ID VERIFICATION FOR QES ATTACHMENT FOR DOCUSIGN ESIGNATURE
Service Attachment revision date: August 29, 2022. Unless otherwise defined in this Service Attachment, capitalized terms will have the meaning given to them in the Agreement.
1. DEFINITIONS
“Certificate(s)” means the Certificate generated by the CA via the Service for a Signer, which attests the unique link between the Signer Identity and a Public Key. The Public Key is uniquely associated with a Private Key managed by Docusign. In this case, the term “Certificate” means the qualified certificate for electronic signature, as defined in Article 3-15 of eIDAS, generated by Docusign to the benefit of a Signer.
“Certification Authority” (or “CA”) is Docusign France, the authority that generates Certificates and manages the Certificate life cycle (issuance, renewal, revocation) on the request of the Registration Authority, in accordance with the rules and practices defined in its Certificate Policy(ies).
“Certificate Policy(ies)” (or “CP”) means the set of rules published by the CA. A Certificate Policy describes the general characteristics of the Certificates as well as the obligations and responsibilities of the CA, the RA, Signers, Certificate requesters, and any other PKI component involved in the management of a Certificate life cycle. The Certificate Policy(ies) of Docusign and its (their) successive update(s) can be accessed on Docusign’s website (https://www.docusign.fr/societe/certification-policies), and are an integral part of this Service Attachment. For the purposes of this Service Attachment, the applicable OID is equivalently 1.3.6.1.4.1.22234.2.14.3.31 depending on the moment of issuance.
“Certificate Revocation List” (or “CRL”) means the list of invalid Certificates that were revoked before their expiration date. CRLs are issued periodically and are digitally signed by the CA that issued the Certificates in the list. The URL for where to find the CRL is contained in the Certificate.
“Documentation” includes the Certificate Policies for the purposes of this Service Attachment.
“Docusign France” (or “DSF”) means Docusign France SAS, a wholly owned subsidiary of Docusign, Inc.
“eIDAS” means EU Regulation No. 910/2014.
“Private Key” means a mathematical key, associated with the Public Key, that is secret, uniquely contained within a certified remote Qualified Signature creation device, and remotely activated by the Signer to sign eDocuments. In the context of the Service, the Private Keys are generated only for the purpose of a single Transaction and are erased after the completion of such Transaction.
“Qualified Signature” (or “QES”) means qualified electronic signature as defined in Article 3-12 of eIDAS.
“Registration Authority (or “RA”) means a third party authorized by Docusign France to register requests for the issuance, renewal, and revocation of Certificates. The RA collects electronic copies of the Signer’s ID document, verifies the name of the Signer, and records evidence of the Signer’s identity. The RA interacts with and has integrated their service with Docusign eSignature to interact with the Signer.
“ID Check Remote for QES” means the Docusign ID Check Remote for QES service which provides: (i) qualified electronic signatures under the meaning of eIDAS; (ii) an RA interface which allows the Signer to interact with the RA via live video over the Internet; and (iii) evidence storage services. Signers access the Service via Docusign eSignature.
“ID Verification for QES” means the Docusign ID Verification for QES service which provides: (i) qualified electronic signatures under the meaning of eIDAS; (ii) an RA interface which allows the Signer to upload require ID Verification documents; and (iii) evidence storage services. Signers access the Service via Docusign eSignature.
“Service” means ID Check Remote for QES and/or ID Verification.
“Signer(s)” means any individual who signs eDocuments using the Service.
“Signer Identity” means the set of personal data (including name, email address, mobile phone number, and copy of an official ID document) used to identify a Signer.
“Transaction(s)” means the performance of a signature process, defined by a set of eDocuments submitted for electronic signature, by one or more Signers via Docusign eSignature.
“Trust Service Provider” (or “TSP”) means an entity that has been approved by a CAB to offer QES. DSF is authorized by the French National Cybersecurity Agency (ANSSI) to provide QES.
