Qualified and Advanced Electronic Signatures)

Terms and Conditions of Use Swisscom certification service (Qualified and advanced Electronic Signatures)

Terms and Conditions of Use for the use of the Swisscom qualified certificate is permitted in connection with the use certification service with qualified and advanced certificates of the trust service in accordance with these Terms and Con- for qualified and advanced electronic signatures (Swisscom ditions of Use ("limitation of use"). certificate class "Saphir and Diamant") 2.2 Identity verification process and retention of the information Swisscom or the registration authority appointed by 1 Scope of these Terms and Conditions of Use Swisscom checks your identity in the identity verification pro- These Terms and Conditions of Use shall apply in the rela- cess. For qualified electronic signatures, this is done by tionship between you and Swisscom (Schweiz) AG, Alte means of your passport or an identity card allowing travel to Tiefenaustrasse 6, Worblaufen, Switzerland, company ID Switzerland. Depending in each case on the actual organisa- CHE-101.654.423 (hereinafter "Swisscom") for your use of tion of the identity verification process, you may be re- the Swisscom certification service with qualified and ad- quested in the verification process for advanced electronic vanced certificates for qualified and advanced electronic sig- signatures to also submit other documents than those re- natures. quired for qualified electronic signatures.

2 Swisscom’s Services Based on your identify verification process for qualified electronic signatures, you may also create advanced electronic 2.1 Certification service in general signatures in accordance with these Terms and Conditions of For your certification services with qualified certificates, Use where the subscriber application used by you offers dif- Swisscom is an accredited certification services provider in ferent types of signatures. However, not every identity verifi- Switzerland pursuant to the Swiss Federal Act concerning cer- cation process for advanced electroniac signatures can also tification services in the area of electronic signature (Elec- be used for the superior grade signature level of the qualified tronic Signature Act, ZertES; SR 943.03) and is audited and electronic signature. supervised by the ZertES accreditation agency. For your certification services with advanced certificates, Swisscom pro- Swisscom registers and files the personal information about vides certification services in accordance with internationally you which is collected in the identity verification process in recognised technical standards. accordance with the applicable regulations. The handling of your data is described in section 6 of these Terms and Condi- In general, the certification service is provided in accordance tions of Use. with the Swisscom certificate policy in its then current ver- sion. This certificate policy – Certificate Policy (CP/CPS) for 2.3 Issuance of certificate and keys, creation of signature the issuance of "Diamant" (Diamond) class certificates (quali- Swisscom creates the qualified or advanced certificate and fied) and "Saphir" (Sapphire) class certificates (advanced) – the cryptographic pair of keys for the signing process on a form an integral part of these Terms and Conditions of Use. special server (Hardware Security Module, HSM). The quali- You can view and download the document online at fied or advanced certificate is a certificate which assigns to http://www.swissdigicert.ch/download_docs (in the “CH” you the public key of the asymmetrical cryptographic pair of section). keys. You alone have the activation data which allows you to use the private key by deploying your mobile phone (e.g. Mo- As part of the certification service, Swisscom creates a digital bile ID or SMS authentication process, see also in this regard certificate which includes personal information about you. sections 3 and 4 of these Terms and Conditions of Use). As Swisscom links this digital certificate with the file which you soon as you enter the activation data after being requested sign electronically (e.g. a PDF document of your bank). The to do so, Swisscom creates the qualified or advanced elec- electronic signature on the document is thereby assigned to tronic signature for you. you as an individual, just as if it were signed in your own hand, where the writing of the name on the document is as- For each signing process Swisscom creates a new digital cer- signed to the individual signing it. The result is that third par- tificate (with a short validity period of 10 minutes) with a ties can also rely on the electronic signature and on the infor- new pair of keys. mation contained in the digital certificate. 2.4 Verification of the electronic signature In each case, depending on the type of signature offered by The Swisscom certification service allows the validity of the the subscriber application (see section 3 in this regard), a electronic signature to be validated. Third parties also (often qualified electronic signature is created pursuant to Article 2 referred to as the "relying party") can validate the validity of letter e of the Electronic Signature Act (ZertES; SR 943.03) or your electronic signature (e.g. for qualified electronic signa- an advanced signature is created. No other type of use of the tures on the website www.validator.ch or generally with the

Swisscom (Schweiz) AG September 2018 Page 1 of 5

Terms and Conditions of Use Swisscom certification service (Qualified and advanced Electronic Signatures)

Adobe Systems Incorporated Adobe Acrobat programme). and separate from your mobile phone or encrypted and must The information provided in section 5 of these Terms and be protected from access by third parties. Conditions of Use must be noted concerning the legal effects If you do not use the mobile ID and use a password and a of the different electronic signatures. one-time password sent by SMS, you shall ensure that this is 2.5 Availability always entered on input screens of Swisscom systems. Fur- Swisscom shall endeavour to provide the certification service ther information about this can be found in this document. continuously. Swisscom shall not, however, be liable for en- You undertake to immediately stop creating signatures and suring that the signing service is constantly available. where necessary to change the access data (e.g. mobile ID Swisscom may limit the availability temporarily if this is nec- PIN or password) if your mobile ID PIN and/or the personal essary, for example, with regard to capacity limits, or the password which you have to provide in the SMS authentica- safety or integrity of the servers, or to perform technical tion process has been stolen or if you know or suspect that maintenance or repairs and this is for the purpose of provid- another person has acquired knowledge of it (compromise). ing the services properly or improving them (maintenance work). Swisscom shall endeavour in this process to take ac- In the event of the loss or theft of the SIM card or the end count of the interests of the users of the certification service. device including the SIM card, you undertake to have the SIM card blocked immediately. 3 Preconditions of use As soon as there are any changes to your mobile phone num- You have an adequate understanding of digital certificates ber, the SIM card used or the identity data, you shall inform and of qualified and advanced electronic signatures. your registration authority or Swisscom directly of these You use a device and log in to an internet portal or an appli- changes. cation which allow the Swisscom certification service to be You undertake to take every reasonable and readily available used (so-called “subscriber application”). For example, it may opportunity to protect your device and your mobile phone be your employer's accounting software or your bank's or in- from attacks and malware ("viruses", "worms", "Trojan surance company's internet portal. The terms and conditions horses" and the like), particularly through using software of the subscriber application used by you may result in limita- from an official source that is continually updated. tions in the use of the certification service. In particular, the subscriber application used by you determines whether you You undertake to check the electronic signatures after they can create qualified or advanced electronic signatures. The have been created in accordance with section 2.4 of these linking of the subscriber application to the Swisscom certifi- Terms and Conditions of Use and to promptly report any dis- cation service is the subject of a separate agreement (All-in crepancies in the digital certificate to Swisscom. Signing Service Agreement). You have a mobile phone for the multi-factor authentication when the signing process is triggered, e.g. SMS or Mobile ID can be used as authentication methods. The actual signature authorisation results from the connection of the subscriber application used by you. If the signature is authorised through Mobile ID, you must have a Mobile ID with a Swiss Mobile ID provider (e.g. Swisscom) in order to use the certification service. 4 Your cooperation obligations

You undertake as part of the identity verification process to provide Swisscom and/or the registration authority with complete and true information.

You undertake not to use any data relating to your personal information (date of birth etc.) for the secret number se- quence (PIN) for your mobile ID or for your personal password when using the SMS signature approval process. Any records of the mobile ID PIN and/or personal password must not be disclosed to any other person, must be kept securely

Swisscom (Schweiz) AG September 2018 Page 2 of 5

Terms and Conditions of Use Swisscom certification service (Qualified and advanced Electronic Signatures)

