Docstoc
EXCLUSIVE OFFER FOR DOCSTOC USERS
Try the all-new QuickBooks Online for FREE.  No credit card required.

verisign Services Agreement v 2

Document Sample
verisign Services Agreement v 2 Powered By Docstoc
					[AFFILIATE LOGO/ADDRESS]

                                                            [Affiliate] Master Services Agreement


CUSTOMER                                                       CONTRACT NO.
Name:
Address:


CUSTOMER PRINCIPAL CONTACT                                     [AFFILIATE] PRINCIPAL CONTACT
Name:                                                          Name:
Title:                                                         Title:
Phone:                                                         Phone:
Fax:                                                           Fax:
Email:                                                         Email:




EFFECTIVE DATE:                                                 TERM:

This [Affiliate] Master Services Agreement (the "Agreement") is made and entered into as of the Effective
Date identified above by and between [Affiliate full name] ("[Affiliate]") and the company identified above
(“Customer”). [Affiliate] and Customer may also be referred to individually as a “Party” or collectively as the
“Parties” throughout this Agreement.
IN WITNESS WHEREOF, the Parties have caused this Agreement to be duly executed and delivered as of
the Effective Date.

[AFFILIATE FULL NAME]                                [Customer name]

By: _______________________                          By:__________________________
         (Signature)                                              (Signature)
__________________________                           _____________________________
Name (print)                                         Name (print)

__________________________                           _____________________________
Title                                                Title




                                     VeriSign Master Services Agreement -- Confidential
                                                        Version 2.0
                                                                                                                                -1-

                                               TERMS AND CONDITIONS

1.        DEFINITIONS                                                     “VTN” means the VeriSign Trust Network, the
     Unless otherwise specified, capitalized terms used                   Certificate-based public key infrastructure governed by
in this Agreement will have the meanings attributed to                    the VeriSign Trust Network Certificate Policy (located
them in this Section 1, or in the definition section of the               at http://www.verisign.com/repository/vtnCp.html).
Exhibit in which such term appears.
 “Confidential Information” means material, data,                         2.        RIGHTS AND OBLIGATIONS
systems and other information concerning the                                   (a) Provision of Services. [Affiliate] will provide
operation, business, projections, market goals, financial                 each of the Services ordered by Customer in accordance
affairs, products, services, customers and Intellectual                   with the terms and conditions specified herein and in
Property Rights of the other Party that may not be                        the applicable Exhibits throughout the applicable
accessible or known to the general public.                                Service Period(s).
“Confidential Information” shall include, but not be                           (b) Installation and Configuration. For Services
limited to, the terms of this Agreement, and any                          requiring Software installation and/or system
information which concerns technical details of                           configuration services, [Affiliate] shall send a member
operation of any of [Affiliate]’s Software or Services                    of its professional services staff to Customer’s site to
offered or provided hereunder.                                            perform such installation or configuration (collectively,
“Fee Schedule” means Exhibit A hereof and/or any                          “Installation Services”). Any professional services work
applicable fee schedule, exhibit, addendum, or accepted                   in addition to or separate from the standard installation
purchase order that the Parties agree in writing shall be                 services (“Additional Professional Consulting
applicable to this Agreement.                                             Services”) will be provided at [Affiliate]’s then current
“Intellectual Property Rights” means any and all now                      rates under a Statement of Work (“SOW”) to be agreed
known or hereafter existing rights associated with                        upon by the Parties.
intangible property, including but not limited to                              (c) Fees and Payment Terms. Customer shall pay
registered and unregistered, United States and foreign                    fees for the Software and Services provided hereunder
copyrights, trade dress, trade names, corporate names,                    as set forth in the Fee Schedule. Except as expressly
logos, inventions, patents, patent applications, software,                agreed in writing, any amounts paid by Customer
and know-how.                                                             pursuant to this Agreement or any SOW are non-
 “Service Period” means, with respect to each of the                      refundable. All fees for Services will be due and
Services described in an Exhibit, the period of time                      payable in accordance with the applicable invoice. In
during which Customer is entitled to receive such                         the event that Customer fails to pay its fees on or before
Service.                                                                  the due date, [Affiliate] will apply late fees equal to the
 “Services” means the [Affiliate] services to be                          lesser of ten percent (10%) per annum or the maximum
provided to Customer under this Agreement or any                          legal rate.
[Affiliate] Statement of Work issued hereunder.                                (d) Volume Upgrades. During the term of this
“Software” means any [Affiliate] or VeriSign software                     Agreement, Customer may offer to purchase additional
provided to Customer under this Agreement, including                      Units of a Service already provided to Customer
any APIs, guides, or documentation provided therewith.                    pursuant to this Agreement (each such purchase a
“Statement of Work” or “SOW” means any valid                              “Volume Upgrade”) by submission of a purchase order
statement of work issued by [Affiliate] pursuant to this                  to [Affiliate] clearly identifying the number of
Agreement, the terms of which shall set forth any                         additional Units to be purchased for each Service and
additional rights and obligations of the Parties hereto                   referencing this Agreement. Such offer will be deemed
relating to the subject matter described therein. No                      accepted by [Affiliate], and this Agreement will be
SOW shall be valid unless it is fully executed by both                    deemed to be amended to include such Volume
[Affiliate] and Customer.                                                 Upgrade, upon [Affiliate]’s issuance of an invoice
 “Unit” means an individual annual Seat license,                          therefore to Customer. [Affiliate] may accept or reject
Certificate, authentication, or other applicable Service                  any such offer at its sole discretion. Any other purchase
volume metric.                                                            of additional Software or Services from [Affiliate] will
“VeriSign” means VeriSign, Inc. and its wholly-owned                      require modification of this Agreement pursuant to
subsidiaries.                                                             Section 9(c) to reflect such purchase.

