Processor privacy code

Introduction

DocuSign provides a digital transaction management platform to its business customers, which is used by business customers to facilitate digital transactions that include the signing process of contractual documents and other documents of the business customer (DocuSign Application).  In providing the DocuSign Application to its business customers, DocuSign hosts and processes such documents on the DocuSign Application.  These documents may contain personal information of individuals, such as the sender and recipients and persons signing the documentation.  DocuSign processes such personal information as a data processor on behalf of its business customers.

DocuSign’s Code of Conduct expresses DocuSign’s commitment to strive to protect personal information. This Processor Privacy Code (Processor Code) indicates how DocuSign shall implement this commitment with respect to personal information that DocuSign processes on behalf of its business customers through the DocuSign Application.

Article 1 - Scope, applicability, and implementation

Scope


DocuSign as Data Processor

1.1

This Processor Code addresses the worldwide Processing of Personal Information of BC Individuals by DocuSign in its role as a Data Processor in the course of delivering Customer Services, where such Personal Information is (i) subject to EEA Data Transfer Restrictions; (ii) Processed by DocuSign in a country outside the EEA; and (iii) Processed pursuant to a Services Contract that provides that this Processor Code shall apply to such Personal Information.

The Processor Code will also apply if the Services Contract specifically states that the Processor Code will also apply to types of transfers of Personal Information other than those specified above (hereafter, such Personal Information collectively, Business Customer Individual Information or BCI Information).

Electronic and paper-based Processing

1.2

This Processor Code applies to the Processing of BCI Information by DocuSign by electronic means and in any systematically accessible paper-based filing systems.

Applicability of local law and this Processor Code

1.3

Nothing in this Processor Code will be construed to take away any rights and remedies that BC Individuals may have under applicable local law. This Processor Code provides supplemental rights and remedies to BC Individuals only.

Sub-policies and notices

1.4

DocuSign may supplement this Processor Code through sub-policies and notices that are consistent with this Processor Code.

Compliance responsibility

1.5

This Processor Code is binding on DocuSign. The Responsible Executive shall be accountable for his/her business organization’s compliance with this Processor Code. DocuSign Staff must comply with this Processor Code.

Effective date

1.6

This Processor Code enters into force as of June 11, 2018. The Processor Code will be published on the DocuSign Internet site.

Processor Code supplements prior policies

1.7

This Processor Code supplements all DocuSign privacy policies that exist on the Effective Date.

Implementation

1.8

This Processor Code shall be implemented within DocuSign based on the timeframes specified in Article 15.

Role of DocuSign Ireland

1.9

DocuSign Inc. has tasked DocuSign International (EMEA) Limited (DocuSign Ireland) with the coordination and implementation of this Processor Code.

Privacy Lead advice

1.10

Where there is a question as to the applicability of this Processor Code, Staff shall seek the advice of the appropriate Privacy Lead prior to the relevant Processing.


Article 2 – Services contract

Services Contract

2.1

DocuSign shall Process BCI Information only on the basis of a validly entered into written or electronic agreement with a Business Customer (Services Contract) which complies with Applicable Data Processor Law.

The DocuSign Contracting Entity may use Sub-Processors, both DocuSign Sub-Processors and Third Party Sub-Processors, in the regular performance of Services Contracts. The standard Services Contract shall authorize the use of such Sub-Processors, provided that the DocuSign Contracting Entity remains liable to the Business Customer for the performance of the contract by the Sub-Processors in accordance with the terms of the Services Contract. The provisions of Article 7 further govern the use of Sub-Processors.

Termination of Services Contract

2.2

Upon termination of the Services Contract, DocuSign shall allow the Business Customer to retrieve a copy of all BCI Information and thereafter shall make unrecoverable such BCI Information as set forth in the Services Contract and certify to the Business Customer that DocuSign has done so, except to the extent the Services Contract or applicable law provides otherwise. In that case, DocuSign shall no longer Process the BCI Information, except to the extent required by the Services Contract or applicable law.

Audit of termination measures

2.3

Upon termination of the Services Contract, DocuSign shall, at the request of the Business Customer, allow its Processing facilities to be audited in accordance with Article 10.2, 10.3 and 10.4 (as applicable) to verify that DocuSign has complied with its termination-related obligations under Article 2.2.


Article 3 – Compliance obligations of DocuSign

Instructions of the Data Controller

3.1

DocuSign shall Process BCI Information only on behalf of the Business Customer and in accordance with any documented instructions received from the Business Customer, including instructions from BC Individuals through their use of the DocuSign Application, consistent with the terms of the Services Contract or as needed to comply with applicable law.

Compliance with Applicable Law

3.2

DocuSign shall Process BCI Information only in accordance with the Applicable Data Processor Law and shall deal promptly and appropriately with requests for assistance of the Business Customer as reasonably required to enable the Business Customer’s compliance with the Applicable Data Controller Law in accordance with the Services Contract and DocuSign shall inform the Business Customer if DocuSign believes that any such instruction infringes Applicable Data Controller Law.

