Exhibit A – Security Standards to Supplier DPA
EXHIBIT A TO THE DATA PROCESSING AGREEMENT FOR SUPPLIERS – SECURITY STANDARDS
1. APPLICABILITY. These terms form part of the Data Processing Agreement for Suppliers and, if applicable, the Standard Contractual Clauses between DocuSign and Supplier.
2. DEFINITIONS.
“Applicable Laws and Regulations” means any applicable data protection, privacy, or information security laws, codes, and regulations, or other binding restrictions governing the Processing of DocuSign Data, including Personal Data, that are applicable to or required by the jurisdiction in which Supplier or its affiliates, partners, or contractors are located.
“Security Breach” means (i) a compromise of Supplier’s systems in which DocuSign Data has been accessed or acquired by one or more unauthorized parties or where Supplier or DocuSign reasonably suspects that such a breach of security may have occurred or (ii) any other unlawful or unauthorized access, acquisition, use, or disclosure of DocuSign Data.
“DocuSign Data” means data or information (regardless of form, e.g. electronic, paper, etc.) that is:
(a) “Confidential Information,” as defined in the Agreement but which, in any event, includes all information that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure; and
(b) “Personal Data,” which is any information provided by DocuSign to Supplier that relates to an identified or identifiable individual; an identifiable individual is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing,” “Processes,” or “Process” means any operation or set of operations which is performed upon DocuSign Data, whether by automatic means or not, including but not limited to collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Subcontractor” means a third party that Supplier has engaged to perform all or a portion of the Services on behalf of Supplier.
“Supplier Personnel” means all employees, agents, independent contractors, or subcontractors of Supplier.
3. INFORMATION SECURITY PROGRAM. Supplier will implement, maintain, and monitor a comprehensive written information security program that (i) is designed to protect DocuSign Data against anticipated threats or hazards to its confidentiality, integrity, or availability (e.g. unauthorized access, collection, use, copying, modification, disposal, or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage, or any other form of unauthorized Processing); and (ii) contains appropriate administrative, technical, and physical safeguards (“Information Security Program”). The safeguards will meet or exceed each applicable third-party security assurance standard, such as ISO 27001, SSAE 18, SOC 2, ISAE 3402. The Information Security Program shall be designed and implemented to:
(a) Prevent unauthorized persons from gaining physical access to DocuSign Data Processing systems (e.g. physical access controls);
(b) Prevent DocuSign Data Processing systems from being used without authorization (e.g. logical access control);
(c) Ensure that Supplier Personnel gain access only to such DocuSign Data as they are entitled to access (e.g. in accordance with their access rights) and that, in the course of Processing or use and after storage, DocuSign Data cannot be read, copied, modified, or deleted without authorization (e.g. data access controls);
(d) Ensure that DocuSign Data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of DocuSign Data by means of data transmission facilities can be established and verified (e.g. data transfer controls);
(e) Ensure the establishment of an audit trail to document whether and by whom DocuSign Data has been accessed, modified, or removed from DocuSign Data Processing (e.g. entry controls);
(f) Ensure that DocuSign Data is Processed solely in accordance with DocuSign’s instructions (e.g. control of instructions);
(g) Ensure that DocuSign Data is protected against accidental destruction or loss (e.g. availability controls);
(h) Ensure that DocuSign Data collected for different purposes can be Processed separately (e.g. separation controls);
(i) Ensure that DocuSign Data maintained or processed for different customers is Processed in logically separate locations (e.g. data segregation);
(j) Ensure that all systems that Process DocuSign Data are subject to a secure software development lifecycle; and
(k) Ensure that all systems that Process DocuSign Data are the subject of a vulnerability management program that includes, without limitation, internal and external vulnerability scanning with risk-rated findings and formal remediation plans to address any identified vulnerabilities.
4. PHYSICAL SECURITY
(a) Supplier will maintain commercially reasonable security systems at all Supplier sites at which an information system that uses or stores DocuSign Data is located (“Processing Locations”) and will reasonably restrict access to such Processing Locations.
