Skip to main content

Docusign Digital Signature Service Attachment

Version Date: November 18, 2025

Unless otherwise defined in this Digital Signature Attachment (the “Service Attachment”), capitalized terms will have the meaning given to them in the Agreement. 

This Service Attachment outlines provisions required for the delivery of the Digital Signature (“Digital Signature Services”) noted in Sections 3 through 7 below. The Digital Signature Services are provided to Customer via Docusign eSignature and are jointly referred to as “Services” or separately as a “Service” in this Service Attachment. 

1. DEFINITIONS 

“EU Advanced Electronic Signature” (or “AES”) means Advanced Electronic Signature as defined in Article 3(11) and Article 26 eIDAS.

"Certificate(s)” means a certificate for electronic signature generated to confirm the link between Signer’s Identity and Electronic Signature Creation Data (as defined in eIDAS article 3 point 13). 

“Certification Authority” (or “CA”) means the technical Certificate generation and management service of the TSP that generates and manages Certificates in accordance with the rules and practices defined in the applicable Certificate Policy(ies). The technical Certificate generation and management service of DSF, acting as CA for the relevant Services is listed below and as set forth on the DocuSign website referred to in the definition of CP:

  • QES: “Docusign Premium Cloud Signing CA - G2”

  • AES: “Docusign Cloud Signing CA - G2”

“Certificate of Completion” means the record of a Transaction created using the Service.

“Certificate Policy(ies)” (or “CP”) means the set of security rules for the TSP defining the characteristics of Certificates as well as the terms and conditions applying to the management of their life cycles. They are identified by unique OID identification numbers and published by the TSP. DocuSign’s Certificate Policy(ies) and any successive updates are available at: https://www.docusign.com/fr-fr/societe/certification-policies. According to the relevant service, the following OID identifiers apply:

  • QES :1.3.6.1.4.1.22234.2.14.3.45

  • AES : 1.3.6.1.4.1.22234.2.14.3.41

Certificate Revocation List” (or “CRL”) means the list of invalid Certificates that have been revoked. CRLs are issued every 24 hours, valid for 6 days, and are digitally signed by the CA that issued the Certificates in the list.  

“Customer Verification” means configuration for Signer Identification set by the Customer that a) deviates from the settings established by the IDV Service or the Identity Provider; or b) validates the identity of a Signer when the IDV Service or the Identity Provider has rejected a Signer Identification.

“Delegated Registration Authority” (or “DRA”) means any entity expressly designated by the RA to perform all or part of the RA’s tasks in accordance with the applicable RP.

Digital Signature” means digital signatures which are not AES or QES, as those terms are defined herein.

“Docusign France” (or “DSF”) means Docusign France SAS which is a TSP providing one or more trust services either as a non-qualified or a qualified TSP and that meets the applicable requirements including those published by European Telecommunications Standards Institute (ETSI) and ANSSI.

“Docusign ID Verification” (or the “IDV Service”) means the Docusign Service that provides identification verification services to parties executing eDocuments. Specifically, the IDV Service allows a Customer to verify Signer Identity of a Signer prior to Signer executing an eDocument.

“eIDAS” means Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.  

“ID Document” (or “ID”) means a passport, national identity card, residence permit, or driving license for purposes of the relevant Service. 

“ID Evidence” means an optional DocuSign service that allows Customer to store in DocuSign eSignature Signer Information collected via IDV Service based on selection made by Customer. Regarding deletion and access point of view such information shall be stored and managed like eDocuments. Customer can export such information from DocuSign eSignature in PDF format sealed by DocuSign.

“Identity Provider(s)” (or “IDP”) means the third-party service authorized to confirm the Signer’s Identity filled by sender or Signer in Docusign eSignature by performing its authentication process as part of the IDV Service. IDP may also collect some Signer Information to be stored in the ID Evidence based on Customer choice and IDP capabilities.

“Proof File(s)” means a file generated, sealed and time-stamped by the TSP that contains information related to the signature generated by the relevant Service. A dedicated Proof File is associated with each signed eDocument proving the validity of the electronic signature. Proof File shall only be available to Customer’s availing of the services at 1.1 below and only in the event of a justified request relating to the trial or contest of the signature operation. 

Qualified Electronic Signature” (or “QES”) means qualified electronic signature as defined in Article 3(12) eIDAS.

“Registration Authority” (or “RA”) means the legal entity in a contractual relationship with the CA to collect Signer Information, verify Signer Information used to create Signer Identity, transmit Signer Identity and some Signer Information to CA for Certificate issuance and signature creation and store the Signer Information as a proof of Signer identification. The RA shall perform its obligations in accordance with its RP. 

