Binding Corporate Rules: Processor Policy

Effective date:  January 26, 2023

• PART I: INTRODUCTION

• PART II: OUR OBLIGATIONS

• PART III: DELIVERING COMPLIANCE IN PRACTICE

• PART IV: THIRD PARTY BENEFICIARY RIGHTS

• PART V: RELATED POLICIES AND PROCEDURES

  • APPENDIX 1 - LIST OF DOCUSIGN GROUP MEMBERS

  • APPENDIX 2 - MATERIAL SCOPE OF THIS PROCESSOR POLICY

  • APPENDIX 3 - FAIR INFORMATION DISCLOSURES

  • APPENDIX 4 - DATA PROTECTION RIGHTS PROCEDURE

  • APPENDIX 5 - PRIVACY COMPLIANCE STRUCTURE

  • APPENDIX 6 - PRIVACY TRAINING REQUIREMENTS

  • APPENDIX 7 - AUDIT PROTOCOL

  • APPENDIX 8 - COMPLAINT HANDLING PROCEDURE

  • APPENDIX 9 - CO-OPERATION PROCEDURE

  • APPENDIX 10 - UPDATING PROCEDURE

  • APPENDIX 11 - GOVERNMENT DATA REQUEST PROCEDURE

  • APPENDIX 12 - TRANSFER IMPACT ASSESSMENT POLICY

PART I: INTRODUCTION

This Binding Corporate Rules: Processor Policy (“Processor Policy”) establishes Docusign's approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal information on behalf of a third-party controller.

Scope of this Processor Policy

This Processor Policy applies when we process personal information as a processor on behalf of a third-party controller, including when the personal information is transferred to a group member for processing. This Processor Policy applies regardless of whether our group members process personal information by manual or automated means.

The standards described in the Processor Policy are worldwide standards that apply to all group members when processing any personal information as a processor. As such, this Processor Policy applies regardless of the origin of the personal information that we process, the country in which we process personal information, or the country in which a group member is established.

For an explanation of some of the terms used in this Processor Policy, like "controller", "process", and "personal information", please see the section headed "Important terms used in this Processor Policy" below.

The material scope of this Processor Policy

The material scope of this Processor PolicyThe material scope of this Processor Policy is set out in Appendix 2. This describes the types of personal information, data subjects, and transfers that are protected by this Processor Policy. However, we must apply the standards described in this Processor Policy to all transfers of personal information to and between group members, even if they are not explicitly listed in Appendix 2.

Our collective responsibility to comply with this Processor Policy

All group members and their staff must comply with this Processor Policy when processing personal information as a processor on behalf of a Customer, irrespective of the country in which they are located.

In particular, all group members who process personal information as a processor must comply with:

• the rules set out in Part II of this Processor Policy;

• the practical commitments set out in Part III of this Processor Policy;

• the third party beneficiary rights set out in Part IV ; and

• the related policies and procedures appended in Part V of this Processor Policy.
  

Responsibility towards the Customer

As a data processor, Docusign will have a number of direct legal obligations under applicable data protection laws. In addition, the Customer will also pass certain data protection obligations on to Docusign in its contract appointing Docusign as its processor. If Docusign fails to comply with the terms of its processor appointment, this may put the Customer in breach of its applicable data protection laws and Customer may initiate proceedings against Docusign for breach of contract, resulting in the payment of compensation or other judicial remedies.

A Customer may enforce this Processor Policy against any group member that is in breach of it. Where a non-European group member (or a non-European third-party processor appointed by a group member) processes personal information for which the Customer is a controller in breach of this Processor Policy, that Customer may enforce the Processor Policy against DocuSign International (EMEA) Ltd. In such event, DocuSign International (EMEA) Ltd will be responsible for demonstrating that such group member (or third-party processor) is not responsible for the breach, or that no such breach took place.

When a Customer transfers personal information to a group member for processing in accordance with this Processor Policy, a copy of this Processor Policy shall be incorporated into the contract with that Customer. If a Customer chooses not to rely upon this Processor Policy when transferring personal information to a group member outside Europe, that Customer is responsible for implementing other appropriate safeguards in accordance with applicable data protection laws.

Management commitment and consequences of non-compliance

Docusign's management is fully committed to ensuring that all group members and their staff comply with this Processor Policy at all times.

Non-compliance may cause Docusign to be subject to sanctions imposed by competent data protection authorities and courts, and may cause harm or distress to individuals whose personal information has not been protected in accordance with the standards described in this Processor Policy.

In recognition of the gravity of these risks, staff members who do not comply with this Processor Policy will be subject to disciplinary action, up to and including dismissal.

Relationship with Docusign's Binding Corporate Rules: Controller Policy

This Processor Policy applies only to personal information that Docusign processes as a processor in order to provide a service to a Customer.

Docusign has a separate Binding Corporate Rules: Controller Policy that applies when it processes personal information as a controller (i.e. for its own purposes). When a Docusign group member processes personal information as a controller, it must comply with the Controller Policy.

In some situations, group members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Office of the Chief Privacy Officer whose contact details are provided below.

Where will this Processor Policy be made available?

This Processor Policy is accessible on Docusign's corporate website at www.docusign.com/trust/privacy.

Important terms used in this Processor Policy

For the purposes of this Processor Policy:

• the term applicable data protection laws includes the data protection laws in force in the territory in which the controller of the personal information is located. Where a group member processes personal information on behalf of a European controller under this Processor Policy, the term applicable data protection laws shall include the European data protection laws applicable to that controller (including Europe's General Data Protection Regulation, when applicable);

• the term controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal information. For example, Docusign is a controller of its Customer data and staff data;

• the term Controller Policy refers to Docusign’s Binding Corporate Rules: Controller Policy, which is available on Docusign's website at www.docusign.com/trust/privacy. The Controller Policy applies where Docusign processes personal information as a controller (i.e. for its own purposes);

• the term Customer refers to the third-party controller on whose behalf Docusign processes personal information. This includes Docusign's third-party customers, when we process personal information on their behalf in the course of providing data processing services to them;

• the term Docusign Platform is defined in Appendix 2 (Processor);

• the term Europe (and European) as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Liechtenstein and Iceland;

• the term group member means the members of Docusign's group of companies listed in Appendix 1;

• the term personal information means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term personal information shall include any information that is "personal data", "personally identifiable information", "personal information" and any analogous concept under applicable data protection laws;

• the term processing means any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

• the term processor means a natural or legal person which processes personal information on behalf of a controller. For example, Docusign is a processor of the personal information it processes to provide services to its Customers;

• the term Processor Policy refers to this Binding Corporate Rules: Processor Policy. The Processor Policy applies where Docusign processes personal information as a processor on behalf of a third party controller;

• the term sensitive personal information means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. It also includes information about an individual's criminal offences or convictions, as well as any other information deemed sensitive under applicable data protection laws;

• the term staff refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any Docusign group member. All staff must comply with this Processor Policy; and

• the term transfer impact assessment is further defined in Rule 11 of this Controller Policy and relates to the assessment carried out by Docusign and applicable Docusign group members in accordance with Appendix 12 (Transfer Impact Assessment Policy).

