DATA PROTECTION ATTACHMENT FOR DOCUSIGN SERVICES FOR WEB PLAN CUSTOMERS
Version Date: January 9, 2025
This Data Protection Attachment for Docusign Services (“DPA”) is incorporated into and made part of the Terms. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Terms. In the event of any conflict between these documents, the following order of precedence applies (in descending order): (a) Binding Corporate Rules; (b) the Standard Contractual Clauses as provided herein; (c) the body of the DPA; (d) any documents attached to the DPA; and (e) the Terms.
1. DEFINITIONS. For purposes of this DPA:
“Binding Corporate Rules” means Docusign’s Binding Corporate Rules for Processors, the most current version of which is available on Docusign’s website at https://trust.docusign.com/en-us/trust-certifications/gdpr/bcr-p-processor-privacy-code/.
“Controller,” “Business,” “Processor,” and “Service Provider” (or equivalent terms) have the meanings set forth under Data Protection Laws.
“Data Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data managed by Docusign.
“Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, and breach notification that apply to Docusign’s Processing of Personal Data, including, without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the United Kingdom Data Protection Act of 2018 (“UK GDPR”).
“Data Subject” means an identified or identifiable natural person about whom Personal Data relates (or equivalent term under Data Protection Laws).
“Data Transfer” means either a transfer of Personal Data from a Controller to a Contracted Processor, an onward transfer of Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).
“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 8 below.
“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” or equivalent terms that are Processed by Docusign in connection with providing Docusign Services under the Terms, and such terms shall have the same meaning as defined by Data Protection Laws.
“Process” and “Processing” have the meaning set forth under Data Protection Laws and the Docusign Binding Corporate Rules Processor Policy, and include any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2. SCOPE AND PURPOSES OF PROCESSING.
2.1 Depending on Data Protection Laws, Customer is a Controller or Business, and Docusign is a Processor or Service Provider with respect to Docusign’s Processing of Personal Data to provide the Docusign Services under the Terms.
2.2 The scope, nature, purposes, and duration of the Processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Data Protection Laws.
2.3 Docusign will Process Personal Data: (a) to provide the Docusign Services to Customer under the Terms, including this DPA; (b) on Customer’s behalf pursuant to Customer’s instructions; and (c) in compliance with Data Protection Laws. Docusign will not “sell” Personal Data (as such term in quotation marks is defined in Data Protection Laws), “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms are defined in Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein, unless obligated or permitted to do otherwise under applicable law, or outside of the direct business relationship with Customer. Provision of the Docusign Services involves the ongoing operation, support, and improvement of the Docusign Services. Docusign securely Processes information related to how the Docusign Services are used by all customers and users for security and fraud prevention/detection purposes, as well as to analyze, develop, protect, and improve the Docusign Services, including developing new features or functionality for the Docusign Services and/or developing new related or expected products or services. Customer acknowledges and agrees that Docusign may Process Personal Data for such purposes and that such purposes are compatible with, reasonably necessary to, and proportionate to providing the Services.
2.4 Customer will ensure that: (a) all such notices have been given, and all such authorizations have been obtained, as required under Data Protection Laws, for Docusign (and its Affiliates and Subprocessors) to Process Personal Data as contemplated by the Terms and this DPA; (b) it has complied, and will continue to comply, with all Data Protection Laws; and (c) it has, and will continue to have, the right to transfer or provide access to, Personal Data to Docusign for Processing in accordance with the terms of the Terms and this DPA.
2.5 Unless otherwise specified in the Terms, Customer agrees it will not provide Docusign with any sensitive or special categories of Personal Data that impose specific data security or data protection obligations on Docusign in addition to or different from those specified in this DPA (including any appendix to the DPA) or Terms.
3. PERSONAL DATA PROCESSING REQUIREMENTS. Docusign will:
(a) Ensure that the persons it authorizes to Process the Personal Data are subject to confidentiality obligations regarding such activity or are under an appropriate statutory obligation of confidentiality.
(b) Without undue delay notify Customer of: (i) any known third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any known government request for access to or information about Docusign’s Processing of Personal Data on Customer’s behalf, unless prohibited by applicable laws. Docusign will provide Customer with reasonable cooperation and assistance in relation to any such request. If Docusign is prohibited by applicable laws from disclosing the details of a government request to Customer, Docusign shall use reasonably available legal mechanisms to challenge any demands for data access through the applicable government process that it receives, as well as any non-disclosure provisions attached thereto.
(c) Provide reasonable assistance to Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by Data Protection Laws.
(d) Where required by Data Protection Laws, provide reasonable assistance to Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any legal obligation applicable to Docusign under Data Protection Laws to consult with a regulatory authority in relation to Docusign’s Processing or proposed Processing of Personal Data.
