Data processing agreement

Latest update: 15 November 2024
You can read the previous version here

1. PURPOSE

This Data Processing Agreement (hereinafter the “Agreement”) forms an integral part of the Contract. The purpose of the Agreement is to set out the conditions under which Yousign undertakes to carry out the Processing of Personal Data supplied in connection with the provision of the Services according to Article 28 of Regulation (EU) 2016/679 (hereinafter the “GDPR”). 

This Agreement comes into effect from the date of signature of the Contract to which it is attached and shall remain in force throughout the period of the contractual relationship between Yousign and the Subscriber/User.

2. DEFINITIONS 

All terms written with a capital letter not defined in this Agreement will have the meaning given to them here.

3. DESCRIPTION OF PROCESSING

The Subscriber/User authorises Yousign, solely for the purpose of performing the Contract, to carry out on its behalf the Processing of Personal Data (hereinafter the “Authorised Processing”) necessary to provide the Services.

4. CLASSIFICATION OF THE PARTIES

The Parties expressly acknowledge that the Subscriber/User is the Controller and Yousign is a Processor for all Authorised Processing in relation to the performance of the Contract.

Yousign is authorised by the User/Subscriber to process the Personal Data necessary for the provision of the Services on behalf of the Controller. All Processing carried out by Yousign as Controller is mentioned in the Privacy Policy available on the Site.

5. SELECTION OF SERVICES

The Subscriber/User has sole responsibility for the choice of Services and must ensure that the Services to which they subscribe for the purpose of their activities have the characteristics and conditions required by the latter.

6. COMPLIANCE WITH APPLICABLE REGULATIONS

Each Party shall perform the Contract in accordance with the applicable Personal Data protection laws and regulations, and shall comply with the obligations incumbent on it, including but not limited to the provisions of the GDPR, at all times, in relation to said performance.

7. SUBSCRIBER/USER OBLIGATIONS AS THE CONTROLLER

The Subscriber/User, in their capacity as the Controller, must fulfil the obligations incumbent on them pursuant to the GDPR. In particular, they have sole responsibility for (i) the lawfulness of the Authorised Processing, especially in light of the principles and obligations set out in the applicable Personal Data protection laws and regulations, notably concerning the legal basis of the Authorised Processing and the provision of information to Data Subjects, (ii) the use of the Platform, Services and Documents that they complete, place, store, archive, view, and upload to and/or delete from the Platform, (iii) keeping a record of Processing and (iv), if applicable, the completion of formalities prior to carrying out the Processing.

The Subscriber/User shall provide Yousign with the data mentioned in Annex 1 in order to enable Yousign to provide the Electronic Signature Services, and shall supervise the Authorised Processing, including by conducting audits under the conditions described in the article “Audits”.

The Subscriber/User shall appoint a primary point of contact to represent the Controller and shall communicate their contact details to Yousign through the Corporate Account.

The Subscriber/User is responsible for their use of the Services, in particular the protection and security of the Personal Data in transit from and to the Platform.

8. YOUSIGN OBLIGATIONS AS THE PROCESSOR

8.1 Compliance with Instructions. Yousign shall process the Personal Data solely for the purposes described in this Agreement or as otherwise agreed in accordance with the lawful instructions given by the Subscriber/User. 

If Yousign considers that an Instruction constitutes a breach of the GDPR or any other provision of the applicable Personal Data protection laws and regulations, it shall inform the Subscriber/User immediately. 

It is stipulated that Yousign’s commitment is limited to the provision of the Services and hosting the Platform. As soon as the Controller enters Personal Data onto the Platform, it must comply with the relevant legal provisions in terms of Personal Data protection, including on the provision of information to Data Subjects, and consent if applicable.  

8.2 Confidentiality. Yousign shall reserve access to the authorised Personal Data solely to those employees and Sub-Processors who need to access them to carry out their duties in relation to the performance of the Contract. Yousign undertakes that all such recipients shall be bound by confidentiality obligations equivalent to those mentioned in this Agreement.

8.3 Security of Authorised Processing. Yousign shall implement and maintain appropriate technical and organisational measures to protect the Personal Data from any breach, as described on the Security page. Yousign may amend or update these security measures at its sole discretion, provided said amendments or updates do not result in a lower level of security. 