How to raise questions or concerns

If you have any questions regarding this Processor Policy, your rights under this Processor Policy or applicable data protection laws, or any other data protection issues, you can contact the Office of the Chief Privacy Officer using the details below. The Office of the Chief Privacy Officer will either deal with the matter directly or forward it to the appropriate person or department within Docusign to respond.

The Office of the Chief Privacy Officer will ensure that changes to this Policy are notified to the group members and to individuals whose personal information is processed by Docusign in accordance with Appendix 10.

If you want to exercise any of your data protection rights, please see the data protection rights procedure set out in Appendix 4. Alternatively, if you are unhappy about the way in which Docusign has used your personal information, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 8.

Return to top

PART II: OUR OBLIGATIONS

This Processor Policy applies in all situations where a group member processes personal information as a processor anywhere in the world. All staff and group members must comply with the following obligations:

Return to top

PART III: DELIVERING COMPLIANCE IN PRACTICE

To ensure we follow the rules set out in our Processor Policy, in particular the obligations set out in Part II, Docusign and all of its group members must also comply with the following practical commitments:

Return to top

PART IV: THIRD PARTY BENEFICIARY RIGHTS

Application of this Part IV

This Part IV applies where individuals’ personal information are protected under European data protection laws (including the General Data Protection Regulation). This is the case when:

• those individuals’ personal information are processed in the context of the activities of a third-party controller or a group member (acting as processor) established in Europe;

• a non-European Customer (acting as controller) or group member (acting as processor) offers goods and services (including free goods and services) to those individuals in Europe; or

• a non-European Customer (acting as controller) or group member (acting as processor) monitors the behaviour of those individuals, as far as their behaviour takes place in Europe;

and that Customer or group member (as applicable) then transfers those individuals’ personal information to a non-European group member (or its sub-processor) for processing under the Processor Policy.

Entitlement to effective remedies

When this Part IV applies, individuals have the right to pursue effective remedies in the event their personal information is processed by Docusign in breach of the following provisions of this Processor Policy:

• Part II (Our Obligations) of this Processor Policy;

• Paragraphs 5 (Complaints Handling), 6 (Cooperation with Competent Data Protection Authorities), 8 (Conflicts between this Processor Policy and national legislation) and 9 (Government requests for disclosure of personal information) under Part III of this Processor Policy; and

• Part IV (Third Party Beneficiary Rights) of this Processor Policy.

Individuals’ third party beneficiary rights

When this Part IV applies, the right for individuals to pursue effective remedies against Docusign apply only if either (i) the requirements at stake are specifically directed at Docusign as a processor in accordance with applicable data protection law (and in accordance with the guidance published by competent data protection authorities), or (ii) the individuals cannot bring a claim against a Customer because:

• the Customer has factually disappeared or ceased to exist in law or has become insolvent; and

• no successor entity has assumed the entire legal obligations of the Customer by contract or by operation of law.

In such cases, individuals may exercise the following rights:

• Complaints: Individuals may complain to a group member and/or to a European data protection authority, in accordance with the Complaints Handling Procedure at Appendix 8;

• Proceedings: Individuals may commence proceedings against a group member for violations of this Processor Policy, in accordance the Complaints Handling Procedure at Appendix 8;

• Compensation: Individuals who have suffered material or non-material damage as a result of an infringement of this Processor Policy have the right to receive compensation from Docusign for the damage suffered.

• Transparency: Individuals also have the right to obtain a copy of the Processor Policy, which they may exercise by making a request to the Office of the Chief Privacy Officer at privacy@docusign.com or by directly accessing the Processor Policy as published on www.docusign.com/trust/privacy.

Responsibility for breaches by non-European group members

DocuSign International (EMEA) Ltd will be responsible for ensuring that any action necessary is taken to remedy any breach of the Processor Policy by a non-European group member (or any non-European sub-processor appointed by a group member).

In particular:

• If an individual or a Customer (acting as controller) can demonstrate damage it has suffered likely occurred because of a breach of this Processor Policy by a non-European group member (or a non-European sub-processor appointed by a group member), DocuSign International (EMEA) Ltd will have the burden of proof to show that the non-European group member (or non-European sub-processor) is not responsible for the breach, or that no such breach took place.

• where a non-European group member (or any non-European third-party sub-processor acting on behalf of a group member) fails to comply with this Processor Policy, individuals may exercise their rights and remedies above against DocuSign International (EMEA) Ltd and, where appropriate, receive compensation (as determined by a competent court or other competent authority) from DocuSign International (EMEA) Ltd for any material or non-material damage suffered as a result of a breach of this Processor Policy.

Shared liability for breaches with controllers

Where Docusign is engaged by a Customer to conduct processing and both are responsible for harm caused by the processing in breach of this Processor Policy, Docusign accepts that both Docusign and the Customer may be held liable for the entire damage in order to ensure effective compensation of the individual.

Return to top

PART V: RELATED POLICIES AND PROCEDURES

APPENDIX 1 - LIST OF DOCUSIGN GROUP MEMBERS

The table below lists the Docusign group members which are bound by Docusign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy”.

Return to top

APPENDIX 2 - MATERIAL SCOPE OF THIS PROCESSOR POLICY

1. Background

   1. Docusign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between Docusign group members.

   2. This document sets out the material scope of the Processor Policy. It specifies the data transfers or set of transfers, including the nature and categories of personal information, the type of processing and its purposes, the types of individuals affected, the identification of the third country or countries and lists the Docusign products that are covered by the Processor Policy.

2. Important terms used within this Appendix

The following terms have the following meanings:

"Customer Services" means services provided by Docusign to Customers through the Docusign Platform. Such services include hosting and processing contract documentation and other documents of Customers on the DocuSign Platform on behalf of Customers.

"Docusign Platform" means the digital transaction management platform provided by Docusign to its Customers, which is used by Customers to facilitate digital transactions that include the signing process of contractual documents and other documents of the Customer. Specifically, the Docusign Platform is comprised of the Docusign products listed in paragraph 4.

3. Content data

4. Docusign products

The Docusign Platform covered by this Processor Policy will include all Docusign products and services, including but not limited to the following Docusign Products:

• Docusign eSignature and Docusign eSignature-based products and services (including Rooms, Docusign Gen and Docusign Negotiate)

• Docusign CLM (Contract Lifecycle Management) service

• SpringCM (Contract Management) service

• Intelligent Seal-branded software and service, and other Docusign products and services based on Seal technology

• Liveoak digital software service and other Docusign products and services based on the Liveoak technology

Return to top

APPENDIX 3 - FAIR INFORMATION DISCLOSURES

1. Background

   1. Docusign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between Docusign group members.

   2. This Fair Information Disclosure document sets out the transparency information that Docusign must provide to individuals when processing their personal information.

2. Information to be provided where Docusign collects personal information directly from individuals

   1. When Docusign collects personal information directly from individuals, it must provide the following transparency information:

      1. the identity and contact details of the data controller and, where applicable, of its representative;

      2. the contact details of the data protection officer, where applicable;

      3. the purposes of the processing for which the personal information are intended as well as the legal basis for the processing;

      4. where the processing is based on Docusign's or a third party's legitimate interests, the legitimate interests pursued by Docusign or by the third party;

      5. the recipients or categories of recipients of the personal information, if any; and

      6. where applicable, the fact that a group member in Europe intends to transfer personal information to a third country or international organisation outside of Europe, and the measures that the group member will take to ensure the personal information remains protected in accordance with applicable data protection laws and how to obtain a copy of such measures.