(e) Comply with the CCPA's restrictions pursuant to 1798.140 (e)(6) regarding combining Personal Data with Personal Data received from, or on behalf of, another person or persons for the purposes enumerated in the CCPA.
(f) Without undue delay notify Customer if it determines that: (i) it can no longer meet its obligations under this DPA or Data Protection Laws; or (ii) in its opinion, an instruction from Customer infringes Data Protection Laws.
4. DATA SUBJECT REQUESTS.
4.1 If Docusign receives a direct request from a Data Subject regarding rights under Data Protection Laws, Docusign will promptly re-direct the Data Subject to the Customer if the Data Subject has identified Customer as Controller of the Personal Data subject to the request so that the Data Subject can directly submit their request to the Customer. Docusign will provide reasonable assistance to Customer in fulfilling its obligations under Data Protection Laws to respond to Data Subject requests, but Customer understands and agrees that, as a Controller, Customer is solely responsible for responding to such Data Subject’s requests or inquiries and that Docusign has no responsibility to respond to a Data Subject for or on behalf of Customer.
4.2 If Customer receives a request or inquiry from a Data Subject related to Personal Data Processed by Docusign, Customer can either: (a) access its Docusign Services containing Personal Data to address the request or inquiry; or (b) to the extent such access is not available to Customer, contact Docusign customer support for reasonable assistance to enable Customer to address the request or inquiry.
5. DATA SECURITY.
5.1 Docusign will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data. Details regarding the specific security measures that apply to the Docusign Services are as described in the Binding Corporate Rules. Customer acknowledges that Docusign’s security measures are subject to technical progress and development and that Docusign may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Docusign Services purchased by Customer.
5.2 Customer shall be responsible for properly implementing access and use controls and configuring certain features and functionalities of the Docusign Services that Customer may elect to use and agrees that it will do so in accordance with this DPA and the Terms in such manner that Customer deems adequate, including, without limitation, maintaining appropriate security, protection, deletion, and backup of its own Personal Data.
6. DATA BREACH. Docusign will notify Customer without undue delay upon becoming aware of any Data Breach resulting from Docusign’s Processing of Personal Data on behalf of Customer and will assist Customer in Customer’s compliance with its Data Breach-related obligations, including, without limitation, by:
(a) Taking commercially reasonable steps to mitigate the effects of the Data Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
(b) Providing all legally-required information to Customer regarding the Data Breach.
(c) Docusign’s obligation to report a Data Breach under this DPA is not and will not be construed as an acknowledgement by Docusign of any fault or liability of Docusign with respect to such Data Breach. Customer is solely responsible for determining whether to notify impacted Data Subjects and for providing such notice, and for determining whether relevant supervisory authorities need to be notified of a Data Breach as may be required for Customer’s own business and activities. Notwithstanding the foregoing, Customer agrees to reasonably coordinate with Docusign on the content of Customer’s intended public statements or required notices for affected Data Subjects and/or notices to relevant supervisory authorities regarding the Data Breach.
7. SUBPROCESSORS.
7.1 Customer acknowledges and agrees that Docusign may use Docusign Affiliates and other Subprocessors (as defined in Data Protection Laws) to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws.
7.2 Docusign’s Services Subprocessor List is available on Docusign’s website at https://www.docusign.com/trust/privacy/subprocessors-list (the “Subprocessor List”), and notice regarding new Docusign Service Subprocessors is made available through a subscription mechanism as described on the Docusign website. Customer agrees to subscribe to the Subprocessor List for Docusign to notify Customer of new Subprocessor(s) for the applicable Docusign Services. Docusign will maintain an up-to-date list of its Subprocessors, and it will provide Customer with reasonable notice of any new Subprocessor added to the list. In the event Customer has a commercially reasonable objection to a new Subprocessor, Docusign will use reasonable efforts to make available to Customer a change in the Docusign Services or recommend a commercially reasonable change to Customer’s use of the Docusign Services to avoid Processing of Personal Data by the objected-to Subprocessor.
8. INTERNATIONAL DATA TRANSFERS.
8.1 Docusign will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with Data Protection Laws.
8.2 To the extent Docusign’s cross-border Processing of Personal Data involves a transfer of Personal Data subject to cross-border transfer obligations under Data Protection Laws, the Binding Corporate Rules apply to the Processing of Personal Data by Docusign and/or its Affiliates as part of the provision of Docusign Services under the Terms. The Binding Corporate Rules are incorporated by reference into this DPA.