Notification of non-compliance, substantial adverse effect

3.3

If a Group Company:

  1. determines that it is unable for any reason to comply with its obligations under Articles 3.1 and 3.2 and cannot cure this inability to comply; or
  2. becomes aware of any circumstance or change in the Applicable Data Processor Law, except with respect to the Mandatory Requirements, that is likely to have a substantial adverse effect on its ability to meet its obligations under Article 3.1, 3.2 or 10.3;

such Group Company shall promptly notify DocuSign Ireland and the Business Customer thereof, in which case the Business Customer will have the right to temporarily suspend the relevant transfer of BCI Information under this Processor Code to DocuSign until such time the Processing is adjusted in such a manner that the non-compliance is remedied. To the extent such adjustment is not possible, the Business Customer shall have the right to terminate the relevant part of the Processing by DocuSign in accordance with the terms of the Services Contract.

Request for disclosure of BCI Information

3.4

If DocuSign receives a request for disclosure of BCI Information from a law enforcement authority or state security body of a non-EEA country (Authority), it will first assess on a case-by-case basis whether this request (Disclosure Request) is legally valid and binding on DocuSign. Any Disclosure Request that is not legally valid and binding on DocuSign will be resisted in accordance with applicable law.

Subject to the following paragraph, DocuSign shall promptly inform the Business Customer, the Lead DPA and the Competent DPA of any legally valid and binding Disclosure Requests, and will request the Authority to put such Disclosure Requests on hold for a reasonable delay in order to enable the Lead DPA to issue an opinion on the validity of the relevant disclosure.

If the suspension and/or notification of a Disclosure Request is prohibited, such as in case of a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, DocuSign will request the Authority to waive this prohibition and will document that it has made this request.  In any event, DocuSign will on an annual basis provide to the Lead DPA general information on the number and type of Disclosure Requests it received in the preceding 12 month period, to the fullest extent permitted by applicable law.

Inquiries of the Business Customer

3.5

DocuSign shall deal promptly and appropriately with inquiries of the Business Customer related to the Processing of the BCI Information pursuant to the terms of the Services Contract.


Article 4 – Processor purposes

Legitimate business purposes

4.1

Where DocuSign serves as a Data Processor, BCI Information may be Processed by DocuSign for one or more of the following purposes:

  1. Providing Customer Services including:
    1. operating the DocuSign Application and performing Customer Services through the DocuSign Application;
    2. hosting, storage, backup, or archiving documents and related transactional data on the DocuSign Application;
    3. reporting on the use of the Customer Services by a Business Customer; security maintenance (e.g., implementing access controls, auditing use, managing servers, managing network security,  managing incidents); or
  2. Support services including:
    1. providing (local and remote) assistance to Business Customers and end users in the use of the DocuSign Application;
    2. DocuSign generation of service level reports or other reports on a Business Customer's use of DocuSign products or services for Business Customer management information purposes; or
  3. Customer-specific custom services including:
    1. adjusting the DocuSign Application to meet a Business Customer's specifications (e.g., by engaging application specialists, undertaking project management activities, modifying a device or system);
    2. the collection and analysis of Business Customer use data to report trends (e.g., specific status reports, management reporting, proactive management for security, the general improvement of Business Customer's internal operations);
    3. the provision of training for Business Customer staff or third parties related to the DocuSign Application.
  4. DocuSign internal business process execution and management leading to incidental Processing of Personal Information for:
    1. internal auditing of DocuSign Processor-related activities;
    2. activities related to compliance with applicable law or regulation (e.g., data processing law);
    3. data de-identification and aggregation of de-identified data for data minimization; and
    4. use of de-identified, aggregate data to facilitate continuity, sustainability, and improvement of DocuSign products and services.


Article 5 – Security Requirements

Data Security

5.1

DocuSign shall take appropriate commercially reasonable technical, physical and organizational measures to protect BCI Information from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access during the Processing. DocuSign shall in any event take the measures specified in Annex 1 of this Processor Code, which Annex may be revised by DocuSign provided that such changes do not in any material manner diminish the level of security provided to BCI Information under Annex 1.

Data access and confidentiality

5.2

DocuSign shall provide DocuSign Staff access to BCI Information only to the extent necessary to perform the Processing. DocuSign shall impose confidentiality obligations on Staff with access to BCI Information.

Data Security Breach notification requirement

5.3

DocuSign shall notify the Business Customer of a Data Security Breach without undue delay after becoming aware that a Data Security Breach has occurred, unless otherwise prohibited such as if a law enforcement official or supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security or the trust in the relevant industry sector. In this case, notification shall be delayed as instructed by such law enforcement official or supervisory authority. DocuSign shall respond promptly to inquiries of the Business Customer relating to such Data Security Breach.


Article 6 – Transparency to BC individuals

Requests of BC Individuals

6.1

DocuSign shall promptly notify the Business Customer of requests or complaints that are received directly from a BC Individual regarding DocuSign’s obligations under the Processor Code without responding to such requests or complaints.

If DocuSign receives such a request or complaint from a BC Individual, DocuSign will refer the BC Individual to the Business Customer to address the request or complaint and provide reasonable cooperation to the Business Customer to assist the Business Customer in addressing such requests in accordance with the Service Contract.