“Registration Policy” (or “RP”) means the procedures and rules defined and implemented by the RA to perform its obligations as defined in this Service Attachment.

“Security Incident” means any event, compromising from security point of view the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems and affecting (i) the Service and/or (ii) Signer’s data, that may result in a loss of integrity, security, confidentiality, availability and/or proof in the Service, including the Signer identification made by RA, Signer revocation requests made by Signer or Customer, Personal Data storage in Docusign eSignature and the Docusign eSignature and Signer signing. 

“Signer” means the person signing the eDocument which has been sent by the Customer. 

“Signer Identity” is the name officially recorded on the Signer’s ID. It cannot be an alias or a pseudonym. It shall be composed of at least one first name and one last name as stated on the Signer’s ID.

“Signer Information” means any Signer’s Personal Data that is collected by Customer either through the Service or IDV Service (or both services together) for the purpose of confirming the Signer Identity and contacting the Signer. Such data may include a government-issued ID (e.g., a passport), ID issued to a Signer by a bank or national authority (e.g., an electronic ID) and/or name, email address and mobile phone number.

“Supervisory Body” means the French Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), the supervisory body of DSF.

“Transaction(s)” means the performance of an electronic signature on eDocument uploaded in Docusign eSignature by Customer or its Authorized Users.

“TSP” means Trust Service Provider. 

“Third-Party TSP” means a Trust Service Provider other than DSF.

2. QUALIFIED ELECTRONIC SIGNATURE (QES) 

There is one option in which Signers can leverage qualified Certificates to apply a Qualified Electronic Signature using the Docusign Services: 

2.1 Docusign France as a qualified TSP, acting as CA and RA providing the Certificate, with Docusign IDV

(a) Docusign enables signing via Docusign France which is a Certification Authority by issuing Signer with a qualified Certificate after an identification verification by the RA so that Signer may apply a Qualified Electronic Signature. 

(b) The IDP used by DSF is an IDP, certified by ANSSI, a partner integrated into the offering.

(c) Customer acknowledges and agrees that:

(i) Docusign is authorized to act as an agent for and on behalf of Docusign France for the purpose of contracting with Customer.

(ii) Docusign France can only issue a Certificate following ID verification performed by an IDP. 

(iii) Docusign France is the entity providing the actual delivery of any Qualified Electronic Signature and Certificates. 

(iv) In its capacity as CA, Docusign France shall create a Proof Files to be retained for regulatory purposes for 7 years and 10 days. 

(v) Customer and Signer cannot request deletion or modification to the Proof File as it is an audit proof for the TSP. 

(vi) Proof Files may contain at least the following data: First name, last name, ID serial number, ID issuing state, ID type and validity period, and Signer date of birth extracted from the ID used by Signer, email and mobile phone number of Signer, as collected and transmitted by the Identity Provider(s) and IP address. 

(vii) Docusign makes no representation or warranty regarding the validity or authenticity of any Signer Identification processed as part of the transaction between Signer and Customer using the IDV Service and disclaims all liability regarding the accuracy of any Signer Identification.

(viii) Customer shall securely store and archive the Certificates of Completion for Transactions leveraging this offering at least 5 (five) years. 

(ix) The IDP interface constitutes Third Party Services and is subject to certain technical limitations and/or requirements including, but not limited to, the languages used, minimum system and connectivity requirements to use the IDP’s services, and the ID supported by the RA’s system. 

3. ADVANCED ELECTRONIC SIGNATURE (AES) There are two options in which Signers may apply an Advanced Electronic Signature using the Docusign Services: 

3.1 DSF as TSP acting as CA issuing the Certificate with Docusign IDV Service as the RA

(a) For this Service the CA is DSF which issues Certificate to the Signer to enable AES after an identity verification check has been performed by IDP selected by Customer or by Signer using Docusign IDV Service.

(b) TSP shall make commercially reasonable efforts to verify that the IDP meets the applicable requirements within the IDV service.

(c) Customer acknowledges and agrees that: 

(i) DS shall make commercially reasonable efforts to verify each Signer’s name against the result of identification of the Signer performed by IDP within the Service.

(ii) To deliver the Services, the TSP shall create proof and retain them for regulatory purposes for 5 years. Customer and Signer are not allowed to request deletion or modification to the proof as it is an audit proof for the TSP.

(iii) The IDP interface constitutes Third Party Services and is subject to certain technical limitations and/or requirements including, but not limited to, the languages used, minimum system and connectivity requirements to use the IDP’s services, and the ID supported by the RA’s system. 

