
SERVICE SCHEDULE for DOCUSIGN PROTECT & SIGN ETSI QES

Service Schedule revision date: March 20, 2019. Unless otherwise defined in this Service Schedule, capitalized terms will have the meaning given to them in the Agreement.

1. DEFINITIONS

“Archiving Policy” means the legal, functional, operational, technical, and security rules Customer must establish, implement, and comply with to ensure the reliability of the Proof Files (e.g., conservation period, accessibility of archives, procedures for restoration, destruction, etc.).

“Archiving Service” means the DocuSign services for the archiving of Proof Files during the Archiving Period.

“Conformity Assessment Body” (or “CAB”) is a third party accredited by a European Member State to perform conformity assessments of the CA and RA. The current applicable standard for the issuance of a qualified Certificate is ETSI EN 319 411-2 QCP-n-qscd and French ANSSI requirements (Agence Nationale de la Sécurité des Systèmes d’Information).

“Certification Authority” (or “CA”) means the entity issuing the Certificates to Customer pursuant to the rules and practices that the Certification Authority has established in its Certification Policy.

“Certificate Revocation List” (or “CRL”) means the list digitally signed by a CA containing the identities of Certificates that are no longer valid.

“Certification Policy” means the set of rules published by the CA, identified by an object identifier (“OID”), and describing the general characteristics of the Certificates it issues. A Certification Policy describes the obligations and responsibilities of the CA, the RA, Signers, Certificate requesters, and any other PKI component involved in the management of a Certificate life cycle. The Certification Policy(ies) of DocuSign France and its(their) successive update(s) can be accessed on DocuSign France’s website, https://www.docusign.fr/societe/politiques-de-certifications, and are an integral part of this Agreement. The applicable OID for this current document is 1.3.6.1.4.1.22234.2.14.3.31.

“Consent Protocol” means the technical process within the Service accessible via the Protect & Sign ETSI QES Personal Signature Service to collect the consent from Signer to receive a Certificate, to sign the eDocument and the TOU by clicking a check box.

“Customer Application” means the software or technology owned and controlled by Customer and made available to third-party end-users for the purpose of offering the Service.

“Customer Connector” means the software that connects the Customer Application to the applicable Protect & Sign ETSI QES Personal Signature Service.

“Delegated Registration Authority” (or “DRA”) means any entity expressly designated by the Registration Authority (or “RA”) in order to perform all or part of the RA tasks in accordance with the applicable Certification Policy and Registration Policy. For purposes of the Protect & Sign ETSI QES Personal Signature Service, the RA is the Customer. A DRA is optional depending on the RA organization.

“Private Key” means the secret electronic data associated with the Certificate and managed by DocuSign in order to create electronic signatures via Protect & Sign ETSI QES.

“Proof File” means a file generated, signed, and time-stamped by DocuSign France that contains all the information related to data sent by the RA, including consent collection and signature activation and operations. A dedicated Proof File is associated with each RA request and Transaction for the purpose of proving the validity of the electronic signature in case of a legal proceeding.

“Protect & Sign ETSI QES Personal Signature Service” (or “Service”) means the on-demand DocuSign Service for generating DocuSign Qualified Electronic Signatures on eDocuments and to prepare Proof Files relating to transactions through Customer’s Application.

“Public Key Infrastructure” (or “PKI”) means the infrastructure required to produce, distribute, manage, and archive keys, Certificates, and CRL, as well as the basis on which the Certificates and the CRL must be published.

“QES” means Qualified Electronic Signature and the security level used for Certificate lifecycle management as defined by ETSI in the EN 319 411-2 standard and the eIDAS Regulation.

“Registration Policy” means the procedures and rules defined and introduced by the Registration Authority to identify and authenticate Signers, verify and keep the Signers' proof of registration, and register the issue, renewal, and revocation of Certificates. The Registration Authority is the Customer.