                                          [Affiliate] Master Services Agreement -- Confidential
                                                               Version 2.0
                                                                                                                              -2-
     (e) Taxes. All taxes, duties, fees and other                        intellectual property rights in the Software or Services
governmental charges of any kind (including sales,                       except for the license granted in Section 3(a).
services and use taxes, but excluding taxes based on the
gross revenues or net income of [Affiliate]) which are                   5.        CONFIDENTIAL INFORMATION
imposed by or under the authority of any government or                   The Parties acknowledge that by reason of their
any political subdivision thereof on the fees for any of                 relationship under this Agreement, they may have
the Services shall be borne by Customer and shall not                    access to and acquire Confidential Information. Each
be considered a part of, a deduction from or an offset                   Party receiving Confidential Information (the
against such fees.                                                       “Receiving Party”) agrees to maintain all such
     (f) Publicity. Any and all press releases and other                 Confidential Information received from the other Party
public announcements relating to the existence or terms                  (the “Disclosing Party”), both orally and in writing, in
of this Agreement or the underlying transactions                         confidence and agrees not to disclose or otherwise
between [Affiliate] and Customer must be approved in                     make available such Confidential Information to any
advance by the Parties in writing.                                       third party without the prior written consent of the
                                                                         Disclosing Party; provided, however, that the Receiving
3.        GRANT OF LICENSE                                               Party may disclose the terms of this Agreement to its
     (a) Software License. In exchange for the                           legal and business advisors if such third parties agree to
payment by Customer of the applicable Service fees,                      maintain the confidentiality of such Confidential
[Affiliate] grants to Customer a limited, non-exclusive,                 Information. The Receiving Party further agrees to use
non-transferable, non-sublicenseable license to use the                  the Confidential Information only for the purpose of
Software within the [Affiliate’s territory] on CPUs                      performing this Agreement. Notwithstanding the
under Customer’s control solely in connection with                       foregoing, the obligations set forth herein shall not
Customer’s use of the Service for which such copy was                    apply to Confidential Information which: (i) is or
provided. Customer is expressly prohibited from                          becomes a matter of public knowledge through no fault
sublicensing, selling, renting, leasing or otherwise                     of or action by the Receiving Party; (ii) was rightfully
distributing copies of the Software, or permitting either                in the Receiving Party’s possession prior to disclosure
direct or indirect use of the Software by any third party.               by the Disclosing Party; (iii) subsequent to disclosure,
Customer agrees not to disassemble, decompile, reverse                   is rightfully obtained by the Receiving Party from a
engineer or make any other attempt to discover or                        third party who is lawfully in possession of such
obtain the source code for the Software. In the event                    Confidential Information without restriction; (iv) is
any modifications are made to the Software by anyone                     independently developed by the Receiving Party
other than [Affiliate] or its authorized subcontractors                  without resort to the Confidential Information; or (v) is
(excluding Customer), all warranties with respect to the                 required by law or judicial order, provided that prior
Software shall immediately terminate.                                    written notice of such required disclosure is furnished
                                                                         to the Disclosing Party as soon as practicable. Subject
4.        PROPRIETARY RIGHTS                                             to the foregoing, Customer understands and agrees that
Customer acknowledges that [Affiliate] and its                           all information provided to [Affiliate] under this
licensors, including VeriSign, retain all Intellectual                   Agreement will be treated by [Affiliate] in accordance
Property Rights and title in and to all of [Affiliate]’s                 with the Privacy Statement posted on [Affiliate]'s
and their Confidential Information, trade secrets or                     website.
other proprietary information, products, services, and
the ideas, concepts, techniques, inventions, processes,                  6.        REPRESENTATIONS, WARRANTIES,
software or works of authorship developed, embodied                      AND INDEMNIFICATION
in, or practiced in connection with the Services                              (a) Customer’s Representations and Warranties.
provided by [Affiliate] hereunder, including without                     Customer represents and warrants that (i) it has the
limitation all modifications, enhancements, derivative                   right, power and authority to enter into this Agreement
works, configurations, translations, upgrades, and                       and to fully perform its obligations under this
interfaces thereto (all of the foregoing “[Affiliate]                    Agreement; and (ii) will not make any unauthorized
Works”). The [Affiliate] Works do not include                            representation or warranty to any third party regarding
Customer’s browser software or Customer’s base                           any [Affiliate] Services.
hardware platform. No provision of this Agreement or                          (b) [Affiliate]’s Representations and Warranties.
any SOW issued hereunder gives Customer any                              [Affiliate] represents and warrants that (i) it has the
                                                                         right, power and authority to enter into this Agreement
                                         [Affiliate] Master Services Agreement -- Confidential
                                                              Version 2.0
                                                                                                                                -3-
and to fully perform its obligations under this                            provided by [Affiliate] and used by Customer without
Agreement; and (ii) [Affiliate] has used and will use all                  infringement of third party patent, copyright or trade
commercially reasonable efforts to ensure that all                         secret rights. If neither of the foregoing options is
Software delivered to Customer pursuant to this                            available to [Affiliate] on a commercially reasonable
Agreement is free of any computer “viruses,” “worms”                       basis, [Affiliate] may terminate this Agreement
and other illicit code at the time of delivery, and agrees                 immediately upon written notice and pay Customer,
to promptly notify Customer of any computer viruses,                       within thirty (30) days after such termination, a
worms or other illicit code subsequently discovered in                     termination fee equal to the prorated portion of any
any such Software.                                                         annual fees (excluding installation and any other non-
      (c) Indemnification. Each party hereto (the                          recurring fees) paid by Customer commensurate with
“Indemnitor”) agrees to, and shall, indemnify, defend                      the remaining portion of the Service year for which
and hold harmless the other party hereto (the                              such fees were paid. NOTWITHSTANDING ANY
“Indemnitee”), and its directors, shareholders, officers,                  OTHER PROVISION OF THIS AGREEMENT, THE
agents, employees, successors and assigns from any and                     RIGHTS AND REMEDIES SET FORTH IN
all third party claims, suits, proceedings, judgments,                     SECTIONS 6(c)(iii) AND 6(d) CONSTITUTE THE
damages, costs (including reasonable attorneys' fees                       ENTIRE OBLIGATION OF [AFFILIATE] AND THE
and expenses) and other liabilities arising from, in                       EXCLUSIVE REMEDIES OF CUSTOMER WITH
connection with or related in any way to, directly or                      RESPECT TO THE SUBJECT MATTER THEREOF.
indirectly, (i) the Indemnitor’s actual or alleged
material breach of any duty, obligation, representation,                   7.        TERM AND TERMINATION
or warranty of the Indemnitor specified in this                                 (a) Term and Renewal. This Agreement will
Agreement, (ii) any condition identified as a “[Affiliate]                 commence as of the Effective Date and will continue
Indemnification Condition” where [Affiliate] is the                        for the period identified as the “Term” on the cover
Indemnitor, or a “Customer Indemnification Condition”                      sheet of this Agreement (“Initial Term”) unless
where Customer is the Indemnitor, in an Exhibit hereof,                    terminated earlier as set forth below. Following
or (iii) solely with respect to [Affiliate]’s                              expiration of the Initial Term, this Agreement will
indemnification of Customer, any alleged infringement                      automatically renew for successive one (1) year terms
of any United States patent, copyright or trade secret by                  (each a “Renewal Term”) unless either Party provides
the unmodified Software or Services as delivered by                        written notice to the other Party at least sixty (60) days
[Affiliate]. The Indemnitee shall promptly notify the                      prior to the commencement of a Renewal Term of its
Indemnitor of any such claim, and the Indemnitor shall                     intent to avoid such Renewal Term. The Initial Term
bear full responsibility for the defense of such claim                     and any Renewal Terms are collectively referred to in
(including any settlements); provided however, that (1)                    this Agreement as the “Term.” The termination of any
the Indemnitor shall keep the Indemnitee informed of,                      Service or SOW shall not modify the Term of this
and consult with the Indemnitee in connection with the                     Agreement. The expiration or termination of this
progress of such litigation or settlement; and (2) the                     Agreement shall immediately terminate any and all
Indemnitor shall not have any right, without the                           Services ordered hereunder, including any [Affiliate]
Indemnitee’s written consent, (which shall not be                          SOWs executed hereunder.
unreasonably withheld), to settle any such claim if such                        (b) Termination for Default. Each Party will
settlement arises from or is part of any criminal action,                  have the right to terminate this Agreement for any
suit or proceeding or contains a stipulation to or                         material breach that is not cured within thirty (30) days
admission or acknowledgment of, any liability or                           after written notice of such breach.
wrongdoing (whether in contract, tort or otherwise) on                          (c) Termination for Insolvency. Either Party
the part of the Indemnitee, or requires any specific                       hereto may terminate this Agreement, effective
performance or non-pecuniary remedy by the                                 immediately upon written notice, should the other Party
Indemnitee.                                                                hereto (i) admit in writing its inability to pay its debts
       (d) [Affiliate] Options Related to Intellectual                     generally as they become due; (ii) make a general
Property Infringement Claims. In the event of any                          assignment for the benefit of creditors; (iii) institute
claim, suit, or proceeding subject to Section 6(c)(iii)                    proceedings, or have proceedings instituted against it,
above, [Affiliate] shall have the right, at its sole option,               seeking relief or reorganization under any laws relating
to obtain the right to continue use of the affected                        to bankruptcy or insolvency; (iv) have a court of
Software or Services or to replace or modify the                           competent jurisdiction appoint a receiver, liquidator, or
affected Software or Services so that they may be                          trustee over all or substantially all of such Party’s
                                           [Affiliate] Master Services Agreement -- Confidential
                                                                Version 2.0
                                                                                                                               -4-
property or provide for the liquidation of such Party’s                   commercially recognized overnight delivery service
property or business affairs.                                             (such as Federal Express or DHL), or courier. Notice
     (d) Survival of Terms. Any payment obligations                       shall be deemed served upon personal delivery or
which accrued prior to termination or expiration of this                  delivery by courier, upon the second business day after
Agreement, Sections 1, 2(e), 2(f), 4, 5, 6(c), 6(d), 7(d),                the date sent for notices sent via overnight delivery, or
8, 9, and any section of an Exhibit hereof titled                         upon the fifth business day after the date sent for
“Disclaimer”, “Limitation of Liability”, or an                            notices sent via certified mail. Either Party may change
equivalent thereof, shall survive the expiration or                       the address to which notices are to be delivered by
termination of this Agreement.                                            written notice to the other Party. Notices to [Affiliate]
                                                                          shall be addressed to [specify individual].
8.       LIMITATION OF LIABILITY                                               (b) Entire Agreement. This Agreement, together
THE PARTIES AGREE THAT, EXCEPT FOR                                        with any Exhibits hereof and SOW(s) executed
AMOUNTS PAYABLE FOR BREACH OF                                             hereunder, constitutes the entire understanding and
SECTIONS 3 OR 5 OR AS SPECIFIED IN SECTION                                agreement between [Affiliate] and Customer with
6(c), OR AS OTHERWISE PROVIDED IN ANY                                     respect to the transactions contemplated, and
EXHIBIT: (A) A PARTY’S ENTIRE LIABILITY                                   supersedes any and all prior or contemporaneous oral or
AND EXCLUSIVE REMEDY ARISING OUT OF                                       written representation, understanding, agreement or
THIS AGREEMENT IS LIMITED TO TWO (2)                                      communication concerning the subject matter hereof
TIMES THE AMOUNTS PAID OR PAYABLE BY                                           (c) Amendments and Waiver. Subject to the
CUSTOMER TO [AFFILIATE] HEREUNDER FOR                                     provisions of Section 2(d) relating to Volume
THE SERVICES GIVING RISE TO THE CLAIM TO                                  Upgrades, any term or provision of this Agreement may
A MAXIMUM OF ONE MILLION DOLLARS                                          be amended, and the observance of any term of this
($1,000,000), AND (B) NEITHER PARTY WILL BE                               Agreement may be waived, only by a writing
LIABLE TO THE OTHER PARTY OR TO ANY                                       referencing this Agreement and signed by the parties to
THIRD PARTY FOR ANY CONSEQUENTIAL,                                        be bound thereby, and this Agreement may not be
INDIRECT, SPECIAL, INCIDENTAL OR                                          modified or extended solely by submission of a
EXEMPLARY DAMAGES, WHETHER                                                purchase order or similar instrument referencing this
FORESEEABLE OR UNFORESEEABLE, EVEN IF                                     Agreement. In the event that [Affiliate] accepts any
SUCH PARTY HAS BEEN ADVISED OF THE                                        Volume Upgrade offer as described in Section 2(d),
POSSIBILITY OF SUCH DAMAGES, ARISING                                      such acceptance and the resulting modification of this
OUT OF THIS AGREEMENT, THE [AFFILIATE]                                    Agreement will include only the increased Units and
SERVICES, OR ANY EXPRESS OR IMPLIED                                       fees for the applicable Service(s) stated in [Affiliate]’s
WARRANTY, MISREPRESENTATION,                                              invoice, and any terms, conditions, or other additional
NEGLIGENCE, STRICT LIABILITY, OR OTHER                                    material included in the purchase order will be of no
TORT. EXCEPT FOR THE EXPRESS LIMITED                                      force or effect. No SOW which is not explicitly
WARRANTIES CONTAINED IN SECTION 6 OR                                      identified as an amendment to Section 4 of this
THE APPLICABLE EXHIBITS HEREOF,                                           Agreement shall be construed to create any Intellectual
[AFFILIATE] DISCLAIMS ALL OTHER                                           Property Right(s) of Customer or any third-party.
WARRANTIES, EXPRESS, IMPLIED, OR                                               (d) Force Majeure. Neither Party shall be deemed
STATUTORY, INCLUDING WITHOUT                                              in default hereunder, nor shall it hold the other Party
LIMITATION, ANY IMPLIED WARRANTY OF                                       responsible for, any cessation, interruption or delay in
MERCHANTABILITY, FITNESS FOR A                                            the performance of its obligations hereunder due to
PARTICULAR PURPOSE, SATISFACTION OF                                       earthquake, flood, fire, storm, natural disaster, act of
CUSTOMER REQUIREMENTS, AND ANY                                            God, war, terrorism, armed conflict, labor strike,
WARRANTY ARISING OUT OF A COURSE OF                                       lockout, or boycott, provided that the Party relying
PERFORMANCE, DEALING OR TRADE USAGE.                                      upon this provision: (i) gives prompt written notice
                                                                          thereof, and (ii) takes all steps reasonably necessary to
9.        GENERAL PROVISIONS                                              mitigate the effects of the force majeure event; provided
     (a) Notices. All notices shall be in writing and                     further, that in the event a force majeure event extends
addressed to the Party to be served at the respective                     for a period in excess of thirty (30) days in the
addresses set forth on the cover page of this Agreement.                  aggregate, either Party may immediately terminate this
Any such notice may be served personally or by                            Agreement.
certified mail (postage prepaid), internationally
                                          [Affiliate] Master Services Agreement -- Confidential
                                                               Version 2.0
                                                                                                                               -5-
       (e) Severability. In the event that any provision                       (h) Independent Contractors. The Parties to this
of this Agreement should be found by a court of                           Agreement are independent contractors. Neither Party
competent jurisdiction to be invalid, illegal or                          is an agent, representative, joint venturer, or partner of
unenforceable in any respect, the validity, legality and                  the other Party. Neither Party shall have any right,
enforceability of the remaining provisions contained                      power or authority to enter into any agreement for or on
shall not, in any way, be affected or impaired thereby.                   behalf of, or incur any obligation or liability of, or to
      (f) Compliance with Law, Export Requirements,                       otherwise bind, the other Party. Each Party shall bear
and Foreign Reshipment Liability. Each Party agrees                       its own costs and expenses in performing this
that it shall comply with all applicable federal, state and               Agreement.
local laws, regulations, and export requirements in                            (i) Governing Law. This Agreement shall be
connection with its performance under this Agreement.                     governed by the laws of [specify Affiliate jurisdiction].
To the extent Luna tokens and/or readers from an                          The Parties agree that the United Nations Convention
[Affiliate] vendor (“Luna Products”) are supplied under                   on Contracts for the International Sale of Goods shall
this Agreement, the Luna Products are subject to any                      not apply to this Agreement. The Parties agree that
laws, regulations, orders or other restrictions on the                    jurisdiction and venue for any matter arising out of or
export from Canada of softward, hardware, or technical                    pertaining to this Agreement shall be proper only in
information, which may be imposed from time to time                       [specify courts of Affiliate’s jurisdiction].
by the government of Canada. Regardless of any                                  (j) Third Party Beneficiaries. No provisions of
disclosure made by Customer to [Affiliate] of an                          this Agreement are intended nor shall be interpreted to
ultimate destination of the software, hardware, or                        provide or create any third party beneficiary rights or
technical information and, notwithstanding anything                       any other rights of any kind in any other party.
contained in this Agreement to the contrary, Customer                     Notwithstanding the foregoing, [Affiliate]’s suppliers of
will not modify, export, or re-export, either directly or                 Services delivered hereunder shall enjoy the same
indirectly, any software, hardware, or technical                          disclaimers of warranty, limitations on liability and
information, or portions thereof, and where applicable,                   similar exculpatory provisions with respect to such
Luna Products, without first obtaining any and all                        products as does [Affiliate]. Customer is hereby
necessary licenses from the United States government                      notified that VeriSign, Inc., a Delaware corporation,
or agencies, and where applicable, the Canadian                           located at 487 East Middlefield Road, Mountain View,
government, or any other country that requires an                         California 94043, is a third-party beneficiary to this
export license or other governmental approval at the                      Agreement to the extent that this Agreement contains
time of modification, export, or re-export. To the                        provisions which relate to Customer's use of
extent that Luna Products are supplied under this                         [Affiliate]'s Services licensed or provided hereby. Such
Agreement, Customer consents to the disclosure of its                     provisions are made expressly for the benefit of
personal information to the Government of Canada for                      [Affiliate] and are enforceable by VeriSign, Inc. in
purposes related to the export of Luna Products.                          addition to [Affiliate].
      (g) Assignment. Neither Party may assign or                              (k) Order of Precedence. In the event of a
transfer this Agreement or any obligation hereunder                       conflict between the body of this Agreement and any
without the prior written approval of the other Party,                    Exhibit, the terms of the Exhibit shall govern, but only
except to an entity acquiring all or substantially all of                 in regard to the specific Service provided under that
the assets of that Party, whether by acquisition of assets                Exhibit.
or shares, or by merger or consolidation. Any
assignment in violation of this Section 9(g) shall be
void. Subject to the foregoing, this Agreement shall be
binding upon and inure to the benefit of the successors
and assigns of the Parties.
      [Affiliate may, at its option, include the following
(note that re-numbering of the paragraphs will be
required): (h) Insurance Coverage. Each Party shall,
at its own expense, maintain standard errors and
omissions insurance in an amount that is not less than
U.S. two million dollars (US $2,000,000.00) [or the
equivalent in Affiliate’s currency].]

                                          [Affiliate] Master Services Agreement -- Confidential
                                                               Version 2.0
                                                                                                                 Exhibit “A”
                                                                                                                   Page A-1

                                                             EXHIBIT A
                                                               FEES

The Fees set forth in Table 1 below are due and payable in accordance with Section 2 of the Agreement and the
Additional Terms and Conditions below.

[Affiliate must modify as appropriate based on what services it has the right to provide.]

Table 1:
                                                                                              Initial   Annual
Service/Product Description                                               Units                Fees      Fees
Installation Services Fee (one time)                                          ##              $         N/A
                                                                          (Man Days)
Managed PKI Private Label Certificate Service Annual Managed                 N/A
Service Fee for:
( ) Single Application License
( ) Multi-Application License
Managed PKI Private Label Certificate Service Annual Seat Fee                  ##
                                                                             (Seats)
Managed PKI Co-Branded Certificate Service Annual Managed                     N/A
Service Fee for:
( ) Single Application License
( ) Multi-Application License
Managed PKI Co-Branded Certificate Service Annual Seat Fee                     ##
                                                                             (Seats)
Managed PKI for SSL Certificate Service Fee for:                               ##
( ) Standard Certificate Service                                             (Seats)
( ) Premium Edition Certificate Service
Gold Service for Managed PKI for SSL Fee                                      N/A
Managed PKI Key Management Service                                             ##
                                                                             (Seats)
Managed PKI Roaming Service Fee for:                                           ##
( ) Roaming Service                                                          (Seats)
( ) Enterprise Roaming Service: Split Hosted
( ) Enterprise Roaming Service: [Affiliate] Hosted
Premium Validation Services Fee                                              (type)
Platinum Service Fee                                                          N/A
Additional Professional Consulting Services                              (x) man days
TOTAL FEES                                                                    N/A




                                           [Affiliate] Master Services Agreement -- Confidential
                                                                Version 2.0
                                                                                                                      Exhibit “A”
                                                                                                                        Page A-2


 Table 2:
 Service/Product Components
Managed PKI (Single Application License):                                Managed PKI (Multi-Application License):
    (__) Private Label Certificate Service or                                (__) Private Label Certificate Service or
    (__) Co-Branded Certificate Service include(s);                          (__) Co-Branded Certificate Service includes;
      ·Custom Key Ceremony                                                      ·Custom Key Ceremony
      One (1) CA Certificate                                                    (__) CA Certificate
      One (1) copy of Managed PKI Software (includes                            One (1) copy of Managed PKI Software (includes
      Local Hosting, and Automated Administration                              Local Hosting, and Automated Administration modules),
      modules)                                                                  Select Go Secure! Applications from the following;
      Select One (1) Go Secure! Application from the following;                           ____ GoSecure! For Microsoft Exchange
                ____ GoSecure! For Microsoft Exchange                                     ____ GoSecure! For Web Applications
                ____ GoSecure! For Web Applications                                       ____ GoSecure! For Lotus Notes
                ____ GoSecure! For Lotus Notes                                            ____ GoSecure! For Checkpoint
                ____ GoSecure! For Checkpoint                                             ____ GoSecure! For Nortel
                ____ GoSecure! For Nortel                                       (__) Automated Administration Hardware Kit(s)
         (__) Automated Administration Hardware Kit(s)                          One (1) Manual Administrator Kit (Available upon
                                                                               request at no additional charge