   2. In addition to the information above, Docusign shall also provide individuals with the following further information necessary to ensure fair and transparent processing, at the time of collection:

      1. the period for which the personal information will be stored, or if that is not possible, the criteria used to determine that period;

      2. information about the individuals' rights to request access to, rectify or erase their personal information, as well as the right to restrict or object to the processing, and the right to data portability;

      3. where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

      4. the right to lodge a complaint with the competent supervisory authority;

      5. whether the provision of personal information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal information and of the possible consequences of failure to provide such information; and

      6. the existence of automated decision-making, including profiling, where such decisions may have a legal effect or significantly affect the individuals whose personal information are collected, together with any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for those individuals.

   3. The transparency information described in this paragraph must be provided at the time that Docusign obtains the personal information from the individual.

3. Information to be provided where Docusign collects personal information about individuals from a third party source

   1. When Docusign collects personal information from a third party source (that is, someone other than the individual him- or herself), it must provide the following transparency information:

      1. the information described in paragraphs 2.1 and 2.2 above;

      2. the categories of personal information that are being processed; and

      3. details of the third party source from which Docusign obtained the personal information including, if applicable, identifying whether the personal information came from publicly accessible sources.

   2. The transparency information described in this paragraph must be provided within a reasonable period after Docusign obtains the personal information and, at the latest, within one month, having regard to the specific circumstances in which the personal information are processed. In addition:

      1. if the personal information are to be used for communication with the individual, the transparency information described in this paragraph must be provided at the latest at the time of the first communication to that individual; and

      2. if a disclosure of the personal information to another recipient is envisaged, the transparency information described in this paragraph must be provided at the latest when the personal information are first disclosed.

4. Derogations from providing transparency disclosures

   1. The requirements to provide transparency information as described in this Fair Information Disclosures document shall not apply where and insofar as:

      1. the individual already has the information;

      2. the provision of such information provides impossible or would involve a disproportionate effort, and Docusign takes appropriate measures, consistent with the requirements of applicable data protection laws, to protect the individual’s rights and freedoms and legitimate interests, including by making the transparency information publicly available;

      3. obtaining or disclosure is expressly laid down by applicable laws to which Docusign is subject and these laws provide appropriate measures to protect the individual’s legitimate interests; or

      4. where the personal information must remain confidential subject to an obligation of professional secrecy regulated by applicable laws to which Docusign is subject, including a statutory obligation of secrecy.

Return to top

APPENDIX 4 - DATA PROTECTION RIGHTS PROCEDURE

1. Background

   1. Docusign's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the Docusign group members.

   2. Individuals whose personal information are processed by Docusign under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is Docusign or a Customer) (a “Data Protection Rights Request”).

   3. This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how Docusign will respond to any Data Protection Rights Requests it receives from individuals whose personal information are processed and transferred under the Policies.

2. Individual’s data protection rights

   1. Docusign must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:

      1. The right of access: This is the right for individuals to obtain confirmation whether a controller processes personal information about them and, if so, to be provided with access to, and a copy of, that personal information. This process for handling this type of request is described further in paragraph 4 below.

      2. The right to rectification: This is the right for individuals to require a controller to rectify without undue delay any inaccurate personal information a controller may be processing about them. The process for handling this type of request is described further in paragraph 5 below.

      3. The right to erasure: This is the right for individuals to require a controller to erase personal information about them on certain grounds – for example, where the personal information is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.

      4. The right to restriction: This is the right for individuals to require a controller to restrict processing of personal information about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.

      5. The right to object: This is the right for individuals to object, on grounds relating to their particular situation, to a controller’s processing of personal information about them, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.

      6. The right to data portability: This is the right for individuals to receive personal information concerning them from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.

3. Responsibility to respond to a Data Protection Rights Request

   1. Overview

      1. The controller of an individual’s personal information is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.

      2. As such, when an individual contacts Docusign to make any Data Protection Rights Request then:

         1. where Docusign is the controller of that individual’s personal information under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and

         2. where Docusign processes that individual’s personal information as a processor on behalf of a Customer under the Processor Policy, Docusign must inform the relevant Customer promptly and provide it with reasonable assistance (which may include in-product self-service functionality) to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.

   2. Assessing responsibility to respond to a Data Protection Rights Request

      1. If a group member receives a Data Protection Rights Request from an individual, it must pass the request to the Office of the Chief Privacy Officer at privacy@docusign.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Office of the Chief Privacy Officer to deal with the request.

      2. The Office of the Chief Privacy Officer will make an initial assessment of the request as follows:

         1. the Office of the Chief Privacy Officer will determine whether Docusign is a controller or processor of the personal information that is the subject of the request;

         2. where the Office of the Chief Privacy Officer determines that Docusign is a controller of the personal information, it will then determine whether the request has been made validly under applicable data protection laws (in accordance with section 3.3 below), whether an exemption applies (in accordance with section 3.4 below) and respond to the Request (in accordance with section 3.5 below); and

         3. where the Office of the Chief Privacy Officer determines that Docusign is a processor of the personal information on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer.

   3. Assessing the validity of a Data Protection Rights Request

      1. If the Office of the Chief Privacy Officer determines that Docusign is the controller of the personal information that is the subject of the request, it will contact the individual promptly in writing to confirm receipt of the Data Protection Rights Request.

      2. A Data Protection Rights Request must generally be made in writing, which can include email, unless applicable data protection laws allow a request to be made orally (for example under Europe's General Data Protection Regulation). A Data Protection Rights Request does not have to be official or mention data protection law to qualify as a valid request.

      3. If Docusign has reasonable doubts concerning the identity of the individual making a request, it may request such additional information as is necessary to confirm the identity of the individual making the request. Docusign may also request any further information which is necessary to action the individual's request.

   4. Exemptions to a Data Protection Rights Request

      1. Docusign will not refuse to act on Data Protection Rights Request unless it can demonstrate that an exemption applies under applicable data protection laws.

      2. Docusign may be exempt under applicable data protection laws from fulfilling the Data Protection Rights Request (or be permitted to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested) if it can demonstrate that the individual has made a manifestly unfounded or excessive request (in particular, because of the repetitive character of the request).

      3. If Docusign decides not to take action on the Data Protection Rights Request, Docusign will inform the individual without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent supervisory authority and lodging a claim before the court

   5. Responding to a Data Protection Rights Request

      1. Where Docusign is the controller of the personal information that is the subject of the Data Protection Rights Request, and Docusign has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then Docusign shall handle the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).

      2. Docusign will respond to a Data Protection Rights Request without undue delay and in no case later than one (1) month of receipt of that request. This one (1) month period may be extended by two (2) further months where necessary, if the request is complex or due to the number of requests that have been made.