“Signer(s)” means any individual who signs the eDocument(s) presented thereto after giving consent in accordance with the Service Consent Protocol. 

“Signer Certificate” (or “Certificate”) means an electronic file issued by the Certification Authority and attesting the link between an identity and the public key of the person holding the Certificate. In this case, the term "Certificate" means the Certificate generated by DocuSign on behalf of a Signer, and used for the electronic signature by that Signer, via the Service, of an eDocument addressed to it by Customer. Each Certificate contains information, such as part of Signer Identity, Signer's public key, Certificate lifetime, and the signature of the CA issuing it.

“Signer Identity” means the personal data (e.g., name(s), email address, telephone number) identifying the Signer(s) that is collected and defined by the RA on the Service.

“Terms Of Use” (or “TOU”) means the legal conditions relating to the use of the Service. These Terms Of Use are signed during the Consent Protocol.

“Time stamps” means the time-stamp tokens affixed to Proof Files and further described at https://www.docusign.fr/societe/politiques-de-certifications.

“Transaction(s)” means the performance of a signature process, defined by a set of eDocuments submitted to the Service for electronic signature with a Consent Protocol by one or more Signers.

“TSP” means Trust Service Provider under the definition of eIDAS.

2. PROTECT & SIGN ETSI QES

During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to send eDocuments to Signers to be signed with the Service using the DocuSign Signature application. Certificates issued to Signers by DocuSign France (hereinafter, “DocuSign”) as part of the Service are provided and managed through DocuSign's online qualified electronic signature service. This Certificate, associated with the signing service of DocuSign, allows the Signer to electronically sign the Document(s) at a qualified level in accordance with Article 3(12) of European Regulation No. 910/2014 (the eIDAS Regulation) and the ETSI EN 319 411-2 (QCP-n-qscd) standard.

3. CUSTOMER RESPONSIBILITIES

Customer agrees to and acknowledges the following:

3.1 Customer Application and Connector. 

(a) Customer is responsible for: 

(i) configuring Customer’s Applications; 

(ii) integrating the Customer Connector and technical key pairs of the Customer Connector; and 

(iii) ensuring the security of the connection between the Customer Connector and the Customer Applications that are required to access the Service. 

(b) Customer must also ensure, during the installation of the Service, the protection, confidentiality, and security of the environment that will safeguard the private keys of the technical key pairs used by the Customer Connector.

(c) Customer shall be solely liable for any damaging consequences that may result from the use, by a third party to whom they have been disclosed by any means whatsoever, of the Customer Connector private keys and Customer certificate enabling access to the Service.

3.2 Production Launch Testing and Validation. 

(a) Customer acknowledges that the use of the Service is subject to a DocuSign-specified testing and validation process.

(b) The production launch of the Service will be completed within fifteen (15) business days of receipt of the production launch document, duly completed and signed by Customer. 

(c) Upon completion of the production launch of the Service, since DocuSign does not have access to the Service via Customer's environment, Customer undertakes to carefully monitor the first signatures made with the Service platform in order to confirm to DocuSign that use of the Service in production is operational. Failing this, DocuSign shall not be responsible for the malfunctioning of the Service in Customer's environment.

3.3 Electronic Certification. Customer is solely responsible for managing Certificates issued through the Service and must comply with the Certification Policy for each such Certificate.

3.4 Restrictions on Use. During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to submit eDocuments to the Service. The right to use the Service is limited to Signers, and Customer may not resell or otherwise provide or assist with the provision of the Service for the benefit of another party or as a part of a service Customer offers to third parties or as a sublicensed or service bureau arrangement.

4. DOCUSIGN RESPONSIBILITIES

4.1 Electronic Certification. DocuSign will ensure the proper functioning of the PKI components as further described in the Certification Policy. DocuSign provides the certificates to be used with the Customer Connector to access and use the Service.