 Key Management Service includes:
        Key Management Service software·
        Key Management cryptographic hardware

 Roaming Service includes:
      Roaming Service software (Split-Hosted only)
      Go Secure! For Web Applications




                                              Additional Terms & Conditions:

 •   All fees are shown and must be paid in U.S. Dollars
 •   All fees shown in Table 1 above will be due and payable net 30 from the invoice date. Any fees designated as
     “Annual Fees” fees in Table 1 are annual recurring fees that will also be due and payable net 30 from each
     anniversary of the Effective Date throughout the Term.
 •   The fees for any Renewal Term(s) will be the same as the fees in effect for the immediately preceding Service year;
     provided, however, that [Affiliate] may increase such fees by up to five percent (5%) for any Renewal Term by
     providing written notice of such increase to Customer at least ninety (90) days prior to the commencement of such
     Renewal Term.
 •   Customer shall reimburse [Affiliate] for out-of-pocket or travel expenses reasonably incurred in connection with
     rendering Installation Services or Additional Professional Consulting Services to Customer (collectively,
     “Reimbursable Expenses”). Reimbursable Expenses and any other fees arising under this Agreement or any
     Statement(s) of Work shall be due and payable by Customer within thirty (30) days of Customer’s receipt of invoice.
 •   Customer acknowledges and agrees that, notwithstanding any other provision of this Agreement, [Affiliate] may, at
     its sole discretion, suspend access to any or all of the Services after such time as Customer is thirty (30) days late in
     remitting any payment due hereunder and continuing until all applicable fees have been received and processed by
     [Affiliate].
 •   Unused Units may not be carried over to subsequent years.



                                           [Affiliate] Master Services Agreement -- Confidential
                                                                Version 2.0
                                                                                                                     Exhibit “B”
                                                                                                                       Page B-1

                                                   EXHIBIT B
                                           SERVICE LEVEL AGREEMENT

OVERVIEW                                                                     (b) Up Time Percentage. [Affiliate]’s Up Time
     This Service Level Agreement (“SLA”) details the                   percentage throughout the Term will be no less than
system availability and customer support terms for the                  ninety-nine percent (99%) for Gold Service, and no less
[Affiliate] Services (except as may be otherwise                        than ninety-nine and one-half percent (99.5%) for
provided in the applicable Service Exhibits). The SLA                   Platinum Service.
terms below include [Affiliate]’s standard SLA terms                         (c) Scheduled Down Time. [Affiliate] will notify
(“Gold Service”), and certain additional SLA                            Customer via electronic mail of Scheduled Down Time
commitments for customers that purchase [Affiliate]’s                   and anticipated impact to Service specific functionality
premium SLA package (“Platinum Service”).                               not less than thirty (30) hours in advance of the planned
                                                                        downtime window. Scheduled Down Time will not
1.        DEFINITIONS                                                   exceed four (4) hours in any single calendar week.
“Customer Administrator” means a trusted Customer
employee designated by Customer as its administrator                    3.        CUSTOMER SUPPORT
with respect to the relevant Service(s).                                     (a) Severity Levels. The Response Times
 “Response Time” means the amount of time that                          associated with [Affiliate]’s provision of customer
elapses between Customer’s report of a service problem                  support to Customer in connection with the Services
to [Affiliate] and [Affiliate]’s response acknowledging                 will be based, in part, on classification of reported
the report and indicating that a response to the problem                problems by severity level as follows:
has been initiated.                                                             (i) Severity 1. Severity 1 problems
“Scheduled Down Time” means scheduled periods of                               include any events that have a major
[Affiliate] system and Service unavailability to perform                       impact on the operations of the system
routine service maintenance, upgrades, and testing.                            and on end users' use of the Service(s),
“Service Performance” means the amount of time that                            such as:
elapses between the arrival of data sent by Customer at                        • System or application unavailability
[Affiliate]’s back-end system and the transmission from                           that prevents critical transactions
[Affiliate]’s back-end system of the corresponding                                from being processed
response or automated action initiated by [Affiliate] in                       • Online application outages that
connection with the relevant Service. “Service                                    significantly impact the online
Performance” refers only to the performance of                                    availability of the Service(s)
[Affiliate]’s back-end system, and does not include the                        • Telecommunications interruptions
system availability, performance, or response delay of                            that lead to a major disruption of the
any third party.                                                                  Service(s)
 “Up Time” means the percentage of time that                                   • Consistent degradation of availability
[Affiliate]’s systems are available and capable of                                that significantly impairs the utility of
receiving and processing data from Customer in                                    the Service(s)
connection with the Services. Unless otherwise                                 (ii) Severity 2. Severity 2 problems
specified, “Up Time” refers only to availability of                            include any events (other than Severity
[Affiliate]’s systems, and does not include the system                         1 problems) that have a moderate
availability or performance of any party.                                      impact on the operations of the system
                                                                               and on end users' use of the Service(s),
2.       SERVICE AVAILABILITY                                                  such as:
     (a) Up Time Measurement. Up Time is                                       • Errors that disable only certain non-
calculated on a rolling 90 day basis as a percentage                              essential functions of the Service(s)
equal to (i) the total number of minutes in any 90 day                            and may result in degraded
period that [Affiliate]’s systems are available and                               operations, including without
capable of receiving and processing data from                                     limitation, errors that cause
customers, divided by (ii) the total number of minutes                            significant transaction processing
in such period.
                                        [Affiliate] Master Services Agreement -- Confidential
                                                             Version 2.0
                                                                                                                        Exhibit “B”
                                                                                                                          Page B-2
          delays                                                                   personnel are notified of the problem, and
       • Intermittent degradation of                                               production management and engineering
          availability that moderately impairs                                     personnel are actively working on the problem
          the utility of the Service(s)                                         • Hour 5: [Affiliate]’s Vice Presidents of
       (iii) Severity 3. Severity 3 problems include any                           Operations and Engineering are notified and,
       events (other than Severity 1 or 2 problems) that                           together with the Director(s) of Production
       have a minor impact on the operations of the                                Services and Customer Service, involved in
       system and on end users' use of the Service(s).                             the problem resolution
     (b) Response Times. For Gold Service, [Affiliate]                          • Hour 8: [Affiliate]’s executive management
will provide first level telephone support to Customer                             team including the CEO are notified and
Administrator(s) 24 hours a day, 7 days a week, 52                                 involved in the problem resolution
weeks a year, for Severity 1 problems, and from 5:00                            (ii) Severity 2.
am - 6:00 pm Pacific Time, Monday through Friday, 52                            • Hour Zero to Hour 72: [Affiliate] will work
weeks a year, for Severity 2 and 3 problems, excluding                             to resolve the problem and will attempt to
United States national holidays and Scheduled Down                                 provide a solution within 72 hours after
Time periods. For Platinum Service, [Affiliate] will                               problem identification. In the event that
provide first level telephone support to Customer                                  [Affiliate] does not develop a plan, within the
Administrator(s) 24 hours a day, 7 days a week, 52                                 first 4 business days after the problem is
weeks a year for Severity 1, 2, and 3 problems. During                             reported, for resolution of the problem within
such hours, incoming first level support calls will be                             the following 10 day period, and the problem
answered immediately by an automated call system.                                  is not due to the fault of Customer, [Affiliate]
[Affiliate] will provide a call system option to speak                             will escalate the problem in accordance with
directly to a trained customer support representative.                             the Severity 1 escalation procedures described
80% of the time that this option is selected, customers                            above.
will speak to a trained customer support representative                      (d) Pre-Production Environment. Customer will
within 120 seconds of selecting that option. All first                  have access to the [Affiliate] pre-production
level support calls will be logged and such logs will be                environment as applicable to the Service(s) provided
maintained for at least one year. [Affiliate]’s Response                for a period of 60 days after the Effective Date for Gold
Times, broken out by System type and Severity Level,                    Service, and for a period of one (1) year after the
are provided in Table A below.                                          Effective Date for Platinum Service. No other
                                                                        provision of this SLA will be applicable to pre-
TABLE A: Customer Support Problem Response                              production environment availability or performance.
(during hours provided in Section 3(b) above)                                (e) Hardware Expedited Replacement Service.
                                                                        Replacement hardware will be shipped to Customer
 Severity    Callback within       Callback within                      within 72 hours via two day delivery for Gold Service,
  Level      (Gold Service)        (Platinum Service)                   and within 24 hours via two day delivery for Platinum
                                                                        Service.
Severity 1         4 hours               2 hours                             (f) Maintenance and Service Version. Both Gold
                                                                        and Platinum Support include a maintenance plan under
Severity 2         8 hours               4 hours                        which [Affiliate] will provide Software upgrades, bug-
                                                                        fixes, patches, error corrections and enhancements
Severity 3    next business day     next business day                   which are developed by [Affiliate] and made available
                                                                        to [Affiliate]’s customers generally. [AFFILIATE]
                                                                        WILL PROVIDE SUCH MAINTENANCE PLAN
                                                                        AND CUSTOMER SUPPORT AS PROVIDED IN
     (c) Escalation. Severity 1 and 2 problems will be                  THIS SLA ONLY FOR THE THEN CURRENT
internally escalated in the following fashion to ensure                 RELEASE OF THE [AFFILIATE] SERVICES OR
effective resolution:                                                   SOFTWARE AND ONE PREVIOUS RELEASE AT
       (i) Severity 1.                                                  ANY GIVEN TIME.
       • Hour 0 to Hour 4: [Affiliate]’s Director(s) of
          Production Services and Customer Service,                     4.    ADDITIONAL TERMS FOR PLATINUM
          production management, and engineering                        SERVICE CUSTOMERS
                                        [Affiliate] Master Services Agreement -- Confidential
                                                             Version 2.0
                                                                                                Exhibit “B”
                                                                                                  Page B-3
     (a) Managed PKI Service Performance. For
Platinum Service only, the Managed PKI Services (if
applicable) will be provided in accordance with the
following Service Performance standards, as applicable
(excluding any additional latency resulting from use of
the Managed PKI Services in conjunction with other
Services), which standards reflect average performance
for customers over any calendar month:
• 90% of all Administrator approvals of a Certificate
     will occur within 10 seconds
• 90% of all Administrator revocations of a
     Certificate will occur within 5 seconds
• 90% of all Administrator requests for a CRL will
     occur within 5 seconds
• 90% of all end user requests for a Certificate will
     occur within 5 seconds
• 90% of all end user pickups of approved
     Certificates will occur within 5 seconds
• 90% of all end user revocations of his/her own
     Certificate will occur within 5 seconds
• 99% of all of the above requests or actions will
     occur within 2 minutes
     (b) Support Account Manager. For Platinum
Service only, [Affiliate] will designate a qualified
[Affiliate] employee to serve as Customer’s Support
Account Manager for all support issues. The Support
Account Manager will be available to conduct support
service reviews at Customer’s request once per calendar
quarter.
     (C) Reports. For Platinum Service only, [Affiliate]
will make available to Customer monthly reports
detailing for the period covered by the report: (i) the
total percentage of Up Time, (ii) the number of
Scheduled Down Time periods, (iii) the percentage of
Scheduled Down Time periods completed within the
scheduled window specified in the notice provided by
[Affiliate], (iv) severity level classifications and
resolution times for reported problems, and (v) actual
Service Performance figures corresponding to the
standards specified in this Exhibit (aggregated across
all Managed PKI Service customers).




                                        [Affiliate] Master Services Agreement -- Confidential
                                                             Version 2.0
                                                                                                                        Exhibit “C”
                                                                                                                          Page C-1
                                                        EXHIBIT C
                                            PRIVATE LABEL CERTIFICATE SERVICES
                                                      (MANAGED PKI)

                              [Affiliate should include only if it has the right to provide this service.]

BACKGROUND                                                                 Certificate) without the authorization of the Person
     Customer wishes to: (i) issue, manage, revoke,                        named as the subject of the Certificate.
and/or renew digital Certificates in a Private Hierarchy                   “Key Generation” means the [Affiliate] procedures for
branded with Customer’s trade name based on                                proper generation of Customer’s Public Key and
Certificate Applications submitted to, validated by, and                   Private Key via a trustworthy process and for storage of
approved by Customer, and (ii) outsource to [Affiliate]                    Customer’s Private Key and documentation thereof.
the functions of issuing, managing, revoking, and/or                       “Operational Period” means a period starting with the
renewing such Certificates, but (iii) retain for itself the                date and time a Certificate is issued (or on a later date
functions of validating and approving Certificate                          and time certain if stated in the Certificate) and ending
Applications and requesting revocation or renewal of                       with a date and time at which the Certificate expires or
Certificates. This Exhibit governs the terms and                           is earlier revoked.
conditions by which [Affiliate] provides the Managed                       “Private Hierarchy” means a domain consisting of a
PKI Private Label Certification Services.                                  system of CAs that issued Certificates in a chain
                                                                           leading from Customer’s root CA through one or more
1.       DEFINITIONS                                                       Certification Authorities to Subscribers in accordance
 “Administrator Certificate” means the Certificate                         with Customer’s practices. Certificates issued in a
issued by [Affiliate] to the Customer employee                             Private Hierarchy are intended to meet the needs of
designated as the Managed PKI Administrator for the                        organizations authorizing their issuance and are not
sole purpose of accessing the Managed PKI Control                          intended for interactions between organizations and/or
Center to perform the Administrator functions.                             individuals through public channels.
“Certificate” or “Digital Certificate” means a                             “Private Key” means a mathematical key (kept secret
message that, at least, states a name or identifies the                    by the holder) used to create Digital Signatures and,
issuing CA, identifies the Subscriber, contains the                        depending upon the algorithm, to decrypt messages or
Subscriber’s Public Key, identifies the Certificate’s                      files encrypted (for confidentiality) with the
Operational Period, contains a Certificate serial                          corresponding Public Key.
number, and contains a Digital Signature of the issuing                    “Public Key” means a mathematical key that can be
CA.                                                                        made publicly available and which is used to verify
“Certificate Applicant” means a person or authorized                       signatures created with its corresponding Private Key.
agent that requests the issuance of a Certificate by a                     Depending on the algorithm, Public Keys are also used
CA.                                                                        to encrypt messages or files which can then be
“Certificate Application(s)” means a request from a                        decrypted with the corresponding Private Key.
Certificate Applicant (or authorized agent) to a CA for                    “Registration Authority” or “RA” is an entity
the issuance of a Certificate.                                             approved by a CA to assist persons in applying for
“Certification Authority” or “CA” means a Person                           Certificates and/or revoking (or where authorized,
authorized to issue, suspend, or revoke Certificates.                      suspending) Certificates, and approving such
 “Certificate Signing Unit” or “CSU” means a                               applications, in connection with the Private Label
hardware unit or software designed for use in signing                      Certificate Services. An RA is not the agent of a
Certificates and key storage.                                              Certificate applicant. An RA may not delegate the
“Erroneous Issuance” means: (a) issuance of a                              authority to approve Certificate Applications other than
Certificate in a manner not materially in accordance                       to authorized RAAs of the RA.
with the procedures required by the Managed PKI                            “Registration Authority Administrator” or “RAA”
Administrator’s Handbook (b) issuance of a Certificate                     is an employee of an RA that is responsible for carrying
(other than a Class 1 Certificate) to a Person other than                  out the functions of an RA.
the one named as the subject of the Certificate, or (c)                    “Seat” means a single individual that is an authorized
issuance of a Certificate (other than a Class 1                            end user of the Service, without regard to the number of
                                                                           Certificates actually issued to such individual.
                                           [Affiliate] Master Services Agreement -- Confidential
                                                                Version 2.0
                                                                                                                        Exhibit “C”
                                                                                                                           Page C-2
“Subscriber” means a person who is the subject of,                       the Managed PKI Administrator’s Handbook published
and has been issued, a Certificate, and is capable of                    at the Managed PKI Control Center, as amended. If an
using, and is authorized to use, the Private Key that                    Administrator ceases to have the authority to act as
corresponds to the Public Key listed in the Certificate at               Administrator on behalf of Customer, Customer‘s RAA
issue.                                                                   shall promptly request revocation of the Administrator
“Subscriber Agreement” is the agreement executed                         Certificate of such Administrator.
between a Subscriber and the CA or [Affiliate] relating                       (c) Survival. In addition to the termination
to the provision of designated Certificate related                       provisions set forth in the Agreement, the revocation
Services and governing the Subscriber’s rights and                       and security requirements in this Exhibit and the
obligations relating to the Certificate.                                 Managed PKI Administrator’s Handbook shall survive
                                                                         termination of this Agreement until the end of the
When the Private Label Certificate Service is sold with                  Operational Period of all Certificates issued hereunder.
Premium Validation, the following additional                                  (d) Customer’s Warranties. In addition to the
definitions apply:                                                       express representations set forth in the Agreement,
                                                                         Customer warrants to [Affiliate] that (a) all information
“Certificate Revocation List” or “CRL” is a                              material to the issuance of a Certificate and validated
periodically (or exigently) issued list, digitally signed                by or on behalf of Customer is true and correct in all
by a CA, of identified Certificates that have been                       material respects; (b) Customer 's approval of
revoked prior to their expiration dates. The list                        Certificate applications will not result in Erroneous
generally indicates the CRL issuer’s name, the date of                   Issuance; (c) Customer has substantially complied with
issue, the date of the next scheduled CRL issue, the                     the Managed PKI Administrator’s Handbook and the
revoked certificates’ serial numbers, and the specific                   RA Requirements; (d) no Certificate information
times and reasons for revocation.                                        provided to [Affiliate] infringes the intellectual property
“Online Certificate Status Protocol” or “OCSP” is a                      rights of any third parties; (e) the information in the
protocol for providing Relying Parties with real-time                    Certificate application(s) (including email address) has
Certificate Status Information, and may be accessed (by                  not been and will not be used for any unlawful purpose;
customers who have purchased OCSP support) by                            (f) Customer’s RAA has been (since the time of the
querying the appropriate [Affiliate] OCSP Responder at                   RAA Certificate’s creation) and will remain the only
a URL specified by [Affiliate].                                          person(s) possessing the RAA Certificate(s)Private
“Premium CRL(s)” means CRLs which [Affiliate]                            Key, or any challenge phrase, PIN, software, or
updates more frequently than standard CRLs and makes                     hardware mechanism protecting the Private Key, and no
available to customers who have purchased Premium                        unauthorized person has had or will have access to such
CRL access at a URL specified by [Affiliate].                            materials or information; (g) Customer will use the
“Premium Validation” means, collectively, the                            RAA Certificate exclusively for authorized and legal
services by which Premium CRLs and OCSP                                  purposes consistent with this Agreement; (h) Customer
information are made available to customers.                             will not monitor, interfere with or reverse engineer the
                                                                         technical implementation of the [Affiliate] systems or
2.        CUSTOMER’S OBLIGATIONS                                         Software or otherwise knowingly compromise the
     (a) Registration Authority Administrator.                           security of the [Affiliate] systems or Software.
Customer shall appoint one or more authorized
Customer employees as RAA(s). Such RAA shall be                          3.        [AFFILIATE]’S OBLIGATIONS
entitled to appoint additional RAAs on Customer’s                             (a) Services. [Affiliate] shall provide Customer
behalf. Customer shall cause RAAs receiving                              with the Services indicated in this Exhibit throughout
Certificates hereunder to abide by the terms of the                      the Service Period. [Affiliate] shall issue, manage,
applicable Subscriber Agreement and the Managed PKI                      revoke, and/or renew Certificates in accordance with
Administrator’s Handbook.                                                the instructions provided by Customer and its
     (b) Administrator’s Functions. Customer shall,                      Administrator(s). Upon Customer’s approval of a
through its RAA(s) using hardware and software                           Certificate Application, [Affiliate]: (i) shall be entitled
designated by [Affiliate], validate the information in                   to rely upon the correctness of the information in each
Certificate Applications, approve or reject such                         such approved Certificate Application, and (ii) shall
Certificate Applications, and instruct [Affiliate] to                    issue a Certificate for the Certificate Applicant for
issue, renew and revoke Certificates in accordance with                  which such Certificate Application was submitted.
                                         [Affiliate] Master Services Agreement -- Confidential
                                                              Version 2.0
                                                                                                   Exhibit “C”
                                                                                                     Page C-3
Certificates issued or licensed under this Agreement,
including RAA Certificates, will have a maximum
Operational Period of twelve (12) months from the date
each Certificate is issued.
     (b) RAA Certificate. Upon [Affiliate]'s
completion of authentication procedures required for
the RAA Certificate, [Affiliate] will process Customer's
RAA Certificate Application(s). [Affiliate] will notify
Customer whether Customer's RAA Certificate
Application is approved or rejected. RAA's use of the
PIN from [Affiliate] to pick up the RAA Certificate or
otherwise installing or using the RAA Certificate is
considered RAA acceptance of the RAA Certificate.
After the RAA picks up or otherwise installs the RAA
Certificate, the RAA must review the information in it
before using it and promptly notify [Affiliate] of any
errors. Upon receipt of such notice, [Affiliate] may
revoke the RAA Certificate and issue a corrected RAA
Certificate.
     (c) CA Key Generation. During a single CA Key
Generation event, [Affiliate] shall generate for
Customer, pairs of CA keys for use in signing
Certificates issued by [Affiliate] on behalf of Customer
for use in Customer’s Private Hierarchy. Customer’s
Private Key of each pair shall be stored in one or more
Certificate Signing Units.
     (d) [Affiliate] Warranty. [Affiliate] warrants that
there are no errors introduced by [Affiliate] in the
Certificate information as a result of [Affiliate]'s failure
to use reasonable care in creating the Certificate.

4.       ADDITIONAL TERMS
     Each Service account includes at least one CA
Certificate. Additional CA Certificates for a given
volume may be purchased by Customer after the
Effective Date. For Single Application Managed PKI
Certificate Services, additional CA Certificates may be
purchased, but may not be activated until Customer
purchases Multi-Application Managed PKI Certificate
Services, and each User will be limited to one
Certificate per year (except for Managed PKI Key
Management Service deployments with dual key
option). Automated Administration hardware
components become the property of Customer, but
upon termination of Service any [Affiliate] Certificates
stored in the hardware will be revoked. Administrator
Kits consist of a smart card, smart card reader, software
and one (1) Administrator Certificate. Any extraction
of CA Certificates and/or corresponding key pairs from
the [Affiliate] systems and Services will be subject to
agreement of the parties.

                                           [Affiliate] Master Services Agreement -- Confidential
                                                                Version 2.0
                                                                                                                        Exhibit “D”
                                                                                                                          Page D-1
                                                       EXHIBIT D
                                             CO-BRANDED CERTIFICATE SERVICES
                                                     (MANAGED PKI)

                              [Affiliate should include only if it has the right to provide this service.]