4. Requests for access to personal information

   1. Overview

      1. An individual may require a controller to provide the following information concerning processing of his or her personal information:

         1. confirmation as to whether the controller holds and is processing personal information about that individual;

         2. if so, a description of the purposes of the processing, the categories of personal information concerned, the recipients or categories of recipients to whom the information is, or may be, disclosed, the envisaged period(s) (or the criteria used for determining those period(s)) for which the personal information will be stored;

         3. information about the individual’s right to request rectification or erasure of his or her personal information or to restrict or object to its processing;

         4. information about the individual’s right to lodge a complaint with a competent data protection authority;

         5. information about the source of the personal information if it was not collected from the individual;

         6. details about whether the personal information is subject to automated decision-making (including automated decision-making based on profiling); and

         7. where personal information is transferred outside Europe, the appropriate safeguards that Docusign has put in place relating to such transfers in accordance with applicable data protection laws.

      2. An individual is also entitled to request a copy of his or her personal information from the controller. Where an individual makes such a request, the controller must provide that personal information to the individual in intelligible form.

   2. Process for responding to access requests from individuals

      1. If Docusign receives an access request from an individual, this must be passed to the Office of the Chief Privacy Officer at privacy@docusign.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

      2. Where Docusign determines it is the controller of the personal information and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Office of the Chief Privacy Officer will arrange a search of all relevant electronic and paper filing systems.

      3. The Office of the Chief Privacy Officer may refer any complex cases to the Chief Privacy Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal information may prejudice commercial confidentiality or legal proceedings.

      4. The personal information that must be disclosed to the individual will be collated by the Office of the Chief Privacy Officer into a readily understandable format. A covering letter will be prepared by the Office of the Chief Privacy Officer which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).

   3. Exemptions to the right of access

      1. A valid request may be refused on the following grounds:

         1. if the refusal to provide the information is consistent with applicable data protection law (for example, where a European group member transfers personal information under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the group member is located);

         2. where the personal information is held by Docusign in non-automated form that is not or will not become part of a filing system; or

         3. the personal information does not originate from Europe, has not been processed by any European group member, and the provision of the personal information requires Docusign to use disproportionate effort.

      2. The Office of the Chief Privacy Officer will assess each request individually to determine whether any of the above-mentioned exemptions applies. A group member must never apply an exemption unless this has been discussed and agreed with the Office of the Chief Privacy Officer.

5. Requests to correct, update or erase personal information, or to restrict, cease or object to processing personal information

   1. If Docusign receives a request to correct, update or erase personal information, or to restrict or cease processing of an individual’s personal information, this must be passed to the Office of the Chief Privacy Officer at privacy@docusign.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.

   2. Once an initial assessment of responsibility has been made then:

      1. where Docusign is the controller of that personal information, the request must be notified to the Office of the Chief Privacy Officer promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.

      2. where a Customer is the controller of that personal information, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. Docusign shall assist the Customer to fulfill the request in accordance with the terms of its contract with the Customer.

   3. To assist the Office of the Chief Privacy Officer in assessing an individual's objection to processing of his or her personal information, the grounds upon which an individual may object are when:

      1. Docusign processes the personal information on grounds that:

         1. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Docusign;

         2. the processing is necessary for the purposes of legitimate interests pursued by Docusign or by a third party; or

         3. including profiling based on those grounds. When an individual raises an objection in such circumstances, Docusign shall no longer process the personal information unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.

      2. Docusign processes the personal information for direct marketing purposes, including profiling to the extent that it is related to direct marketing. When an individual raises an objection in such circumstances, Docusign shall no longer process the personal information for such direct marketing purposes.

   4. To assist the Office of the Chief Privacy Officer in assessing an individual's request for restriction of processing of his or her personal information, the grounds upon which an individual may request restriction are when:

      1. the accuracy of the personal information is contested by the individual, for a period enabling Docusign to verify the accuracy of the personal information;

      2. the processing is unlawful and the individual opposes the erasure of the personal information and requests the restriction of its use instead;

      3. Docusign no longer needs the personal information for the purposes of the processing, but it is required by the individual for the establishment, exercise or defence of legal claims; or

      4. the individual has exercised his or her right to object pending the verification whether the legitimate grounds of the controller override his or her objection right.

   5. To assist the Office of the Chief Privacy Officer in assessing an individual's request for erasure of his or her personal information, the grounds upon which an individual may request erasure are when:

      1. the personal information are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

      2. the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;

      3. the individual exercises its right to object to processing of his or her personal information and there are no overriding legitimate grounds for continue processing;

      4. the personal information have been unlawfully processed;

      5. the personal information have to be erased for compliance with a legal obligation to which the controller is subject; or

      6. the personal information have been collected in relation to the offer of information society services to a child under the age of 16 and a parent or guardian has not consented to the processing.

   6. When Docusign must rectify or erase personal information, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, Docusign will notify other group members and any sub-processor to whom the personal information has been disclosed so that they can also update their records accordingly.

   7. Where Docusign acting as a controller must restrict processing of an individual's personal information, it must inform the individual before it subsequently lifts any such restriction.

   8. If Docusign acting as controller has made the personal information public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal information that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal information.

6. Requests for data portability

   1. If an individual makes a Data Protection Rights Request to Docusign acting as controller to receive the personal information that he or she has provided to Docusign in a structured, commonly used and machine-readable format and/or to transmit directly such information to another controller (where technically feasible), the Office of the Chief Privacy Officer will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.

7. Questions about this Data Protection Rights Procedure

   1. All queries relating to this Procedure are to be addressed to the Office of the Chief Privacy Officer or at privacy@docusign.com.

Return to top

APPENDIX 5 - PRIVACY COMPLIANCE STRUCTURE

1. Background

   Docusign's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional Privacy Compliance Structure.

   Docusign’s Privacy Compliance Structure has the full support of Docusign’s executive management. Further information about Docusign's Privacy Compliance Structure is set out below and in the structure chart provided at Annex 1.

2. Chief Privacy Officer

   Docusign has appointed a Chief Privacy Officer who provides executive-level oversight of, and has responsibility for, ensuring Docusign's compliance with applicable data protection laws and the Policies.

   The Chief Privacy Officer has direct line reporting to Docusign's Board of Directors on all material or strategic issues relating to Docusign's compliance with data protection laws and the Policies, and is also accountable to Docusign's independent audit committee.

   The Chief Privacy Officer is supported in the exercise of its responsibilities by the office of the Chief Privacy Officer, the Security & Privacy Council, and any other personnel that the Chief Privacy Officer may designate from time to time to provide such support.

3. The Office of the Chief Privacy Officer

   The Office of the Chief Privacy Officer is comprised of members of the Legal department and supports the Chief Privacy Officer in the exercise of his/her responsibilities.

   The activities of the Office of the Chief Privacy Officer include:

   • maintaining a comprehensive privacy program that defines, develops, maintains and implements Policies and processes to comply with data protection laws.

   • supervising compliance with the Policies;

   • providing periodic reports, as appropriate, to the Chief Executive Officer and other business executives and staff on data protection risks and compliance issues;

   • overseeing privacy program activities, including privacy impact assessment, data protection impact assessment, and records of processing activities;

   • ensuring that effective data privacy controls as implemented across Docusign are in place for any third party with which Docusign share personal information or any third party from whom Docusign receives personal information;

   • deciding on complaints as described the Complaint Handling Procedure; and

   • overseeing official investigations or inquiries into the processing of personal information by a public authority or employee representative body.