4.2 Providing Protect & Sign ETSI QES Personal Signature. Unless otherwise set forth on the applicable Order Form, DocuSign shall ensure that the Service performs the following functions:

(a) Allows Signers to electronically sign eDocuments and TOU using the Service and the Consent Protocol defined with Customer and approved by DocuSign;

(b) Creates Proof Files for each Transaction involving at least one electronic signature;

(c) Sends Proof Files of such DocuSign Signatures to the electronic Archiving Service as designated by Customer (if subscribed to by Customer);

(d) Makes the signed eDocument and TOU available for the benefit of Customer; and 

(e) Enables the viewing of the Proof Files. 

4.3 Electronic Archiving Service. In the event Customer purchases the electronic Archiving Service under a valid and applicable Order Form, DocuSign will make available a secure storage environment for Customer’s use for archiving Proof Files created as part of Customer’s use of the Service. The Proof Files will be archived for a period of ten (10) years from their receipt by the electronic Archiving Service, unless their return is explicitly requested by Customer (“Archiving Period”). Upon expiration of the Archiving Period, Customer will have sixty (60) days to notify DocuSign of its intent to extend the Archiving Period (subject to a written agreement between the parties) or request that DocuSign return their Proof Files. In the event this Agreement expires or is terminated prior to the expiration of the Archiving Period, DocuSign will continue to maintain the electronic Archiving Service for the duration of the Archiving Period for any eDocuments archived prior to the expiration or termination of the Agreement. Unless otherwise requested by Customer in accordance with the terms of Section 4.4, DocuSign is not authorized to access the archived Proof Files.

4.4 Physical Copies of Proof Files. If Customer purchases the electronic Archiving Service through DocuSign, Customer may request (as an additional service for an additional fee) DocuSign to provide physical copies of Proof Files generated through the Service and archived by DocuSign. Upon such request, DocuSign will de-archive the nominated Proof File(s), extract and print the underlying eDocument(s), and affix a stamp certifying that the printed eDocument is the one signed and archived through the Service. 

4.5 Deletion of Proof Files. Unless otherwise set forth on the applicable Order Form and except if Customer has purchased the electronic Archiving Service, DocuSign will delete Proof Files generated by the Service after 10 days. 

4.6 DocuSign Certification. During the term of the applicable Order Form, DocuSign shall maintain its certification under ETSI EN 319 411-2 (QCP-n-qscd) for the issuance of signing Certificates in the context of the Service.

5. ADDITIONAL RESTRICTIONS AND OBLIGATIONS

5.1 Size Limitations. Customer acknowledges that eDocuments submitted to the Service shall not exceed five megabytes (5 MB) each. 

5.2 Additional Conditions for Protect & Sign ETSI QES Personal Signature. 

(a) Customer must ensure that each Signer complies with the terms and conditions of this Agreement, including compliance with the Certification Policy and TOU. 

(b) Customer must ensure that each Signer uses the Private Keys and Certificates solely for the purposes authorized by the TOU under the applicable Certification Policy and in accordance with applicable laws and regulations. 

(c) Customer is solely responsible for providing the Proof File, the eDocument and/or TOU to appropriate recipients.

(d) Customer must advise each Signer in advance and in writing of the Signer obligations imposed on Signer when using the Service.

(e) Customer must advise Signers in advance and in writing of the requirements of the Certification Policy applicable to them as referenced above, as well as the internal procedures it has implemented. Moreover, Customer must inform Signers that the use of their Private Keys and Certificates must be limited exclusively to the purposes authorized under the applicable TOU and in accordance with current laws, Certification Policy and regulations.

(f) The TOU are established by Customer and DocuSign and validated by DocuSign at its election.

5.3 Appointment as Registration Authority. For the Protect & Sign ETSI QES Personal Signature Service, DocuSign appoints Customer as the RA. Customer may designate a DRA and implement procedures for identifying, authenticating, and validating requests for issuing Certificates to Signers in accordance with the Registration Policy.

