TuringSign General Terms & Conditions

These TuringSign Certificates Terms of Use (“Certificate Terms of Use”) apply to the products and services provided by TuringSign Pte Limited, a company incorporated in Geneva, Switzerland under the laws of Switzerland to an entity or person (“Customer”), as identified by the TuringSign management portal or related API made available to Customer (“Portal”) or individually issued certificates on TuringSign E-commerce platform. The Terms of Use apply throughout the certificate life cycle, from when the Customer issues it until its expiration date.

By accepting or signing an agreement that incorporates these Certificate Terms of Use, the accepter or signer acknowledges that he/she has read and understood this Terms of Use. If Customers are to access the Site on behalf of a legal entity, he/she is (i) acting as the authorized representative of the Customer to the Agreement in discussion, (ii) has the authority to obtain the company’s official stamp, seal or signatures, (iii) can verify the authenticity of the Customer’s website, (iv) control all uses of the Certificate, and (iv) is expressly authorized by Customer to approve Certificate requests on Customer’s behalf. In the event of any discrepancy between these Terms and Conditions and a proposal accepted by a Subscriber, these Terms and Conditions shall apply unless explicitly stated in the proposal that it is the intention of the parties to modify the General Terms and Conditions.

Changes to the Terms of Use

TuringSign reserves the rights to revise and update these Terms of use in our sole discretion. All changes are effective immediately when they are posted on the official website.

1. TuringSign Website Account Users:

TuringSign reserves the rights to disable or restrict access, withdraw or amend any parts of the Site at any time, including services or materials provided, without prior notice. We will not be liable for any part of the Site becoming unavailable at any time period. Website Users may be asked to provide certain registration details or information when accessing the Site, in such case, Website Users are required to provide correct, updated and complete information and take responsibilities for any wrongful information. Website Users must treat authentication credentials, including but not limited to usernames, passwords, as confidential and not disclose to any other person or entity. Website Users are required to notify TuringSign immediately of any unauthorized access or use of such credentials for any security breach. TuringSign reserves the rights to disable usernames, passwords, accounts if any defects from provision of Terms and User are identified at any time.

2. Intellectual Property Rights

Subscriber acknowledges that TuringSign, its vendors and licensors retain all property rights to its contents, features (including but not limited to information, software, design, images, videos); any reproduction, distribution, modification without prior confirmation from TuringSign are considered violation of this Term of Use.

3. CertifyID Account Users:

Customers granted an account user under TuringSign Certificate Management Portal CertifyID (hereby referred to as CertifyID) can request adding individuals as administrators under such account. Customers act as Certificate Requesters and communicate with TuringSign regarding the issuance and management of Certificates. TuringSign reserves the rights to validate and approve Certificates. Customer is responsible for periodically reviewing and reconfirming which individuals have authority to request Certificates. If Customer wishes to remove a Portal Account user, Customer will take the necessary measures to prevent such user’s access to the Portal, including (i) contacting TuringSign for removing such user’s account, or (ii) changing its password and authentication mechanisms. Customers are required to notify TuringSign immediately if any unauthorized use of the Portal Account is detected.

4. Requests:

Customer may request Certificates only for domain names registered to Customer, an affiliate of

Customer, or other entity that expressly authorizes TuringSign to allow Customer to obtain and manage

Certificates for the domain name.

5. Verification:

After receiving a request for a Certificate from Customer, TuringSign will review the request and attempt to verify the relevant information in accordance with the TuringSign Certification Practices Statement and applicable industry standards, guidelines and requirements, including laws and regulations related to the issuance of Certificates (“Industry Standards”). Verification of such requests is subject to TuringSign’s sole discretion, and TuringSign may refuse to issue a Certificate for any reason or no reason. TuringSign will notify Customer if a Certificate request is refused but TuringSign is not required to provide a reason for the refusal. “Certificate Practices Statement” (hereby referred to as “CPS”) means the applicable written statements of the policies and practices used by TuringSign to operate its public key infrastructure (“PKI”). For more information about TuringSign published CPS, go to our website at https://turingsign.com/wp-content/uploads/2022/08/turingsign-cps.pdf

6. Certificate Life Cycle:

The lifecycle of an issued Certificate depends on the type of Certificates and customizations made by Customer when placing an order, the requirements in the CPS, and the intended use of the Certificate. TuringSign may modify Certificate lifecycles for unissued Certificates as necessary to comply with requirements of: (i) the Agreement; (ii) Industry Standards. Customer agrees to cease using a Certificate and its related Private Key (defined below) after the Certificate’s expiration date or after TuringSign revokes a Certificate as permitted in the Agreement.

7. Issuance:

TuringSign will issue and deliver the requested Certificate to Customer using any reasonable means of delivery once validation is completed. Typically, TuringSign will deliver Certificates via email to an address specified by Customer as an electronic download in the Portal or in response to an API call made by Customer via the Portal. Customer will abide by all applicable laws, regulations and Industry Standards when ordering and using Certificates. Customer acknowledges that the while the Free Certificates are opened to any region, the Certificate types required validations are not currently available in countries or regions outside of APAC (as of 01 May 2023).