Article 7 – Third-Party Sub-Processors

Third Party Sub-Processor Contracts

7.1

Third Party Sub-Processors may Process BCI Information only if the Third Party Sub-Processor has a binding contract with DocuSign. The contract shall impose similar data protection-related Processing terms on the Third Party Sub-Processor that will be no less protective than those imposed on the DocuSign Contracting Entity by the Services Contract and this Processor Code.

Publication of Overview of Third-Party Sub-Processors

7.2

DocuSign shall publish on the appropriate DocuSign website an overview of the Third Party Sub-Processors involved in the performance of the relevant Customer Services. This overview shall be promptly updated in case of changes.

Notification New Third Party Sub-processors and Right to Object

7.3

DocuSign shall provide notice to Business Customers of any new Third Party Sub-processors engaged by DocuSign for the delivery of the Customer Services. Within 30 days of receiving such notice, the Business Customer may object to the involvement of such Third Party Sub-processor in the delivery of the Services by providing objective justifiable grounds, such as history of security breaches which would introduce an unreasonable risk to the protection of BCI Information.  In the event the objection is not unreasonable, DocuSign may use reasonable efforts to adapt the Services to avoid processing of BCI Information by such Third Party Sub-processor, or otherwise inform the Business Customer that such adjustment is not commercially feasible, in which case the Business Customer shall have the right to terminate the relevant part of the Processing in accordance with the terms of the Services Contract.


Article 8 – Supervision and compliance

Chief Privacy Officer

8.1

DocuSign Inc. shall appoint a Chief Privacy Officer who is responsible for:

  1. supervising compliance with this Processor Code;
  2. providing periodic reports, as appropriate, to the Chief Executive Officer on data protection risks and compliance issues;
  3. deciding on complaints as described in Article 11.2; and
  4. coordinating, in conjunction with the appropriate Privacy Lead, official investigations or inquiries into the Processing of BCI Information by a public authority.

Security & Privacy Council

8.2

The Chief Privacy Officer shall maintain an advisory Security & Privacy Council. The Security & Privacy Council has created and shall maintain a framework for:

  1. developing and maintaining (including monitoring and testing) policies, procedures and system information (as required by Article 9);
  2. planning training and awareness programs;
  3. monitoring and reporting on compliance with this Processor Code;
  4. overseeing the collection, investigation and resolution of privacy inquiries, concerns and complaints; and
  5. determining and updating appropriate sanctions for violations of this Processor Code (e.g., disciplinary standards in co-operation with other relevant internal functions, such as HR and Legal).

Privacy Leads

8.3

The Chief Privacy Officer has established and shall maintain a global network of Privacy Leads sufficient to direct compliance with this Processor Code within their respective regions or organizations.

These Privacy Leads shall perform at least the following tasks:

  1. regularly advise their respective executive teams and the Chief Privacy Officer on privacy risks and compliance issues, including any new legal requirement that the Privacy Lead believes to interfere with DocuSign’s ability to comply with this Processor Code (as required by Article 13.2);
  2. maintain and ensure that the policies and procedures are implemented, the system information is maintained and DPIAs are performed (as required by Article 9);
  3. implement the privacy compliance framework as required by the Chief Privacy Officer;
  4. be available for requests for privacy approval or advice;
  5. own and authorize all appropriate privacy sub-policies in their organizations; and
  6. cooperate with the Chief Privacy Officer, and other Privacy Leads.

Responsible Executive

8.4

The Responsible Executive shall perform at least the following tasks:

  1. ensure that the policies and procedures are implemented, the system information is maintained and DPIAs are performed (as required by Article 9);
  2. ensure that BCI Information is returned or securely deleted after termination of the Services Contract (as required by Article 2.2); and
  3. determine how to comply with the Processor Code when there is a conflict with applicable law (as required by Article 13.1).

Privacy Leads with statutory position

8.5

Where a Privacy Lead holds his or her position pursuant to law, he or she shall carry out his or her job responsibilities to the extent they do not conflict with his or her statutory position.


Article 9 – Policies, procedures and training

Policies and procedures

9.1

DocuSign shall develop and implement policies and procedures to comply with this Processor Code.

System information

9.2

DocuSign shall maintain readily available information regarding the structure and functioning of all systems and processes that Process BCI Information (e.g., inventory of systems and processes, privacy impact assessments).  A copy of this information will be provided to the Lead DPA or to a Competent DPA upon request.

Staff training

9.3

DocuSign shall provide training on the obligations and principles laid down in this Processor Code and other privacy and data security obligations to Staff who have access to or responsibilities associated with managing BCI Information.


Article 10 – Monitoring and Auditing Compliance

Internal audits

10.1

DocuSign’s internal audit team shall audit business processes and procedures that involve the Processing of BCI Information for compliance with this Processor Code. The audits shall be carried out in the course of the regular activities of DocuSign’s internal audit function or at the request of the Chief Privacy Officer. The Chief Privacy Officer may request to have an audit as specified in this Article conducted by an external auditor. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Chief Privacy Officer and the appropriate Privacy Leads shall be informed of the results of the audits. Any violations of this Processor Code identified in the audit report will be reported to the Responsible Executive. A copy of the audit results related to compliance with this Processor Code will be provided upon request to the Irish DPA or to any Competent DPA.

