Data processing agreement

Latest update: 30 March 2023

1. PURPOSE

This Data Processing Agreement (hereinafter the “Agreement”) forms an integral part of the Contract. The purpose of the Agreement is to set out the conditions under which Yousign undertakes to carry out the Processing of Personal Data supplied in connection with the provision of the Services according to Article 28 of Regulation (EU) 2016/679 (hereinafter the “GDPR”). 

This Agreement comes into effect from the date of signature of the Contract to which it is attached and shall remain in force throughout the period of the contractual relationship between Yousign and the Subscriber/User.

2. DEFINITIONS 

All terms written with a capital letter not defined in this Agreement will have the meaning given to them here.

3. DESCRIPTION OF PROCESSING

The Subscriber/User authorises Yousign, solely for the purpose of performing the Contract, to carry out on its behalf the Processing of Personal Data (hereinafter the “Authorised Processing”) necessary to provide the Services.

The type of operations carried out on the Personal Data are the collection, extraction, recording, organisation, retention, adaptation, modification, archiving, viewing, transmission, reconciling, anonymising and erasing of Personal Data. 

The purpose of Processing is the provision of the Services as described in the Contract.

The Personal Data processed are all the data required for the provision of the Services as described in the Contract. In principle, the data included in the Documents, the identification data of the Data Subjects listed below and the connection data that record the actions of Users and Third-party Signatories on the Platform are considered relevant.

The categories of Data Subject are all individuals whose Personal Data must be processed to ensure the provision of the Services as described in the Contract, namely the Subscriber, Users, Third-party Signatories and and the Visitors of the Platform. 

4. CLASSIFICATION OF THE PARTIES

The Parties expressly acknowledge that the Subscriber/User is the Controller and Yousign is a Processor for all Authorised Processing in relation to the performance of the Contract.

Yousign is authorised by the User/Subscriber to process the Personal Data necessary for the provision of the Services on behalf of the Controller. 

5. SELECTION OF SERVICES

The Subscriber/User has sole responsibility for the choice of Services and must ensure that the Services to which they subscribe for the purpose of their professional activities have the characteristics and conditions required by the Controller. 

Yousign shall provide the Subscriber/User, in accordance with the conditions set out in the article “Audits”, with information on the security measures implemented in relation to the Services, so that it can assess the compliance of said measures with the Authorised Processing assigned by the Controller.

6. COMPLIANCE WITH APPLICABLE REGULATIONS

Each Party shall perform the Contract in accordance with the applicable Personal Data protection laws and regulations, and shall comply with the obligations incumbent on it, including but not limited to the provisions of the GDPR, at all times, in relation to said performance.

7. SUBSCRIBER/USER OBLIGATIONS AS THE CONTROLLER

The Subscriber/User, in their capacity as the Controller, must fulfil the obligations incumbent on them pursuant to the GDPR. In particular, they have sole responsibility for (i) the lawfulness of the Authorised Processing, especially in light of the principles and obligations set out in the applicable Personal Data protection laws and regulations, notably concerning the legal basis of the Authorised Processing and the provision of information to Data Subjects, (ii) the use of the Platform, Services and Documents that they complete, place, store, archive, view and upload to the Platform, (iii) keeping a record of Processing carried out and (iv), if applicable, the completion of formalities prior to carrying out the Processing.

Furthermore, the Subscriber/User shall provide Yousign with the data indicated in the characteristics of the Authorised Processing and supervise the Authorised Processing, including by conducting audits under the conditions described in the article “Audits”.

The Subscriber/User shall appoint a primary point of contact to represent the Controller and shall communicate their contact details to Yousign through the Corporate Account.

The Subscriber/User are responsible for their use of the Services, in particular the protection and security of the Personal Data in transit from and to the Platform.

8. YOUSIGN OBLIGATIONS AS THE PROCESSOR

8.1 Compliance with Instructions. Yousign shall process the Personal Data solely for the purposes described in this Agreement or as otherwise agreed in accordance with the lawful instructions given by the Subscriber/User. 

