Exhibit A – Security Standards to Supplier DPA
EXHIBIT A TO THE DATA PROCESSING AGREEMENT FOR SUPPLIERS: SECURITY STANDARDS
These terms form part of the Data Processing Agreement for Suppliers and, if applicable, the Standard Contractual Clauses between DocuSign and Supplier.
1. Supplier has agreed to employ appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Information (as defined in the Data Processing Agreement) (“Information Security Program”) and against accidental loss or destruction of, or damage to, Personal Information.
2. Supplier’s Information Security Program shall include specific security requirements for its personnel and all subcontractors, suppliers, or agents who have access to DocuSign Information (“Data Personnel”). Supplier’s security requirements shall cover the following areas:
A. Information Security Policies and Standards
i. Supplier will maintain information security policies, standards and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store DocuSign Information. These policies, standards, and procedures shall be designed and implemented to:
a. Prevent unauthorized persons from gaining physical access to Personal Data Processing systems (e.g. physical access controls);
b. Prevent Personal Data Processing systems from being used without authorization (e.g. logical access control);
c. Ensure that Data Personnel gain access only to such Personal Data as they are entitled to access (e.g. in accordance with their access rights) and that, in the course of Processing or use and after storage, DocuSign Information cannot be read, copied, modified or deleted without authorization (e.g. data access controls);
d. Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of DocuSign Information by means of data transmission facilities can be established and verified (e.g. data transfer controls);
e. Ensure the establishment of an audit trail to document whether and by whom Personal Data has been entered into, modified in, or removed from Personal Data Processing (e.g. entry controls);
f. Ensure that Personal Data is Processed solely in accordance with DocuSign’s Instructions (e.g. control of instructions);
g. Ensure that DocuSign Information is protected against accidental destruction or loss (e.g. availability controls);
h. Ensure that Personal Data collected for different purposes can be Processed separately (e.g. separation controls);
i. Ensure that Personal Data maintained or processed for different customers is Processed in logically separate locations (e.g. data segregation);
j. Ensure that all systems that Process DocuSign Information are subject to a secure software developmental lifecycle; and
k. Ensure that all systems that Process DocuSign Information are the subject of a vulnerability management program that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities.
B. Physical Security
i. General. Supplier will maintain commercially reasonable security systems at all Supplier sites at which an information system that uses or stores DocuSign Information is located (“Processing Locations”) and will reasonably restrict access to such Processing Locations.
ii. Data Centers. In addition to the requirements above for any Processing Location, for a data center (“Data Center”), meaning any Processing Location that is a facility primarily containing electronic equipment used to process, store, and transmit digital information, Supplier will prevent unauthorized access through enhanced physical security measures, including at a minimum, 24x7 onsite staff, biometric scanning, and security camera monitoring. Supplier will regularly audit the physical security of its Data Center(s) using an independent firm.
C. Organizational Security
i. Supplier will maintain information security policies and procedures addressing:
a. Data Disposal. Procedures for when media are to be disposed of or reused have been implemented to prevent any subsequent retrieval of any DocuSign Information stored on media before they are withdrawn from the Supplier’s inventory or control.
b. Data Minimization. Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of Personal Data stored on media.
c. Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
d. Incident Response. All Personal Data security incidents are managed in accordance with appropriate incident response procedures.
e. Encryption. All DocuSign Information is stored and transmitted using industry standard encryption mechanisms and strong cipher suites (AES 256-bit is recommended).
D. Network Security
i. Supplier maintains information security policies and procedures addressing network security.
ii. Supplier secures its networks employing a defense-in-depth approach that utilizes commercially available equipment and industry standard techniques, including without limitation firewalls, intrusion detection systems, access control lists, and routing protocols.
E. Access Control (Governance)
i. Supplier governs access to information systems that Process DocuSign Information.
ii. Only authorized Supplier staff can grant, modify or revoke access to an information system that Processes DocuSign Information.
iii. User administration procedures are used by Supplier to: (i) define user roles and their privileges; (ii) govern how access is granted, changed, and terminated; (iii) address appropriate segregation of duties; and (iv) define the requirements and mechanisms for logging/monitoring.
iv. All Data Personnel are assigned unique User IDs.
v. Access rights are implemented adhering to the “least privilege” approach.
vi. Supplier implements commercially reasonable physical and technical safeguards to create and protect passwords.
F. Virus and Malware Controls
i. Supplier protects DocuSign Information from malicious code and will install and maintain anti-virus and malware protection software on any system that handles DocuSign Information.
G. Personnel Security
i. Supplier has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and security incident reporting.
ii. Supplier has clearly defined roles and responsibilities for employees.
iii. Prospective employees are screened, including background checks for Data Personnel or individuals supporting DocuSign’s technical environment or infrastructure, before employment and the terms and conditions of employment are applied appropriately.
iv. Data Personnel strictly follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
v. Supplier shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Personal Data.
H. Business Continuity
i. Supplier implements disaster recovery and business resumption plans. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective.