GlobalSign Subscriber Agreement for Code Signing Certificates (EMEA)

Version 1.7

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE DIGITAL CERTIFICATE ISSUED TO YOU OR YOUR ORGANISATION. BY USING THE DIGITAL CERTIFICATE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, PROMPTLY RETURN THE UNUSED DIGITAL CERTIFICATE OR CANCEL THE ORDER WITHIN 7 DAYS OF ISSUANCE TO GLOBALSIGN FOR A FULL REFUND. IF YOU HAVE PROBLEMS UNDERSTANDING THIS AGREEMENT, E-MAIL US AT legal@globalsign.com

This GlobalSign Code Signing Subscriber Agreement ("Agreement") is effective as of the date of the application for the Digital Certificate (the "Effective Date") between GlobalSign ("GlobalSign"), and the applicant receiving the Digital Certificate ("Subscriber").

GlobalSign CPS is incorporated by reference hereto and is available at www.globalsign.com/repository.

1. Definitions

Digital Certificate

A collection of electronic data consisting of a Public Key, identifying information about the owner of the Public Key, and validity information, which has been Digitally Signed by GlobalSign. Certified shall refer to the condition of having been issued a valid Digital Certificate by GlobalSign, which Digital Certificate has not been revoked.

Certificate Revocation List ("CRL")

A collection of electronic data containing information concerning revoked Digital Certificates.

Certification Authority ("CA")

GlobalSign or an entity which is certified by GlobalSign to issue Digital Certificates to Users in a Digital Certificate Hierarchy. GlobalSign is subscriber's CA hereunder.

Digital Signature

Information encrypted with a Private Key which is appended to electronic data to identify the owner of the Private Key and verify the integrity of the electronic data. Digitally Signed shall refer to electronic data to which a Digital Signature has been appended.

Private Key

A mathematical key which is kept private to the owner and which is used to create Digital Signatures or to decrypt electronic data.

Public Key

A mathematical key which is available publicly and which is used to verify Digital Signatures created with the matched Private Key and to encrypt electronic data which can only be decrypted using the matched Private Key.

Subscriber

An individual or an organization that has requested a CA to issue him, her or it a Digital Certificate, or an authorized custodian enrolling on behalf of an individual or Organization.

2. Authority to Use Digital Certificate.

Grant of Authority

As of the Effective Date, GlobalSign hereby grants to Subscriber the authority for the term set forth in Section 8 to use the enclosed Digital Certificate to create Digital Signatures or to use the Digital Certificate in conjunction with Private Key or Public Key operations.

Limitations on Authority

Subscriber shall use the enclosed Digital Certificate only in connection with properly licensed cryptographic software.

3. Services Provided by GlobalSign

After execution of this Agreement and payment of all applicable fees, in addition to the grant of authority pursuant to Section 2, GlobalSign or a third party provider designated by GlobalSign shall provide the following services to Subscriber hereunder:

CRL Availability

Use its reasonable efforts to compile, aggregate and make electronically available to all CAs in the Secure Server Hierarchy i) GlobalSign's current CRL, and (ii) the CRLs provided by CAs to GlobalSign; provided, however, that GlobalSign shall not be in breach of its obligations hereunder as a result of any delay in or failure of performance on its part which arises out of any equipment failure or telecommunications breakdown beyond the reasonable control of GlobalSign.

Timestamping Services

GlobalSign offers the ability to timestamp code signed with a GlobalSign Digital certificate as a non chargeable service when used reasonably. A reasonable limit of 50 timestamp operations per month for the duration of the certificate is set. GlobalSign withholds the right to withdraw the service or charge for the service where the volume of time stamping operations performed is in excess of this limit.

Revocation Status Services

Use its reasonable efforts to provide to CAs, Certified Users and users of those Digital Certificates in the Secure Server Hierarchy information concerning the status of particular Digital Certificates; provided, however, that GlobalSign shall not be in breach of its obligations hereunder as a result of any delay in or failure of performance on its part which arises out of any equipment failure or telecommunications breakdown beyond the reasonable control of GlobalSign.

Key Generation

Under the GlobalSign model the subscriber has the opportunity to allow GlobalSign to use a trustworthy system as detailed within the CPS and marketed as 'AutoCSR' in order to generate the private-public keys, in which case the following terms also apply:

(a) GlobalSign generates subscriber keys using an algorithm recognized as being fit for the purposes of electronic signatures;

(b) GlobalSign uses a key length and algorithm, which is recognized as being fit for the purposes of electronic signatures.

Revoke Digital Certificates

GlobalSign will revoke a Code Signing Certificate it has issued upon the occurrence of any of the following events:

*The Subscriber requests revocation of its Code Signing Certificate.

*GlobalSign obtains reasonable evidence that the Subscriber's Private Key (corresponding to the Public Key in the Code Signing Certificate) has been compromised, or that the Code Signing Certificate has otherwise been misused;

*GlobalSign receives notice or otherwise becomes aware that a Subscriber violates any of its material obligations under the Subscriber Agreement;

*GlobalSign receives notice or otherwise becomes aware that a Subscriber uses the certificate for activities such as signing hostile code, including spyware or other malicious software (malware) downloaded without the users consent;.