8.4 Sub-processors. Yousign has a general authorisation from the User/Subscriber permitting it to use the Sub-processors listed here. Yousign shall inform each User/Subscriber, in writing, thirty (30) days in advance, of any planned change concerning the addition or replacement of Sub-processors.

If the User/Subscriber has legitimate and reasonable grounds to object to the appointment of a new Sub-processor, the User/Subscriber must justify their complaint to Yousign immediately by sending a written notification to the Support Service, within thirty (30) working days following the notification issued by Yousign, failing which the User/Subscriber will be deemed to have approved and accepted the changes.

Following discussions and in the absence of an agreement between Yousign and the User/Subscriber, the latter can terminate the part of the Contract affected by the update concerned within thirty (30) days of the notification. 

In any case, Yousign shall demonstrate reasonable due diligence in the assessment, appointment and monitoring of Processing activities carried out by Sub-processors. Accordingly, the Sub-processors must offer sufficient guarantees with regard to the applicable obligations in terms of the security and the confidentiality of the authorised Personal Data, and shall be bound to Yousign by identical or equivalent obligations to those set out in this Agreement. 

Should the Sub-processor fail to fulfil its obligations, Yousign shall retain full responsibility for the fulfilment of its responsibilities in respect of the User/Subscriber. 

8.5 Data transfers. If, pursuant to the Contract, Personal Data are transferred outside the European Union to a country that does not have an adequacy decision, Yousign undertakes to implement a data transfer agreement in accordance with Standard Contractual Clauses or, at Yousign’s discretion, any other appropriate guarantee as provided for in Chapter V of the GDPR.

Moreover, if Yousign is obliged to transfer Personal Data to a third country or to an international organisation, pursuant to EU law or the law of a Member State to which it is subject, it must inform the Subscriber/User of said legal obligation prior to carrying out the Processing, unless the law concerned prohibits the provision of such information on significant public interest grounds.

8.6 Rights of Data Subjects. It is the Controller’s responsibility to respond to requests from Data Subjects regarding the exercise of their Personal Data rights. As far as possible, Yousign, in its capacity as Processor and at the request of the Controller, may assist the Controller in fulfilling its obligation to respond to requests by Data Subjects to exercise their rights, such as request for rights of access, rectification, erasure and objection, the rights to restriction of processing and data portability, and the right not to be subject to automated decision-making (including profiling). 

If a Data Subject contacts Yousign directly to exercise one of their rights, Yousign shall refer the Data Subject to the Controller as soon as possible so that the latter can respond to their request.

8.7 Notification of Personal Data breaches. Yousign shall notify the Subscriber/User of any Personal Data breach. This notification shall be accompanied by any useful information to enable the Subscriber/User, if necessary, to notify the relevant supervisory authority of the breach.

8.8 Record of Processing activities. Yousign declares that it has a written record of all categories of Processing carried out on behalf of the Controller in accordance with the provisions of the GDPR.

8.9 Provision of information and assistance to the Controller. Yousign shall, at the written request of the Subscriber/User, provide the latter with reasonable assistance in carrying out Data Protection impact analyses as provided for in the GDPR. Yousign shall provide the Controller with all the necessary information concerning the Authorised Processing to assist it in fulfilling its statutory obligations.

9. AUDITS

The Controller may, in order to verify compliance with the provisions of this Agreement, carry out organisational or technical audits or have them carried out by others at its own expense, in accordance with the provisions set out in this article, up to a maximum of one (1) audit per year for a maximum of three (3) working days, the time spent by Yousign personnel being invoiced to the Controller.

The audit must be carried out in accordance with Yousign’s security rules and requirements. No audit shall be authorised for any reason whatsoever, without Yousign’s written agreement in advance. Yousign can object to the nomination of a particular auditor on the grounds of a lack of independence or a conflict of interest with the latter. In this case, the Controller will inform Yousign of the name of another auditor.

Each audit must be subject to an audit agreement, provided in writing by the Controller, and formally approved by Yousign a minimum of thirty (30) days before the start of the audit. The audit agreement must set out in detail the precise scope, limits, exclusions, objectives, nature of the tests and methodology used by the auditors, the dates and times, the escalation process in case of an incident during the audit, and the contact details of all the interested parties. 

The information obtained during the audit is Confidential Information and must be treated as such by the Controller. Should the audit be carried out by an external auditor, the Controller shall ensure that the latter provides sufficient confidentiality guarantees in respect of the nature of the information it may access during the course of the audit.

The Controller shall systematically send the full audit report to Yousign free of charge, so that it can make its observations. If the audit report shows any non-fulfilment of the obligations set out in this Agreement, Yousign will determine, on the basis of its internal policies, the time frame from the receipt of the final version of the report to correct the failings and/or non-compliances noted.

10. RETENTION, ERASURE AND RESTORATION OF PERSONAL DATA 

Yousign shall comply with the retention period for Personal Data applicable to the purposes for which they were collected or provided and erase/anonymise them as soon as said purposes no longer exist, subject to statutory retention obligations. 

Yousign shall make a copy of the Personal Data provided to it during the performance of the Contract available to the User/Subscriber throughout the term of the Contract. 

Also, the Subscriber/User may recover the Personal Data provided in respect of the provision of the Services, under the conditions set out in the Contract, at the end of the contractual relationship. These data will be made available to the User/Subscriber in a guaranteed interoperable format.

11. LIABILITY

Yousign can only be held liable for damage caused by Authorised Processing for which (i) it has failed to comply with the obligations set out in the GDPR that are specifically incumbent on the Processor or for which (ii) it has acted outside the lawful Instructions of the Controller or in breach thereof.

12. ENTIRE AGREEMENT

This Agreement constitutes the entire agreement between the Parties with regard to its subject-matter and replaces all former or current agreements between the Parties for the same purpose, including any previous version of the Personal Data protection agreement signed by the User/Subscriber and Yousign.

13. CONTACT 

In the event of any questions on Authorised Processing in respect of this Agreement, the User/Subscriber may contact Yousign using the contact form provided for this purpose on the Yousign Website, or by contacting the Support Service.

Yousign SAS, located in France, is Yousign’s main establishment within the meaning of Article 4 of the GDPR. The lead supervisory authority for Yousign for cross-border Processing within the meaning of Article 56 of the GDPR is the CNIL.

14. APPLICABLE LAW 

The Agreement shall be governed by and interpreted in accordance with French law.

Annex 1 - List of Personal Data Processing

In the context of providing Electronic Signature Services, Yousign carries out the following Processing on behalf of the Subscriber/User as Processor.

Processing No. 1 - Management of Client/User Accounts

  1. Processing. Yousign Services involve the collection, recording, organization, storage, updating, reproduction, making available, consultation, use, transfer, anonymization, and deletion of Personal Data entrusted in the context of this processing.
  2. Purpose(s) of Processing.
    1. Management of contacts for signature requests
    2. Management of workspaces
    3. Management of labels
    4. Management of user profiles (roles and access rights)
    5. Management of monitoring dashboards
  3. Legal Basis for Processing. It is the responsibility of the Controller to determine the legal basis before any Processing.
  4. Category(ies) of Data Subjects.
    1. Subscribers and Users
    2. Individuals identified in contacts.
  5. Category(ies) of Personal Data.
    1. Identification Data: name, first name, photo (optional)
    2. Contact Data: email, postal address, location (city/country), phone number
    3. Professional Life: job title, company, language used
    4. Connection Data: user ID
  6. Data Recipients. Approved Sub-processors are listed here
  7. Retention Period. Data is retained for the duration of the contractual relationship.