2. EU QUALIFIED SIGNATURE
2.1 Generally. The Parties acknowledge and agree that: (a) Docusign France is a TSP for the purpose of providing the Service; (b) where Customer contracts with Docusign for the provision of the Service and related certification services, Docusign is authorized to act as an agent for and on behalf of Docusign France for the purpose of contracting with Customer while Docusign France is the entity providing the actual delivery of any Qualified Electronic Signature and Certificates; and (c) the use of the Service is conditioned upon Customer adhering to the terms of this Service Attachment.
2.2 Right to Use. During the Term and subject to the terms and conditions of this Service Attachment, Customer will have the limited right to send eDocuments to Signers to be signed with the Service via Docusign eSignature. The right to use the Service is limited to Customer’s authorized Signers. Customer and its agents may not resell or otherwise provide or assist with the provision of the Service: (a) for the benefit of another party; (b) as a part of a service Customer offers to third parties; or (c) as a sublicensed or service bureau arrangement.
2.3 Certificate Policies. Customer acknowledges and agrees that: (a) Docusign France is a TSP and that the Service is based on Docusign France’s applicable Certificate Policies; (b) the Certificate Policies constitute essential commitments from Docusign France, including (where applicable) Customer, to any third party relying on the Service; and (c) the Certificate Policies have been or will be made available to Customer before the Order Start Date of the Service and can be accessed on Docusign’s website, https://www.docusign.fr/societe/certification-policies.
3. CUSTOMER RESPONSIBILITIES
3.1 Customer Responsibilities Generally. Customer acknowledges having received from Docusign all of the information it requires to assess whether the Service meets its needs and to take all necessary precautions for the implementation and operation of the Service.
3.2 Registration Authority Interface. Customer acknowledges that the RA interface (including its video functionality) is subject to certain technical limitations and/or requirements including, but not limited to, the languages used, minimum system and connectivity requirements to use the RA’s services, and the identification documents supported by the RA’s system. Customer acknowledges that the RA interface constitutes Third-Party Services as defined in and governed by the Agreement.
4. DOCUSIGN RESPONSIBILITIES
4.1 Trust Service Provider. Docusign shall make commercially reasonable efforts to: (a) ensure its and its Affiliates’ data centers and information technology are secure and trustworthy; (b) verify that the RA meets the ETSI 319 411-2 identity proofing requirements within the RA service; and (c) ensure that electronic signatures created with the Service, subject to the Customer fulfilling its responsibilities under this Service Attachment, will conform to the definitions of QES set forth in Article 3-12 of eIDAS.
4.2 Certification Services. Docusign France, in its capacity as CA, shall be responsible for the proper functioning of the Service’s components and the compliance of its Certificate management system and procedures with the provisions set forth in the applicable Certificate Policy(ies). Docusign France shall technically manage the life cycle of Certificates throughout their validity period in accordance with the terms and conditions defined in the applicable Certificate Policies.
5. REVOCATION
5.1 Revocation Generally. In its capacity as CA, Docusign France enables a Signer to report inaccuracies in the Signer Identity by way of a revocation request. If Docusign receives an authenticated revocation request from the RA in the first nine (9) days after a Certificate is issued, Docusign shall add Signer’s Certificate to the Certificate Revocation List maintained and published by the CA.
5.2 Revocation After Execution. A revocation recorded after the execution of a QES does not invalidate the QES. The RA shall develop and adhere to procedures to respond to revocation requests from a Signer it has identified. To this extent, the RA shall: (a) define and implement procedures to receive revocation requests from Signers and to authenticate such revocation requests; and (b) transmit authenticated revocation requests to Docusign France within eighteen (18) hours of receiving such revocation requests in accordance with the applicable Certificate Policies.
6. AGREEMENT ON PROOF
6.1 Computerized Records. Except where regulations to the contrary exist, computerized records stored in the information systems of Docusign and its Affiliates using reasonable security measures are accepted as proof of the communications and agreements between the Parties.
6.2 Means of Proof. Docusign may use, including for the purposes of providing evidence or establishing an invoice, any document, file, recording, monitoring report, or statistic in any medium, including an electronic medium that has been directly or indirectly created, received, or stored by Docusign in a database.