(iv) DocuSign ID Verification is associated with the optional ID Evidence service that could be used to securely record (with an equivalent level of security as eDocuments) some Signer’s Information collected by the IDP(s). Customer shall decide whether to use ID Evidence and select the type of Signer’s Information it desires to record as a proof of Signer Identification.

(v) Customer shall, prior to the use of this Service, purchase the DocuSign ID Verification service. Customer may configure the DocuSign ID Verification with the country(ies) and type of IDP(s), according to type of IDV service it desires to use or not to identify the Signer. Customer can also enable or disable the Customer Verification.

(vi) In instances of Customer Verification applied on one or several Transactions, sections 2.2 shall apply for those Transactions.

3.2 DSF as TSP acting as CA issuing the Certificate with Customer as the RA

(a) DSF acts as the TSP and issues the Certificate to the Signer enabling the AES only after the Customer verifies the Signer’s identity in its capacity as RA. 

(b) Customer acknowledges and agrees that it cannot act as RA until it successfully passes an audit conducted by Docusign verifying the following: (i) Customer’s processes for proper identity verification; (ii) Customer’s mechanism for provisioning and blocking admin or users; and (iii) any other reasonable technical matters required by Docusign. 

(c) Customer acknowledges and agrees that Docusign may conduct such audit on a periodic basis throughout the Term if there is a reasonable basis for the audit, including Customer acts or omissions which would prejudice DSF’s position as a TSP.

(d) Customer shall act as RA and accepts the responsibilities set forth herein. Customer shall develop a RP that will at a minimum detail the responsibilities and procedures for RA set forth in this Service Attachment including its identification and authentication requirements under Article 26 eIDAS in a manner reasonably designed to meet the obligations in the Agreement. In this capacity, Customer shall implement procedures to: 

(i) identify and authenticate Signers as required under Article 26 eIDAS;

(ii) validate the accuracy of the information in requests prior to submitting Signer Certificate requests to CA via the Service; and 

(iii) protect Signer Identity and Signer Information provided by Signers in this process. 

(e) In its capacity as RA, Customer shall:

(i) comply with all applicable laws and standards (such as technical specification ETSI TS 119 461 or ETSI 319 411), its RP and provide written proof to DSF, Docusign, or any accredited auditing body appointed by Docusign, to verify the compliance of RA with its RP and communicate the requested information to Docusign;

(ii) seek approval from DSF prior to designating a DRA;

(iii) establish a written enforceable agreement with all DRAs that defines their obligations and responsibilities in accordance with the applicable RP;

(iv) take appropriate technical and organizational measures to manage the risks associated with its IT systems and networks; and

(v) securely store and archive Signer Information used for Signer Identification and authentication, and Certificates of Completion associated these Transactions for at least five (5) years and, in the event of a request from a regulatory body to DSF or Docusign, or for DSF’s or Docusign’s internal audit, make such documentation available to Docusign.

(f) Customer Signer Registration. The registration of Signers for the issuance of Signer Certificates is the exclusive responsibility of Customer in its capacity as RA. Customer is responsible for the accuracy and completeness of the information sent to Docusign for issuance of Signer Certificates. Docusign does not verify Signer Identity and Signer Information and Docusign (including DSF) disclaims all liability regarding the accuracy of Signer Identity and Signer Information communicated by Customer and contained in the Signer Certificates.

(g) Customer Incident Report. As TSP, DSF must report certain Security Incidents to the Supervisory Body. Customer shall notify Docusign within twenty-four (24) hours of discovering a Security Incident (“Incident Report”).

(h) Customer Incident Report Details.  Each Incident Report shall, at a minimum, and as applicable, include the following information:

(i) Name, description, and exact location of the compromised system;

(ii) Description, impact, current status, and list of individuals, including Signers, affected by the Security Incident;

(iii) Date and time of when the Security Incident occurred and when Customer first discovered the Security Incident;

(iv) Description of Customer’s remediation efforts, current status of such remediation efforts, and the date the Customer initiated remediation efforts;

(v) Type of compromise:

(1) In the case of a hack, the source of the attack;

(2) In the case of an accident, a description of the cause of the accident;

(3) Whether Customer has filed a complaint or report to any applicable authority;

(4) Name of any law enforcement agency contacted about the Security Incident;

(5) List of Customer’s customers/Signers using the Service along with their locations; and

(6) Exact type of information exposed during the Security Incident.