BACKGROUND                                                                “Certification Practices Statement” or “CPS” means
     Customer wishes to become a CA and RA within                         a document, as revised from time to time, representing
the VTN, and to outsource to [Affiliate] the functions of                 a statement of the practices a CA or RA employs in
issuing, managing, revoking, and/or renewing Client                       issuing Certificates. [Affiliate]’s CPS is published at
Certificates, while retaining for itself the RA functions                 [provide URL].
of a CA; namely, validating and approving Certificate                     “Erroneous Issuance” means: (a) issuance of a
Applications and requesting revocation or renewal of                      Certificate in a manner not materially in accordance
Client Certificates in accordance with the [Affiliate]                    with the procedures required by the CPS, or the
CPS and Managed PKI Administrator’s Handbook.                             Managed PKI Administrator’s Handbook (b) issuance
This Exhibit governs the terms and conditions by which                    of a Certificate (other than a Class 1 Certificate) to a
[Affiliate] provides the Managed PKI Co-Branded                           Person other than the one named as the subject of the
Certification Services.                                                   Certificate, or (c) issuance of a Certificate (other than a
                                                                          Class 1 Certificate) without the authorization of the
1.         DEFINITIONS                                                    Person named as the subject of the Certificate.
“Administrator Certificate” means the Certificate                         “Key Generation” means the [Affiliate] procedures for
issued by [Affiliate] to the Customer employee                            proper generation of Customer’s Public Key and
designated as the Managed PKI Administrator for the                       Private Key via a trustworthy process and for storage of
sole purpose of accessing the Managed PKI Control                         Customer’s Private Key and documentation thereof.
Center to perform the Administrator functions.                            “Operational Period” means a period starting with the
“Affiliated Individual” means a human being that is                       date and time a Certificate is issued (or on a later date
affiliated with an organization: (i) as an officer,                       and time certain if stated in the Certificate) and ending
director, employee, partner, contractor, intern, or other                 with a date and time at which the Certificate expires or
person within the organization, or (ii) as a person                       is earlier revoked.
maintaining a contractual relationship with the                           “Private Key” means a mathematical key (kept secret
organization where the organization has business                          by the holder) used to create Digital Signatures and,
records providing strong assurances of the identity of                    depending upon the algorithm, to decrypt messages or
such person.                                                              files encrypted (for confidentiality) with the
“Certificate” or “Digital Certificate” means a                            corresponding Public Key.
message that, at least, states a name or identifies the                   “Public Key” means a mathematical key that can be
issuing CA, identifies the Subscriber, contains the                       made publicly available and which is used to verify
Subscriber’s Public Key, identifies the Certificate’s                     signatures created with its corresponding Private Key.
Operational Period, contains a Certificate serial                         Depending on the algorithm, Public Keys are also used
number, and contains a Digital Signature of the issuing                   to encrypt messages or files which can then be
CA.                                                                       decrypted with the corresponding Private Key.
“Certificate Applicant” means a person or authorized                      [Affiliate may wish to include language similar to the
agent that requests the issuance of a Certificate by a                    shaded provisions if Affiliate is in the EU and will be
CA.                                                                       offering Qualified Certificates. Note that the model
“Certificate Application(s)” means a request from a                       language below is based on EU legislation in 2003;
Certificate Applicant (or authorized agent) to a CA for                   Affiliate should update language in light of current
the issuance of a Certificate.                                            EU and local legal requirements.] “Qualified
“Certification Authority” or “CA” means a Person                          Certificate” means a certificate which meets the
authorized to issue, suspend, or revoke Certificates.                     requirements laid down in Annex I under the Directive
 “Certificate Signing Unit” or “CSU” means a                              1999/93/EC of the European Parliament and of the
hardware unit or software designed for use in signing                     Council of 13 December 1999 on a Community
Certificates and key storage.                                             framework for electronic signatures (“Directive”) (as
                                                                          amended and/or replaced from time to time) and is
                                          [Affiliate] Master Services Agreement -- Confidential
                                                               Version 2.0
                                                                                                                    Exhibit “D”
                                                                                                                       Page D-2
provided by a CA that fulfils the requirements laid                      available to customers who have purchased Premium
down in Annex II of the Directive.                                       CRL access at a URL specified by [Affiliate].
“Secure Signature-Creation Device” means a                               “Premium Validation” means, collectively, the
signature-creation device that meets the requirements                    services by which Premium CRLs and OCSP
laid down in Annex III of the Directive.                                 information are made available to customers.
“Registration Authority” or “RA” is an entity
approved by a CA to assist persons in applying for                       2.        APPOINTMENT
Certificates and/or revoking (or where authorized,                            (a) Appointments. [Affiliate] hereby appoints
suspending) Certificates, and approving such                             Customer as a non-[Affiliate] CA within the VTN
applications, in connection with the Co-Branded                          pursuant to the [Affiliate] CPS, and Customer accepts
Certificate Services. An RA is not the agent of a                        such appointment
Certificate applicant. An RA may not delegate the                             (b) Certification and Registration Authority.
authority to approve Certificate Applications other than                 Except for the functions outsourced to [Affiliate] under
to authorized RAAs of the RA.                                            this Exhibit, Customer shall meet all requirements and
“Registration Authority Administrator” or “RAA”                          perform all obligations imposed upon a CA and/or RA
is an employee of an RA that is responsible for carrying                 within the VTN under the [Affiliate] CPS as amended
out the functions of an RA.                                              from time to time, including without limitation the
“Seat” means a single individual that is an authorized                   duties in Section 4 of this Exhibit.
end user of the Service, without regard to the number of
Certificates actually issued to such individual.                         3.        [AFFILIATE] CPS AND THE MANAGED
“Subscriber” means a person who is the subject of,                       PKI ADMINISTRATOR’S HANDBOOK
and has been issued, a Certificate, and is capable of                        Customer must comply with the applicable
using, and is authorized to use, the Private Key that                    requirements of the [Affiliate] CPS and the Managed
corresponds to the Public Key listed in the Certificate at               PKI Administrator’s Handbook published at the
issue.                                                                   Managed PKI Control Center, as periodically amended.
“Subscriber Agreement” is the agreement executed                         [Affiliate] shall notify the Customer appointed
between a Subscriber and the CA or [Affiliate] relating                  Registration Authority Administrator (“RAA”) of any
to the provision of designated Certificate related                       amendments by posting the information to the Managed
Services and governing the Subscriber’s rights and                       PKI Control Center.
obligations relating to the Certificate.
                                                                         4.        CUSTOMER’S OBLIGATIONS
When the Co-Branded Certificate Service is sold with                          (a) Registration Authority Administrator.
Premium Validation, the following additional                             Customer Contact shall appoint one or more authorized
definitions apply:                                                       Customer employees as RAA. Such RAA shall be
                                                                         entitled to appoint additional RAAs on Customer’s
“Certificate Revocation List” or “CRL” is a                              behalf. Customer shall cause RAAs receiving
periodically (or exigently) issued list, digitally signed                Certificates hereunder to abide by the terms of the
by a CA, of identified Certificates that have been                       applicable Subscriber Agreement, which can be found
revoked prior to their expiration dates. The list                        in the Managed PKI Administrator’s Handbook.
generally indicates the CRL issuer’s name, the date of                        (b) Registration Authority Requirements.
issue, the date of the next scheduled CRL issue, the                     Customer shall comply with the requirements stated in
revoked certificates’ serial numbers, and the specific                   the [Affiliate] CPS and the Managed PKI
times and reasons for revocation.                                        Administrator’s Handbook as periodically amended,
“Online Certificate Status Protocol” or “OCSP” is a                      including without limitation, requirements for
protocol for providing Relying Parties with real-time                    validating the information in Certificate Applications,
Certificate Status Information, and may be accessed (by                  approving or rejecting such Certificate Applications, ,
customers who have purchased OCSP support) by                            and revoking Certificates, using hardware and software
querying the appropriate [Affiliate] OCSP Responder at                   designated by [Affiliate]. Customer shall perform such
a URL specified by [Affiliate].                                          tasks in a competent, professional and workmanlike
“Premium CRL(s)” means CRLs which [Affiliate]                            manner. Customer shall approve a Certificate
updates more frequently than standard CRLs and makes                     Application only if the Certificate Applicant is an
                                                                         Affiliated Individual as to Customer. If a Subscriber
                                         [Affiliate] Master Services Agreement -- Confidential
                                                              Version 2.0
                                                                                                                      Exhibit “D”
                                                                                                                         Page D-3
that has been issued a Certificate by Customer ceases to                 knowingly compromise the security of the [Affiliate]
be affiliated with Customer as an Affiliated Individual,                 systems or Software or the VTN.
Customer shall promptly request revocation of such                            (f) Audit Rights. [Affiliate] may conduct an audit
Subscriber’s Certificate through the Managed PKI                         of Customer not more than once per year to ensure
Control Center. If an RAA ceases to have the authority                   compliance with the terms of this Exhibit. Any such
to act as RAA on behalf of Customer, Customer shall                      audit will be conducted during business hours upon
promptly request revocation of the RAA Certificate of                    reasonable written notice to Customer and will not
such RAA.                                                                unreasonably interfere with Customer’s business
     (c) Customer’s Subscribers. Customer shall cause                    activities. Customer will provide reasonable
Subscribers receiving Certificates hereunder to abide by                 cooperation to [Affiliate] in connection with any such
the terms of the appropriate Subscriber Agreement, to                    audit. If an audit reveals that Customer has breached
which they assented as a condition of enrolling for their                any term of this Exhibit, then: (i) Customer will pay
Certificates. Customer will ensure that the “Limitation                  [Affiliate]’s reasonable costs of conducting the audit,
of Liability” terms set forth in the Agreement are                       and (ii) notwithstanding the one audit per year
incorporated into any agreement between Customer and                     limitation stated above, [Affiliate] may conduct such
a Subscriber relating to the [Affiliate] Services or the                 further audits as it deems reasonably necessary to
subject matter of this Agreement.                                        ensure compliance with the terms of this Exhibit.
     (d) Survival. In addition to the termination                        Routine annual audits may only cover the immediate
provisions set forth in the Agreement, the revocation                    preceding year of activity.
and security requirements in this Exhibit, the CPS, and
the Managed PKI Administrator’s Handbook shall
                                                                         5.        [AFFILIATE]’S OBLIGATIONS
survive termination of this Agreement until the end of
                                                                              (a) Services. [Affiliate] shall provide Customer
the Operational Period of all Certificates issued
                                                                         with the Services specified in this Exhibit throughout
hereunder.
                                                                         the Service Period. [Affiliate] shall issue, manage,
     (e) Customer’s Warranties. In addition to the
                                                                         revoke, and/or renew Client Certificates in accordance
express limited warranties set forth in the Agreement,
                                                                         with the instructions provided by Customer and its
Customer warrants to [Affiliate] that: (i) all
                                                                         RAA(s). Upon Customer’s approval of a Certificate
information material to the issuance of a Certificate and
                                                                         Application, [Affiliate]: (i) shall be entitled to rely
validated by or on behalf of Customer is true and
                                                                         upon the correctness of the information in each such
correct in all material respects; (ii) Customer 's
                                                                         approved Certificate Application, and (ii) shall issue a
approval of Certificate applications will not result in
                                                                         Certificate for the Certificate Applicant for which such
Erroneous Issuance (iii) Customer has substantially
                                                                         Certificate Application was submitted. Certificates
complied with the CPS, the Managed PKI
                                                                         issued or licensed under this Agreement, including
Administrator’s Handbook, and the RA Requirements;
                                                                         RAA Certificates, will have a maximum validity period
(iv) no Certificate information provided to [Affiliate]
                                                                         of twelve (12) months from the date each Certificate is
infringes the intellectual property rights of any third
                                                                         issued.
parties; (v) the information in the Certificate
                                                                              (b) RAA Certificate. Upon [Affiliate]'s completion
application(s) (including email address) has not been
                                                                         of authentication procedures required for the RAA
and will not be used for any unlawful purpose; (vi)
                                                                         Certificate, [Affiliate] will process Customer 's RAA
Customer’s RAA has been (since the time of the RAA
                                                                         Certificate Application(s). [Affiliate] will notify
Certificate’s creation) and will remain the only
                                                                         Customer whether Customer's RAA Certificate
person(s) possessing the RAA Certificate(s)private key,
                                                                         Application is approved or rejected. RAA's use of the
or any challenge phrase, PIN, software, or hardware
                                                                         PIN from [Affiliate] to pick up the RAA Certificate or
mechanism protecting the private key, and no
                                                                         otherwise installing or using the RAA Certificate is
unauthorized person has had or will have access to such
                                                                         considered RAA acceptance of the RAA Certificate.
materials or information; (vii) Customer will use the
                                                                         After the RAA picks up or otherwise installs the RAA
RAA Certificate exclusively for authorized and legal
                                                                         Certificate, the RAA must review the information in it
purposes consistent with this Agreement; and (viii)
                                                                         before using it and promptly notify [Affiliate] of any
Customer will not monitor, interfere with or reverse
                                                                         errors. Upon receipt of such notice, [Affiliate] may
engineer the technical implementation of the [Affiliate]
                                                                         revoke the RAA Certificate and issue a corrected RAA
systems or Software or the VTN, or otherwise
                                                                         Certificate.

                                         [Affiliate] Master Services Agreement -- Confidential
                                                              Version 2.0
                                                                                                                         Exhibit “D”
                                                                                                                             Page D-4
     (c) CA Key Generation. This Section applies to                       Customer shall comply with the Directive 1999/93/EC
the extent Customer is a CA within the VTN. During a                      of the European Parliament and of the Council of 13
single Key Generation event, [Affiliate] shall generate                   December 1999 on a Community framework for
for Customer, pairs of CA keys for use in signing                         electronic signatures (“Directive”) (as amended and/or
Certificates issued by [Affiliate] on behalf of Customer                  replaced from time to time) and shall meet the
for use in the VTN. Customer’s Private Key of each                        authentication requirements set forth in Section 7.3.1 of
key pair shall be stored in one or more Certificate                       the European Telecommunications Standards Institute,
Signing Units.                                                            Policy requirements for certification authorities issuing
     (d) [Affiliate] Warranties. [Affiliate] warrants                     qualified certificates (ETSI TS 101 456 V1.2.1 April
that (a) there are no errors introduced by [Affiliate] in                 2002) (“ETSI Policy Document”), or the corresponding
the Certificate information as a result of [Affiliate]'s                  Section in the then-current version of same. Without
failure to use reasonable care in creating the Certificate,               limiting the generality of the foregoing, Customer shall
(b) The Certificate(s) comply in all material respects                    ensure that certificate applicants are properly identified
with the CPS, and (c) [Affiliate]'s revocation services                   and authenticated and that certificate applications are
and use of a repository conform to the CPS in all                         complete, accurate and duly authorized; inform
material aspects.                                                         certificate applicants of the terms and conditions
                                                                          regarding use of the certificate; verify the identity and,
6.       INDEMNITY                                                        if applicable, any specific attributes of the certificate
    (a) Customer Indemnification Condition(s): any                        applicant to which a the certificate is issued; and retain
actual or alleged breach of the Subscriber Agreement                      a copy of the agreement made with the certificate
by a Subscriber receiving an RAA Certificate                              applicant. In addition, Customer shall check the
hereunder.                                                                identity of the certificate applicant against a physical
                                                                          person either directly or indirectly using means which
7.       ADDITIONAL TERMS                                                 provides equivalent assurance to physical presence
Each Service account includes at least one CA                             through evidence of the full name, date and place of
Certificate. Additional CA Certificates for a given                       birth, a nationally recognized identity number, or other
volume may be purchased by Customer after the                             attributes which may be used to, as far as possible,
Effective Date. For Single Application Managed PKI                        distinguish the person from others with the same name.
Certificate Services, additional CA Certificates may be                   Customer shall also require certificate applicant to
purchased, but may not be activated until Customer                        provide a physical address, or other attributes, which
purchases Multi-Application Managed PKI Certificate                       describe how the certificate applicant may be contacted.
Services, and each User will be limited to one                            Customer shall also communicate to certificate
Certificate per year (except for Managed PKI Key                          applicants whether Customer requires certificate
Management Service deployments with dual key                              applicants to use Secure Signature-Creation Devices.
option). Automated Administration hardware
components become the property of Customer, but
upon termination of Service any [Affiliate] Certificates
stored in the hardware will be revoked. Administrator
Kits consist of a smart card, smart card reader, software
and one (1) Administrator Certificate. Any extraction
of CA Certificates and/or corresponding key pairs from
the [Affiliate] systems and Services will be subject to
agreement of the parties.

[Affiliate may wish to include language similar to the
shaded provisions if Affiliate is in the EU and will be
offering Qualified Certificates. Note that the model
language below is based on EU legislation in 2003;
Affiliate should update language in light of current
EU and local legal requirements.]
8.        QUALIFIED CERTIFICATE TERMS

                                          [Affiliate] Master Services Agreement -- Confidential
                                                               Version 2.0
                                                                                                                      Exhibit “E”
                                                                                                                        Page E-1
                                                    EXHIBIT E
                                       MANAGED PKI KEY MANAGEMENT SERVICE

                            [Affiliate should include only if it has the right to provide this service.]