Business Customer audit

10.2

DocuSign shall, at its option, either

  1. make available the facilities it uses for the Processing of BCI Information for an audit by a qualified, reputable independent third party auditor selected by the Business Customer, provided such auditor is (a) reasonably acceptable to DocuSign; and (b) has executed a written confidentiality agreement reasonably acceptable to DocuSign before conducting the audit. In accordance with the audit provisions of the applicable Services Contract audits shall be conducted no more than once per year per Business Customer and during regular business hours, and shall be subject to (a) a written request submitted to DocuSign at least six weeks in advance of the proposed audit date, (b) a detailed written audit plan reviewed and approved by DocuSign’s security organization and (c) DocuSign’s on-site security policies. Upon completion of the audit, the Business Customer shall provide DocuSign with a copy of the audit report, which shall be treated as confidential information pursuant to the terms of the Services Contract; or
  2. DocuSign shall provide to the Business Customer a statement issued by a qualified independent third party assessor certifying that the DocuSign business processes and procedures that involve the Processing of BCI Information comply with the principles laid down in this Processor Code.

DPA audit

10.3

The Lead DPA may request an audit of the facilities used by DocuSign for the Processing of BCI Information for compliance with this Processor Code. In addition, a DPA that has the right to audit a Business Customer (a “Competent DPA”) will be authorized to audit the relevant data transfer for compliance with this Processor Code, subject to the same conditions as would apply to an audit by that DPA of the Business Customer itself under the Applicable Data Controller Law.

DPA audit procedure

10.4

DocuSign will facilitate any audit by a DPA under Article 10.3 by undertaking the following actions:

  1. Information sharing:  DocuSign and the Business Customer will collaborate in good faith to attempt to resolve the request by providing information to the DPA including DocuSign audit reports, discussion with DocuSign subject matter experts, and review of security, privacy, and operational controls in place. The Business Customer will have access to its BCI Information in accordance with the Services Contract and may delegate such access to representatives of the DPA.
  2. Examinations:  If the information available through these mechanisms is insufficient to address the DPA’s stated objectives, DocuSign will provide the DPA with the opportunity to communicate with DocuSign’s auditor at the Business Customer’s expense;
  3. If this appears insufficient, DocuSign will provide the DPA with a direct right to examine DocuSign’s data processing facilities used to process the BCI Information on giving reasonable prior notice and during business hours, with full respect to the confidentiality of the information obtained and to the trade secrets of DocuSign.
  4. Scope:  The DPA can only access the BCI Information belonging to the Business Customer. The Business Customer will be liable for DocuSign’s reasonable additional costs associated with such examination.

For clarity, DocuSign and its Business Customers are committed to working together in good faith to resolve a DPA request through discussion and interaction among the Business Customer, DocuSign, and the DPA.

Nothing in this Article 10.4 will be construed to take away any audit rights that a DPA may have under applicable law. This Processor Code provides supplemental audit rights to DPAs only. In the event of any conflict between this Article 10.4 and applicable law, the provisions of applicable law shall prevail.

Annual report

10.5

The Chief Privacy Officer shall produce an annual BCI Information protection report for the Chief Executive Officer of DocuSign Inc. on DocuSign compliance with this Processor Code and other relevant issues.

Mitigation

10.6

DocuSign shall, if so indicated, ensure that adequate steps are taken to address breaches of this Processor Code identified during the monitoring or auditing of compliance pursuant to this Article 10.


Article 11 – Legal issues

Rights of BC Individuals

11.1

If DocuSign violates the Processor Code with respect to the BCI Information of a BC Individual (Affected BC Individual), the Affected BC Individual can as a third party beneficiary enforce against the DocuSign Contracting Entity any claim as a result of a breach of Article 1.5, 1.6, 2.1, 2.2, 3, 5, 6.1, 7.1, 7.3, 10.2, 10.3, 11.1, 11.2, 11.3, 11.4, 11.7, 11.8 and 13.3.

To the extent the Affected BC Individual may enforce any such rights against the DocuSign Contracting Entity, the DocuSign Contracting Entity may not rely on a breach by a Sub-processor of its obligations to avoid liability except to the extent any defense of Sub-processor would also constitute a defense of DocuSign. DocuSign may, however, assert any defenses or rights that would have been available to the Business Customer. DocuSign also may assert any defenses that DocuSign could have asserted against the Business Customer (such as contributory negligence), in defending against the Affected BC Individual’s claim.

Complaints Procedure

11.2

BC Individuals may file a written complaint in respect of any claim they have under Article 11.1 with the Office of the Chief Privacy Officer. The BC Individual also may file a complaint or claim with the authorities or the court in accordance with Article 11.3.

The Office of the Chief Privacy Officer shall be responsible for complaint handling.  Each complaint will be assigned to an appropriate Staff member (either within the Office of the Chief Privacy Officer or within the applicable business unit or functional area). These Staff will:

  1. Promptly acknowledge receipt of the complaint;
  2. Analyze the complaint and, if needed, initiate an investigation;
  3. If the complaint is well-founded, advise the applicable Privacy Lead so that a remediation plan can be developed and executed; and
  4. Maintain records of all complaints received, responses given, and remedial actions taken by DocuSign.