*GlobalSign receives notice or otherwise becomes aware of a material change in the information contained in the Code Signing Certificate;

*A determination, in GlobalSign's sole discretion, that the Code Signing Certificate was not issued in accordance with GlobalSign's Code Signing Policies;

*If GlobalSign determines that any of the information appearing in the Code Signing Certificate is not accurate.

*GlobalSign ceases operations for any reason and has not arranged for another Code Signing CA to provide revocation support for the Code Signing Certificate;

*GlobalSign's right to issue Code Signing Certificates expires or is revoked or terminated [unless GlobalSign makes arrangements to continue maintaining the CRL/OCSP Repository] ;

*GlobalSign's Private Key for its Code Signing issuing CA Certificate has been compromised;

*GlobalSign receives notice or otherwise become aware that a Subscriber has been added as a denied party or prohibited person to a blacklist, or is operating from a prohibited destination under the laws of GlobalSign's jurisdiction of operation.

*The continued use of the certificate is harmful to the GlobalSign Trust model.

When considering whether certificate usage is harmful to GlobalSign, GlobalSign considers, among other things, the following:

*The nature and number of complaints received

*The identity of the complainant(s)

*Relevant legislation in force

*Responses to the alleged harmful use from the Subscriber

4. Subscriber's Obligations

Data accuracy

The subscriber undertakes to provide accurate and complete information at all times to GlobalSign, both in the GlobalSign Code Signing Certificate Request and as otherwise requested by GlobalSign CA in connection with the issuance of the GlobalSign Code Signing Digital Certificate(s) to be supplied by GlobalSign.

The subscriber shall also refrain from submitting to GlobalSign or any GlobalSign CA directory any material that contains statements that violate any law or the rights of any party.

The subscriber shall provide truthful, accurate and non misleading information for applications signed using a GlobalSign Digital Certificate such as, but not limited to, application name, information URL, and application description.

Key Generation

Under the GlobalSign model the subscriber has the opportunity to use a trustworthy system in order to generate its own private-public keys, in which case the following terms also apply:

(a) The subscriber generates subscriber keys using an algorithm recognized as being fit for the purposes of electronic signatures;

(b) The subscriber uses a key length and algorithm, which is recognized as being fit for the purposes of electronic signatures.

Protection of Private Key

The subscriber undertakes to take all reasonable measures necessary to maintain control of, keep confidential, and properly protect at all times the private key that corresponds to the public key to be included in the requested GlobalSign Code Signing certificate(s) (and any associated access information or device - e.g., password or token).

The subscriber shall ensure that the public key submitted to the GlobalSign CA correctly corresponds to the private key used.

The subscriber shall exercise appropriate and reasonable care to avoid unauthorized use of its private key.

Acceptance of GlobalSign Code Signing Certificate

The subscriber shall not install and use the GlobalSign Code Signing certificate(s) until it has reviewed and verified the accuracy of the data in each GlobalSign Code Signing Certificate.

Use of GlobalSign Code Signing Certificate

The subscriber shall install the GlobalSign Code Signing certificate solely in compliance with all applicable laws, solely up to contracted licenses, solely for authorized company business, and solely in accordance with the subscriber agreement.

Reporting and Revocation

The Subscriber undertakes to promptly cease using a GlobalSign Code Signing certificate and its associated private key, and promptly request GlobalSign to revoke the GlobalSign Code Signing certificate, in the event that:

*There has been loss, theft, modification, unauthorised disclosure, or other compromise of the private key of the certificate's subject.

*The Subscriber indicates that the original Code Signing Certificate Request was not authorized and does not retroactively grant authorization;

*The certificate's subject or their appointed subscriber has breached a material obligation of the CPS.

*The performance of a person's obligations under the CPS is delayed or prevented by a natural disaster, computer or communications failure, or other cause beyond the person's reasonable control, and as a result, another person's information is materially threatened or compromised.

*There has been a modification of the information contained in the certificate of the certificate's subject.

*This Subscriber Agreement has been terminated,

*The affiliation between an Enterprise Customer with a Subscriber is terminated or has otherwise ended,

*The information within the Certificate, other than non - verified Subscriber Information, is incorrect or has changed.

Termination of Use of Code Signing Certificate

The subscriber shall promptly cease all use of the Private Key corresponding to the Public Key listed in a GlobalSign Code Signing certificate upon expiration or revocation of that GlobalSign Code Signing certificate.

5. Permission to Publish Information

Customer agrees that GlobalSign may publish the serial number of Customer's Digital Certificate in connection with GlobalSign's dissemination of CRLs and Digital Certificate status information within and outside of the GlobalSign Secure Server Hierarchy.

6. DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY IN NO EVENT (EXCEPT FOR FRAUD OR WILFULL MISCONDUCT) SHALL GLOBALSIGN BE LIABLE FOR ANY INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, OR FOR ANY LOSS OF PROFITS, LOSS OF DATA, OR OTHER INDIRECT, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM OR IN CONNECTION WITH THE USE, DELIVERY, LICENSE, PERFORMANCE OR NONPERFORMANCE OF CERTIFICATES, DIGITAL SIGNATURES, OR ANY OTHER TRANSACTIONS OR SERVICES OFFERED OR CONTEMPLATED BY THE CPS, EXCEPT FOR DAMAGE DUE TO RELIANCE (IN ACCORDANCE WITH THE CPS) ON THE VERIFIED INFORMATION ON THE MOMENT OF ISSUANCE OF THE CODE SIGNING CERTIFICATE TILL AN AMOUNT OF 37,500 EURO. GLOBALSIGN WILL NOT BE LIABLE IN THIS CASE IF THE FAULT IN THIS VERIFIED INFORMATION IS DUE TO FRAUD OR WILFULL MIDCONDUCT OF THE APPLICANT. GLOBALSIGN WILL NOT BE LIABLE IN THIS CASE IF THE USER HAS NOT RESPECTED HIS OBLIGATIONS MENTIONED AMONGST OTHERS IN ARTICLE 4 OF THIS AGREEMENT.

7. Term and Termination

This Agreement shall terminate on the earliest of:

7.1 One year, two, three years (depending on the certificate validity) from the Effective Date;

7.2 Failure by Subscriber to perform any of its material obligations under this Agreement if such breach is not cured within thirty (30) days after receipt of notice thereof from GlobalSign;

8. Effect of Termination.

Upon termination of this Agreement for any reason, Subscriber's Digital Certificate shall be revoked by GlobalSign in accordance with GlobalSign's procedures then in effect. Upon revocation of Subscriber's Digital Certificate for any reason, all authority granted to Subscriber pursuant to Section 2 shall terminate. Such termination or revocation shall not affect Sections 5, 6, 7, 9 and 10 of this Agreement which shall continue in full force and effect to the extent necessary to permit the complete fulfillment thereof.

9. Miscellaneous Provisions

Governing Laws

This Agreement shall be governed by, construed under and interpreted in accordance with the laws of England and Wales without regard to its conflict of law provisions. Venue shall be in the courts of England.

Binding Effect

Except as otherwise provided herein, this Agreement shall be binding upon, and inure to the benefit of, the successors, executors, heirs, representatives, administrators and assigns of the parties hereto. Neither this Agreement nor Subscriber's Digital Certificate shall be assignable by Subscriber. Any such purported assignment or delegation shall be void and of no effect and shall permit GlobalSign to terminate this Agreement.

Severability

If any provision of this Agreement, or the application thereof, shall for any reason and to any extent, be invalid or unenforceable, the remainder of this Agreement and application of such provision to other persons or circumstances shall be interpreted so as best to reasonably effect the intent of the parties hereto.

IT IS EXPRESSLY UNDERSTOOD AND AGREED THAT EACH AND EVERY PROVISION OF THIS AGREEMENT WHICH PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES OR EXCLUSION OF DAMAGES IS INTENDED BY THE PARTIES TO BE SEVERABLE AND INDEPENDENT OF ANY OTHER PROVISION AND TO BE ENFORCED AS SUCH.

Entire Agreement

This Agreement constitutes the entire understanding and agreement of the parties hereto with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements or understandings between the parties.

Notices

Whenever Subscriber desires or is required to give any notice, demand, or request to GlobalSign with respect to this Agreement, each such communication shall be in writing and shall be effective only if it is delivered by a courier service that confirms delivery in writing or mailed, certified or registered mail, postage prepaid, return receipt requested, addressed to GlobalSign at one of our International offices as listed on http://www.globalsign.com/company/contact.htm, Attention: Legal department.

Such communications shall be effective when they are received.

Permission to utilize third party databases.

For natural persons, GlobalSign may validate items such as name, address and other personal information supplied during the application against appropriate third party databases. By accepting these terms and conditions you consent to such checks being made. In performing these checks, personal information provided by you may be disclosed to registered Credit Reference Agencies, which may keep a record of that information. You can rest assured that this is done only to confirm identity and as such a credit check is not performed. Your credit rating will not be affected by this process.

Trade Names, Logos.

By reason of this Agreement or the performance hereof, Subscriber and GlobalSign shall acquire no rights of any kind in any trademark, brand name, logo or product designation of the other party and shall not make any use of the same for any reason except as other wise authorised in writing by the party which owns all rights to such trademarks, trade names, logos or product designation.

10. NOTICE

You have to notify GlobalSign through any of our International offices as listed on http://www.globalsign.com/company/contact.htm immediately if there is an error in your certificate. Without reaction from the subscriber within 7 days from receipt, the certificate is deemed accepted.

By accepting the certificate, the subscriber assumes a duty to retain control of the subscriber's private key, to use a trustworthy system, and to take reasonable precautions to prevent its loss, disclosure or unauthorized use.