5 Legal effects of the electronic signature the law of a country other than Switzerland and that requirements as to form (such as the written form requirement) The certification service in accordance with these Terms and might not be met. Conditions of Use creates in each case either a qualified electronic signature pursuant to Article 2 letter e of the Swiss The use of certain technical algorithms is also subject to stat- Electronic Signature Act (ZertES; SR 943.03) or an advanced utory restrictions in certain states. It is your responsibility to electronic signature in accordance with Swisscom’s certifi- investigate the circumstances in this regard beforehand. cate policy. The inclusion of additional information in a digital certificate The subscriber application (see in this regard section 3 of (specific attributes such as, for instance, right of representa- these Terms and Conditions of Use) used by you to reach the tion for your employer) is purely declaratory, with the exist- certification service determines the type of signature (quali- ence of an attribute and its legal effects governed by the ap- fied or advanced electronic signature) for each signature pro- plicable law (agency law, corporate law etc.) and not within cess. Swisscom has no influence on this choice. the scope of Swisscom's influence or responsibilities. Swisscom shall only be responsible in this context for verify- Further, the subscriber application used by you to reach the ing evidence of an attribute at the time when the identity is certification service can either have a qualified time stamp verified using the documentary evidence requested by associated with the qualified or advanced electronic signa- Swisscom. Specific attributes in the digital certificates do not ture at the certification service, or the time stamp may be reflect all possible situations under civil law (collective signing dispensed with. Swisscom has no influence on this choice. An authority, signing authority only in special cases etc.). electronic signature is therefore created either with or with- out a qualified time stamp depending on the setting for the 6 Duration access to the Swisscom certification service. In verifying the Taking account of the preconditions of use pursuant to sec- signature (see in this regard section 2.4 of these Terms and tion 3 of these Terms and Conditions of Use, you may use the Conditions of Use) you can check to see whether or not the certification service in accordance with these Terms and Con- electronic signature is associated with a qualified time stamp. ditions of Use for a period of five years, although this period Only a qualified electronic signature which has a qualified shall be shortened accordingly for qualified electronic signa- time stamp associated with it is equivalent pursuant to Swiss tures if the period of validity of the identification document law to a handwritten signature, unless otherwise provided by presented by you expires earlier. law or contract (Article 14 Swiss Code of Obligations). De- 7 Handling of your data pending on the particular situation, certain documents require a handwritten signature in order to be legally effective. 7.1 General, Privacy Statement Swisscom collects, stores and processes only data which is An advanced electronic signature (unlike a qualified elec- needed to provide the certification service. Handling of the tronic signature) is not legally regulated in Switzerland and data shall be governed not only by the applicable Swiss laws does not meet the legal written form requirement within the (Swiss Data Protection Act, Swiss Electronic Signature Act for meaning of Article 14 of the Swiss Code of Obligations, which means that it does not have the same legal effects as a hand- qualified electronic signatures) but also by the certificate policy referred to above in section 2.1 of these Terms and Condi- written signature. The legal requirement of a handwritten tions of Use. signature can as a matter of principle only be replaced with equivalent effect by a qualified electronic signature, which The handling of your data is further governed by the privacy must not be confused with an advanced electronic signature statement for use of the certification service, which can be based on an advanced certificate in accordance with these accessed at www.swisscom.com/signing-service . Terms and Conditions of Use. 7.2 Identity verification documentation It is your responsibility before using the certification service For the purpose of creating the digital certificate and to to determine your requirements and the legal effects of the maintain the verifiability of the certification service, qualified electronic signature or the advanced electronic sig- Swisscom collects and stores the following data about you (to nature in this context. the extent this has been provided by you in the identity verification process in accordance with section 2.2 of these You acknowledge that the qualified or advanced electronic signatures created with the Swisscom Swiss certification ser- Terms and Conditions of Use): vice may have different, possibly less extensive effects under - A copy of the relevant pages of the identity document submitted by you (passport, identity card, possibly other documents according to section 2.2. if only advanced

Swisscom (Schweiz) AG September 2018 Page 3 of 5

Terms and Conditions of Use Swisscom certification service (Qualified and advanced Electronic Signatures)

electronic signatures are to be created) with the infor- 7.4 Data after completion of the signing process mation contained therein (in particular: gender, first Swisscom shall retain the data described in section 7.2 for the names, last name, date of birth, valid date of identity duration specified in section 6 of these Terms and Conditions document, nationality) of Use to enable you to use the certification service. Swisscom is further obligated by law in the case of qualified electronic - Mobile phone number signatures to retain various data concerning the identity veri- - Other information and documents provided by you in fication process, the digital certificate and the signing process the identity verification process (such as residential ad- for 11 years from the last signing process. In the case of address, email address, extracts of Commercial Register, vanced electronic signatures, in accordance with its certificate powers of attorney or other documentary evidence con- policy, Swisscom retains various data concerning the identity cerning specific attributes) verification process, the digital certificate and the signing process for 7 years from the last signing process. This ensures that If the identity verification process is conducted by video-chat, the digitally signed document can still be verified as correct in the following data shall additionally be captured and stored: the years after it is created. Swisscom shall in this process rec- - Photograph of you from the video call ord all relevant information concerning the data issued and re- ceived by Swisscom and shall keep it in safekeeping so that it - Photographs of the identity document submitted by you is available, for the purposes of enabling corresponding evi- - Audio recording of the video call dence to be provided in judicial proceedings, in particular, and ensuring continuity of the certification service. - Technical information (e.g. IP address) of the device used by you On the one hand, Swisscom shall retain the following data for this purpose: 7.3 Digital certificate Based on the data which has been provided by you and col- - Log files for the signing process (specifically includes lected in the identity verification process, Swisscom shall at business partner number, process number, process-re- the request of the subscriber application and with your stated lated data) consent issue a qualified or advanced certificate containing - Hash value of the signed document the following information concerning you: On the other hand, Swisscom shall retain the information - First names, last name or pseudonym specified in section 7.2 of the Terms and Conditions of Use and - Mobile phone number shall manage a certificate data base.

