SECURITY ATTACHMENT FOR DOCUSIGN SERVICES
If you started your current Docusign Services subscription before March 9, 2026, your use of the Docusign Services is governed by the terms here: https://www.docusign.com/legal/agreements/legacy
Version date: March 9, 2026
This Security Attachment for Docusign Services (“Security Attachment”) sets forth Docusign’s commitments for the protection of Customer Data and is made part of the Agreement. Unless otherwise defined in this Security Attachment, capitalized terms will have the meaning given to them in the Agreement.
1. DEFINITIONS
“Applicable Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to data protection, data security, or breach notification, that apply to Docusign’s Processing of Customer Data.
“Data Incident” means any confirmed breach of Docusign’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, exfiltration of or access to Customer Data that is reasonably likely to cause material harm to Customer, except that Data Incidents do not include unsuccessful attempts, everyday security alerts, or other events that do not materially compromise the security, availability or confidentiality of Customer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Personnel” means all employees and agents of Docusign engaged in the performance of the Docusign Services to Customer.
“Process” or “Processing” means, with respect to this Security Attachment, any operation or set of operations that is performed upon Customer Data, whether or not by automatic means, such as, without limitation, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Production Environment” means the System setting where software, hardware, data, processes, and programs are executed for their final and intended operations by end users of the Docusign Services.
“Subcontractor” means a third party that Docusign has engaged to perform all or a portion of the Docusign Services on behalf of Docusign.
2. INFORMATION SECURITY PROGRAM
2.1 Information Security Program.
(a) Docusign maintains and will continue to maintain a written information security program that includes policies, procedures, and controls governing the Processing of Customer Data through the Docusign Services (“Information Security Program”).
(b) The Information Security Program is designed to protect the security, availability and confidentiality of Customer Data by using a multi-tiered technical, procedural, and people-related controls approach in accordance with industry best practices and applicable laws and regulations.
2.2 Permitted Use of Customer Data. Docusign will not Process Customer Data in any manner other than as permitted or required by the Agreement.
2.3 Acknowledgement of Shared Responsibilities.
(a) The security of Customer Data that is accessed, stored, shared, or otherwise Processed via the Docusign Services is a shared responsibility between Docusign and Customer.
(b) Docusign is responsible for the implementation and operation of the Information Security Program and the data protection measures described in the Agreement and this Security Attachment.
(c) Customer is responsible for properly implementing access and use controls and configuring certain features and functionalities of the Docusign Services that Customer may elect to use in a manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Customer Data, consistent with any legal requirements applicable to Customer.
(d) Customer is responsible for ensuring the accuracy of the Customer Data they upload and process via the Docusign Services.
(e) Docusign represents that it is not, and is not under the direction or control of, a “covered person,” as that term is defined under 28 CFR 202, the Department of Justice Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). Docusign shall not knowingly transfer any bulk U.S. sensitive personal data or government-related data to covered persons or countries of concern in violation of the DOJ Rule.
2.4 Applicability to Customer Data. This Security Attachment and the Information Security Program apply specifically to the Customer Data Processed via the Docusign Services and do not extend to data held on Customer systems or environments, processing through third-party services used by the Customer (including third-party services that integrate with the Docusign Services), or to any on-premise solutions that may be offered by Docusign to Customer.
3. SECURITY MANAGEMENT
3.1 Maintenance of Information Security Program.
(a) Docusign will implement appropriate technical and organizational measures to protect Customer Data located in the Docusign Services and will maintain the Information Security Program in accordance with industry standards such as ISO/IEC 27001 or such other alternative standards that are substantially equivalent to ISO/IEC 27001, and in accordance with applicable law.
(b) Docusign will maintain a written, enterprise-wide Information Security Policy framework which establishes standards and guidelines regarding information security in Docusign’s operations and the conduct of its Personnel, including, but not limited to, those related to acceptable use; asset management; business continuity and disaster recovery; change management; configuration management; data classification and handling; device security; encryption; governance and compliance; identity and access management; incident management and response; independent audits and certifications; network security and protection; environment segregation; personnel security and management; physical security; risk management; secure software development; systems monitoring, logging and alerting; third party management; training and awareness; and vulnerability management; among others.
(c) Docusign may update or modify the Information Security Program from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Docusign Services.
3.2 Risk Management.
(a) Docusign will implement a security risk management program to identify, assess and treat risks to Docusign’s information assets and operations. Risk management is integrated into business processes and is updated regularly.