8.3 Notwithstanding section 8.2 above, and only to the extent legally required, by signing this DPA, Customer and Docusign are deemed to have signed the EU SCCs as an additional safeguard, which form part of this DPA and (except as described in Section 8.3(d) and (e) below) will be deemed completed as follows:
(a) Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to Docusign (as a Processor) and Module 3 applies to transfers of Personal Data from Customer (as a Processor) to Docusign (as a Subprocessor);
(b) Clause 7 (the optional docking clause) is included;
(c) Under Clause 9 (Use of Subprocessors), the Parties select Option 2 (General written authorization);
(d) Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
(e) Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the laws of Ireland;
(f) Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
(g) Annex I(A) and I(B) (List of Parties) are completed as set forth in Schedule A;
(h) Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission;
(i) Annex II (Technical and organizational measures) is completed as provided in Schedule A of this DPA; and
(j) Annex III (List of Subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9; however, Docusign’s Subprocessor List can be viewed as described above in Section 7.
8.4 With respect to Personal Data transferred from the United Kingdom, for which the UK GDPR (and not the GDPR or FADP) governs the international nature of the transfer, the International Data Transfer Addendum to the EU SCCs (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“UK SCCs”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall have the definitions given in the UK SCCs. The UK SCCs shall be deemed completed as follows: (a) the Parties’ details shall be the Parties and their Affiliates to the extent any of them are involved in such transfer; (b) the Key Contacts shall be the contacts set forth in the Terms; (c) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (d) Docusign may end this DPA as set out in Section 19 of the UK SCCs; and (e) by entering into this DPA, the Parties are deemed to be signing the UK SCCs.
8.5 For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 8.3 of this DPA, but with the following differences, to the extent required by the FADP: (a) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the Data Transfers are subject exclusively to the FADP and not to the GDPR; (b) the term “Member State” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (c) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
9. AUDITS. To the extent required by Data Protection Laws, and no more than once per calendar year, Docusign shall make available such information reasonably requested by Customer to confirm Docusign’s compliance with this DPA (e.g., SOC, ISO, NIST, PCI DSS, similar audit reports issued by a qualified third-party auditor, “Audit Report”).
10. DESTRUCTION OR RETRIEVAL OF PERSONAL DATA. Prior to termination or expiration of the Terms, Customer may retrieve Personal Data Processed by Docusign in accordance with the terms of the Terms, and at Customer’s request, Docusign will delete all Personal Data in its possession or control as soon as reasonably practicable, save that this requirement will not apply to the extent that Docusign is permitted by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems. For Personal Data stored in Customer’s service environment, Customer acknowledges that it is required to take appropriate action to back up or otherwise store separately any Personal Data while the Docusign Services environment is still active prior to termination.
11. MISCELLANEOUS PROVISIONS.
Notwithstanding anything else to the contrary in the Terms, Docusign reserves the right to make any modification to this DPA as may be required to comply with Data Protection Laws.
Any claims brought under this DPA shall be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Terms.
This DPA will remain in force and effect through the term of the Terms or for as long as Docusign is Processing Personal Data subject to this DPA, whichever is longer.
Schedule A
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in the Terms and the DPA.
Data importer(s):
The importer (Processor) is Docusign, Inc. or the applicable DocuSign Group Members set forth in Appendix 1 of the DocuSign Binding Corporate Rules for Processors, which includes the contact details for each of the applicable entities.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred:
Any data subjects whose Personal Data is contained in Data Exporter’s data being used in the Docusign Services, as set out in the Terms, which describe the provision of Docusign Services to Customer, including Customer’s Account Administrator, Authorized Users, representatives, and end users, including, without limitation, Customer’s employees, contractors, partners, suppliers, customers, and clients.
Categories of Personal Data transferred:
Any Personal Data that is provided by Data Exporter to Data Importer in connection with the Terms and the DPA, including, without limitation, contact information such as name, address, telephone or mobile number, email address, and passwords; as well as data related to use of the Docusign Services and any content that Customer transmits through the use of the Docusign Services.
Sensitive data transferred (if applicable): Content submitted by Customer through the Docusign Services may constitute sensitive data under applicable Data Protection Laws where Customer or Customer’s end users choose to include such sensitive data within the content they submit. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or Processing, or prior to permitting its end users to transmit or Process any sensitive data via the Docusign Services.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
On a continuous basis as needed to provide the Docusign Services to Customer for the term of the Terms.
Nature of the Processing:
The nature of the Processing is set out in the Terms between the parties.
Purpose(s) of the Data Transfer and further Processing:
The purposes of the Data Transfer are for Docusign to provide the Docusign Services pursuant to the Terms.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing:
Please see Section 7 for information about how to access a list of Docusign’s Subprocessors and the nature of the services they provide. All transfers will last for the duration of the Terms between the parties.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
The Data Exporter’s competent supervisory authority will be determined in accordance with Data Protection Laws and, where possible, will be the Irish Data Protection Commission.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
See the Docusign Binding Corporate Rules.