- Informal name for simplification purposes (e.g. first Swisscom shall delete the data described in this section 7.4 af- name) ter the expiry of a maximum of 17 years from completion of the identity verification process according to section 2.2 of - Two-digit ISO 3166 country code these Terms and Conditions of Use. In the case of identity ver- - Additional information e.g. to ensure the uniqueness of ification after the request only of advanced electronic signa- the digital certificate: tures in accordance with section 2.2, Swisscom shall delete - Name of company this data after the expiry of a maximum of 13 years after com- - E-mail address pletion of the identity verification process. - Number of the identity document presented 8 Involvement of third parties - Registration authority responsible for verification of identity Swisscom may engage third parties to perform its duties. Third parties shall be specifically engaged by Swisscom to - Time of issuance of digital certificate carry out the identity verification process (including retention The digital certificate is included in the electronically signed of the identity verification documentation) (registration au- file after completion of the signing process. Anyone in posses- thorities). sion of the digitally signed file may view the aforementioned 9 Liability and force majeure information from the digital certificate at any time. This ena- bles third parties to review personal information about you Swisscom must at all times fulfil the requirements which the and to also see that Swisscom as a Swiss certification service law and the technical standards impose on providers of certi- provider guarantees the certification of this data and the sign- fication services. Swisscom shall take appropriate state-of- ing process. the-art security measures for this purpose. You acknowledge

Swisscom (Schweiz) AG September 2018 Page 4 of 5

Terms and Conditions of Use Swisscom certification service (Qualified and advanced Electronic Signatures)

that despite all Swisscom's efforts, the use of modern tech- Swisscom may be forced to adapt both the certificate policy nology and security standards, and oversight by an independ- referred to in section 2.1 of these Terms and Conditions of ent agency with regard to compliance with the technical Use and these Terms and Conditions of Use. If any amend- standards and in the case of qualified electronic signatures ments are made, you shall be informed by Swisscom or by a oversight by the ZertES-accreditation authority with regard to registration authority delegated by it of the changes at least compliance with the statutory requirements, there can be no one month before the date they become effective and the guarantee that the certification service will be absolutely se- time limit you have for objecting. This information may be cure and free of defects. sent via SMS to the mobile phone number provided by you. You may refuse to accept the new Terms and Conditions by Unless Swisscom can prove that it is not at fault, it shall be revoking use of the certification service in accordance with fully liable to you for loss or damage incurred by you due to these Terms and Conditions as of their effective date. If you the fact that Swisscom has not complied with the obligations continue to use the certification service after their effective under the Swiss Electronic Signature Act. Unless Swisscom date, this shall be deemed to be acceptance of the amended can prove that it is not at fault, it shall be liable to you for Terms and Conditions. proven damages in the case of other contractual breaches (in particular in connection with advanced certificates and ad- 11 Applicable law and jurisdiction vanced electronic signatures) as follows: All legal relationships in connection with these Terms and Liability for material damage and financial losses due to sim- Conditions of Use shall be subject to Swiss law. ple negligence shall be limited to a maximum of CHF 5,000 for the entire contractual term. Swisscom's liability for indi- In the event of any dispute we will endeavour to resolve the dispute amicably. Subject to any mandatory jurisdictions (in rect loss or damage caused due to simple negligence, conse- particular for consumers pursuant to Art. 32 and 35 Civil Pro- quential losses, lost profit, data losses, loss or damage due to cedure Code), Bern, Switzerland, shall have jurisdiction. downloads, third party claims, and reputational losses shall be excluded. Swisscom shall at all times be fully liable to you 12 How to contact us for personal injury. Swisscom shall not be liable to you for the proper operation of third party systems, in particular not for If you have questions about the services provided in accord- the hardware and software used by you or for the subscriber ance with these Terms and Conditions of Use, you may con- application used by you for controlling the certification ser- tact Swisscom at the following website vice. www.swisscom.com/signing-service.

Swisscom shall not under any circumstances be liable to you for loss or damage incurred by you due to the fact that you have either failed to comply with or exceeded a limitation of use. Swisscom shall likewise not be liable to you if due to force majeure the performance of the service is occasionally interrupted, restricted in whole or in part, or rendered im- possible. The term “force majeure” includes in particular nat- ural phenomena of particular intensity (avalanches, flooding, landslides, etc.), acts of war, riots, and unforeseeable official restrictions. If Swisscom cannot fulfil its contractual obligations, the performance of the Agreement or the deadline for performing the same shall be postponed according to the force majeure event that has occurred. Swisscom shall not be liable for any loss or damage incurred by Customer because of the delay in the performance of the Agreement. 10 Amendments to the Terms and Conditions of Use

Swisscom reserves the right to amend and supplement these Terms and Conditions. In particular where amendments are made to the Federal Electronic Signature Act (ZertES; SR 943.03) and to its implementing legislation, and in the case of orders by the ZertES accreditation authority or an independ- ent agency for checking advanced electronic signatures,

Swisscom (Schweiz) AG September 2018 Page 5 of 5