4. Security & Privacy Council

   The Docusign Security & Privacy Council comprises representatives from key functional groups for Docusign’s business, including the office of the Chief Privacy Officer, Information Security, Risk & Compliance, Legal, Engineering, Technical Operations, Finance and Information Technology to ensure appropriate oversight for privacy controls implemented across the business and ensuring business ownership for applicable aspects of DocuSign's data protection compliance.

   The Security & Privacy Council is accountable for assessing privacy controls and identifying potential areas of improvement for Docusign's data privacy program internally . In this way, the Security & Privacy Council is actively engaged in addressing matters relating to Docusign's privacy compliance across such key functional groups of Docusign.

5. Docusign Staff

   All staff members within Docusign are responsible for supporting the functional Security & Privacy Council members on a day-to-day basis and adhering to Docusign privacy policies.

   In addition, Docusign personnel are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Security & Privacy Council member, or, if they prefer, the office of the Chief Privacy Officer. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.

Annex 1: Overview of Docusign's Privacy Compliance Structure

Return to top

APPENDIX 6 - PRIVACY TRAINING REQUIREMENTS

1. Background

   1. The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between Docusign group members. The document sets out the requirements for Docusign to train its staff members on the requirements of the Policies.

   2. Docusign must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal information) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws and may include training on any other relevant data protection laws that apply to Docusign. Training may also include guidance on data protection best practices and any security standards controls applicable to Docusign (such as ISO 27001 and SSAE 18).

   3. Staff members who have permanent or regular access to personal information and who are involved in the processing of personal information or in the development of tools to process personal information must receive additional, tailored training on the Policies and specific data protection issues relevant to their role. This training is further described below and is repeated on a regular basis.

2. Responsibility for the Privacy Training Program

   1. Docusign's Office of the Chief Privacy Officer has overall responsibility for privacy training at Docusign, with input with colleagues from other functional areas including Information Security, HR and other departments, as appropriate. They will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal information, who are involved in the processing of personal information or in the development of tools to process personal information.

   2. Docusign's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance will be recorded and monitored via regular audits of the training process. These audits are performed by Docusign's internal training administration team and/or independent third-party auditors.

   3. If these training audits reveal persistent non-attendance, this will be escalated to the Office of the Chief Privacy Officer for action. Such action may include escalation of non-attendance to appropriate managers within Docusign who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.

3. Delivery of the training courses

   1. Docusign will deliver mandatory electronic training courses, supplemented by live training for staff members in appropriate cases. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.

   2. All Docusign staff members must complete data protection training (including training on the Policies):

      1. as part of their onboarding activities;

      2. as part of a regular refresher training at least once every calendar year;

      3. as and when necessary to stay aware of changes in the law; and

      4. as and when necessary to address any compliance issues arising from time to time.

   3. Certain staff members may be required to receive supplemental specialist training, such as staff members who work in Marketing, Sales, and Customer Support or whose business activities include processing sensitive personal data. Specialist training shall be delivered as additional modules to the basic training package, and may be tailored as necessary to the course participants.

4. Training on data protection

   1. Docusign's training on data protection and the Policies will cover the following main areas:

      1. What is data protection law?

      2. What are key data protection terminology and concepts?

      3. What are the data protection principles?

      4. How does data protection law affect Docusign globally?

      5. An overview of the Controller and Processor Policies

      6. Practical examples of how and when the Controller and Processor Policies apply

Return to top

APPENDIX 7 - AUDIT PROTOCOL

1. Background

   1. Docusign's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the Docusign group members. Roles are defined in Appendix 5.

   2. Docusign must audit its compliance with the Policies on a regular basis and this document describes how and when Docusign must perform such audits. Although this Audit Protocol describes the formal assessment process by which Docusign will audit its compliance with the Policies, this is only one way in which DocuSign ensures that the provisions of the Policies are observed and corrective actions taken as required.

   3. In particular, Docusign's Privacy Team provides ongoing guidance about the processing of personal information and must continually assess the processing of personal information by group members for potential privacy-related risks and compliance with these Policies.

2. Conduct of an audit

   1. Overview of audit requirements

      1. Compliance with the Policies is overseen on a day to day basis by the office of the Chief Privacy Officer. The internal audit team (for itself or through its delegate) is responsible for performing independent audits of compliance with the Policies periodically and will ensure that such audits address all aspects of the Policies, to be overseen by the office of the Chief Privacy Officer. The Chief Privacy Officer will determine the specific privacy controls that the internal audit team will audit in advance of any such audit.

      2. The internal audit team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Chief Privacy Officer and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to the Board of Directors in accordance with paragraph 2.5.1. Any non-compliance with the Policies will be reported back to the Responsible Executive.

      3. Where Docusign acts as a processor, the Customer (or auditors acting on its behalf) may audit Docusign for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on Docusign's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with Docusign. Where the Customer agrees, Docusign and its sub-processors may fulfill such Customer audit requirements by providing relevant, complete and accurate evidence of recent data protection and information security audits to which they have been subject.

      4. All audits shall be conducted by an inspections body composed of independent members and in possession of the required professional qualifications, bound by a duty of confidentiality.

   2. Frequency of audit

      1. Audits of compliance with the Policies are conducted:

         1. at least annually in accordance with Docusign's audit procedures;

         2. at the request of the Chief Privacy Officer and/or the Board of Directors;

         3. as may be determined necessary by the office of the Chief Privacy Officer (for example, in response to a specific incident); and/or

         4. (with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with Docusign.

   3. Scope of audit

      1. The Chief Privacy Officer will determine the scope of an audit following a risk-based analysis, taking into account relevant criteria such as:

         1. areas of current regulatory focus;

         2. areas of specific or new risk for the business;

         3. areas with changes to the systems or processes used to safeguard information;

         4. use of innovative new tools, systems or technologies

         5. areas where there have been previous audit findings or complaints;

         6. the period since the last review; and

         7. the nature and location of the personal information processed.

      2. If a Customer exercises its right to audit Docusign for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to Docusign's processing of Personal Information for that Customer under the Processor Policy. Docusign will not provide a Customer with access to systems which process personal information of another Customer.

   4. Auditors

      1. Audit of the Policies (including any related procedures and controls) will be undertaken by the internal audit team and/or the office of the Chief Privacy Officer. In addition, Docusign may appoint independent and experienced professional auditors acting under a duty of confidence and in possession of the required professional qualifications as necessary to perform audits of the Policies (including any related procedures and controls).

      2. If a Customer exercises its right to audit Docusign for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with DocuSign.

   5. Reporting

      1. Data protection audit reports must be submitted to the Office of the Chief Privacy Officer and, if the report reveals breaches or the potential for breaches of a serious nature (for example, presenting a risk of potential harm to individuals or to the business), to the Board of Directors.

      2. Upon request and subject to applicable law, Docusign will:

         1. provide copies of the results of data protection audits of the Policies (including any related procedures and controls) to the competent data protection authorities; and

         2. to the extent that an audit of compliance with the Processor Policy relates to personal information Docusign processes on behalf of a Customer, to that Customer.