DocuSign will use reasonable efforts to resolve complaints without undue delay, so that a response is given to the BC Individual within one calendar month of the date that the complaint was filed. The response will be in writing and will be sent to the BC Individual via the means that the BC Individual originally used to contact DocuSign (e.g., via mail or email). The response will outline the steps that DocuSign has taken to investigate the complaint and will indicate DocuSign’s decision regarding what steps (if any) it will take as a result of the complaint.

In the event that DocuSign cannot reasonably complete its investigation and response within one calendar month, it shall inform the BC Individual within one calendar month that the investigation is ongoing and that a response will be provided within the two calendar months after the original one month period.

If DocuSign’s response to the complaint is unsatisfactory to the BC Individual (e.g., the request is denied) or DocuSign does not observe the conditions of the complaints procedure set out in this Article 11.2, the BC Individual can file a complaint or claim with the authorities or the courts in accordance with Article 11.3.

Jurisdiction for Claims of BC Individuals

11.3

The Affected BC Individual may, at his/her choice, submit any claim under Article 11.1:

  1. to the Lead DPA or the courts in Ireland against DocuSign Ireland;
  2. to the courts in the country of his/her habitual residence or in the country of origin of the data transfer under this Processor Code against the DocuSign Contracting Entity or DocuSign Ireland; or
  3. to the DPA in the country of his/her habitual residence, place of work, or place where the infringement took place, against the DocuSign Contracting Entity or DocuSign Ireland.

The courts, the relevant DPA and the Lead DPA shall apply their own substantive and procedural laws to the dispute. Any choice made by the Affected BC Individual will not prejudice the substantive or procedural rights he/she may have under applicable law.

Right to claim damages, reversal burden of proof

11.4

In case an Affected BC Individual has a claim under Article 11.1, such Affected BC Individual shall be entitled to recover damages to the extent provided by applicable EEA law.

In case an Affected BC Individual brings a claim for damages under Article 11.1, it will be for the Affected BC Individual to demonstrate that he/she has suffered damage and to establish facts which show it is plausible that the damage has occurred because of a violation of this Processor Code. It will subsequently be for the DocuSign Contracting Entity or DocuSign Ireland to prove that the damages suffered by the Affected BC Individual due to a violation of this Processor Code are not attributable to a Group Company or a Sub-processor or to assert other applicable defenses.

Rights of Business Customers

11.5

The Business Customer may enforce this Processor Code against the DocuSign Contracting Entity or, if the DocuSign Contracting Entity is not established in an EEA Country, against DocuSign Ireland. DocuSign Ireland shall, if so indicated, ensure that adequate steps are taken to address violations of this Processor Code by the DocuSign Contracting Entity or any other Group Company, including by any Third Party Sub-processor acting on their behalf.

The DocuSign Contracting Entity or DocuSign Ireland may not rely on a breach by another Group Company or a Sub-processor of its obligations to avoid liability.

Available remedies, limitation of damages

11.6

In case of a violation of this Processor Code, the Business Customer shall be entitled to compensation of damages consistent with the Services Contract.

Mutual assistance Group Companies and redress

11.7

All Group Companies shall cooperate and assist each other to the extent reasonably possible to achieve compliance with this Processor Code, including an audit or inquiry by the Business Customer or a DPA competent for Business Customer.

The DocuSign Group Company receiving a request for information pursuant to Article 6.1 or a claim pursuant to Article 11.1 is responsible for promptly informing the appropriate Privacy Lead thereof and handling any communication with the BC Individual regarding his/her request or claim as instructed by the appropriate Privacy Lead.


Advice by Lead and Competent DPAs

11.8

DocuSign shall abide by the advice of the Lead DPA and Competent DPAs issued on interpretation and application of this Processor Code. DocuSign shall provide assistance requested by the Business Customer as reasonably required to enable the Business Customer’s compliance with the Applicable Data Controller Law in accordance with the Services Contract and Article 3.2 and 3.3.


Article 12 – Sanctions for non-compliance

Non-compliance

12.1

Non-compliance of DocuSign employees with this Processor Code may result in disciplinary action in accordance with DocuSign policies and local law, up to and including termination of employment.


Article 13 – Conflicts between this Processor Code and Applicable Data Processor Law

Conflict between Processor Code and law

13.1

Where there is a conflict between Applicable Data Processor Law and this Processor Code, the Responsible Executive shall consult with the appropriate Privacy Leads and the legal department to determine how to comply with this Processor Code and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.

New conflicting legal requirements

13.2

The relevant Privacy Leads, in consultation with the legal department, shall promptly inform the Responsible Executive of any new legal requirement that may interfere with DocuSign’s ability to comply with this Processor Code.

Reporting to Lead DPA and Competent DPA

13.3

If DocuSign becomes aware that Applicable Data Processor Law or any change in Applicable Data Processor Law is likely to have a substantial adverse effect on DocuSign’s ability to meet its obligations under Articles 3.1, 3.2 or 10.3, DocuSign will report this to the Lead DPA and the Competent DPA.