Processing No. 2 - Management of Documents and signature requests

  1. Processing. Yousign Services involve the collection, recording, organization, storage, updating, reproduction, making available, consultation, use, transfer, anonymization, and deletion of Personal Data entrusted in the context of this processing.
  2. Purpose(s) of Processing.
    1. Structuring of Documents to be signed: Generation and use of templates/management of “Forms”/uploading documents in PDF format on the Platform
    2. Creation of signature requests and invitation to sign (+ reminders)
    3. Management of signature request tracking (reminders/expiration/notification of signed documents availability)
    4. Management of intermediate versions (Partially signed Document)
    5. Management of signed documents (Download/consultation/Storage/archiving)
    6. Management of communications for Document/Audit Trail retrieval
  3. Legal Basis for Processing. It is the responsibility of the Controller to determine the legal basis before any Processing.
  4. Category(ies) of Data Subjects.
    1. Subscribers and Users
    2. Signatories
    3. Creators and individuals providing information to be completed in the “Forms”
    4. Validators/followers
  5. Category(ies) of Personal Data.
    1. Identification Data: civil status, name, first name
    2. Contact Data: email, postal address, phone number
    3. Professional Life: job title, company
    4. Connection Data: Document name/Document metadata
  6. Data Recipients. Approved Sub-Processors are listed here
  7. Retention Period. Data is retained for the duration of the contractual relationship.

Processing No. 3 - Management of the signing act

  1. Processing. Yousign Services involve the collection, recording, organization, storage, updating, reproduction, making available, consultation, use, transfer, anonymization, and deletion of Personal Data entrusted in the context of this processing.
  2. Purpose(s) of Processing.
    1. Cancellation and trashing of signature requests
    2. Approval/rejection by a recipient
    3. Signature (scroll/Swipe to sign/image placement)
    4. Magic link management
  3. Legal Basis for Processing. It is the responsibility of the Controller to determine the legal basis before any Processing operation.
  4. Category(ies) of Data Subjects.
    1. Subscribers and Users
    2. Creator of the signature request
    3. Signatories
    4. Approver
  5. Category(ies) of Personal Data.
    1. Identification Data: name, first name
    2. Contact Data: email
    3. Professional Life: job title, company
    4. Connection Data: Legal log/IP address/ID of data subjects
  6. Data Recipients. Approved Sub-processors are listed here
  7. Retention Period. Data is retained for the duration of the contractual relationship.

Processing No. 4 - Management of the Audit Trail

  1. Processing. Yousign Services involve the collection, recording, organization, storage, reproduction, making available, consultation, use, transfer, and deletion of Personal Data entrusted in the context of this processing.
  2. Purpose(s) of Processing.
    1. Creation of the Audit Trail
    2. Archiving of the Audit Trail
    3. Provision of the Audit Trail
  3. Legal Basis for Processing. It is the responsibility of the Controller to determine the legal basis before any Processing operation.
  4. Category(ies) of Data Subjects.
    1. Subscribers and Users
    2. Signatories
  5. Category(ies) of Personal Data.
    1. Identification Data: name, first name, user ID, signatory ID
    2. Contact Data: email, phone number
    3. Professional Life: job title, company, company ID
    4. Connection Data: IP address/ID of data subjects/log and data of Document/ID and metadata of the signature request
    5. Data related to the certificate and hash
    6. Extracted ID data: ID number, type of document, expiration date, MRZ, issuance country, birth name, last name, first names, birth date, birth place, verified date of the ID, nationality, ID card validity, status
  6. Data Recipients. Approved Sub-processors are listed here
  7. Retention Period. Data is retained for the duration of the contractual relationship.

Processing No. 5 - API Management

  1. Processing. Yousign Services involve the collection, recording, organization, storage, updating, reproduction, making available, consultation, use, transfer, anonymization, and deletion of Personal Data entrusted in the context of this processing.
  2. Purpose(s) of Processing.
    1. Management of the sandbox
    2. Management of the demozone
    3. Version migration management
    4. Management of outbound reversibility requests from API clients
    5. API key generation
  3. Legal Basis for Processing. It is the responsibility of the Controller to determine the legal basis before any Processing operation.
  4. Category(ies) of Data Subjects.
    1. Subscribers and Users
    2. Signatories
    3. Testers on the demozone
    4. Data subjects participating in the creation and validation of the signature request (approver/follower/recipient, etc.)
  5. Category(ies) of Personal Data.
    1. Identification Data: name, first name
    2. Contact Data: email, phone number, postal address
    3. Professional Life: job title, company
    4. Connection Data: ID token
  6. Data Recipients. Approved Sub-Processors are listed here
  7. Retention Period. Data is retained for the duration of the contractual relationship.