      3. The Office of the Chief Privacy Officer is responsible for liaising with the competent data protection authorities for the purpose of providing the information outlined in paragraph 2.5.2.

   6. Data protection authority audits

      1. The competent data protection authorities audit group members for compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure (see Appendix 9).

Return to top

APPENDIX 8 - COMPLAINT HANDLING PROCEDURE

1. Background

   1. Docusign's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the Docusign group members.

   2. This Complaint Handling Procedure describes how complaints brought by an individual whose personal information is processed by Docusign under the Policies must be addressed and resolved.

   3. This procedure will be made available to individuals whose personal information is processed by Docusign under the Controller Policy and to Customers on whose behalf Docusign processes personal information under the Processor Policy.

2. How individuals can bring complaints

   1. Any individuals may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing Docusign’s Office of the Chief Privacy Officer at privacy@docusign.com.

3. Complaints where Docusign is a controller

   1. Who handles complaints?

      1. The Office of the Chief Privacy Officer will handle all questions, concerns, or complaints in respect of personal information for which Docusign is a controller (such as personal information processed in the context of HR admin or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Office of the Chief Privacy Officer will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.

   2. What is the response time?

      1. The Office of the Chief Privacy Officer will acknowledge receipt of a question, concern or complaint to the individual concerned without undue delay, investigating and making a substantive response within one (1) month.

      2. If, due to the complexity of the question, concern or complaint, a substantive response cannot be given within this period, the Office of the Chief Privacy Officer will advise the individual accordingly and provide reasons why an extension is necessary and a reasonable estimate (not exceeding two (2) months) of the timescale within which a substantive response will be provided.

      3. If, having reviewed the question, concern or complaint, the Office of the Chief Privacy Officer does not take action that has been requested by the individual, the Office of the Chief Privacy Officer shall inform the individual without delay and of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

   3. What happens if an individual disputes a finding?

      1. If the individual notifies the Office of the Chief Privacy Officer that it disputes any aspect of the response finding and wishes to further escalate the matter within Docusign, the Office of the Chief Privacy Officer will refer the matter to the Chief Privacy Officer. The Chief Privacy Officer will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The Chief Privacy Officer will respond to the complainant within one (1) month from being notified of the escalation of the dispute.

      2. As part of its review, the Chief Privacy Officer may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the Chief Privacy Officer will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed two (2) months from the date the dispute was escalated.

      3. If the complaint is upheld, the Chief Privacy Officer will arrange for any necessary steps to be taken as a consequence (for example, implementing procedures to remedy the complaint and prevent recurrence).

4. Complaints where Docusign is a processor

   1. Communicating complaints to the Customer

      1. Where a complaint is brought in respect of the processing of personal information for which Docusign is a processor on behalf of a Customer, Docusign will communicate the details of the complaint to the relevant Customer without delay and without handling it (unless Docusign has agreed in the terms of its contract with the Customer to handle complaints).

      2. Docusign will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.

   2. What happens if a Customer no longer exists?

      1. In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal information are processed under the Processor Policy have the right to complain to Docusign and Docusign will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.

      2. In such cases, individuals also have the right to complain to a competent data protection authority and to file a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by Docusign. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.

5. Right to complain to a competent data protection authority and to commence proceedings

   1. Overview

      1. Where individuals' personal information:

         1. are processed in Europe by a group member acting as a controller and/or transferred to a group member located outside Europe under the Controller Policy; or

         2. are processed in Europe by a group member acting as a processor and/or transferred to a group member located outside Europe under the Processor Policy;

         then those individuals have certain additional rights to pursue effective remedies for their complaints, as described below.

      2. The individuals described above have the right to complain to a competent data protection authority (in accordance with paragraph 5.2) and/or to commence proceedings in a court of competent jurisdiction (in accordance with paragraph 5.3), whether or not they have first complained directly to the Customer in question or to Docusign under this Complaints Handling Procedure. However, Docusign's endeavours to resolve all complaints amicably and directly, wherever possible, and for that reason encourages any individual with a complaint to contact the Office of the Chief Privacy Officer before complaining to a competent data protection authority and/or commencing proceedings.

      3. Docusign accepts that complaints and claims made pursuant to paragraphs 5.2 and 5.3 may be lodged by a non-for-profit body, organisation or association acting on behalf of the individuals concerned.

   2. Complaint to a data protection authority

      1. If an individual wishes to complain about Docusign’s processing of his or her personal information to a data protection authority, on the basis that a European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, he or she may complain about that European group member to the data protection authority in the European territory:

         1. of his or her habitual residence;

         2. of his or her place of work; or

         3. where the alleged infringement occurred.

      2. If an individual wishes to complain about Docusign’s processing of his or her personal information to a data protection authority, on the basis that a non-European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then DocuSign International (EMEA) Ltd will submit to the jurisdiction of the competent data protection authority (determined in accordance with paragraph 5.2.1 above) in place of that non-European group member, as if the alleged breach had been caused by the DocuSign International (EMEA) Ltd.

   3. Proceedings before a national court

      1. If an individual wishes to commence court proceedings against Docusign, on the basis that a European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then he or she may commence proceedings against that European group member in the European territory:

         1. in which that European group member is established; or

         2. of his or her habitual residence.

      2. If an individual wishes to commence court proceedings against Docusign, on the basis that a non-European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then DocuSign International (EMEA) Ltd will submit to the jurisdiction of the competent data court (determined in accordance with paragraph 5.3.1 above) in place of that non-European group member, as if the alleged breach had been caused by the DocuSign International (EMEA) Ltd.

An individual's right to lodge proceedings before a competent court shall be without prejudice to any administrative or non-judicial remedy available to that data subjects, including the right to lodge a complaint with a competent data protection authority.

Return to top

APPENDIX 9 - CO-OPERATION PROCEDURE

1. Background

   1. Docusign’s Binding Corporate Rules: Cooperation Procedure sets out the way in which Docusign will cooperate with competent data protection authorities in relation to the "Docusign Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy").

2. Cooperation Procedure

   1. Where required, Docusign will make the necessary personnel available for dialogue with a competent data protection authority in relation to the Policies.

   2. Docusign will review, consider and implement:

      1. any advice or decisions of relevant competent data protection authorities on any data protection law issues that may affect the Policies; and

      2. any guidance published by data protection authorities (including the European Data Protection Board or any successor to it) in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.

   3. Subject to applicable data protection law, Docusign will provide upon request copies of the results of any audit it conducts of the Policies to a competent data protection authority.

   4. Docusign agrees that:

      1. a data protection authority may audit any group member over which it exercises jurisdiction for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction; and

      2. a data protection authority may audit any group member who processes personal information for a Customer over which that data protection authority exercises jurisdiction for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction and with full respect to the confidentiality of the information obtained and to the trade secrets of Docusign (unless this requirement is in conflict with applicable data protection law).

   5. Docusign agrees to abide by a formal decision of any competent data protection authority on any issues relating to the interpretation and application of the Policies (unless and to the extent that Docusign is entitled to appeal any such decision and has chosen to exercise such right of appeal).

Return to top

APPENDIX 10 - UPDATING PROCEDURE

1. Background

   1. Docusign’s Binding Corporate Rules: Updating Procedure describes how Docusign must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies") to competent data protection authorities, individual data subjects, its Customers and to Docusign group members bound by the Policies.