Article 14 – Changes to this Processor Code

Approval for Changes

14.1

Any changes to this Processor Code require the prior approval of DocuSign Inc.’s Chief Executive Officer and shall thereafter be communicated to the Group Companies.

Effective Date of Changes

14.2

Any amendment shall enter into force after it has been approved and published on the DocuSign Internet site.

Prior Versions

14.3

Any request or claim of a BC Individual involving this Processor Code shall be judged against the version of this Processor Code that is in force at the time the request, complaint or claim is made.

Notification to Lead DPA and Business Customers

14.4

The Chief Privacy Officer shall be responsible for informing the Lead DPA of changes to this Processor Code (if any) on a yearly basis. Where a material change to this Processor Code has a material impact on the Processing conditions of the Services, DocuSign will promptly inform the Lead DPA thereof including a brief explanation for such change as well as provide notice of such change to the Business Customer. Within 30 days of receiving such notice, the Business Customer may object to such change by providing written notice to DocuSign. In the event that the parties cannot reach a mutually acceptable solution, DocuSign shall put in place an alternative data transfer solution. In the event no alternative data transfer solution can be put in place, DocuSign shall enable the Business Customer to terminate the relevant Customer Services in accordance with the terms of the Services Contract.


Article 15 – Transition Periods

Transition Period for New Group Companies

15.1

Any entity that becomes a Group Company after the Effective Date shall comply with this Processor Code within one year of becoming a Group Company.

Transition Period for Divested Entities

15.2

A Divested Entity will remain covered by this Processor Code after its divestment for such period as is required by DocuSign to disentangle the Processing of BCI Information relating to such Divested Entity.

Transition Period for IT Systems

15.3

Where implementation of this Processor Code requires updates or changes to information technology systems (including replacement of systems), the transition period shall be two years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.

Transition Period for Existing Agreements

15.4

Where there are existing agreements with Third Parties that are affected by this Processor Code, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business. 

Compliance During the Transition Period

15.5

During the transition periods set out in Articles 15.1 – 15.4, no BCI Information will be transferred to a Group Company under this Processor Code until (i) that Group Company is fully compliant or (ii) an alternative data transfer mechanism, such as standard contractual clauses, has been put in place.

Contact Details

15.6

Office of the DocuSign Chief Privacy Officer:  [email protected]

Chief Privacy Officer

DocuSign Inc.

221 Main Street

Suite 1000

San Francisco, California 94105


ANNEX 1 


Definitions

Affected BC Individual

AFFECTED BC INDIVIDUAL shall have the meaning set forth in Article 11.1 above.

Applicable Data Controller Law

APPLICABLE DATA CONTROLLER LAW shall mean the Data Protection Laws that are applicable to the Business Customer as the Data Controller of the BCI Information.

Applicable Data Processor Law

APPLICABLE DATA PROCESSOR LAW shall mean the Data Protection Laws that are applicable to DocuSign as the Data Processor of the BCI Information.

Authority

AUTHORITY shall have the meaning set forth in Article 3.4 above.

BC Individual

BC INDIVIDUAL shall mean any individual whose Personal Information is Processed by DocuSign on behalf of a Business Customer through the DocuSign Application.

BCI Information

BCI INFORMATION shall have the meaning set forth in Article 1.1 above.

Business Customer

BUSINESS CUSTOMER (BC) shall mean the customer who has entered into a contract with DocuSign for the delivery of DocuSign Application services.

Chief Privacy Officer

CHIEF PRIVACY OFFICER shall mean the officer referred to in Article 8.1.

Competent DPA

COMPETENT DPA shall have the meaning set forth in Article 10.3 above.

Customer Services

CUSTOMER SERVICES shall mean the services provided by DocuSign to Business Customers through the DocuSign Application. Such services include hosting and processing contract documentation and other documents of Business Customers on the DocuSign Application on behalf of Business Customers.

Data Controller

DATA CONTROLLER shall mean the entity or natural person which alone or jointly with others determines the purposes and means of the Processing of Personal Information.

Data Processor

DATA PROCESSOR shall mean the entity or natural person which Processes Personal Information on behalf of a Third Party Data Controller.

Data Protection Law

DATA PROTECTION LAW shall mean the laws of an EEA Country containing rules for the protection of individuals with regard to the Processing of Personal Information including security requirements for and the free movement of such Personal Information.

Data Security Breach

DATA SECURITY BREACH shall mean the unauthorized acquisition, access, use or disclosure of unencrypted BCI Information that compromises the security or privacy of such data to the extent the compromise poses a significant risk of financial, reputational, or other harm to the BC Individual.  A Data Security Breach is deemed not to have occurred where there has been an unintentional acquisition, access or use of unencrypted BCI Information by an employee of DocuSign or the Business Customer or an individual acting under their respective authority, if

  1. the acquisition, access, or use of BCI Information was made in good faith and within the course and scope of the employment or professional relationship of such employee or other individual; and
  2. the BCI Information is not further acquired, accessed, used or disclosed by any person.

Disclosure Request

DISCLOSURE REQUEST shall have the meaning set forth in Article 3.4 above.