If Yousign considers that an Instruction constitutes a breach of the GDPR or any other provision of the applicable Personal Data protection laws and regulations, it shall inform the Subscriber/User immediately. 

It is stipulated that Yousign’s commitment is limited to the provision of the Services and hosting the Platform. As soon as the Controller enters Personal Data onto the Platform, it must comply with the relevant legal provisions in terms of Personal Data protection, including on the provision of information to Data Subjects, and consent if applicable.  

8.2 Confidentiality. Yousign shall reserve access to the authorised Personal Data solely to those employees and Processors who need to access them to carry out their duties in relation to the performance of the Contract. Yousign undertakes that all such recipients shall be bound by confidentiality obligations in respect of the entrusted Personal Data.

8.3 Security of Authorised Processing. Yousign shall implement and maintain appropriate technical and organisational measures to protect the Personal Data from any breach, as described on the Security page. Yousign may amend or update these security measures at its sole discretion, provided said amendments or updates do not result in a lower level of security. 

8.4 Sub-processors. Yousign has a general authorisation from the User/Subscriber permitting it to use the Sub-processors listed here. Yousign shall inform each User/Subscriber, in writing, thirty (30) days in advance, of any planned change concerning the addition or replacement of Sub-processors.
If the User/Subscriber has legitimate and reasonable grounds to object to the appointment of a new Sub-processor, the User must justify their complaint to Yousign immediately by sending a written notification to the Support Service, within thirty (30) working days following the notification issued by Yousign, failing which the User/Subscriber will be deemed to have approved and accepted the changes. 

Following discussions and in the absence of an agreement between Yousign and the User/Subscriber, the latter may terminate the part of the Contract affected by the update concerned within thirty (30) days of the notification. 

In any case, Yousign shall demonstrate reasonable due diligence in the assessment, appointment and monitoring of Processing activities carried out by Sub-processors. Accordingly, the Sub-processors recruited must offer sufficient guarantees with regard to the applicable obligations in terms of the security of the Authorised Processing and the confidentiality of the authorised Personal Data, and shall be bound to Yousign by identical or equivalent obligations to those set out in this Agreement. 

Should the Sub-processor fail to fulfil its data protection obligations, Yousign shall retain full responsibility for the fulfilment of its responsibilities in respect of the User/Subscriber. 

8.5 Data transfers. If, pursuant to the Contract, Personal Data are transferred outside the European Union to a country that does not have an adequacy decision, a data transfer agreement in accordance with Standard Contractual Clauses or, at Yousign’s discretion, any other appropriate guarantee as provided for in Chapter V of the GDPR shall be implemented.

Moreover, if Yousign is obliged to transfer Personal Data to a third country or to an international organisation, pursuant to EU law or the law of a Member State to which it is subject, it must inform the Subscriber/User of said legal obligation prior to carrying out the processing, unless the law concerned prohibits the provision of such information on significant public interest grounds.

8.6 Rights of Data Subjects. It is the Controller’s responsibility to respond to requests from Data Subjects regarding the exercise of their Personal Data rights. As far as possible, Yousign, in its capacity as Processor and at the request of the Controller, may assist the Controller in fulfilling its obligation to respond to requests by Data Subjects to exercise their rights, namely rights of access, rectification, erasure and objection, the rights to restriction of processing and data portability, and the right not to be subject to automated decision-making (including profiling). 

If a Data Subject contacts Yousign directly to exercise one of their rights, Yousign shall refer the Data Subject to the Controller as soon as possible so that the latter can respond to their request. Yousign may assist the Controller to respond to requests insofar as it is reasonably necessary, but the Controller shall remain responsible for the responses given.

8.7 Notification of Personal Data breaches. Yousign shall notify the Subscriber/User of any Personal Data breach. This notification shall be accompanied by any useful information to enable the Subscriber/User, if necessary, to notify the relevant supervisory authority of the breach.

