Case study · Luxury retail

Bulgari

Contracts, commercial policies, and legal documentation under unified governance

How Bulgari consolidated contract templates, commercial policies, and legal documentation into a governed library with PAdES e-signature for high-value agreements and unified ISO 27001-aligned evidence.

  • Industry: Luxury retail
  • Size: ~5,000+ employees
  • Region: Italy HQ, global operations

Results

What changed after rollout

  • PAdES signed: Supplier contracts and licensing agreements above threshold, cryptographically bound within the DocuSign integration.
  • Central + local: Commercial policies governed centrally; market-specific supplements governed locally, both visible in one library.
  • ISO 27001: Information-security documentation for the ISMS consolidated and auditable as part of the same governance layer.

"In luxury retail, every commercial agreement is a relationship — and the documentation has to reflect that. The audit log, the signature evidence, and the version history aren't paperwork. They're how we demonstrate that the relationship was managed as carefully as the brand is."

— General Counsel — Bulgari

The situation before

Bulgari is one of the world’s leading luxury jewelry and accessories houses, with global operations spanning flagship boutiques, licensed retail partners, e-commerce, and a substantial manufacturing and supply-chain footprint. The documentation that supports this operation is substantial: supplier contracts, licensing agreements, retail-partner agreements, distribution contracts, commercial policies, legal templates, and the information-security documentation that supports the organization’s ISO 27001 posture.

Before consolidation, this documentation lived across multiple systems. Legal templates were stored in a document-management tool dedicated to legal operations. Contracts-in-flight moved through a contract-lifecycle platform. Commercial policies lived in SharePoint. ISMS documentation lived in separate security-team shared folders. Each system was fine for its specific purpose; the sum was fragmented.

The challenge wasn’t any individual tool. It was that different teams — Legal, Commercial, Compliance, Information Security — worked in different systems, with different approval patterns, different audit trails, and different retention behaviors. Cross-functional documents (commercial agreements that needed both Legal and Compliance sign-off, for example) often moved between systems with transitions that weren’t always cleanly documented.

Why luxury retail has specific document-governance pressures

Luxury retail operates in a relationship-heavy commercial context. Supplier relationships, licensing partnerships, and distribution arrangements often span decades; documentation of those relationships carries legal weight that extends well beyond the typical retail context. A specific pressure: contracts signed today may be consulted in disputes five, ten, or fifteen years from now. The documentation has to be retrievable on that time horizon.

Additional pressures:

  • GDPR for customer data across European and global operations — with specific luxury-sector patterns where high-value customers generate high-sensitivity data.
  • ISO 27001 for the information-security management system covering brand-sensitive data (product designs, supplier information, customer VIP data, pricing strategies).
  • Regional consumer-protection and commercial-contract regulations varying by market.
  • Intellectual-property documentation covering the brand’s design and trademark portfolio.

The governance layer needed to serve all these pressures without adding another specialized system to the stack.

What Bulgari adopted

Over approximately five months, Bulgari migrated Legal templates, commercial policies, ISMS documentation, and selected contract workflows onto docs365.ai. The implementation happened inside Bulgari’s existing M365 tenant, with SharePoint Online as the substrate and the active-lifecycle layer providing governance. Contract-lifecycle-specific workflows (where the counterparty needs a branded signing experience) continued to run through a specialized tool for specific contract types; most supplier and internal-partnership documentation moved to the unified platform.

Core operational patterns:

  • Document templates for every recurring contract type — supplier master agreements, licensing agreements, retail-partner contracts, distribution agreements, NDA templates, commercial-policy templates. Templates carry the Legal team’s current preferred language as default; specific deals customize from the template.
  • Sequential approval with Legal Counsel as a fixed pre-flow approver on every contract template and high-value agreement. Commercial Director fixed on commercial-policy approvals. Chief Privacy Officer fixed on policies touching customer data.
  • PAdES signing (advanced level) via DocuSign for high-value supplier contracts and licensing agreements above an organization-defined threshold. For routine internal documents and lower-threshold agreements, standard approval with audit-log evidence is sufficient — the Legal team concluded that cryptographic signing on every contract would add cost without proportionate legal value.
  • Versioning — critical for contracts because the “what did we agree to on [date]” question arrives routinely over long time horizons. Minor versions preserve the negotiation arc; major versions are the executed agreements.
  • Audit log on every document. For contracts, this answers “who drafted, who negotiated, who approved, who signed, against which version, on what date” — the standard legal-audit questions.
  • ISO 27001 documentation — the ISMS policies, procedures, and records — now live in the same governance layer. ISO 27001 surveillance audits access the evidence the same way ISO 9001 audits would: through the document’s own audit log.