(b) Docusign will conduct formal security risk assessments at least annually and upon significant changes. These assessments identify and evaluate risks to information assets and inform decisions on risk mitigation or acceptance. Results are integrated into the risk management process for follow-up and remediation.
3.3 Security Assurance Customer Contact.
(a) Customer’s account management team at Docusign will be Customer’s first point of contact for information and support related to the Information Security Program.
(b) Customer’s account management team will work directly with Customer to escalate Customer’s questions, issues, and requests to Docusign’s internal teams as necessary.
4. PERSONNEL SECURITY
4.1 Background Checks and Training.
(a) Docusign will ensure that reasonable and appropriate background checks are conducted on all Personnel in accordance with applicable laws and regulations.
(b) Personnel must pass Docusign’s background check requirements prior to being assigned to positions in which they will, or Docusign reasonably expects them to, have access to Customer Data.
(c) Docusign will conduct mandatory security and privacy awareness training (and additional role-based training as required) on-hire and at least annually thereafter to inform its Personnel on procedures and policies relevant to the Information Security Program and of the consequences of violating such procedures and policies, as required by industry standards and applicable laws.
5. THIRD-PARTY RISK MANAGEMENT
(a) Docusign will evaluate all Subcontractors to ensure that Subcontractors maintain adequate physical, technical, organizational, and administrative controls, based on the risk tier appropriate to their subcontracted services, that support Docusign’s compliance with the requirements of the Agreement and this Security Attachment and applicable laws.
(b) Docusign will ensure that all Subcontractors are subject to obligations to report Data Incidents to Docusign within timeframes that enable Docusign to meet its obligations to notify Customers of Data Incidents within the timeframes set forth in Section 10.2 and per applicable law.
(c) Docusign will remain responsible for the acts and omissions of its Subcontractors as they relate to the Docusign Services performed under the Agreement as if it had performed the acts or omissions itself, and any subcontracting will not reduce Docusign’s obligations to Customer under the Agreement.
6. PHYSICAL SECURITY MEASURES
6.1 General. Docusign will maintain appropriate physical security measures designed to protect tangible items, such as physical computer systems, networks, servers, and devices, that Process Customer Data. To the extent Docusign relies on third-party providers, including but not limited to cloud service providers, to host the Docusign Services, Docusign will ensure that such third-party providers maintain appropriate physical security measures and data management and protection controls designed to protect Customer Data.
6.2 Facility Access. Docusign will ensure that:
(a) access to Docusign’s corporate facilities is tightly controlled through, at a minimum, physical access card identification;
(b) all visitors to its corporate facilities must sign in, agree to confidentiality obligations, and be escorted by Personnel at all times while on premises; and
(c) visitor logs are reviewed by Docusign’s security team on a regular basis.
Docusign will revoke Personnel’s physical access to Docusign’s corporate facilities upon termination of employment.
6.3 Data Centers.
(a) Docusign will use third-party data center service providers in providing the Docusign Services, and will ensure that all data centers conform to ISO/IEC 27001 or equivalent standards and have appropriate physical, environmental and data protection controls.
(b) At a minimum, all data centers must meet the following requirements:
(i) Multi-factor physical security measures, including auditable entry/exit mechanisms that record the identity of all individuals entering/exiting the facility.
(ii) Access must be limited to authorized Personnel.
(iii) Third-party vendors and guests must be escorted by authorized Personnel at all times while in the data center.
(c) Environmental security controls will be in place at all data centers, including:
(i) Uninterruptible power supplies and secondary power supplies on all key systems;
(ii) Temperature and humidity controls for the heating, ventilation, and air conditioning equipment;
(iii) Heat and smoke detection devices and fire suppression systems; and
(iv) Periodic inspections by appropriate safety officials.
7. LOGICAL SECURITY
7.1 Access Controls.
(a) Docusign will maintain a formal access control policy and employ a centralized access management system to control Personnel access to the Production Environment.
(b) Docusign will ensure that all access to the Production Environment is subject to successful multi-factor authentication globally from both corporate and remote locations and is restricted to authorized Personnel who demonstrate a legitimate business need for such access.
(c) Docusign will maintain an associated access control process for reviewing and implementing Personnel access requests.