(b) Data Centers. In addition to the requirements above for any Processing Location, for a data center (“Data Center”), meaning any Processing Location that primarily contains electronic equipment used to process, store, and transmit digital information, Supplier will prevent unauthorized access through enhanced physical security measures, including at a minimum 24x7 onsite staff, biometric scanning, and security camera monitoring. Supplier will regularly audit the physical security of its Data Center(s) using an independent firm.
5. ORGANIZATIONAL SECURITY. Supplier will maintain information security policies and procedures addressing:
(a) Data Disposal. Procedures for the disposal or reuse of media have been implemented to prevent any subsequent retrieval of DocuSign Data stored on the media before they are withdrawn from Supplier’s inventory or control.
(b) Data Minimization. Procedures have been implemented for when media leave the premises at which the files are located as a result of maintenance operations, to prevent undue retrieval of DocuSign Data stored on the media.
(c) Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
(d) Incident Response. All DocuSign Data security incidents are managed in accordance with appropriate incident response procedures.
(e) Encryption. All DocuSign Data is stored and transmitted using industry-standard encryption mechanisms and strong cipher suites (AES with 256-bit keys is recommended).
6. NETWORK SECURITY
(a) Supplier will maintain information security policies and procedures addressing network security.
(b) Supplier will secure its networks employing a defense-in-depth approach that utilizes commercially available equipment and industry-standard techniques, including without limitation firewalls, intrusion detection systems, access control lists, and routing protocols.
7. LOGICAL SECURITY
(a) Supplier will govern access to information systems that Process DocuSign Data.
(b) Supplier will ensure that only authorized Supplier staff can grant, modify, or revoke access to an information system that Processes DocuSign Data.
(c) Supplier will implement user administration procedures that are used by Supplier to: (i) define user roles and their privileges; (ii) govern how access is granted, changed, and terminated; (iii) address appropriate segregation of duties; and (iv) define the requirements and mechanisms for logging/monitoring.
(d) Supplier will ensure that all Supplier Personnel are assigned unique User IDs.
(e) Supplier will ensure that access rights are implemented adhering to the “least privilege” approach.
(f) Supplier will implement commercially reasonable physical and technical safeguards to create and protect passwords.
8. PERSONNEL AND SUBCONTRACTORS
(a) Supplier Personnel. If Supplier or its Personnel or Subcontractors are on DocuSign’s premises, Supplier agrees to comply with all instructions given by DocuSign and with DocuSign’s then-current access rules and procedures, including, without limitation, those rules and procedures pertaining to safety, information technology systems, security, and confidentiality. Supplier shall be solely responsible for ensuring that Supplier Personnel are appropriate to perform the Services and Supplier agrees to promptly replace any Supplier Personnel that DocuSign reasonably identifies as not satisfactory with alternative personnel of sufficient skill, training, and experience to fill the position.
(b) Subcontractors. Supplier will maintain a security process to conduct appropriate due diligence prior to utilizing Subcontractors to provide the Services, provided Supplier will seek DocuSign’s prior written approval for any subcontractors Processing Personal Data. Subject to this Section, notice to DocuSign of at least fourteen (14) days in advance of each instance, and DocuSign’s written consent, Supplier may subcontract all or any part of the performance of the Services to be provided to DocuSign hereunder to a Subcontractor. If Supplier utilizes Subcontractors, Supplier will be responsible for the acts and omissions of such Subcontractors hereunder as if it had performed the acts or omissions itself, and a permitted subcontracting will not in any way reduce Supplier’s obligations to DocuSign under the Agreement. In addition, Supplier will retain suitable Subcontractors who are capable of maintaining the security and confidentiality of DocuSign Data as required under the Agreement. Supplier will conduct reasonable due diligence and security assessments of the Subcontractors who will have access to DocuSign Data. Supplier will have a written agreement with its Subcontractors, and such subcontracting agreement will: (i) hold the Subcontractors to the same duties and obligations as those contained in the Agreement, including confidentiality, data protection, and security obligations; and (ii) include a provision whereby DocuSign has no obligations to the Subcontractors, and the Subcontractor has no rights or remedies against DocuSign.