Divested Entity

DIVESTED ENTITY shall mean a Group Company or business divested by DocuSign by means of:

  1. a sale of shares that results in the divested Group Company no longer qualifying as a Group Company and/or
  2. a demerger, sale of assets, or any other manner or form.

DocuSign

DOCUSIGN shall mean DocuSign Inc. and its Group Companies.

DocuSign Application

DOCUSIGN APPLICATION shall mean the digital transaction management platform provided by DocuSign to its Business Customers, which is used by Business Customers to facilitate digital transactions that include the signing process of contractual documents and other documents of the Business Customer.

DocuSign Contracting Entity

DOCUSIGN CONTRACTING ENTITY shall mean the DocuSign Group Company that has entered into the Services Contract.

DocuSign Inc.

DOCUSIGN, INC. shall mean DocuSign Inc., a Delaware, US company.

DocuSign Ireland

DOCUSIGN IRELAND shall mean DocuSign International (EMEA) Limited, an Irish company, which serves as DocuSign’s European headquarters.

DocuSign Security & Privacy Council

DOCUSIGN SECURITY & PRIVACY COUNCIL shall mean the council referred to in Article 8.2.

DocuSign Sub-Processor

DOCUSIGN SUB-PROCESSOR shall mean any Group Company engaged by DocuSign as a Sub-Processor.

DPA

DPA shall mean any data protection authority of one of the EEA Countries.

EEA Countries

EEA COUNTRIES (European Economic Area Countries) shall mean all Member States of the European Union, Norway, Iceland, Liechtenstein and, for purposes of this Processor Code, Switzerland.

EEA Data Transfer Restriction

EEA DATA TRANSFER RESTRICTION shall mean any restriction under Data Protection Law regarding outbound transfers of Personal Information.

Effective Date

EFFECTIVE DATE shall mean the date on which this Processor Code becomes effective as set forth in Article 1.6.

Employee

EMPLOYEE shall mean the following individuals:

  1. an employee, job applicant or former employee of DocuSign including temporary workers working under the direct supervision of DocuSign (e.g., independent contractors and trainees). This term does not include people working at DocuSign as consultants or employees of Third Parties providing services to DocuSign;
  2. a (former) executive or non-executive director of DocuSign or (former) member of the supervisory board or similar body to DocuSign.

Group Company

GROUP COMPANY shall mean DocuSign Inc. and any company or legal entity of which DocuSign Inc. directly or indirectly owns more than 50% of the issued share capital, has 50% or more of the voting power at general meetings of shareholders, has the power to appoint a majority of the directors, or otherwise directs the activities of such other legal entity; however, any such company or legal entity shall be deemed a Group Company only as long as a liaison and/or relationship exists.

Lead DPA

LEAD DPA shall mean the data protection authority of Ireland.

Mandatory Requirements

MANDATORY REQUIREMENTS shall mean mandatory requirements of Applicable Data Processor Law which do not go beyond what is necessary in a democratic society, i.e. which constitute a necessary measure to safeguard national security, defense, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the state, or the protection of a BC Individual or the rights and freedoms of others.

Personal Information

PERSONAL INFORMATION shall mean any information relating to an identified or identifiable individual.

Privacy Lead

PRIVACY LEAD shall mean any of the Privacy Leads appointed by the Chief Privacy Officer pursuant to Article 8.3.

Processing

PROCESSING shall mean any operation that is performed on BCI Information, whether or not by automatic means, such as collection, recording, storage, organization, alteration, use, disclosure (including the granting of remote access), transmission or deletion of BCI Information.

Processor Code

PROCESSOR CODE shall mean this Processor Privacy Code.

Responsible Executive

RESPONSIBLE EXECUTIVE shall mean the lowest-level DocuSign business executive or the non-executive general manager of a DocuSign business function who has primary budgetary ownership of the relevant Processing.

Services Contract

SERVICES CONTRACT shall mean the contract entered into between a DocuSign Group Company and the Business Customer pursuant to Article 2.1, to permit the Business Customer to receive DocuSign Application services.

Staff

STAFF shall mean all Employees and other persons who Process BCI Information as part of their respective duties or responsibilities as employees or individuals under the direct authority of DocuSign using DocuSign information technology systems or working primarily from DocuSign premises.

Sub-Processor

SUB-PROCESSOR shall mean any Data Processor engaged to Process BCI Information as a sub-processor.

Third Party

THIRD PARTY shall mean any person or entity (e.g., an organization or government authority) outside DocuSign or the Business Customer.

Third Party Sub-processor

THIRD PARTY SUB-PROCESSOR shall mean any Third Party engaged by DocuSign as a Sub-Processor.

Interpretations

INTERPRETATION OF THIS PROCESSOR CODE:

  1. Unless the context requires otherwise, all references to a particular Article or Annex are references to that Article or Annex in or to this document, as they may be amended from time to time
  2. headings are included for convenience only and are not to be used in construing any provision of this Processor Code
  3. if a word or phrase is defined, its other grammatical forms have a corresponding meaning
  4. the male form shall include the female form
  5. the words "include", "includes" and "including" and any words following them shall be construed without limitation to the generality of any preceding words or concepts and vice versa
  6. a reference to a document (including, without limitation, a reference to this Processor Code) is to the document as amended, varied, supplemented or replaced, except to the extent prohibited by this Processor Code or that other document, and
  7. a reference to law includes any regulatory requirement, sectorial recommendation, and best practice issued by relevant national and international supervisory authorities or other bodies.


