1 adopt the Australian government-related identifier for an Individual as its own identifier of the Individual unless expressly directed to do so by DocuSign; or
3.2 use or disclose the Australian government-related identifier except where it is reasonably necessary to verify the identity of the Individual, or otherwise where directed to do so by DocuSign.
- Where DocuSign is a contracted service provider to an Australian government entity at the federal, state or territory level, and to the extent DocuSign is bound to comply with additional data protection obligations by virtue of an agreement with the relevant government entity, DocuSign will impose equivalent obligations upon Supplier, as required under applicable Australian law. DocuSign and Supplier agree to enter into additional agreements, if needed, to reflect those obligations.
A. These provisions apply to all transfers of Personal Information controlled by DocuSign in Israel where the Personal Information is received or accessed by the Supplier from a DocuSign Affiliate that is located in Israel, or DocuSign notifies the Supplier that the Personal Information is subject to these Processing requirements:
B. Supplier will comply with the conditions for holding, using, and otherwise Processing Personal Information; namely, Supplier will:
- Maintain an updated list of authorized users and the scope of their authorization.
- Implement a binding instrument (such as an agreement, internal rule or internal policy) that requires authorized users to maintain the confidentiality of the Personal Information and to comply with Data Importer’s instructions regarding the collection, verification, processing, and distribution of Personal Information.
- If Supplier requests information from Individuals as part of the service, Supplier will: (a) provide notice to Individuals; (b) permit Individuals to exercise their rights to access and correct Personal Information relating to them; and (c) except as required by law or for the purpose of defending against a lawsuit, delete Personal Information when the term of the period for provision of Services has expired.
- Keep databases containing Personal Information obtained from DocuSign separate from information obtained from any other third party.
- Appoint a data security officer responsible for Supplier’s compliance with the requirements of this Agreement.
- To the extent provided by DocuSign, comply with DocuSign’s Personal Information security policy.
- Upon termination of the Agreement, erase Personal Information received from DocuSign and certify to DocuSign that it has completed such erasure or other destruction of Personal Information.
C. Supplier will ensure that the Personal Information will not be transferred to a third party, whether in the Supplier’s jurisdiction, or elsewhere, other than to third-party data processors that have executed an agreement with DocuSign.
D. Supplier will comply with the following security obligations to the extent Supplier Processes restricted data. For purposes of this section, “restricted data” means, as applicable, (i) data about a person’s health situation or private matters about his personality; or (ii) data subject to the provisions of section 13(e) of the Protection of Privacy Law, 5741-1981 (the “Law”) (primarily databases related to security, law enforcement, taxation, and money laundering).
- Any print-outs containing restricted data that are distributed by a public body must state on each page that the information contains data protected by law and that unauthorized distribution is a crime.
- Supplier will maintain a list of the persons who have accessed restricted information, and a list of those permitted access to the data (including their identification numbers, access codes and the type of information to which they are permitted access); the access codes must be changed periodically and not less than once every six months or upon a change of employees.
- Supplier will restrict access to backup copies of restricted information.
- Documents and magnetic records used for intermediate processing activities (e.g., portable disks used to upload restricted data to the server) must be burned, shredded or otherwise destroyed.
- Supplier will log atypical events (for example, a computerized removal of a significant volume of restricted data) and maintain the log for three years.
A. The following provisions apply to all transfers and provisions of Personal Information by DocuSign from Japan where the Personal Information is received or accessed by the Supplier from a DocuSign Affiliate that is located in Japan, or DocuSign notifies the Supplier that the Personal Information is subject to these Processing requirements:
- Supplier will appoint and designate a Personal Information protection manager from among its regular employees as the person responsible for handling data.
- Supplier will obtain prior written consent from DocuSign if Supplier discloses or transfers Personal Information to any third party (including any Affiliate) that is not a party to this Agreement.
- Supplier will take necessary and appropriate action for the secure control of Personal Information including preventing the leakage, loss or damage of Personal Information.
- Supplier will exercise necessary and appropriate supervision over its employees who handle Personal Information.
- Supplier will not reproduce or copy Personal Information beyond the minimum scope necessary to provide services.
B. For transfers of Personal Information concerning DocuSign employees, Supplier will take the following additional measures to protect Personal Information relating to employment management as provided by Ministry of Health, Labor and Welfare (“MHLW”) Employment Management Guidelines. Supplier will:
- Ensure that its employees will not divulge or misappropriate the Personal Information learned through their employment.
- Cease Processing and return or appropriately and definitively destroy Personal Information in its possession when it has achieved the purpose for which it was collected.
- Not copy or reproduce Personal Information except for backup purposes.
C. For all transfers and provisions of Personal Information by Supplier to DocuSign from Japan, Supplier agrees to provide DocuSign the circumstances under which Personal Information was acquired by the Supplier.IV. Korea
A. The following provisions apply to all transfers and provisions of Personal Information by DocuSign from Korea where the Personal Information is received or accessed by the Supplier from a DocuSign Affiliate that is located in Korea, or DocuSign notifies the Supplier that the Personal Information is subject to these Processing requirements.
- Supplier will not use or disclose Personal Information for any purpose other than the purposes specified in the Agreement. Supplier will use and disclose Personal Information only in a manner and to the extent permitted in the Agreement and Exhibits.
- Supplier will protect Personal Information in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Supplier will not assign any of its obligations herein without DocuSign’s prior written consent.
- Supplier will take technical and managerial measures to protect Personal Information.
- DocuSign has the right to audit Supplier’s handling of Personal Information and to perform on-site monitoring at Supplier’s premises for the purpose of reviewing Supplier’s processes, standards, and procedures for handling Personal Information. Such audits and on-site monitoring may be made at any time during Supplier’s business hours with DocuSign’s prior notice, and each party shall bear its own costs and expenses related to such audits and/or on-site monitoring. Supplier shall cooperate with all reasonable requests made by DocuSign and make all appropriate preparations for such audits and/or on-site monitoring.
- In the event of breach of any applicable laws or regulations or the security standards by Supplier or its officers, employees or agents, Supplier shall be responsible for any such breach and for any loss, cost, damage, expense (including, without limitation, attorneys’ fees and disbursements), liability, penalty or claim of any nature whatsoever suffered by DocuSign in connection with such breach.
A. The following provisions apply to all transfers of Personal Information by DocuSign from Singapore where the Personal Information is received or accessed by the Supplier from a DocuSign Affiliate that is located in Singapore, or DocuSign notifies the Supplier that the Personal Information is subject to these Processing requirements.
- Supplier will protect Personal Information by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal.
- Supplier will not retain Personal Information transferred by DocuSign (i) any longer than necessary for legal or business purposes; or (ii) as otherwise notified by DocuSign.
- Supplier will transfer Personal Information only to the countries and territories below: United States of America; Singapore.