(d) Docusign will regularly review the access rights of authorized Personnel and, upon employment termination or change in scope of employment, will remove or modify such access rights as appropriate.
(e) Docusign will monitor and assess the efficacy of access restrictions applicable to the control of Docusign's system administrators in the Production Environment, which will entail generating records of individual system administrators’ activity and retaining such information for a period of at least twelve (12) months.
(f) Docusign will conduct an offboarding or exit process with respect to any Personnel upon termination of employment, which will include removal of the terminated Personnel’s access to Customer Data and Docusign’s sensitive systems and assets.
7.2 Auditing and Logging. With respect to system auditing and logging in the Production Environment:
(a) Docusign will use and maintain an auditing and logging mechanism that, at a minimum, captures and records successful and failed user logons and logoffs (with a date and time stamp, user ID, application name, and pass/fail indicator).
(b) User access activities will be logged and audited periodically by Docusign to identify unauthorized access and to determine possible flaws in Docusign’s access control system.
(c) All application components that have logging capabilities (such as operating systems, databases, web servers, and applications) will be configured to produce a security audit log.
(d) Audit logs will be configured for sufficient log storage capacity.
(e) Each log will be configured so that it cannot be disabled without proper authorization and will send alerts for the success or failure of each auditable event.
(f) Access to security log files will be limited to authorized Personnel.
7.3 Network Security.
(a) Docusign will maintain a defense-in-depth approach to hardening the Production Environment against exposure and attack.
(b) Docusign will maintain reasonably isolated Production Environments for the Docusign Services that include network management controls such as load balancers, firewalls, intrusion detection systems distributed across production networks, and malware protections.
(c) Docusign will complement its Production Environment architecture with prevention and detection technologies that monitor all activity generated and send risk-based alerts to the relevant security groups.
7.4 Malware Protection. Docusign will ensure that:
(a) its information systems and file transfer operations have effective and operational anti-malware software;
(b) extended detection and response solutions and enterprise anti-malware software are implemented, maintained, and kept up to date;
(c) all anti-malware software is configured for deployment and automatic update; and
(d) applicable anti-malware software is integrated with processes and will automatically generate alerts to Docusign’s Security Incident Response Team if potentially harmful code is detected, for investigation and analysis.
7.5 Secure Software Development Lifecycle.
(a) Docusign will maintain a formal software development lifecycle that includes secure coding practices in accordance with OWASP and related standards, and will perform both manual and automated code reviews.
(b) Docusign’s engineering, product development, and product operations teams will review changes included in software releases to the Production Environment to verify that developers have performed automated and manual code reviews designed to minimize associated risks.
(c) In the event that a significant vulnerability is identified in a code review, such vulnerability will be resolved prior to release into the Production Environment.
7.6 Vulnerability Scans and Penetration Tests.
(a) Docusign will perform both internal and external vulnerability scanning and application scanning on a regular basis.
(b) External scans and penetration tests against the Production Environment will be conducted only by external, qualified, credentialed, and industry recognized organizations engaged by Docusign, on a frequency based on risk but, at a minimum, on an annual basis.
(c) Docusign will remedy relevant vulnerabilities identified during scans and penetration tests in a commercially reasonable manner and timeframe based upon classified and prioritized severity level. Remediation of vulnerabilities may be accelerated based on assessed criticality and/or potential impact. Remediation timelines are subject to review, internal risk assessment and approval if extended timeframes are required.
(d) Docusign may make available to Customer relevant, non-privileged, third-party attestations resulting from vulnerability scans and penetration tests performed by independent external auditors.
(e) For clarification, under no circumstance will Customer be permitted to conduct any vulnerability scans or penetration testing against the Docusign Production Environment.
7.7 Asset Management. Docusign will manage its information assets through their lifecycle and implement procedures for secure commission, transport, retrieval, regularly scheduled maintenance (including servicing, inspection and repair), decommission and disposal.
7.8 Configuration Management. Docusign will maintain hardening and baseline configuration standards which are documented and regularly reviewed to ensure consistency with industry-accepted systems hardening standards and to address known security vulnerabilities. These standards are updated annually or whenever a material change occurs.
8. STORAGE, ENCRYPTION, AND DISPOSAL
8.1 Storage & Separation.
(a) Customer Data will be stored within secure Docusign-controlled environments, encompassing both cloud-based infrastructure and physical and logical infrastructure at Docusign’s colocation or data center facilities.
