ID CHECK FOR AES ATTACHMENT FOR DOCUSIGN ESIGNATURE

Service Attachment version date: January 10, 2020

Unless otherwise defined in this Service Attachment, capitalized terms will have the meaning given to them in the Agreement.

1. DEFINITIONS

“Advanced Electronic Signature” (or “AES”) means advanced electronic signature as defined in Article 3-11 of eIDAS.

“Certificate(s)” means the Certificate generated by the CA via the Service for a Signer, which attests the unique link between the Signer Information and a Public Key. The Public Key is uniquely associated with a Private Key managed by Docusign France. In this case, the term “Certificate” means the certificate for electronic signature, as defined in Article 3-14 of eIDAS, generated by Docusign France to the benefit of a Signer.

“Certification Authority” (or “CA”) is Docusign France, the authority that generates Certificates and manages the Certificate lifecycle (issuance, renewal, revocation) on the request of the Registration Authority, in accordance with the rules and practices defined in its Certificate Policy(ies) and the associated Certification Practice Statement.

“Certificate Policy(ies)” (or “CP”) means the set of rules published by the CA. A Certificate Policy describes the general characteristics of the Certificates as well as the obligations and responsibilities of the CA, the RA, Signers, Certificate requesters, and any other PKI component involved in the management of a Certificate lifecycle. The Certificate Policy(ies) of Docusign and its (their) successive update(s) can be accessed on Docusign’s website (https://www.docusign.fr/societe/certification-policies), and are an integral part of this Service Attachment. For the purposes of this Service Attachment, the applicable OID is 1.3.6.1.4.1.22234.2.14.3.32.

“Certificate Revocation List” (or “CRL”) means the list of invalid Certificates that have been revoked before their expiration date. CRLs are issued periodically and are digitally signed by the CA that issued the Certificates in the list. The URL for where to find the CRL is contained in the Certificate.

“Documentation” means the commercial, functional, and technical documentation relating to the Service and provided by Docusign to Customer, including Certificate Policies. Documentation can be in a paper format, on a magnetic storage medium or in any other format used by Docusign.

“Docusign France” (or “DSF”) means Docusign France SAS, an Affiliate of Docusign.

“eIDAS” means EU Regulation No. 910/2014.

“ID Check for AES” (or “Service”) means the Docusign ID Check for AES service which provides (i) Advanced Electronic Signatures, (ii) the RA online interface and (iii) evidence storage services. The Service is accessible via Docusign eSignature.

“Major Security Incident” means activity on or affecting: (i) the Service and/or (ii) Signer’s data, that is likely to result in a loss of integrity, confidentiality, availability and/or proof in the Service, including the Signer identification operation made by CA, Signer revocation requests made by Customer, personal data storage in Docusign eSignature and the Docusign eSignature and Signer signing operation.

“Private Key” means a mathematical key, associated to the Public Key, that is secret, uniquely contained within a hardware security module (HSM), and remotely activated by the Signer to sign eDocuments. For the purposes of this Service Attachment, the Private Keys are generated for only the purpose of a single Transaction and are erased after the completion of such Transaction.

“Registration Authority (or “RA”) is Docusign France, the entity that registers requests for the issuance, renewal, and revocation of Certificates. The RA collects electronic copies of Signer’s ID document to verify the name of the Signer and to constitute evidence of the Signer’s identity. The RA interacts directly with the CA and uses Docusign eSignature to interact with the Signer.

“Registration Policy” means the procedures and rules defined and implemented by the Registration Authority in order to identify and authenticate Signers, to verify and store supporting documents for Signers’ registration, and to register requests to issue, renew, and revoke Signer Certificates.

“Signer(s)” means any individual who signs eDocuments with the Service.

“Signer Information” means the set of personal data (including name, email address, mobile phone number, and copy of an official ID document) used to identify a Signer.

“Transaction(s)” means the performance of a signature process, defined by a set of eDocuments submitted for electronic signature, by one or more Signers via Docusign eSignature.