Customer, as a Registration Authority, must:

(a) Allow DocuSign (or its nominee) and CAB to audit all aspects of Customer’s use of the Service, including as it relates to Customer’s and, if applicable, DRA’s obligations under this Agreement, issuance of Signer Certificates, and appointment as a Registration Authority;

(b) Prepare and implement a Registration Policy. This Registration Policy must be validated by DocuSign prior to Customer's use of the Service;

(c) Coordinate and manage Signer Certificate requests (assimilated to the signature request made via the Customer Connector) by providing accurate and complete data allowing the CA to issue the Certificates;

(d) Identify and authenticate Signers according to the relevant Registration Policy prior to establishing and sending a signature request to the Service via a Customer Connector;

(e) Retain, for at least seven (7) years after Certificate expiration, the Signer's registration file (the proof of identity of the Signer produced by the RA) and the Proof File;

(f) Identify and authenticate the DRA;

(g) Ensure that the DRA complies with the Certification Policy and Registration Policy in accordance with a signed agreement between Customer and the DRA;

(h) Prepare and transmit signature request to the Service;

(i) Establish a DRA contract with a DRA, if applicable, to oversee the operations delegated by the RA. Such contract must be validated by DocuSign before the DRA can be used by the RA as part of the Service;

(j) Notify DocuSign of any security incident affecting the RA and, where applicable, the DRA, and of any incident concerning the personal data managed by the RA and, where applicable, the DRA, in accordance with the requirements described in the present document;

(k) Manage and protect personal data in accordance with all applicable data protection laws (including GDPR) and the TOU;

(l) Close the Proof File in the Service as soon as one or more signature(s) is or are created via the Service for each Transaction;

(m) Notify DocuSign of any major changes in the RA information system and/or in the RA procedures. These changes must be validated by DocuSign before they can be used by Customer. Customer is informed that certain changes may, depending on their nature (for example, a new registration method), have to be validated by ANSSI and may necessitate a new audit before their use;

(n) Protect the confidentiality and integrity of information relating to Signers’ personal information;

(o) Report the following major service changes to DocuSign:

  • Change due to security policy, TOU and/or contract related to the Service;

  • Change of sub-contractor providing one or more parts of the RA or DRA service;

  • Change of hosting the RA or DRA service;

  • Change in security protocol (e.g., Signer enrollment procedure);

  • Change of the architecture used to run the RA or DRA service;

  • Change in the roles management procedure for RA or DRA roles;

  • Change of owner of the legal entity which provides the RA or DRA service;

(p) As to any of the above-referenced major service changes, RA shall report the following information:

  • Legal entity impacted by the change;

  • Type of modification based on the items listed above;

  • Reason and explanation of the change;

  • Detailed description of the change;

  • System impacted by the change;

  • Description of the security impact;

(q) The RA shall submit to DocuSign’s Security Officer a signed report regarding any of the above-referenced major changes.

5.4 Onsite Audit of Customer. DocuSign, in its capacity as CA, is responsible for auditing and monitoring Customer as an RA and its DRA(s). To this end, DocuSign may carry out, or direct an auditor selected by DocuSign to carry out, on an annual basis, a compliance assessment on the premises of Customer and, if applicable, DRA(s). In order to do this, DocuSign will provide Customer with fifteen (15) days’ advance notice of such audit. This audit will cover a cross-section of the DRA(s) and DRA operators designated by Customer to complete all or part of the RA functions assigned to it under this Schedule. The audit may cover the following:

(a) The management by Customer of private keys and Customer’s certificates used for the Customer Connector;

(b) The use and the implementation of the Customer Connector by Customer and the interconnection with the Customer Application;

(c) The use and implementation of the Customer Connector by Customer;

(d) The content and provision of TOU to the Signers;

(e) Where applicable, the connection between the Customer application and those of the DRA;