BACKGROUND                                                                   (a) Key Manager Administrator. Customer
     Customer wishes to use the Managed PKI Key                         Contact shall appoint one or more authorized Customer
Management Service to generate key pairs on behalf of                   employees as Key Manager Administrator (“KMA”).
its Subscribers, back up Subscribers’ Private Keys in                   KMAs may have different roles, such as a security
encrypted form, manage such Private Keys, and use                       administrator role or a key recovery role. Only KMAs
[Affiliate]’s Key Recovery Service to recover such                      with a security administrator role shall be entitled to
Private Keys in accordance with the Key Management                      appoint additional KMAs on Customer’s behalf. If any
Service Administrator’s Guide and this Exhibit.                         KMA is no longer authorized to recover keys,
[Affiliate] is willing to permit Customer to use the                    Customer shall configure the Managed PKI Control
Managed PKI Key Management Service under the                            Center to prevent such KMA from performing key
terms and conditions below and in the Key                               recovery functions. Customer must comply with the
Management Service Administrator’s Guide.                               applicable requirements of the Key Management
                                                                        Service Administrator’s Guide published at the
1.        DEFINITIONS                                                   Managed PKI Control Center, as periodically amended.
“Erroneous Key Recovery” means: (a) recovery and                        [Affiliate] shall notify the Customer-appointed
transmission of a Private Key in a manner not                           Administrator of any amendments to the Key
materially in accordance with the procedures required                   Management Service Administrator’s Guide by posting
in the Managed PKI Administrator’s Handbook, (b)                        the information to the Managed PKI Control Center.
recovery and transmission of a Private Key to a Person
other than the Subscriber that is the rightful holder of                     (b) Key Manager Registration Authority
the Private Key, and (c) recovery and transmission of a                 Requirements. Customer shall comply with the
Private Key without the authorization of the Subscriber                 requirements stated in the Key Management Service
that is the rightful holder of the Private Key.                         Administrator’s Guide as periodically amended,
Notwithstanding the foregoing, Erroneous Key                            including without limitation, requirements for
Recovery does not include: (a) Customer’s recovery of                   generating Key Pairs on behalf of Certificate
a Subscriber’s Private Key and transmission to law                      Applicants, transmitting Public Keys to [Affiliate] for
enforcement officials in response to a search warrant or                inclusion in Certificates to be issued to such Certificate
subpoena; (b) Customer’s recovery of a Subscriber’s                     Applicants, transmitting key recovery information to
Private Key and transmission in response to judicial or                 [Affiliate], validating requests from Subscribers
administrative process; or (c) Customer’s recovery of a                 recovering their Private Keys to ensure that they are in
Subscriber’s Private Key to obtain access to messages                   fact from such Subscribers, approving or rejecting such
that are intended to be decrypted by use of such Private                requests, using hardware and software designated by
Key, even without Subscriber’s authorization, for                       [Affiliate], using the Managed PKI Key Management
Customer’s legitimate and lawful business purposes.                     Service to request the information needed to recover
“Key Manager Administrator” means a person that                         Private Keys, and (where appropriate) transmitting
shall use trustworthy systems to generate key pairs,                    recovered Private Keys to the requesting Subscribers.
send Public Keys and Private Key recovery information                   Customer shall use trustworthy systems to generate key
to [Affiliate], store Private Keys, and transmit Private                pairs, send Public Keys and Private Key recovery
Keys to Subscribers.                                                    information to [Affiliate], store Private Keys, and
 “Key Recovery Impersonation” means a Person’s                          transmit Private Keys to Subscribers.
requesting and receiving from Customer a Subscriber’s                        (c) Manner of Performance. Customer shall
Private Key by submitting to Customer false or falsified                perform the tasks in Section 2(b) above in a competent,
information relating to naming or identity indicating                   professional and workmanlike manner. Customer shall
that such Person is such Subscriber.                                    utilize [Affiliate]’s Software and Services provided
                                                                        under this Exhibit exclusively for lawful purposes and
2.    CUSTOMER’S KEY RECOVERY                                           for purposes consistent with the Key Management
DUTIES                                                                  Service Administrator’s Guide and, with respect to the
                                        [Affiliate] Master Services Agreement -- Confidential
                                                             Version 2.0
                                                                                                                          Exhibit “E”
                                                                                                                              Page E-2
Managed-PKI Co-Branded Certificate Services, if                           Certificate Applicant (upon approval of a Certificate
applicable, the [Affiliate] CPS.                                          Application) and transmits the Public Key to [Affiliate],
     (d) Export Compliance. Regardless of any                             [Affiliate] shall place such Public Key in a Certificate
disclosure made by Customer to [Affiliate] of the                         and issue the Certificate pursuant to the applicable
location of Subscribers receiving Private Keys                            Managed PKI Certificate Service terms.
generated by Customer under this Exhibit and,                                  (c) [Affiliate] Centralized Key Management
notwithstanding anything contained in this Agreement                      Service. [Affiliate] shall authenticate requests received
to the contrary, Customer will not, either directly or                    from Customer’s KMA for a Subscriber’s Private Key
indirectly, generate and send Private Keys to Persons                     that Customer generated or approved in accordance
outside the United States and/or provide Certificates to                  with Key Management Service Administrator’s Guide.
such Persons containing Public Keys corresponding to                      If [Affiliate] authenticates the request, it shall provide
such Private Keys, without first obtaining any and all                    Customer with Key Recovery information needed to
necessary licenses from the United States government                      recover such Subscriber’s Private Key.
or agencies or any other country for which such
government or any agency thereof requires an export                       5.     LIABILITY RELATING TO REQUESTS
license or other governmental approval at the time such                   FOR PRIVATE KEYS
Private Keys are sent to such Persons or at the time                      CUSTOMER SHALL BEAR EXCLUSIVE
such Certificates are provided to such Persons.                           RESPONSIBILITY, AND LIABILITY TO ANY AND
     (e) Customer’s Warranties. In addition to the                        ALL PERSONS, FOR THE GENERATION OR
express limited warranties contained in each applicable                   AUTHENTICATION OF ALL REQUESTS FOR
Exhibit(s) under this Agreement, Customer warrants to                     PRIVATE KEYS THAT CUSTOMER SUBMITS TO
[Affiliate] that: (i) each request submitted to [Affiliate]               [AFFILIATE] AND FOR THE CONDUCT OF KMAs.
by Customer for information to recover a Subscriber’s                     [AFFILIATE] DISCLAIMS ALL SUCH
Private Keys after Customer has received a request for                    RESPONSIBILITY AND LIABILITY.
the same from someone purporting to be such
Subscriber has in fact been submitted to Customer, and
authorized, by such Subscriber, (ii) requests generated
by Customer for information to recover a Subscriber’s
Private Key without the Subscriber’s permission are
authorized by Customer for the legitimate and lawful
business purposes of Customer, (iii) without limiting
the generality of the foregoing, a request submitted to
[Affiliate] by Customer for information to recover a
Subscriber’s Private Key will not result in an Erroneous
Key Recovery, including but not limited to Erroneous
Key Recovery resulting from Key Recovery
Impersonation, and (iv) Customer has substantially
complied with the Key Management Service
Administrator’s Guide.

4.       [AFFILIATE]’S OBLIGATIONS
         [Affiliate] shall provide Customer with the use
of the Managed PKI Key Management Service as set
forth herein, to be used concurrently with the [Affiliate]
Managed PKI Services.
     (a) RAA Certificate. Upon approval of Certificate
Application(s) of the KMA(s), if any, [Affiliate] shall
issue an RAA Certificate or Administrator Certificate to
each such KMA as appropriate to obtain access to the
Services provided under this Exhibit.
     (b) Placement of Public Keys in Certificates.
After Customer generates a Key Pair on behalf of a
                                          [Affiliate] Master Services Agreement -- Confidential
                                                               Version 2.0
                                                                                                                       Exhibit “F”
                                                                                                                         Page F-1
                                                    EXHIBIT F
                                     MANAGED PKI ENTERPRISE ROAMING SERVICE
                                       (SPLIT HOSTED OR [AFFILIATE] HOSTED)

                           [Affiliate should include only if it has the right to provide this service.]
         [Note: The two types of Roaming covered in this Exhibit F are not included in versions MPKI 6.0 and later.]

BACKGROUND                                                              Control Center. Customer shall also comply with the
     Customer wishes to use the Managed PKI                             Managed PKI Certificate Service requirements, as
Enterprise Roaming Service (the “Service”) to enable                    applicable, to validate the information in Certificate
its end users to securely download their Private Key                    Applications, approve or reject such Certificate
and Certificate from any client terminal thereby giving                 Applications, use hardware and software designated by
the end user “roaming capabilities”. [Affiliate] grants                 [Affiliate], and instruct [Affiliate] to issue Certificates
Customer the right to use the Service under the terms                   to such Certificate Applicants. In the Split Hosted
and conditions set forth in this Exhibit and in                         Service version, Customer, through the [Affiliate]
accordance with the [Affiliate] Roaming Service                         Personal Trust Agent (“PTA”), shall (i) ensure that a
Administrator’s Guide. This Exhibit includes                            Subscriber’s Encrypted Private Profile needed to
[Affiliate]’s standard terms for both the Split Hosted                  recover a Subscribers Private Key, is stored in
and the [Affiliate] Hosted versions of the Service.                     Customer’s designated roaming and storage servers,
                                                                        and (ii) store information used to generate a
1.        DEFINITIONS                                                   Subscriber’s Symmetric Key, in Customer’s roaming
“Encrypted Private Profile” means the encrypted                         server(s) in accordance with the [Affiliate] Roaming
information relating to a Subscriber’s Private Key and                  Service Administrator’s Guide.
Certificate.                                                                 (c) Roaming Subscribers. Customer shall bear
“Split Hosted” means the version of the [Affiliate]                     full responsibility for ensuring that only those
Managed PKI Enterprise Roaming Service in which the                     Subscribers validated and approved by Customer, shall
roaming servers are distributed between the Customer                    receive access to the [Affiliate] Roaming Services
and the [Affiliate] premises.                                           provided herein.
“Symmetric Key” means a key to be used to decrypt or
encrypt a Subscriber’s Encrypted Private Profile.                       3.        [AFFILIATE]’S OBLIGATIONS
“Symmetric Key Information” means the information                            [Affiliate] shall provide Customer with the use of
used to generate a Symmetric Key.                                       the Managed PKI Enterprise Roaming Service as set
“[Affiliate] Hosted” means the version of the                           forth herein, to be used concurrently with the [Affiliate]
[Affiliate] Managed PKI Enterprise Roaming Service in                   Managed PKI Services.
which the roaming servers are located at the [Affiliate]                     (a) Certificate Issuance. [Affiliate]’s issuance of
premises.                                                               Certificates for use with the Managed PKI Enterprise
                                                                        Roaming Service will be subject to the Managed PKI
2.        CUSTOMER’S OBLIGATIONS                                        Certificate Service terms.
     (a) Appointment. Customer Contact shall appoint                         (b) Symmetric Key Data. Either the [Affiliate]
one or more authorized Customer employees as                            PTA and/or Roaming API software may be used by
Roaming Service Center Administrator(s) (“RSCA”) or                     Customer to (i) obtain a Subscriber's Encrypted Private
use its existing Administrators or RAA’s, whichever the                 Profile from Customer’s designated storage server; (ii)
case may be, to access the Roaming Service Center and                   obtain the information from [Affiliate]'s and/or
perform the functions described below.                                  Customer’s roaming servers (as applicable) to generate
     (b) Roaming Administrator Functions. Customer                      a Subscriber’s Symmetric Key, and (iii) use the
must comply with the applicable requirements of the                     Symmetric Key to decrypt a Subscriber’s Encrypted
Roaming Service Administrator’s Guide published at                      Private Profile, thereby allowing the Subscriber to use
the Managed PKI Control Center, as periodically                         their Private Key and Certificate contained therein. In
amended. [Affiliate] shall notify the Customer of any                   the [Affiliate] Hosted Service version, the Subscribers’
amendments to the Roaming Service Administrator’s                       Symmetric Key Information is stored in [Affiliate]’s
Guide by posting the information to the Managed PKI

                                        [Affiliate] Master Services Agreement -- Confidential
                                                             Version 2.0
                                                                                                Exhibit “F”
                                                                                                  Page F-2
designed roaming server(s) and automatically erased
after it is used to generate a Symmetric Key.
     (c) Export License. [Affiliate] will maintain the
licenses necessary to provide the Managed PKI
Roaming Service, subject to the terms of [Affiliate]’s
and its licensors’ export license agreement with the
U.S. Department of Commerce, Bureau of Export
Administration.
     (d) Disaster Recovery. In the [Affiliate] Hosted
Service version, [Affiliate] will provide disaster
recovery capability following the completed or
operational implementation of the Service. Such
disaster recovery capability will be the same capability
used for [Affiliate]’s own system operation and will not
include Customer specific business continuity or
processes.

5.     CUSTOMER’S LIABILITY RELATING
TO SUBSCRIBERS’ PRIVATE DATA
CUSTOMER SHALL BEAR EXCLUSIVE
RESPONSIBILITY, AND LIABILITY TO ANY AND
ALL PERSONS, FOR THE SECURITY OF ITS
SUBSRIBERS’ ENCRYPTED PRIVATE PROFILE.
[AFFILITE] DISCLAIMS ALL SUCH
RESPONSIBILITY AND LIABILITY.




                                        [Affiliate] Master Services Agreement -- Confidential
                                                             Version 2.0
                                                                                                                    Exhibit “F”
                                                                                                                      Page F-1
                                                      EXHIBIT F
                                             MANAGED PKI ROAMING SERVICE
                                                 (CUSTOMER-HOSTED)

                            [Affiliate should include only if it has the right to provide this service.]