8.8 Record of processing activities Yousign declares that it has a written record of all categories of Processing carried out on behalf of the Controller in accordance with the provisions of the GDPR.

8.9 Provision of information and assistance to the Controller. Yousign shall, at the written request of the Subscriber/User, provide the latter with reasonable assistance in carrying out data protection impact analyses and prior consultation of the relevant supervisory authority, as provided for in the GDPR. Yousign shall provide the Controller with all the necessary information concerning the Authorised Processing to assist it in fulfilling its statutory obligations.

9. AUDITS
The Controller may, in order to verify compliance with the provisions of this Agreement, carry out organisational or technical audits or have them carried out by others at its own expense, in accordance with the provisions set out in this article, up to a maximum of one (1) audit per year for a maximum of three (3) working days, the time spent by Yousign personnel being invoiced to the Controller.

The audit must be carried out in accordance with Yousign’s security rules and requirements. No audit shall be authorised for any reason whatsoever, without Yousign’s written agreement in advance. Yousign may refuse to accept a particular auditor on the grounds of a lack of independence or a conflict of interest with said auditor. In this case, the Controller will inform Yousign of the name of another auditor.

Each audit must be subject to an audit agreement, provided in writing by the Controller, and formally approved by Yousign a minimum of thirty (30) days before the start of the audit. The audit agreement must set out in detail the precise scope, limits, exclusions, objectives, nature of the tests and methodology used by the auditors, the dates and times, the escalation process in case of an incident during the audit, and the contact details of all the interested parties. 

The information obtained during the audit is Confidential Information and must be treated as such by the Controller. Should the audit be carried out by an external auditor, the Controller shall ensure that the latter provides sufficient confidentiality guarantees in respect of the nature of the information it may access during the course of the audit.

The Controller shall systematically send the full audit report to Yousign free of charge, so that it can make its observations. If the audit report shows any non-fulfilment of the obligations set out in this Agreement, Yousign will determine, on the basis of its internal policies, the time frame from the receipt of the final version of the report to correct the failings and/or non-compliances noted.

10. RETENTION, ERASURE AND RESTORATION OF PERSONAL DATA 

Yousign shall comply with the retention period for Personal Data applicable to the purposes for which they were collected or provided and erase/anonymise them as soon as said purposes no longer exist, subject to statutory obligations. 

Yousign shall make a copy of the Personal Data provided to it during the performance of the Contract available to the User/Subscriber throughout the term of the Contract. 

The Subscriber/User may recover the Personal Data provided in respect of the provision of the Services, under the conditions set out in the Contract, at the end of the Services. These data will be made available to the User/Subscriber in a guaranteed interoperable format. 

Yousign shall also destroy the Personal Data at the end of the Services and under the conditions set out in the Contract, subject to the statutory retention obligations to which Yousign may be subject.

11. LIABILITY

Yousign can only be held liable for damage caused by Authorised Processing for which (i) it has failed to comply with the obligations set out in the GDPR that are specifically incumbent on the Processor or for which (ii) it has acted outside the lawful Instructions of the Controller or in breach thereof.

 

12. ENTIRE AGREEMENT

This Agreement constitutes the entire agreement between the Parties with regard to its subject-matter and replaces all former or current agreements between the Parties for the same purpose, including any previous version of the Personal Data protection agreement signed by the User/Subscriber and Yousign.

13. CONTACT 

In the event of any questions on Authorised Processing in respect of this Agreement, the User/Subscriber may contact Yousign using the contact form provided for this purpose on the Yousign Website, or by contacting the Support Service.

Yousign SAS, located in France, is Yousign’s main establishment within the meaning of Article 4 of the GDPR. The lead supervisory authority for Yousign for cross-border Processing within the meaning of Article 56 of the GDPR is the CNIL.

14. APPLICABLE LAW 

The Agreement shall be governed and interpreted in accordance with the national law applicable to the Controller.