   2. The Chief Privacy Officer is accountable for ensuring that the commitments made by Docusign in this Updating Procedure are met.

2. Records keeping

   1. Docusign must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.

   2. Docusign must also maintain an accurate and up-to-date list of group members that are bound by the Policies and of the sub-processors appointed by Docusign to process personal information on behalf of Customers. This information must be made available on request to competent data protection authorities and to Customers and individuals who benefit from the Policies.

   3. The Office of the Chief Privacy Officer shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and up-to-date.

3. Changes to the Policies

   1. All proposed changes to the Policies must be reviewed and approved by the Chief Privacy Officer in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Chief Privacy Officer.

   2. Docusign will communicate all changes to the Policies (including reasons that justify the changes) or to the list of group members bound by the Policies:

      1. to the group members bound by the Policies via written notice (which may include e-mail or posting on an internal Intranet accessible to all group members);

      2. to Customers and the individuals who benefit from the Policies via online publication at www.docusign.com (and, if any changes are material in nature, Docusign must also actively communicate the material changes to Customers before they take effect, in accordance with paragraph 4.2 below); and

      3. to the data protection authority that was the lead authority for the purposes of granting Docusign’s BCR authorisation (“Lead Authority”), and any other relevant data protection authorities the Lead Authority may direct, at least once a year.

4. Communication of material changes

   1. If Docusign makes any material changes to the Policies or to the list of group members bound by the Policies that affect the level of protection offered by the Policies or otherwise significantly affect the Policies (for example, by making changes to the binding nature of the Policies), it will promptly report such changes (including the reasons that justify such changes) to the Lead Authority and all other Docusign group members.

   2. If a proposed change to the Processor Policy will materially affect Docusign’s processing of personal information on behalf of a Customer, Docusign will also:

      1. actively communicate the proposed change to the affected Customer before it takes effect, and with sufficient notice to enable the affected Customer to raise objections; and

      2. the Customer may then suspend the transfer of personal information to Docusign and/or terminate the contract, in accordance with the terms of its contract with Docusign.

5. Transfers to new group members

   1. If Docusign intends to transfer personal information to any new group members under the Policies, it must first ensure that all such new group members are bound by the Policies before transferring personal information to them.

Return to top

APPENDIX 11 - GOVERNMENT DATA REQUEST PROCEDURE

1. Introduction

   1. This Binding Corporate Rules: Government Data Request Procedure sets out Docusign's procedure for responding to a request received from a law enforcement or other government authority (together the "

      Requesting Authority

      ") to disclose personal information processed by Docusign (hereafter "

      Data Disclosure Request

      "). The term "Data Disclosure Request" includes requests for voluntary disclosure of personal information, as well as compelled disclosure orders pursuant to a subpoena, warrant or court order.

   2. Where Docusign receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this Procedure. If applicable data protection law(s) require a higher standard of protection for personal information than is required by this Procedure, Docusign will comply with the relevant requirements of applicable data protection law(s).

2. General principle on Data Disclosure Requests

   1. As a general principle, Docusign does not disclose personal information in response to a Data Disclosure Request unless either:

      • it is under a compelling legal obligation to make such disclosure; or

      • taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.

   2. For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Docusign will notify and consult with the competent data protection authorities (and, where it processes the personal information on behalf of a Customer, the Customer) in order to address the Data Disclosure Request.

3. Handling of a Data Disclosure Request

   1. Receipt of a Data Disclosure Request

      1. If a Docusign Group Member receives a Data Disclosure Request, the recipient of the request must pass it to Docusign's Office of the Chief Privacy Officer (or any other group or person within Docusign's legal department as instructed by the Chief Privacy Officer) (the "

         Responsible Party

         ") promptly upon receipt, indicating the date on which it was received together with any other information which may assist the Responsible Party to deal with the request.

      2. The request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, howsoever made, must be notified to the Office of the Chief Privacy Officer for review.

   2. Initial steps

      1. Docusign's Responsible Party will carefully review each Data Disclosure Request on a case-by-case basis, and will liaise with the legal department as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, as well as its validity under applicable laws, in order to identify whether action may be needed to challenge the Data Disclosure Request and/or to notify the Customer and competent data protection authorities in accordance with paragraph 4.

4. Notice of a Data Disclosure Request

   1. Notice to the Customer

      1. If a request concerns personal information for which a Customer is the controller, Docusign will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Customer, and Docusign will support the Customer in accordance with the terms of its contract to respond to the Data Disclosure Request.

      2. If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the Customer), Docusign will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

   2. Notice to the competent data protection authorities

      1. If the Requesting Authority is located in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then Docusign will also put the Data Disclosure Request on hold in order to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

      2. Where Docusign is prohibited from notifying the competent data protection authorities and suspending the Data Disclosure Request, Docusign will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the Data Disclosure Request on hold so that Docusign can consult with the competent data protection authorities, which may also, in appropriate circumstances, include seeking a court order to this effect. Docusign will maintain a written record of the efforts it takes.

5. Transparency reports

   1. Docusign commits to preparing an annual report (a Transparency Report), which reflects to the extent permitted by applicable laws, the number and type of Data Disclosure Requests it has received for the preceding year and the Requesting Authorities who made those requests. Docusign shall make this report available upon request to competent data protection authorities.

6. Bulk transfers

   1. In no event will any Group Member transfer personal information to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

APPENDIX 12 - TRANSFER IMPACT ASSESSMENT POLICY

1. Background 

   1. Docusign’s Binding Corporate Rules: Transfer Impact Assessment Policy ("Transfer Impact Assessment Policy") describes how Docusign will ensure adequate protection for personal information that is subject to European data protection laws when it transfers such personal information internationally under its "Binding Corporate Rules: Controller Policy" ("Controller Policy") and "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies").

   2. It sets out Docusign's procedure for conducting Transfer Impact Assessments and promptly notifying any transfer risks in accordance with Applicable Data Protection Laws.

   3. The procedures and evaluations undertaken pursuant to this Transfer Impact Assessment Policy, in particular those contained in paragraph 3.4, should be conducted based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the Policies.

   4. Any capitalised terms or expressions used in this Transfer Impact Assessment Policy have the same meanings given in the Policies.
      

2. Data transfer compliance

   1. European data protection laws prohibit international transfers of personal information from Europe to third countries that do not provide an adequate level of protection ("Non-Adequate Country") unless appropriate safeguards are implemented to ensure the transferred data remains protected to the standard required under European law. This includes transfers of personal information to Docusign group members who are subject to the Policies, and transfers (and onward transfers) from Docusign group members to third parties who are not subject to the Policies. 

   2. In addition, as a processor and always in accordance with Rule 2 of the Processor Policy, Docusign will also comply with our Customers’ documented instructions in respect of any international transfers of personal information. 

   3. Whenever a Docusign group member transfers personal information internationally, or onward transfers personal information to third parties, providing such assistance in a reasonable time and to the extent reasonably possible, Docusign's designated representative(s) (as instructed by the Office of the Chief Privacy Officer) (the "Responsible Party") will be consulted so that they can ensure appropriate safeguards have been implemented to protect the personal information being transferred and, where necessary, a Transfer Impact Assessment has been conducted (as described below in paragraph 3).  