(b) Exceptions with respect to storage may only be made with Customer’s written authorization for specific purposes, such as, for example, extraction of Customer Data for storage on encrypted portable media.
(c) Docusign will logically separate Customer Data located in the Production Environment from other Docusign customer data.
(d) Docusign will not use Customer Data from the Production Environment in non-production environments without Customer’s express permission.
8.2 Encryption Technologies.
(a) Docusign will encrypt Customer Data using industry-recognized encryption standards and protocols, including cryptographic algorithms that meet or exceed current best practices and secure key management practices.
(b) Electronic transmission or exchange of Customer Data with the Docusign Services will be conducted via secure means.
8.3 Disposal. To the extent that Docusign manages physical equipment or media that stores Customer Data, Docusign will implement industry recognized processes and procedures for equipment management and secure data disposal under the guidelines identified in the National Institute of Standards’ Guidelines for Media Sanitization, SP 800-88.
9. BUSINESS CONTINUITY AND DISASTER RECOVERY
9.1 Continuity Plan.
(a) Docusign will maintain written business continuity and disaster recovery plans that support the availability of the Docusign Services (“Continuity Plans”).
(b) The Continuity Plans will include elements such as:
(i) crisis management, plan and team activation, event and communication process documentation;
(ii) business recovery, alternative site locations, and call tree testing; and
(iii) infrastructure, technology, system(s) details, recovery activities, and identification of the Personnel and teams required for such recovery.
(c) Docusign will conduct a test of the Continuity Plans on at least an annual basis.
(d) Docusign’s Continuity Plans shall provide for remediation of any deficiencies discovered during any such Continuity Plans testing within timeframes reasonably commensurate with the level of risk posed by the deficiency.
(e) The internal and independent audit reports described in Section 11.1 (Independent Assurances) will evidence or report on the execution of Docusign’s Continuity Plans’ tests and any resulting remedial actions.
9.2 Docusign Service Continuity.
(a) Docusign’s production architecture for the Docusign Services is designed to perform secure replication in near real-time to multiple active systems in geographically distributed and physically secure data centers.
(b) Docusign will ensure that:
(i) infrastructure systems for the Docusign Services have been designed to eliminate single points of failure and to minimize the impact of anticipated environmental risks;
(ii) each data center supporting the Docusign Services includes full redundancy and fault tolerance infrastructure for electrical, cooling, and network systems; and
(iii) Production Environment servers are enterprise-scale servers with redundant power to ensure maximum service availability.
9.3 Disaster Recovery.
(a) In the event of a failure of critical services or material business disruption, Docusign will promptly invoke its Continuity Plans and will restore critical service capability and the critical information technology infrastructure of the Docusign Services (including, but not limited to, data centers, hardware, software and power systems, and critical voice, data, and communications links).
(b) Except as otherwise provided in the applicable Continuity Plans, Docusign will use commercially reasonable efforts to promptly notify Customer’s Account Administrators of any failure of critical services or material business disruption.
(c) It is Docusign’s responsibility to require that its Subcontractors performing activities that could impact critical processes of the Docusign Services have plans in place that meet the same standards as required of Docusign hereunder.
(d) Notwithstanding anything to the contrary in the Agreement (including this Security Attachment) and without limiting any of Docusign’s responsibilities thereunder:
(i) Docusign will not be required to provide business continuity or disaster recovery plans for its colocation or data center facilities to Customer.
(ii) However, publicly available information and references to the capabilities of any such colocation or data center facility will be provided by Docusign upon request.
10. DATA INCIDENT RESPONSE AND NOTIFICATION
10.1 Data Incident Response Program.
(a) Docusign will maintain a tested incident response program, which will be managed and run by Docusign’s dedicated Security Incident Response Team.
(b) Docusign’s Security Incident Response Team will follow an industry standard framework that includes incident management and breach notification policies and associated processes.
(c) Docusign’s incident response program will include, at a minimum, the following incident lifecycle phases: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.
10.2 Data Incident Notification.
(a) Docusign will comply with applicable security breach notification laws and regulations in its provision of the Docusign Services.
(b) Docusign will notify Customer without undue delay and within timeframes required by applicable law, upon becoming aware of a Data Incident. Docusign shall not make any such notifications if prohibited by law or if Docusign is otherwise instructed by law enforcement or other regulatory body, or to the extent such notification would negatively impact Docusign’s ability to investigate and remediate the Data Incident.