(i) Customer Incident Response Accuracy. Customer shall ensure that Incident Reports are accurate. If an Incident Report contains inaccurate information, Customer shall promptly notify Docusign and update the Incident Report without undue delay but not later than twenty-four (24) hours of discovering such inaccuracies or as otherwise agreed upon between Customer and Docusign.

(j) CA Inspection. In its capacity as CA, DSF has a duty to inspect Customer in its role as RA to confirm its compliance with the terms of the Agreement, including applicable standards (such as technical specification ETSI TS 119 461 or ETSI 319 411), and the RP applicable to Signer Certificates. For this inspection, CA may carry out, or select a mutually agreeable inspector to carry out, an annual compliance inspection on Customer’s premises or remotely. Depending on DSF choice, the inspection may cover the following areas:

(a) Customer’s performance of obligations under section 4.2 (DSF as TSP with Customer as the RA);

(b) Availability and content of agreements between Customer and potential sub-contracting entities involved in the performance of Customer’s obligations;

(c) Management of eDocuments made available to Signers in connection with signature workflows;

(d) In the event that the RA designated one or more DRA(s):

(1) Monitoring of DRAs in accordance with the RP defined by the RA and the contract between RA and each DRA; and

(2) Requirements to be met by DRAs regarding Signer authentication and identification and the secure transmission of Signer Information to Customer by DRA(s).

(k) Non-Compliance.  If the inspection reveals a noncompliance (such as indication that Certificates have or may have been issued to Signer that has not been properly identified), Customer shall correct its procedures immediately and, in any event, no later than within the timeframe set by DSF. If the correction has not been made within the timeframe set by DSF, then DSF (or Docusign) may suspend activities included in the operation of this Service until full compliance is achieved. In such event, Customer shall not claim a breach by DSF (or by Docusign) of its contractual obligations under the Agreement or claim any indemnity of any kind due to such suspension. Docusign is also permitted to suspend the performance of the Service whenever Customer is reasonably believed to be out of compliance with its obligations as RA, and such suspension may continue until DSF in its sole discretion determines that the compliance failures have been remedied.

(l) Regulatory Audit.  In the event of a suspicion that RA and/or DRA(s) are in breach of the Agreement, or if a certification or regulatory body issues such express request, DSF shall have the right to conduct at any time an inspection on the premises of RA and/or DRA(s) to determine any noncompliance with the Agreement and/or the applicable Certificate Policy(ies).

(m) Indemnity. In addition to the third-party claims obligations set forth in the Agreement, Customer will indemnify DSF and Docusign and their Indemnified Parties from, and defend them against, any Claim to the extent arising from or related to non-performance of any obligations by Customer, in its capacity as RA and arising from the applicable Certificate Policy(ies).

(n) The obligations set forth in this section shall survive the termination or expiry of this Service Attachment.

4. CERTIFICATE POLICIES  

4.1 Customer agrees that the:

(a) Services at Sections 2.1, 3.1, and 3.2 are based on DSF’s applicable Certificate Policies;

(b) Certificate Policies constitute essential commitments from DSF and its RA and DRA and to any third-party relying on the Services; and

(c) Certificate Policies are available and can be accessed on Docusign’s website.

4.2 Customer is responsible for the accuracy and completeness of the Signer Information sent to Docusign for issuance of Certificates. Docusign disclaims all liability regarding the accuracy of the Signer Information communicated by Customer or Signers.

5. CERTIFICATION SERVICES AND REVOCATION

5.1 Except for instances of Customer Verification, DSF, in its capacity as CA, and Docusign for IDV Service and Docusign France for QES, in its capacity as RA, shall be responsible for (i) the proper functioning of the Service (ii) the compliance of its Certificates and Signer Identity and (iii) Signer Information management system and procedures with the terms of the applicable Certificate Policy(ies). DSF and Docusign shall technically manage the Certificate life cycle and its associated Signer Identity and Signer Information throughout their validity period to meet the requirements of the Services, in accordance with the applicable Certificate Policy(ies).

5.2 For AES services provided under Sections 3.1 and 3.2, “Certificate(s)” means a certificate for electronic signature as defined in Article 3(14) eIDAS and generated by Docusign to confirm the link between Signer’s Identity and electronic signature creation Data. Certificate has a validity period of 1 hour and 5 minutes for AES. The Certificate is used as validation data as defined in Article 3(40) eIDAS to validate an electronic signature.

5.3 For QES services provided under Section 2.1 above, “Certificate(s)” means a qualified certificate for electronic signature as defined in Article 3(15) eIDAS and generated by Docusign to confirm the link between Signer’s Identity and electronic signature creation Data. Certificate has a validity period of 10 days. The Certificate is used as validation data as defined in Article 3(40) eIDAS to validate an electronic signature.