BACKGROUND                                                              and (ii) store information used to generate a
     Customer wishes to use the Managed PKI Roaming                     Subscriber’s Symmetric Key, in Customer’s roaming
Service to enable its end users to securely download                    server in accordance with the [Affiliate] Roaming
their Private Key and Certificate from any client                       Service Administrator’s Guide.
terminal thereby giving the end user “roaming                                (c) Roaming Subscribers. Customer shall bear
capabilities”. [Affiliate] grants Customer the right to                 full responsibility for ensuring that only those
use the Managed PKI Roaming Service under the terms                     Subscribers validated and approved by Customer, shall
and conditions set forth in this Exhibit and in                         receive access to the [Affiliate] Roaming Services
accordance with the [Affiliate] Roaming Service                         provided herein.
Administrator’s Guide.
                                                                        3.        [AFFILIATE]’S OBLIGATIONS
1.       DEFINITIONS                                                         [Affiliate] shall provide Customer with the use of
“Encrypted Private Profile” means the encrypted                         the Managed PKI Roaming Service as set forth herein,
information relating to a Subscriber’s Private Key and                  to be used concurrently with the [Affiliate] Managed
Certificate.                                                            PKI Services.
“Symmetric Key” means a key to be used to decrypt or                         (a) Certificate Issuance. [Affiliate]’s issuance of
encrypt a Subscriber’s Encrypted Private Profile.                       Certificates for use with the Managed PKI Enterprise
“Symmetric Key Information” means the information                       Roaming Service will be subject to the Managed PKI
used to generate a Symmetric Key.                                       Certificate Service terms.
                                                                             (b) [Affiliate] Roaming Service. The [Affiliate]
2.        CUSTOMER’S OBLIGATIONS                                        PTA and/or Roaming API software may be used by
     (a) Appointment. Customer Contact shall appoint                    Customer to (i) obtain a Subscribers Encrypted Private
one or more authorized Customer employees as                            Profile from Customer’s designated storage server; (ii)
Roaming Service Center Administrator(s) (“RSCA”) or                     obtain the information from both of Customer’s
use its existing Administrators or RAA’s, whichever the                 roaming and storage servers to generate a Subscriber’s
case may be, to access the Roaming Service Center and                   Symmetric Key, and (iii) use the Symmetric Key to
perform the functions described below.                                  decrypt a Subscriber’s Encrypted Private Profile,
     (b) Roaming Administrator Functions. Customer                      thereby allowing the Subscriber to use their Private Key
must comply with the applicable requirements of the                     and Certificate contained therein.
Roaming Service Administrator’s Guide published at                           (c) Export License. [Affiliate] will maintain the
the Managed PKI Control Center, as periodically                         licenses necessary to provide the Managed PKI
amended. [Affiliate] shall notify the Customer of any                   Roaming Service, subject to the terms of [Affiliate]’s
amendments to the Roaming Service Administrator’s                       and its licensors’ export license agreement with the
Guide by posting the information to the Managed PKI                     U.S. Department of Commerce, Bureau of Export
Control Center. Customer shall also comply with the                     Administration.
Managed PKI Service requirements, as applicable, to
validate the information in Certificate Applications,                   4.     CUSTOMER’S LIABILITY RELATING
approve or reject such Certificate Applications, use                    TO A SUBSCRIBERS PRIVATE DATA
hardware and software designated by [Affiliate], and                    CUSTOMER SHALL BEAR EXCLUSIVE
instruct [Affiliate] to issue Certificates to such                      RESPONSIBILITY, AND LIABILITY TO ANY AND
Certificate Applicants. Customer, through the                           ALL PERSONS, FOR THE SECURITY OF ITS
[Affiliate] Personal Trust Agent (“PTA”), shall (i)                     SUBSRIBERS ENCRYPTED PRIVATE PROFILE.
ensure that a Subscriber’s Encrypted Private Profile                    [AFFILIATE] DISCLAIMS ALL SUCH
needed to recover a Subscribers Private Key, is stored                  RESPONSIBILITY AND LIABILITY.
in Customer’s designated roaming and storage servers,

                                        [Affiliate] Master Services Agreement -- Confidential
                                                             Version 2.0
                                                                                                                     Exhibit “H”
                                                                                                                       Page H-1
                                                EXHIBIT G
                                    MANAGED PKI FOR SSL CERTIFICATE SERVICES
                                       (STANDARD AND/OR PREMIUM EDITION)

                             [Affiliate should include only if it has the right to provide this service.]

                                                                              (a) Appointments. [Affiliate] hereby appoints
BACKGROUND                                                               Customer as a non-[Affiliate] RA within the VTN
         Customer wishes to become an RA within the                      pursuant to the [Affiliate] CPS, and Customer accepts
VTN and to perform the RA functions of validating and                    such appointment.
approving Certificate Applications and requesting                             (b) Registration Authority. This Section 2(b)
revocation or renewal of SSL Certificates in accordance                  applies to the extent Customer performs any of the
with the [Affiliate] CPS and Managed PKI for SSL                         functions or exercises any of the rights of an RA within
Administrator’s Handbook. Except as indicated below,                     the VTN. Customer shall meet all requirements and
the terms of this Exhibit apply to both the Standard                     perform all obligations imposed upon an RA within the
Edition version of the Managed PKI for SSL Certificate                   VTN under the [Affiliate] CPS as amended from time
Services (“Service”) and the Premium Edition of the                      to time, including without limitation the duties in
Service.                                                                 Section 3 of this Exhibit.

1.        DEFINITIONS                                                    3.        CUSTOMER’S OBLIGATIONS
“Certificate” or “Digital Certificate” means a                                (a) Registration Authority Administrator.
message that, at least, states a name or identifies the                  Customer Contact shall appoint one or more authorized
issuing CA, identifies the Subscriber, contains the                      Customer employees as RAAs. Such RAA shall be
Subscriber’s Public Key, identifies the Certificate’s                    entitled to appoint additional RAAs on Customer’s
Operational Period, contains a Certificate serial                        behalf. Customer shall cause RAAs receiving
number, and contains a Digital Signature of the issuing                  Certificates hereunder to abide by the terms of the
CA.                                                                      applicable Subscriber Agreement, which can be found
“Certificate Application(s)” means a request to a CA                     in the Managed PKI for SSL Administrator’s
for the issuance of a Certificate.                                       Handbook.
“Certification Authority” or “CA” means a Person                              (b) Registration Authority Requirements.
authorized to issue, suspend, or revoke Certificates.                    Customer must comply with the applicable
“Registration Authority” or “RA” is an entity                            requirements of the [Affiliate] CPS and the Managed
approved by a CA to assist with application for                          PKI for SSL Administrator’s Handbook published at
Certificates and/or revoking (or where authorized,                       the Managed PKI Control Center, as periodically
suspending) Certificates, and approving such                             amended. [Affiliate] shall notify the Customer
applications, in connection with the Service. An RA is                   appointed RAA of any amendments by electronic mail
not the agent of a Certificate applicant, and may not                    or by posting the information to the Managed PKI
delegate the authority to approve Certificate                            Control Center. Customer shall also comply with the
Applications other than to authorized RAAs of the RA.                    requirements set forth in the [Affiliate] CPS and the
“Registration Authority Administrator” or “RAA”                          Managed PKI for SSL Administrator’s Handbook, as
is an employee of an RA that is responsible for carrying                 periodically amended, for validating the information in
out the functions of an RA.                                              Certificate Applications, approving or rejecting such
"SSL Certificate" shall mean a Class 3 organizational                    Certificate Applications, using hardware and software
certificate used to support SSL sessions between a web                   designated by [Affiliate], and revoking Certificates.
browser and web server that uses encryption.                             Customer shall perform such tasks in a competent,
"SSL Premium Certificate" shall mean a Class 3                           professional and workmanlike manner. Customer shall
organizational certificate used to support SSL sessions                  approve a Certificate application only if (i) the
between a web browser and web server that uses                           application was made on behalf of a server within
stronger encryption than an SSL Certificate.                             Customer’s organization; (ii) the Customer RA has
                                                                         authorized the use of Customer's organizational name in
2.       APPOINTMENT                                                     the Certificate; (iii) and Customer has authorized the

                                         [Affiliate] Master Services Agreement -- Confidential
                                                              Version 2.0
                                                                                                                          Exhibit “H”
                                                                                                                             Page H-1
use of a domain name ending in the domain name listed                           (e) Customer Warranties. In addition to the
in Customer's RAA Certificate(s) (For example, if                          express limited warranties set forth in the Agreement,
Customer's domain name in its RAA Certificate(s) is                        Customer warrants to [Affiliate] that (i) all information
"company.com," then Certificate applicants can only                        material to the issuance of a Certificate and validated
request Certificates under this Agreement if their                         by or on behalf of Customer is true and correct in all
domain names end in "company.com."). If an RAA                             material respects; (ii) Customer 's approval of
ceases to have the authority to act as RAA on behalf of                    Certificate applications will not result in Erroneous
Customer, Customer shall promptly request revocation                       Issuance; (iii) Customer has substantially complied with
of the RAA Certificate of such RAA. If Customer's                          the CPS, the Handbook, and the RA Requirements; (iv)
Organizational name and/or domain registration                             no Certificate information provided to [Affiliate]
change, Customer’s RAA shall promptly request                              infringes the intellectual property rights of any third
revocation all Certificates issued hereunder. Customer                     parties; (v) the information in the Certificate
is prohibited from disclosing any challenge phrase,                        application(s) (including email address) has not been
PIN, software or hardware mechanism protecting the                         and will not be used for any unlawful purpose; (vi)
RAA Certificate private key to a third party.                              Customer’s RAA has been (since the time of the RAA
     (c) Survival. In addition to the termination                          Certificate’s creation) and will remain the only
provisions set forth in the Agreement, the revocation                      person(s) possessing the RAA Certificate(s)private key,
and security requirements set forth in this Exhibit, the                   or any challenge phrase, PIN, software, or hardware
CPS, and the Managed PKI for SSL Administrator’s                           mechanism protecting the private key, and no
Handbook shall survive termination of this Agreement                       unauthorized person has had or will have access to such
until the end of the Operational Period of all                             materials or information; (vii) Customer will use the
Certificates issued hereunder.                                             RAA Certificate exclusively for authorized and legal
     (d) Certificate Restrictions. Customer is                             purposes consistent with this Agreement; and (viii)
prohibited from using a Certificate (i) for or on behalf                   Customer will not monitor, interfere with or reverse
of any other organization or (ii) to perform private or                    engineer the technical implementation of the [Affiliate]
public key operations in connection with any domain                        systems or Software or the VTN, except with the prior
name and/or organization name other than the one(s)                        written approval from [Affiliate], and shall not
submitted by the RAA during enrollment; (iii)                              otherwise intentionally compromise the security of the
Customer is also prohibited from using a Certificate on                    [Affiliate] systems or Software or the VTN.
more than one physical server or device at a time,                              (f) Additional Service Terms. Each Managed PKI
unless Customer has selected the specific licensing                        for SSL service license can support one organization
option on the enrollment screen that permits the use of a                  and multiple domain names, as long as each of those
Certificate on one physical device with additional                         domain names are owned and registered to that
Certificate licenses for each physical server that each                    organization. Different legal entities must purchase
device manages, or where replicated Certificates may                       separate Managed PKI for SSL service licenses. This
otherwise reside (the "Licensed Certificate Option").                      service is not intended for service providers that issue
Customer acknowledges and agrees that the Licensed                         SSL certificates to unrelated organizations, and may not
Certificate Option can result in increased security risks                  be used for such purpose. [Affiliate] does not offer
to Customer's network and [Affiliate] expressly                            Private Label or Co-Branded Managed PKI for SSL.
disclaims any liability for breaches of security that                      Premium SSL certificates enable 128-bit encrypted
result from the distribution of a single key across                        sessions with the export Versions of newer Netscape
multiple devices. [AFFILIATE] CONSIDERS THE                                and Microsoft browsers. This includes Netscape
UNLICENSED USE OF A CERTIFICATE ON A                                       versions 4.06 and later and Microsoft Versions 4.0 and
DEVICE THAT RESIDES ABOVE A SERVER OR                                      later (Win32 Platform). Premium SSL certificates do
SERVER FARM SOFTWARE PIRACY AND WILL                                       not work with Netscape prior to 4.05 or Microsoft 4.5
PURSUE VIOLATORS TO THE FULLEST EXTENT                                     and earlier or for the Apple Macintosh. CUSTOMER
OF THE LAW. If Customer chooses to display                                 ACKNOWLEDGES IT UNDERSTANDS THE
[Affiliate]'s Secure Site Seal (the "Seal"), it must install               APPLICABLE EXPORT AND BROWSER
and display such Seal only in accordance with the                          LIMITATIONS BEFORE PURCHASING THIS
Secure Site Seal Licensing Agreement posted on the                         SERVICE.
[Affiliate] website.