(c) Without limiting the generality of the foregoing, Customer acknowledges and agrees that Data Incidents do not include unsuccessful attempts, everyday security alerts, or other events that do not materially compromise the security, availability or confidentiality of Customer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or network systems.
(d) Docusign’s notification of a Data Incident under this section is not an acknowledgement by Docusign of any fault or liability with respect to the Data Incident.
10.3 Data Incident Response.
(a) Docusign shall take reasonable measures to mitigate the cause of any Data Incident, and shall take reasonable corrective measures to prevent the same Data Incident from occurring in the future.
(b) As information is collected or otherwise becomes available to Docusign and unless prohibited by law, Docusign shall provide information regarding the nature and consequences of the Data Incident that are reasonably requested to allow Customer to notify affected individuals or government agencies, as applicable.
(c) Due to the encryption configuration and security controls associated with the Docusign Services, Docusign may not have access to or know the nature of the information contained within Customer Data and, as such, Customer acknowledges that it may not be possible for Docusign to provide Customer with a description of the type of information or the identity of individuals who may be affected by a Data Incident.
(d) Customer is solely responsible for determining whether to notify impacted individuals and for providing such notice, and for determining if regulatory bodies applicable to Customer or Customer’s use of the Docusign Services need to be notified of a Data Incident. Docusign shall not identify Customer in external communications related to a Data Incident unless required by law or valid judicial process.
11. INDEPENDENT ASSURANCES AND AUDITS
11.1 Independent Assurances.
(a) Docusign uses independent external auditors to verify the adequacy of its Information Security Program.
(b) Docusign will provide or make available to Customer non-privileged, third-party attestations, certifications, and reports relevant to the establishment, implementation, and controls of the Information Security Program, including, where applicable, ISO/IEC 27001 certifications, PCI DSS certifications, and Service Organization Controls (SOC) reports.
11.2 Additional Requirements. To the extent Customer requires additional audit information or assistance from Docusign beyond those set forth in Section 11.1 (Independent Assurances) as may be required under applicable laws and regulations:
(a) Customer may submit its request for such additional information and assistance, which shall include information regarding the applicable laws or regulations forming the basis of the request, to its account management representative.
(b) Docusign will work with Customer to reach mutually agreed upon terms regarding the scope, timing, duration, cost, and other details regarding such additionally requested information and assistance.
11.3 Audit for Data Incident. Following a Data Incident, Docusign will, within a reasonable timeframe:
(a) engage a third-party independent auditor, selected by Docusign and at Docusign’s expense, to conduct an audit of Docusign’s Information Security Program, as applicable.
(b) Upon request, Docusign may provide or make available non-privileged parts of such audit report or pertinent non-privileged information derived from the audit report to Customer.
11.4 Conditions of Audit by Customer.
(a) Any audits conducted pursuant to this Security Attachment must:
(i) be conducted during reasonable times and be of reasonable duration;
(ii) not occur more than once per year, except as set forth in Section 11.3;
(iii) not unreasonably interfere with Docusign’s day-to-day operations; and
(iv) be conducted under mutually agreed upon terms and in accordance with Docusign’s security policies and procedures.
(b) Docusign reserves the right to limit an audit of configuration settings, sensors, monitors, network devices and equipment, files, or other items if Docusign, in its reasonable discretion, determines that such an audit may compromise the security of the Docusign Services or the data of other Docusign customers.
(c) Customer’s audit rights do not include penetration testing or active vulnerability assessments of the Production Environment or Docusign Systems within its scope.
(d) In the event Customer conducts an audit through a third-party independent auditor, all terms set forth in Section 11.4(a) apply, and:
(i) such independent auditor must enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Docusign’s Confidential Information.
(ii) Customer must promptly provide Docusign with any audit, security assessment, compliance assessment reports, and associated findings prepared by it or its third-party auditor for comment and input prior to formalization and/or sharing such information with a third party.
11.5 Remediation and Response Timeline. If any audit performed pursuant to this Security Attachment reveals or identifies any material non-compliance by Docusign of its obligations under the Agreement and this Security Attachment, and Docusign confirms the existence of such material non-compliance, then:
(a) Docusign will work to correct such issues within a reasonable timeframe; and
(b) Customer may request feedback and information regarding corrective and remedial actions taken in relation to such audit.