5.4 Revocation. In its capacity as CA, DSF enables Signers to report inaccurate Certificate information or issuance only for QES. These reports are authenticated revocation requests and can be submitted by Signers or legal persons through the online revocation portals located on the following website: https://ps-ws.dsf.docusign.net/ds-server/s/noauth/psm/revocation/step1, and if Docusign receives such authenticated online revocation request from Signer within the validity period of a Signer Certificate, Docusign shall add the relevant Signer Certificate(s) to the CRL maintained and published by the CA.

5.5 Revocation After Signing. Certificate revocation performed after the execution of an electronic signature does not invalidate such electronic signature. Revocation information will be available from CA in CRL. CRL shall be published on DSF website until it ceases its activity as TSP. CRL shall also be published on CRL distribution URL contained in Certificates until the last Certificate issued by CA expires. In the event of CA ceasing to do business, the Service being discontinued by CA or a compromise of CA key, the last CRL shall be generated, published and archived by TSP. 

5.6 Online Certificate status:

(a) For AES, an expired and revoked Certificate shall no longer be in CRL but shall have a revoked status given by the online Certificate status of TSP.

(b) For QES, an unexpired Certificate with a revoked status given by the online Certificate status of TSP may have a valid status in CRL because the online Certificate status of TSP remains on CA database while CRL is issued every 24 hours. Such a difference in status can only last a maximum of 24 hours. CRL issued shall contain expired and revoked Certificates with an extension "expiredCertsOnCR”. 

6. GENERAL 

6.1 Incident Report. Customer agrees that, as TSP, DSF shall report Security Incidents including the relevant Customer and Signer Information to the Supervisory Body.

6.2 Timestamps. eDocuments signed using the Services AES and QES only shall contain a qualified timestamp generated by DSF within the meaning of Article 3(34) eIDAS and certified under standard ETSI EN 319 421. The timestamp policy applicable to the Services is identified by the OID 1.3.6.1.4.1.22234.2.6.5.8 and is available on the DocuSign website, currently at https://www.docusign.com/fr-fr/societe/politiques-de-certifications.

7. DIGITAL SIGNATURES (NON AES/QES)  

Additional Definitions

“Signer Information” for the purposes of this Section 7 means any Signer’s Personal Data that is collected either by external TSP or contained in the Signer held certificate for the purpose of confirming the Signer Identity and contacting the Signer. Such data may include a government-issued ID (e.g., a passport), ID issued to Signer by a bank or national authority (e.g., an electronic ID) and/or name, email address and mobile phone number.

“DS Express Service” means the integration feature within the Docusign eSignature platform that enables Customers to utilize Digital Signature services through either (a) Docusign Inc as a Third Party TSP (b) a Third-Party TSP selected by the Customer, or (c) a Third-Party TSP made available by Docusign as a resold service. 

7.1 Signers may leverage its existing digital certificate or a digital certificate issued by a Third-Party TSP to apply a Digital Signature to an eDocument using the DS Express Service in the following ways:

(a) The Signer can sign the eDocument using their existing Signer held digital certificate either stored locally (such as USB or Wallet), accessed via the cloud with a Third-Party TSP that Docusign partners with or as is stored in its Docusign Identity Wallet.

(b) The Signer can leverage a Third-Party TSP that Docusign partners with which will issue the signer a digital certificate to sign with. 

7.2 Where the Signer leverages its digital certificate as outlined in Sections 7.1(a) and 7.1(b) then in that event, the Customer acknowledges and agrees that Docusign: 

(a) is facilitating the interoperability and integration with the Third-Party TSP for Customer’s Signers; 

(b) is not liable for the acts or omissions of the Third-Party TSP; 

(c) disclaims all liability regarding the accuracy of any documentation provided by the Third-Party TSP; 

(d) makes no representation or warranty of the legal validity of resulting e-signature and/or certificate; and

(e) makes no representation or warranty regarding the validity or authenticity of any Signer Identification processed as part of the transaction between Signer and Customer using this Service and disclaims all liability regarding the accuracy of any Signer Identification.

7.3 Customer shall securely store and archive the Certificates of Completion for Transactions leveraging this offering. 

7.4 The Third-Party TSP is a Third-Party Service and the Customer and Signers will be subject to separate terms and conditions of the Third-Party TSP. For further information on the Third-Party TSP’s terms and conditions - including its trust service policy, limitations, or otherwise please contact or visit the website of the Third-Party TSP.