“Vulnerability” means a path in the Service, data or in the Customer system that may lead to a Major Security Incident.

2. ADVANCED SIGNATURE

2.1  The parties acknowledge and agree that: (a) Docusign France is a "trust service provider" for the purpose of providing the Service; (b) where Customer contracts with Docusign for the provision of the Service and related certification services, Docusign is authorized to act as an agent for and on behalf of Docusign France for the purpose of contracting with Customer while Docusign France is the entity providing the actual delivery of any Advanced Electronic Signature and Certificates; and (c) the use of the Service is conditional upon Customer adhering to the terms of this Service Attachment.

2.2  During the Term and subject to the terms and conditions of this Service Attachment, Customer will have the limited right to send eDocuments to Signers to be signed with the Service via Docusign eSignature. The right to use the Service is limited to Customer’s authorized Signers. Customer and its agents may not resell or otherwise provide or assist with the provision of the Service: (a) for the benefit of another party; (b) as a part of a service Customer offers to third parties; or (c) as a sublicensed or service bureau arrangement.

2.3  Customer acknowledges and agrees it has been or hereby is fully informed by Docusign that:

(a) the Service is based on Docusign’s applicable Certificate Policies;

(b) The Certificate Policies constitute essential commitments from Docusign to any third party relying on the Service; and

(c) The Certificate Policies have been or will be made available to Customer before the Order Start Date of the Service and can be accessed on Docusign’s website, https://www.docusign.fr/societe/certification-policies.

3. CUSTOMER RESPONSIBILITIES.

3.1  Customer acknowledges having received from Docusign all of the information it requires to assess whether the Service meets its needs and to take all necessary precautions for the implementation and operation of the Service.

3.2  Customer shall employ measures to send information to RA supporting the issuance of Certificates that is accurate and complete. Customer acknowledges that Docusign does not verify Signer’s mobile phone number and email address information.

3.3  Customer is responsible for the accuracy and completeness of the information sent to Docusign for the issuing of Certificates. Docusign disclaims all liability regarding the accuracy of the Signer Information communicated by Customer and Signer.

3.4  The Service can be accessed by Customer by means of a secure remote connection. ACCORDINGLY, CUSTOMER IS SOLELY RESPONSIBLE FOR ANY AND ALL CONSEQUENCES ARISING FROM THE UNAUTHORIZED USE BY A THIRD PARTY OF ITS PRIVATE KEYS AND CERTIFICATES ENABLING ACCESS TO THE SERVICE, REGARDLESS OF THE MEANS BY WHICH THEY WERE OBTAINED FROM CUSTOMER.

4. DOCUSIGN RESPONSIBILITIES

4.1  Trust Service Provider (TSP). Docusign shall make commercially reasonable efforts to: (a) ensure it and its Affiliates’ data centers and information technology are secure and trustworthy; (b) verify each Signer’s name against a copy of a valid official ID document provided by Signer within the Service; and (c) ensure that electronic signatures created with the Service, subject to the Customer fulfilling its responsibilities under this Service Attachment, will conform with the definitions of advanced electronic signature set out in Article 3-11 of eIDAS.

4.2  Certification Services. Docusign France, in its capacity as CA and RA, shall be responsible for the proper functioning of the Service’s components and the compliance of its Certificate management system and procedures with the provisions set forth in applicable Certificate Policy(ies). Docusign France shall technically manage the lifecycle of Certificates throughout their validity period in accordance with the terms and conditions defined in the applicable Certificate Policies.

5. REVOCATION

5.1  Revocation Generally. In its capacity as CA, Docusign France enables Signer to report inaccurate Signer Information. These reports are revocation requests. If Docusign receives an authenticated online revocation request through the Personal Certificate Revocation Request Form (located at https://www.docusign.fr/revocation) from the Signer within the first ten (10) days after a Certificate is issued, Docusign shall add the Signer’s Certificate to the Certificate Revocation List maintained and published by the CA. If the DRA is made aware of inaccurate Signer Information, the DRA must report the incident as described in Section 6.