   4. Docusign group members may transfer personal information or onward transfer personal information internationally, only where measures necessary to comply with: (a) applicable Customers’ documented instructions in the terms of the applicable agreement with a Customer; and (b) the requirements of Applicable Data Protection Laws with respect to international transfers or onward transfers of personal information have been satisfied.      

3. Transfer Impact Assessments 

   1. Where the GDPR applies to the personal information that will be transferred (or onward transferred), then before a transferring Docusign group member (a “Data Transferor”) makes an international transfer (or onward transfer) of personal information that is subject to European data protection laws to a recipient group member or third party data recipient (a “Data Recipient”) located in a Non-Adequate Country, the Responsible Party will coordinate with the Data Transferor to undertake a risk assessment of such proposed transfer to confirm no material conflict between the laws and practices in the Non-Adequate Country where the Data Recipient will process the personal information (including any requirements to disclose personal information to public authorities or measures authorising access by public authorities), and Docusign’s obligations under the Policies (a “Transfer Impact Assessment”).

   2. The Responsible Party will liaise with the Data Transferor and Data Recipient as necessary to conduct the Transfer Impact Assessment, and shall keep Docusign International (EMEA) Ltd informed of the Transfer Impact Assessment and its findings.

   3. No international transfer (or onward transfer) of personal information may take place to a Non-Adequate Country unless:

      1. Transfer Impact Assessment has been conducted; and 

      2. any additional safeguards that are identified as necessary pursuant to the Transfer Impact Assessment to protect the transfer of personal information to the Data Recipient have been implemented by the Data Transferor and Data Recipient. 
         
         Factors to consider for Transfer Impact Assessments

4. The Transfer Impact Assessment should take into account the following elements:

   1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used, any intended onward transfers, the type of recipient, the purpose of processing, the categories and format of the transferred personal information, the economic sector in which the transfer occurs and the storage location of the data transferred;

   2. the laws and practices of the Non-Adequate Country destination (including those requiring the disclosure of data to public authorities or authorising access by such authorities, as well as those providing for access to these data during the transit between the country of the Data Transferor and the Non-Adequate Country ), relevant in light of the specific circumstances of the transfer and the applicable limitations and safeguards; and

   3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the Policies, including measures applied during transmission and to the processing of the personal information in the country of destination.
      
      Laws and practices of third country of destination 

   4. As regards the impact of the laws and practices of the Non-Adequate Country on compliance with the Policies, different factors may be considered as part of an overall assessment. Such factors may include, for example, the Data Recipient's practical experience with prior instances of disclosure requests from public authorities, or the absence of such requests. This may be drawn from internal records or other documentation, provided that this information can be lawfully shared with third parties. 

   5. Where this practical experience is relied upon to conclude that the Data Recipient will not be prevented from complying with the requirements of the Policies, such conclusion needs to be supported with relevant, objective evidence (including that mentioned in Section 3.5 above), and it is for the Responsible Party, the Data Transferor and Data Recipient to assess whether the sufficiency of this evidence, in terms of their reliability and representativeness, supports the conclusion. 

   6. In particular, the Responsible Party, the Data Transferor and Data Recipient will take into account whether upon reasonable diligence, the practical experience is corroborated and not contradicted by publicly available or otherwise accessible and reliable information regarding the application of the laws in practice, such as case law and reports by independent oversight bodies.
      
      Findings of Transfer Impact Assessments 

   7. The Responsible Party will keep other relevant Docusign group members informed about the findings of the Transfer Impact Assessment, so that, if required, they can apply any identified additional safeguards determined to be necessary in respect of any identical or similar subsequent transfers they make. 

   8. Where the Transfer Impact Assessment concludes that it is not possible to implement additional safeguards to ensure the Data Recipient’s processing in the Non-Adequate Country will be compatible with the requirements of the Policies, then the Responsible Party will inform the Data Transferor (and other relevant group members) that they should not  proceed with any such transfer of personal information where effective supplementary measures could not be put in place and in such circumstances the transfers at stake will be suspended or ended. 
      
      Information and cooperation

   9. If the Data Recipient is a group member, the Data Recipient will use its best efforts to cooperate with the Responsible Party and the Data Transferor to ensure compliance with the requirements of the Policies throughout the duration of the transfer and subsequent processing. 

   10. If the Data Recipient is not a group member (i.e. if it is a third party data recipient), the Responsible Party and the Data Transferor will exercise appropriate diligence to ensure that the Data Recipient will continue to provide such cooperation, including where appropriate by seeking documented assurances from the Data Recipient. 

   11. The Responsible Party and the Data Transferor will coordinate with the Data Recipient to document the Transfer Impact Assessment as well as documenting any supplementary measures selected and implemented in relation to such transfers and to make these available to the competent data protection authority, and, where applicable, the Customer, on request.

5. Transfer Risk Notifications 

   1. If the Data Recipient is a Docusign group member, the Data Recipient will notify the Responsible Party and the Data Transferor promptly if, at any time during which it transfers, receives or processes personal information, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements of the Policies, including following a change in the laws of the Non-Adequate Country where it transfers, receives or processes personal information or a measure (such as a disclosure request) indicating an application of such laws in practice is not in line with the Policies (a “Transfer Risk Notification”). 

   2. When located in an EU Member State, the Data Transferor or Responsible Party will take reasonable steps to monitor, on an ongoing basis, and where appropriate in collaboration with Data Recipients, developments in the Non-Adequate Country to which the Data Transferor has transferred personal information that could affect the initial assessment of the level of protection and the decisions taken accordingly on such transfers and in particular in relation to developments that may affect the outcome of the Transfer Impact Assessment.

   3. If the Data Recipient is not a group member (i.e. if it is a third party data recipient), the Responsible Party and the Data Transferor will exercise appropriate diligence to ensure that the Data Recipient will provide any such Transfer Risk Notification to the Data Transferor as contemplated in clause 4.1 above, including where appropriate by seeking documented assurances from the Data Recipient.

   4. Following receipt of a Transfer Risk Notification from the Data Recipient, or if the Responsible Party or the Data Transferor otherwise have reason to believe that the Data Recipient’s processing is not in line with (or is at risk of coming out of line) with the  Policies, the Data Transferor upon consulting the Responsible Party will promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the Data Transferor and Data Recipient to address the situation, if appropriate in consultation with the Controller.

   5. The Responsible Party will instruct the Data Transferor to suspend the transfer if it considers that appropriate safeguards for such transfer cannot be ensured, or if the Responsible Party is informed that a competent data protection authority or the applicable Controller has instructed suspension of such transfer.

   6. In this case, the Data Transferor will be entitled to terminate its transfers of personal information to the Data Recipient, insofar as it concerns the processing of personal information under the Policies (in which event, the Data Recipient will be instructed by the Data Transferor to return or destroy the personal information it received). The Responsible Party will inform other relevant Docusign group members in such cases.

   7. If the Data Transferor transfers personal information to two or more Data Recipients, the Data Transferor may exercise this right to terminate only with respect to the relevant Data Recipient.

Return to top