ANNEX 2 - Security policy overview

People, processes and technology are vital assets that are essential to DocuSign’s business. DocuSign has established an Information Security Management System, and mandatory policies and procedures to protect the confidentiality, availability, and integrity of these assets. 

The following provides an overview of those policies, procedures and processes that comprise the technical, physical and organizational measures employed by DocuSign to protect BC Individual Information from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.

DocuSign’s Information Security Management System

This document establishes the framework of security, risk, and compliance management policies and guidelines issued by DocuSign’s Information Security team. Each department is responsible for integrating the controls based on appropriate risk assessments and evolving industry standards.

DocuSign Information Security Policy

This document describes objectives, responsibilities and mandatory rules for information security.  This policy is derived from DocuSign’s Security and Compliance Council’s mandate and is fully endorsed by DocuSign Top Management.  This policy, along with the security controls listed in our Information Security Management System Statement of Applicability comprises the mandatory DocuSign Security Policies.  

DocuSign security controls

DocuSign’s Information Security Management System Statement of Applicability is an extension of DocuSign’s Information Security Policy and describes the control objectives, key controls, policies, procedures, and organizational structures. This document is a statement of the responsibilities of both DocuSign management and staff in order to establish and maintain an organization-wide secure environment. The following are the security domains, further detailed in the Information Security Management System Statement of Applicability.

  • Information Security Policies
  • Organization of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • System Acquisition, Development and Maintenance
  • Supplier Relationships
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

DocuSign security standards, guidelines and baselines:

Additional documents set forth further direction for implementation of specific, required controls, including:

  • DocuSign Acceptable Use Policy
  • DocuSign Access Control Policy
  • DocuSign Anti-Virus and Anti-Malware Policy
  • DocuSign Change Management Policy
  • DocuSign Clean Desk and Clear Screen Policy
  • DocuSign Data Disposal and Reuse Policy
  • DocuSign Hardening Standard
  • DocuSign Incident Management Policy
  • DocuSign Incident Management Process
  • DocuSign Incident Response Playbook
  • DocuSign Information Classification Policy
  • DocuSign Password Policy
  • DocuSign Physical and Environmental Security Policy
  • DocuSign SOC Operations Manual
  • DocuSign Vulnerability Scanning and Penetration Testing Policy
  • DocuSign Restricted Access Area Standard
  • DocuSign Document Control Procedure
  • DocuSign 2015 Business Continuity Plan
  • DocuSign Internal Audit Policy

Information classification and access control

DocuSign regards information required for the pursuance of its business as a corporate asset, which must be protected against loss and against infringements on integrity and confidentiality. Each department is required by policy to assess risks to identified information assets and to periodically check the level of security through security reviews. Information is classified into one of three categories, and each classification requires appropriate levels of security controls (e.g., encryption of data classified as secret or confidential). DocuSign’s Information Classification Policy further requires that security measures for the processing and storage of information be proportionate to the classification level, and that each user be uniquely identifiable via a personal user identification. Access controls exist to restrict access to systems and data to management-authorized individuals for valid business purposes only. DocuSign employees and third parties processing DocuSign information are accountable for the protection of that information and the applicable assets, per DocuSign’s Security Policies.

System integrity and availability

Each DocuSign department is responsible for formally accepting responsibility for the continuity of its business in the event of degradation or failure of the information infrastructure. Back-up copies of critical business information and software must be taken regularly and tested to ensure recovery. Contingency procedures must be tested at least annually, and the workability of the contingency plan must be formally verified.

Activity logging

DocuSign IT Security Controls require appropriate logging and monitoring of system activity to enable the recording of IT security-relevant actions. The IT security features, service levels and management requirements of all network services must be identified and included in any network services agreement, whether these services are provided in-house or outsourced. Formal procedures are also required for authorizing access to systems or applications, and all user access rights and privileges must be reviewed at regular intervals, at least quarterly.

Security incidents

All employees, contractors, and third-party users of information systems and services are required to note and report any observed or suspected security weaknesses in systems or services, through management channels, to the DocuSign CSIRT (Computer Security Incident Response Team) for investigation and follow-up, as appropriate. Security incidents that involve personal data or that may have privacy implications must also be reported to the applicable Privacy Lead.

Physical security

DocuSign’s Physical and Environmental Security Policy requires DocuSign management to identify those areas requiring a specific level of physical security, and access to those areas is provided only to authorized persons for authorized purposes. DocuSign secured areas employ various physical security safeguards, including closed-circuit television (CCTV) monitoring, use of security badges (identity-controlled access) and security guards stationed at entry and exit points. Visitors may only be provided access where authorized and are to be supervised at all times.

Compliance

DocuSign has a standing Compliance organization that regularly monitors the implemented security measures and implementation of new security requirements. Compliance with DocuSign Security Policies is accomplished through annual training, periodic reviews of local and organization-wide policies and procedures, and audits.