                                           [Affiliate] Master Services Agreement -- Confidential
                                                                Version 2.0
                                                                                                                       Exhibit “H”
                                                                                                                           Page H-1
4.         [AFFILIATE]’S OBLIGATIONS                                     the Certificate information as a result of [Affiliate]'s
     (a) Services. [Affiliate] shall provide Customer                    failure to use reasonable care in creating the Certificate,
with the Services specified in this Exhibit throughout                   (b) The Certificate(s) comply in all material respects
the Service Period. [Affiliate] shall issue, manage,                     with the CPS, and (c) [Affiliate]'s revocation services
revoke, and/or renew SSL Certificates in accordance                      and use of a repository conform to the CPS in all
with the instructions provided by Customer through its                   material aspects.
RAA(s). Upon Customer’s approval of a Certificate
Application, [Affiliate]: (i) shall be entitled to rely                  5.     LIMITATION OF LIABILITY
upon the correctness of the information in each such                     IN ADDITION TO THE LIMITATION OF
approved Certificate Application, and (ii) shall issue a                 LIABILITY PROVIDED IN THE BODY OF THE
Certificate to the Certificate Applicant submitting such                 AGREEMENT, THE LIMITATION PROVIDED
Certificate Application. Certificates issued or licensed                 HEREIN WILL APPLY WITH RESPECT TO ANY
under this Agreement, including RAA Certificates,                        DAMAGES, CLAIMS, OR OTHER LOSSES
have a maximum validity period of twelve (12) months                     RELATING TO ANY CERTIFICATE ISSUED
from the date each Certificate is issued.                                HEREUNDER. [AFFILIATE]'S TOTAL LIABILITY
Notwithstanding the terms of the “Gold Service”                          FOR DAMAGES SUSTAINED BY CUSTOMER
Service Level Agreement Exhibit if attached to this                      AND/OR ANY THIRD PARTY FOR ANY USE OR
Agreement, neither the terms of that Service Level                       RELIANCE ON A SPECIFIC CERTIFICATE SHALL
Agreement nor any other service level commitments                        BE LIMITED, IN THE AGGREGATE, TO ONE
will apply with respect to the services provided under                   HUNDRED THOUSAND DOLLARS ($100,000).
this Exhibit unless a Gold Service Fee obligation for the                THE LIABILITY LIMITATIONS PROVIDED
then current Service Year is in effect.                                  HEREIN SHALL BE THE SAME REGARDLESS OF
     (b) RAA Certificate. [Affiliate] will notify                        THE NUMBER OF DIGITAL SIGNATURES,
Customer whether Customer's RAA Certificate                              TRANSACTIONS, OR CLAIMS RELATED TO
Application is approved or rejected. If the RAA                          SUCH CERTIFICATE(S). [AFFILIATE] SHALL
Certificate Application is approved, [Affiliate] will                    NOT BE OBLIGATED TO PAY MORE THAN THE
issue an RAA Certificate for Customer’s RAA's use in                     TOTAL LIABILITY LIMITATION FOR EACH
accordance with this Agreement. After the RAA picks                      CERTIFICATE.
up or otherwise installs the RAA Certificate, the RAA
must review the information in it before using it and                    6.       INDEMNITY
promptly notify [Affiliate] of any errors. Upon receipt                      (a) Customer Indemnification Condition(s): any
of such notice, [Affiliate] may revoke the RAA                           actual or alleged breach of the Subscriber Agreement
Certificate and issue a corrected RAA Certificate.                       by a Subscriber receiving an RAA Certificate
      (c) [Affiliate] Warranties. [Affiliate] warrants                   hereunder.
that (a) there are no errors introduced by [Affiliate] in




                                         [Affiliate] Master Services Agreement -- Confidential
                                                              Version 2.0
                                                                                                                     Exhibit “H”
                                                                                                                       Page H-1
                                                        EXHIBIT H
                                                    IDENTRUS EXPRESS

                         [Affiliate should include only if it has the right to provide this service.]

BACKGROUND                                                               Certificate) without the authorization of the Person
           Customer wishes to: (i) issue, manage,                        named as the subject of the Certificate.
suspend, revoke, and/or renew digital Certificates for                   “Key Generation” means the [Affiliate] procedures for
Identrus LLC PKI Solutions and which are Identrus                        proper generation of Customer’s Public Key and
compliant, in a Private Hierarchy which will link                        Private Key via a trustworthy process and for storage of
directly to the Identrus root CA and branded with                        Customer’s Private Key and documentation thereof.
Customer’s trade name based on Certificate                               “Operational Period” means a period starting with the
Applications submitted to, validated by, and approved                    date and time a Certificate is issued (or on a later date
by Customer, and (ii) outsource to [Affiliate] the                       and time certain if stated in the Certificate) and ending
functions of issuing, managing, suspending, revoking,                    with a date and time at which the Certificate expires or
and/or renewing such Certificates, but (iii) retain for                  is earlier revoked.
itself the functions of validating and approving                         “Private Hierarchy” means a domain consisting of a
Certificate Applications and requesting revocation or                    system of CAs that issued Certificates in a chain
renewal of Certificates.                                                 leading from Customer’s root CA through one or more
                                                                         Certification Authorities to Subscribers in accordance
1.       DEFINITIONS                                                     with Customer’s practices. Certificates issued in a
“Administrator Certificate” means the Certificate                        Private Hierarchy are intended to meet the needs of
issued by [Affiliate] to the Customer employee                           organizations authorizing their issuance and are not
designated as the Managed PKI Administrator for the                      intended for interactions between organizations and/or
sole purpose of accessing the Managed PKI Control                        individuals through public channels.
Center to perform the Administrator functions.                           “Private Key” means a mathematical key (kept secret
 “Certificate” or “Digital Certificate” means a                          by the holder) used to create Digital Signatures and,
message that, at least, states a name or identifies the                  depending upon the algorithm, to decrypt messages or
issuing CA, identifies the Subscriber, contains the                      files encrypted (for confidentiality) with the
Subscriber’s Public Key, identifies the Certificate’s                    corresponding Public Key.
Operational Period, contains a Certificate serial                        “Public Key” means a mathematical key that can be
number, and contains a Digital Signature of the issuing                  made publicly available and which is used to verify
CA.                                                                      signatures created with its corresponding Private Key.
“Certificate Applicant” means a person or authorized                     Depending on the algorithm, Public Keys are also used
agent that requests the issuance of a Certificate by a                   to encrypt messages or files which can then be
CA.                                                                      decrypted with the corresponding Private Key.
“Certificate Application(s)” means a request from a
Certificate Applicant (or authorized agent) to a CA for                  2.        CUSTOMER’S OBLIGATIONS
the issuance of a Certificate.                                           (a) Appointments. Customer shall appoint one or more
“Certification Authority” or “CA” means a Person                         authorized Customer employees as administrator(s)
authorized to issue, suspend, or revoke Certificates.                    (“Administrator(s)”).
“Certificate Signing Unit” or “CSU” means a                              (b) Administrator Functions. Customer, through its
hardware unit or software designed for use in signing                    Administrator(s), shall validate the information in
Certificates and key storage.                                            Certificate Applications, approve, suspend, or reject
“Erroneous Issuance” means: (a) issuance of a                            such Certificate Applications, use hardware and
Certificate in a manner not materially in accordance                     software designated by [Affiliate], and instruct
with the procedures required by the Managed PKI                          [Affiliate] to issue, suspend, renew and revoke
Administrator’s Handbook (b) issuance of a Certificate                   Certificates in accordance with the Managed PKI
(other than a Class 1 Certificate) to a Person other than                Administrator’s Handbook published at the Managed
the one named as the subject of the Certificate, or (c)                  PKI Control Center, as amended, and in accordance
issuance of a Certificate (other than a Class 1                          with Identrus LLC specifications. Customer shall
                                                                         transmit to [Affiliate] any requests it may have for
                                         [Affiliate] Master Services Agreement -- Confidential
                                                              Version 2.0
                                                                                                                        Exhibit “I”
                                                                                                                           Page I-2
revocation of Certificates issued by Customer. If an                     Identrus root CA. Customer’s Private Key of each key
Administrator ceases to have the authority to act as                     pair shall be stored in one or more Certificate Signing
Administrator on behalf of Customer, Customer                            Units. Additional key pairs may be generated for
Contact shall promptly request revocation of the                         additional CAs at a later date upon request by Customer
Administrator Certificate of such Administrator.                         for an additional fee.
                                                                         (f) Identrus Compliant. In addition to the express
3.        [AFFILIATE] OBLIGATIONS                                        limited warranties contained in this Agreement,
(a) Provision of Services. [Affiliate] shall provide                     [Affiliate] warrants to Customer that [Affiliate] has
Customer with the Services as set forth in this Exhibit                  substantially complied with most current Identrus LLC
for a period of twelve (12) months commencing on the                     Regulations made available to [Affiliate]. The services
Effective Date of this Agreement (the “Identrus                          are fully Identrus compliant when used for Identrus PKI
Managed PKI Service Period”). [Affiliate] shall issue,                   solutions.
manage, revoke, and/or renew Certificates in
accordance with the instructions provided by Customer                    4.     DISCLAIMER
and its Administrator(s) and in accordance with                          EXCEPT FOR THE EXPRESS LIMITED
Identrus LLC audit and security requirements.                            WARRANTIES CONTAINED IN THE
(b) Administrator Certificate. Upon approval of the                      AGREEMENT AND IN THIS EXHIBIT,
Certificate Application(s) of the Administrator(s),                      [AFFILIATE] MAKES NO OTHER WARRANTIES
[Affiliate] shall issue an Administrator Certificate to                  WHATSOEVER AND HEREBY DISCLAIMS ALL
each such Administrator. Such Certificates shall be                      LIABILITY AND RESPONSIBILITY FROM THE
valid for twelve months concurrent with the Identrus                     ERRONEOUS ISSUANCE OR IMPROPER
Managed PKI Service Period.                                              VALIDATION OF ANY CA SIGNING REQUEST
(c) Certificate Issuance. Upon Customer’s approval                       RECEIVED FROM IDENTRUS ON BEHALF OF
of a Certificate Application, [Affiliate]: (i) shall be                  CUSTOMER. FURTHERMORE, CUSTOMER
entitled to rely upon the correctness of the information                 ACKNOWLEDGES THAT IT IS A MEMBER IN
in each such approved Certificate Application, and (ii)                  GOOD STANDING WITH THE IDENTRUS LLC
shall issue a Certificate to the Certificate Applicant                   AND SUCH GOOD STANDING STATUS IS A
submitting such Certificate Application.                                 REQUIREMENT OF THE IDENTRUS LLC
(d) Certificate Lifecycle. Certificates issued or                        FINANCIAL ORGANIZATION OF WHICH,
licensed under this Exhibit shall have a validity period                 CUSTOMER HAS SOLE RESPONSIBILITY TO
as determined by Identrus LLC specifications.                            MAINTAIN AND WHICH SHALL HAVE NO
(e) Key Generation. During a single Key Generation                       BEARING ON THE SERVICES PROVIDED BY
event, [Affiliate] shall generate for Customer, pairs of                 [AFFILIATE] TO CUSTOMER.
CA keys for use in all Certificates issued by [Affiliate]
for use in Customer’s Private Hierarchy, under the




                                         [Affiliate] Master Services Agreement -- Confidential
                                                              Version 2.0
                                                                                                                        Exhibit “I”
                                                                                                                          Page I-2
                                                     EXHIBIT I
                                           DIGITAL NOTARIZATION SERVICE

                         [Affiliate should include only if it has the right to provide this service.]

BACKGROUND                                                                          (b) Verification. HTML text explaining the
     Customer desires to access to [Affiliate]’s Digital                  contents of a Digital Receipt may be generated and sent
Notarization service which enables Customer to                            along with the Digital Receipt by [Affiliate] to
timestamp documents, all on the terms and conditions                      Customer’s end user. Customer acknowledges that such
set forth below.                                                          HTML text is for Customer’s convenience only and is
                                                                          not necessarily secure. To verify that a Digitally
SERVICE TERMS AND CONDITIONS                                              Notarized document has not been altered since the time
                                                                          that the Digital Receipt was generated and to obtain the
1.        DEFINITIONS                                                     time of receipt by [Affiliate] of the document or hash of
“Digital Receipt” means a token which includes (i) the                    the document, a relying party must (a) verify the digital
hash of the subject document submitted for Digital                        signature in the Digital Receipt, read the hash contained
Notarization and (ii) the time that the subject document                  in the Digital Receipt, and compare the hash in the
or the hash of the document was received by [Affiliate]                   Digital Receipt with the hash of the document being
for Digital Notarization, both of which are signed by                     verified to verify that the two are the same, or (b)
[Affiliate].                                                              access [Affiliate]’s database of Digital Records via
“Digital Record” means a record containing the                            [Affiliate]’s Web-based interface.
following information: (a) Digital Receipt and (b) other                            (c) Storage. Customer shall retain all of its
information requested by [Affiliate] and entered by the                   Digital Receipts and Digitally Notarized documents. A
end user at the time of Digital Notarization such as                      Digital Record is stored by [Affiliate] for a period of at
name and description of the Digitally Notarized                           least one (1) year from the creation thereof. Storage for
document.                                                                 an additional period is subject to [Affiliate]’s offer of
“Digital Notarization” means the process by which                         such additional services and Customer’s payment of
[Affiliate] (a) reads the time of receipt by [Affiliate] of               applicable fees. [Affiliate] does not store a copy of a
a document or a hash of a document submitted by an                        Digitally Notarized document.
end user, (b) creates a hash of the document if the                                 (d) Availability of Digital Record. Customer
information submitted is a document (as opposed to the                    acknowledges that [Affiliate] may provide Digital
hash of a document), (c) creates a token that includes                    Record(s) of Customer to a third party if required by
the time of receipt and the hash, (d) adds a digital                      law, a subpoena, a warrant, or a judicial or
signature from [Affiliate] to the token to create a                       governmental request, requirement, or order.
Digital Receipt, (e) delivers the Digital Receipt to the
requesting end user, and (f) stores the Digital Record.                   3.       CUSTOMER’S SUBSCRIBERS
                                                                                   Customer shall cause subscribers receiving
2.        DIGITAL NOTARIZATION SERVICE                                    Certificates hereunder to abide by the terms of this
          (a) Access to Digital Notarization Service.                     Agreement and this Exhibit.
Customer may access [Affiliate]’s Digital Notarization
service using either of the following methods: (a)                        4.     DISCLAIMER
access via Customer’s customized applications which                       CUSTOMER ACKNOWLEDGES THAT
may integrate and utilize [Affiliate]’s Digital                           [AFFILIATE]’S DIGITAL NOTARIZATION
Notarization software development kit to perform                          SERVICE PROVIDES TIMESTAMPING OF A
Digital Notarization (subject to Customer’s payment of                    DOCUMENT AND IS NOT A “NOTARIZATION,” A
fees for such development kit, if any, and fees for the                   “NOTARIAL ACT,” OR ANY OTHER ACT OF A
Digital Notarization service); (b) access via [Affiliate]’s               “NOTARY PUBLIC” AS THOSE TERMS MAY BE
Web-based interface (subject to payment of applicable                     DEFINED UNDER APPLICABLE LAW.
fees for the Digital Notarization service).



                                          [Affiliate] Master Services Agreement -- Confidential
                                                               Version 2.0

				
DOCUMENT INFO
Shared By:
Stats:
views:53
posted:3/25/2011
language:Italian
pages:29