5.2 A revocation recorded after the execution of an AES does not invalidate de facto that AES. Revocation information will always be available from the CA that publishes a CRL. In the event of the CA's end of life or the Service stopping with this CA or even in the event of a compromised CA key, a last CRL is generated and archived at Docusign France. The CRL is published on the Docusign France website until the TSP ends its activity. It is also published on the CRL distribution URL contained in the Certificate until the last Certificate issued by the CA expires.

6. INCIDENT REPORT

6.1  Customer acknowledges that Docusign France, as TSP, must report certain incidents to its supervisory body (ANSSI). Customer shall notify Docusign within twenty-four (24) hours of discovering a Major Security Incident or Vulnerability (“Incident Report”). Notwithstanding this Section 6.1, Customer is not obligated to report a Vulnerability to Docusign if a patch to the Vulnerability exists and Customer deploys such patch to all affected systems within three (3) days of discovering such Vulnerability.

6.2  Incident Report. Each Incident Report shall, at a minimum and as applicable, include:

(a) Name, description, and exact location of the compromised system;

(b) Description, impact, current status, and list of individuals affected by the incident;

(c) Date and time of when the incident occurred and when Customer first discovered the incident;

(d) Description of Customer’s remediation efforts, current status of such remediation efforts, and the date the Customer initiated remediation efforts;

(e) Type of compromise;

• In the case of a hack, the source of the attack;

• In the case of an accident, a description of the cause of the accident;

(f) Whether Customer has filed a complaint or report to any applicable authority;

(g) Name of any law enforcement agency contacted about the incident;

(h) List of customers using the Service and their locations; and

(i) Exact type of information exposed during the incident.

6.3  Customer shall ensure that Incident Reports are accurate. If an Incident Report contains inaccurate information, Customer shall promptly notify Docusign and update the Incident Report within seventy-two (72) hours of discovering such inaccuracies or as otherwise agreed upon between Customer and Docusign.

7. AGREEMENT ON PROOF

7.1  Except where provisions to the contrary exist, computerized records stored in the information systems of Docusign and its Affiliates using reasonable security measures are accepted as proof of the communications and agreements between the Parties.

7.2  Docusign may use, including for the purposes of providing evidence or establishing an invoice, any document, file, recording, monitoring report or statistic in any medium, including an electronic medium that has been directly or indirectly created, received or stored by Docusign in a database.

8. WARRANTIES AND DISCLAIMERS

8.1  Docusign Service Warranties. Docusign warrants that during the applicable Term, the Service, when used as authorized under this Service Attachment, will perform substantially in conformance with associated Documentation. Customer’s sole and exclusive remedy for any breach of this warranty by Docusign is for Docusign to repair or replace the affected Service to make it conform, or, if Docusign determines that the foregoing remedy is not commercially reasonable, then either Party may terminate this Service Attachment.

8.2  Disclaimer. Except for the express representations and warranties stated in this Section 8 (Warranties and Disclaimers), Docusign: (a) makes no additional representation or warranty of any kind as to any matter whatsoever; (b) disclaims all implied warranties, including but not limited to merchantability, and fitness for a particular purpose, and title; and (c) does not warrant that the Service is or will be error-free or meet Customer’s requirements. Customer has no right to make or pass on any representation or warranty on behalf of Docusign to any third party.

9. THIRD PARTY CLAIMS. In addition to the third party claims obligations set forth in the Agreement, Customer shall indemnify Docusign and its employees, Affiliates, directors, agents, and representatives (“Indemnified Parties”) from, and defend Docusign and the Indemnified Parties against, any Claim to the extent arising from or related to: (a) any representations or warranties regarding the Service made by Customer to any third parties (including without limitation Signers) not authorized by Docusign; and (b) non-performance of any obligations by Customer defined under this Service Attachment and the applicable Certificate Policy.