(c) Background Checks. Prior to assigning any Supplier Personnel or contractors to positions in which they will, or Supplier or DocuSign reasonably expects them to, have access to DocuSign Data, Supplier will conduct background checks on such Supplier Personnel, except where expressly prohibited by law. DocuSign reserves the right, in certain circumstances and at its sole and absolute discretion, to conduct its own background check on all Supplier Personnel at DocuSign’s expense and Supplier agrees to ensure that all such Supplier Personnel agree to, cooperate with, and submit to DocuSign’s background check and any other DocuSign security and credentialing requirements (collectively, the “DocuSign Background Check”). For the avoidance of doubt, such DocuSign Background Check does not eliminate Supplier’s responsibility to perform a background check as set forth above. DocuSign reserves the right, in its sole and absolute discretion, to prohibit Supplier Personnel from providing any Services if such Supplier Personnel do not pass the DocuSign Background Check, Supplier’s background check, or if DocuSign learns information that it considers would adversely affect such Supplier Personnel’s suitability to perform Services, in which case DocuSign will promptly advise Supplier and remove such Supplier Personnel from performing Services. Supplier Personnel providing the Services must display all appropriate credentials at DocuSign events or on DocuSign sites. If Supplier Personnel do not display the appropriate credentials, DocuSign may refuse to give such Supplier Personnel access to DocuSign events, DocuSign sites, or access to any DocuSign information system or DocuSign Data.
9. BUSINESS CONTINUITY AND DISASTER RECOVERY. Supplier shall maintain a robust business continuity management program that meets the needs of the business and services provided to DocuSign, including crisis management, business continuity, and disaster recovery planning. Supplier shall test and update its business continuity and disaster recovery plans regularly to ensure that they are up to date and effective.
10. INCIDENT RESPONSE AND BREACH NOTIFICATION
(a) Supplier will maintain an incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of any impairment to the security of DocuSign Data (e.g. a Security Breach). Upon discovering or otherwise becoming aware of a Security Breach, Supplier shall take all reasonable measures to mitigate the harmful effects of the Breach. Supplier shall also immediately notify DocuSign of the Breach, unless otherwise prohibited by Applicable Laws and Regulations, but in no event later than twenty-four (24) hours after the Breach. Unless prohibited by applicable law, Supplier will provide periodic updates relating to the investigation and resolution of the Security Breach to DocuSign until it has been resolved, and upon reasonable request, cooperate with DocuSign in investigating such Security Breach, including providing reasonably requested information regarding the nature, details, investigation, or resolution thereof.
(b) Upon DocuSign’s request, Supplier will permit DocuSign or its designee to review and verify records, systems, sites, access logs, and data pertaining to any Security Breach investigation.
(c) Where applicable law requires notice to data subjects whose data was improperly disclosed or accessed, or imposes other required remedial actions, Supplier will bear the cost of the legally required actions and notices to data subjects and government entities, and will bear the cost of related actions that are in accordance with prevailing industry best practices, including credit monitoring services and establishing a call center to respond to inquiries from data subjects, as reasonably required by DocuSign.
11. AUDITS AND ASSESSMENTS
(a) Upon written request by DocuSign, Supplier will (i) provide DocuSign with Supplier’s most recent AICPA Service Organization Control (SOC) 2 Type 2 report (or the equivalent successor thereto) (“SOC Reports”), and (ii) engage a third-party audit firm to conduct regular vulnerability and penetration testing of the Supplier network that contains DocuSign Data, and shall, upon DocuSign’s request, provide a copy of the summary results to DocuSign.
(b) Supplier agrees that, not more than once annually, DocuSign or an auditor selected by DocuSign may perform, at DocuSign’s expense, an on-site security audit of Supplier’s facilities and systems that it uses for the Processing of DocuSign Data under the Agreement, in order to confirm Supplier’s compliance with the terms of the Agreement, and Applicable Laws and Regulations. Supplier will ensure that adequate steps are taken to address breaches of the Agreement identified during such an audit. In the event that noncompliance cannot be promptly remedied, DocuSign will have the right to terminate the Agreement, in accordance with the applicable terms of the Agreement.