(f) The digital and physical protection of the environment where the Customer Connector is stored and the Customer Application of the RA (and that of the DRA, where applicable);

(g) The management of identification and authentication information of Signers by Customer;

(h) The process for authentication and identification of Signers by Customer during the completion of a transaction with the Signer and the Consent Protocol for approval;

(i) The management of documents presented and made available by the Customer with regards to Signature workflow;

(j) The recovery of Signer identities and their transmission to DocuSign via the Customer Connector;

(k) The conditions for access, storage, and use of an archiving service for the recovery of the Proof Files;

(l) The control of the DRA by Customer (where Customer has designated the DRA) using the Registration Policy and the agreement between Customer and the DRA; 

(m) The requirements imposed on the DRA in relation to the Signer authentication and identification procedures, and the secure transmission of Signers’ identifying information to Customer by the DRA;

(n) Training modalities for RA and DRA personnel;

(o) Management of revocation by the RA and the DRA;

(p) Management of RA and DRA logs and Signer identification verification operations;

(q) Issuance of signed Documents and TOU to the Signers;

(r) Management of the Signer's personal data by the RA and the DRA; and

(s) Management and reporting of incidents and major service changes to DocuSign.

In the case of any major noncompliance found during the audit process, Customer shall rectify it immediately. Failing rectification within the time limit set by DocuSign, the Service may be suspended by DocuSign until fully rectified, in which case Customer may not allege any breach by DocuSign of its contractual obligations, nor claim any compensation.

If Customer or the DRA violates or is suspected of violating its duties as a Registration Authority, or if a CAB or a governmental body makes the request expressly in writing, DocuSign may audit, at any time and without prior notice, the premises of the RA and the DRA to assess any potential noncompliance with the Agreement and the applicable Certification Policy.

5.5 Onsite CAB Audit. Prior to use of the Service, Customer must be audited by a Conformity Assessment Body across its RA and DRA perimeter for the management of Signer registration, renewal, and revocation operations for Certificates in accordance with the requirements of ETSI EN 319 411-2 QCP-n-qscd.

Following this audit, Customer must send the audit report to DocuSign for verification. If the verification is conclusive, then Customer is recognized as ETSI-certified for ETSI EN 319 411-2 QCP-n-qscd.

This audit must be renewed every two (2) years. After each audit, Customer must send the audit report to DocuSign no later than 10 days after such report is completed.

5.6 Incident Report. Customer acknowledges that DocuSign, as TSP, must report certain incidents to its supervisory body (ANSSI). Customer shall notify DocuSign within 24 hours of discovering a Security Incident or Vulnerability (both defined below) that: (a) exists in an RA or DRA system; and/or (b) involves Signer personal data. If a patch for the Vulnerability exists and Customer can deploy the patch to all affected systems within three (3) days, Customer need not report the Vulnerability to DocuSign.

Each incident report from Customer to DocuSign shall, at a minimum and as applicable, describe:

(a) Name and short description of the compromised system;

(b) Date and time of discovery of the incident;

(c) Estimated date for the start of the incident;

(d) Date for the start of the remediation against the incident;

(e) Exact location of the system and impact of the incident;

(f) Description of the incident;

(g) Current status of the incident;

(h) Current status of the remediation;

(i) Type of compromise;

  1. In case of a hack, source of the attack;

  2. In case of an accident, description of reason causing the incident;

(j) Impact of the incident;

(k) Identity of those affected by the incident;

(l) Description of the remediation to solve the incident or to be implemented;

(m) Decision process with respect to raising a complaint to a competent authority;

(n) Name of the law enforcement agency contacted about the incident;

(o) List of customers and their locations using the Service impacted by the incident; and

(p) Exact type of information exposed during the incident.

Customer must provide as much information as is known at the time within the above time frames. If there is any missing information in the initial report, Customer must send a follow-up report within 72 hours. If there is still information missing after this deadline, Customer and DocuSign’s Security Officer shall set a follow-on deadline for submission of additional information.