The PAdES decision

Bulgari’s approach to e-signature is worth detailing because it illustrates the “only pay for cryptographic binding when it matters” principle we recommend across our customer base.

Contracts below a certain financial threshold — routine supplier agreements, internal service agreements, standard licensing amendments — use standard approval. The audit log captures who approved, when, against which version. For legal purposes this is sufficient evidence; disputes over these agreements are rare, and when they occur, the audit-log evidence plus the versioned PDF holds up.

Contracts above the threshold — major supplier master agreements, significant licensing deals, high-value distribution contracts — use PAdES advanced. The signer is identity-verified through DocuSign. The signature is cryptographically bound to the PDF. Any modification invalidates the signature. This is the evidence that legal teams want for agreements where the counterparty might later dispute the terms or the identity of the signer.

The boundary between “standard approval” and “PAdES signed” is a Legal-team decision, configured at the document-type level. Authors don’t choose; the document type chooses. This prevents both the “I forgot to turn on signing” failure mode and the “we’re signing every routine document with full PAdES and paying for it” cost mistake.

Contract visibility. Contracts-in-flight, executed contracts, and template-level contracts all live in the same library with consistent governance. The General Counsel’s office can produce a query of “all executed supplier contracts signed in Q3” in seconds. Previously this required reconciling the contract-lifecycle system with the Legal template repository.

Template discipline. Contract templates are themselves versioned documents under the same approval flow. A template update (new jurisdiction clause, revised liability language, updated GDPR data-processing terms) goes through Legal review, gets approved, and becomes the new starting point for subsequent deals. Deal teams always start from the current template because the current template is always the one visible in the library.

ISMS integration. ISO 27001 documentation gets the same governance treatment as commercial documentation. Information-security policies evolve, get reviewed, and surface in the cadence dashboard alongside everything else. ISMS surveillance audits access evidence the same way every other audit does — from the document’s own audit log, on demand.

Cross-functional handoffs. Documents that previously moved between systems now stay in the same library throughout. A commercial policy touching customer data gets Legal review, Compliance review, and Chief Privacy Officer sign-off — all in one flow, captured in one audit log, producing one unified evidence package.

What we’d point other luxury-retail organizations to

If you operate in a similar profile — luxury brand with global operations, heavy contract volume, ISO 27001 program, long-term relationship documentation that must be retrievable over decades — the Bulgari pattern has broad applicability.

Key architectural decisions:

  1. Document templates for every recurring contract type. The templates themselves are governed documents that evolve under Legal’s stewardship; deals start from the current template by construction.
  2. PAdES advanced for agreements above a defined threshold; standard approval for everything else. The threshold is a policy decision by the Legal team, configured once.
  3. ISMS documentation governed alongside commercial documentation. One library, one governance layer, one audit trail — even though the ISO 27001 program and the commercial program are separate compliance programs.
  4. Version history as long-term asset. For contracts, versioning isn’t just audit hygiene — it’s direct legal evidence over multi-decade horizons.

For contract-lifecycle-specific workflows where the counterparty needs a branded signing experience (negotiation portals, customer-facing redlining, counterparty identity management), specialized contract-lifecycle platforms often remain the better choice for that specific scope. The unified governance platform handles contract templates, executed-contract governance, and internal approval; the contract-lifecycle platform handles the active negotiation with the counterparty. Bulgari runs this hybrid for specific contract categories; the two work alongside each other.

A thirty-minute conversation maps your profile against this pattern and identifies which documentation belongs in the unified governance layer and which warrants specialized tooling.