For purposes of this Schedule, a “Security Incident” means:

Any attack, penetration, accident, activity, or other event or circumstance, whether resulting from normal or abnormal activity, realized on any network, computer, system, device, application, or database, that compromises the security, confidentiality, integrity, or availability of, or any technical, administrative, or organizational safeguards put in place by, the RA and DRA or any of their subcontractors with respect to the RA and DRA operations (including those applicable to any identity verification, Signer Identity management and/or technical key used with the Customer Connector, signature requests and/or Proof File data), or which results in a loss of integrity, confidentiality, availability and/or proof relating in any manner to the RA and DRA operations and/or personal data of Signers.

For purposes of this Schedule, a “Vulnerability” means:

A path (technical interaction, procedure, data, etc.) in the RA and DRA operations, whether run by a machine or a physical person, and/or in data managed by the RA and/or DRA, and/or in the RA and/or DRA system, which could possibly lead to a Security Incident (including, according to one or several attack scenarios, voluntary or not, a hack). Only a Vulnerability for which no immediate patch can be deployed in less than three (3) days on all data/systems exposed by the Vulnerability is subject to reporting to DocuSign.

5.7 Revocation. In its capacity as CA, DocuSign enables a Signer or an RA to report a potential or actual incorrect Signer Identity. These reports are considered revocation requests by the CA. If a Signer or an RA submits a valid revocation request in the first nine (9) days after a Certificate is issued, DocuSign shall add Signer’s Certificate into the Certificate Revocation List maintained and published by the CA.

A revocation of a Certificate does not invalidate de facto the signed eDocument attached to the relevant Certificate. The RA shall develop and adhere to procedures to respond to revocation requests from a Signer it has identified. Customer’s procedures shall:

(a) Allow Customer to authenticate a revocation request and transmit it to DocuSign within no more than 18 hours after its receipt and authentication by the RA;

(b) Be designed to prevent revocation by any individual other than the actual or legitimate Signer, and require Customer to authenticate each Signer who requests the revocation of his or her Certificate; and

(c) Be consistent with the procedures defined by DocuSign. Customer must transmit to DocuSign's Customer Support trusted contacts to handle Customer’s revocation request to DocuSign.

The RA transmits, and accepts from Signer, revocation requests only for the revocation reason defined in the TOU. DocuSign transmits the procedure for revocation and its successive updates to Customer.

6. DOCUSIGN WARRANTIES

6.1 Protect & Sign ETSI QES Personal Signature Warranties. DocuSign represents and warrants that when operated in accordance with the Documentation:

(a) the electronic signatures generated by the Service are admissible in accordance with Article 1366 of the French Civil Code; provided however only insofar as: 

(i) the signatory is clearly identified in the Signer Certificate and based on the identification elements sent by Customer in its capacity as a Registration Authority; and 

(ii) the Signer Certificate is established and stored under conditions likely to ensure the integrity (formation of a Proof File signed and time-stamped by DocuSign and archived in accordance with section 4.3 of this Schedule) and to the extent the electronic signature is linked with the eDocument; 

(b) the electronic signature generated by the Service meets the definition of “qualified” level under EU Regulation no. 910/2014 (eIDAS); and 

(c) DocuSign is a Trust Service Provider under the definition of eIDAS in the context of the provision of the Service.

7. TERMINATION

Upon the expiration or termination of this Service Schedule for any reason, Customer shall promptly return to DocuSign, as of the expiry and/or effective termination date, any Documentation made available by DocuSign for the performance of this Service Schedule and any copies of any nature stored in any medium, including a digital medium, or, if applicable and if expressly requested by DocuSign, destroy the Documentation and any copies made in any medium. Customer, as RA, also undertakes to return all logs governing Signer authentication and identity verification and Proof Files that the RA has in its possession according to the procedure and means defined in its agreement with DocuSign.