8. Certificate License:

Effective immediately upon initiating a request for a Certificate and continuing until the Certificate expires or is revoked, Customer may only use, for the benefit of the Certificate’s subject, each issued Certificate and related services (whether performed before or after issuance of the Certificate) and corresponding Key Set for the purposes described in the CPS, in accordance with all applicable laws, regulations, Industry Standards, and with the terms herein. Any Certificates trusted by Application Software Vendors are subject to all applicable Industry Standards requirements, including those found in applicable Application Software Vendor root store policies and the CPS, regardless of how the Certificates are used. Any use that is not allowed by applicable Industry Standards or the CPS is not permitted. TuringSign strongly discourages certificate or key pinning, using Certificates trusted for the web with non-web PKI, or any other use of Certificates that would make it difficult for Customer to meet the revocation timelines or other requirements of the CPS, and any such use will not be considered a sufficient reason to delay revocation. “Key Set” means a set of two or more mathematically related keys, referred to as Private Keys or key shares along with a Public Key, wherein (i) the Public Key can encrypt a message which only the Private Key(s) can decrypt, and (ii) even knowing the Public Key, it is computationally infeasible to discover the Private Key(s). Customer will promptly inform TuringSign if it becomes aware of any misuse of a Certificate, Private Key, or the Portal. Customer is responsible for obtaining and maintaining any authorization or license necessary to order, use, and distribute a Certificate to end users and systems, including any license required under United States’ export laws. SSL Certificates may be used on one or more physical server or device at a time; however, TuringSign may charge a fee for use of Certificates on additional servers or devices.

9. Key Sets:

A “Private Key” means the key that is kept secret by Customer that is used to create digital signatures and/or decrypt electronic records or files that were encrypted with the corresponding Public Key. A “Public Key” means Customer’s publicly-disclosed key that is contained in Customer’s Certificate and corresponds to the secret Private Key that Customer uses. Customer must (i) generate Key Sets using trustworthy systems, (ii) use Key Sets that are at least the equivalent of RSA 2048 bit keys, and (iii) keep all Private Keys confidential. Customer is solely responsible for any failure to protect its Private Keys. Customer represents that it will only generate and store Key Sets for Adobe Signing Certificates and EV Code Signing Certificates on a FIPS 140-2 Level 2 device. All other Certificate types may be stored on secure software or hardware systems. Customer is responsible for ensuring that Customer’s acquisition, use, or acceptance of Key Sets generated by TuringSign in accordance with the Agreement complies with applicable local laws, rules and regulations – including but not limited to export and import laws, rules, and regulations – in the jurisdiction in which Customer acquires, uses, accepts or otherwise receives such Key Sets. If Customer is permitted to import or export Private Keys (including copies) in connection with its use of specific TuringSign services, TuringSign will not be liable to Customer for Customer’s use or storage of Private Keys (including copies) that are not created in the applicable Portal or service or that are used outside such Portal or service, including after they are exported from the applicable Portal or service.

10. Publication of Certificate Information.

Customer consents to: (i) TuringSign’s public disclosure of information (such as Customer’s official organization name, domain name, jurisdiction of incorporation), embedded in an issued Certificate; and (ii) Customer’s Certificates and information embedded therein being logged by or on behalf of TuringSign in publicly-accessible Certificate transparency databases for purposes of detecting and preventing phishing attacks and other forms of fraud. Such publication of Certification information will be in accordance with the applicable CPS.

TuringSign will issue, manage, renew, and revoke a Certificate in accordance with any requests or reports submitted by Customer. Customer will provide accurate and complete information when communicating with TuringSign and will notify TuringSign within 5 Business Days if any information relating to its account on the Portal changes. Customer will respond to any inquiries from TuringSign regarding the validity of information provided by Customer within 5 Business Days after Customer receives notice of the inquiry. Certificates are considered accepted by Customer thirty (30) days after the Certificate’s issuance, or earlier upon use of the Certificate when evidence exists that the Customer used the Certificate. Although TuringSign will automatically send a reminder about activating Certificates or alert email about expiring Certificates, TuringSign is under no obligation to do so and Customer is solely responsible for ensuring Certificates are properly activated and renewed prior to expiration.

12. Defective Certificates.

Customer’s sole remedy for a defect in a Certificate (“Defect”) is to require TuringSign to use commercially reasonable efforts to cure the defect after receiving notice of such Defect from Customer. TuringSign is not obligated to correct a Defect if (i) Customer misused, damaged, or modified the Certificate, (ii) Customer did not promptly report the Defect to TuringSign, or (iii) Customer has breached any provision of the Agreement.

13. Warranty:

Customer acknowledges that the Relying Party Warranty is only for the benefit of Relying Parties. “Relying Party Warranty” means a warranty offered to a Relying Party that meets the conditions found in the Relying Party Agreement and Limited Warranty posted on TuringSign’s website at https://www.TuringSign.com/legal-repository. The Relying Party Warranty for Certificates issued from a QTSP or a TuringSign affiliate is posted at https://www.quovadisglobal.com/repository. Customer does not have rights under the Relying Party Warranty, including any right to enforce the terms of the Relying Party Warranty or make a claim under the Relying Party Warranty. “Relying Party” has the meaning set forth in the Relying Party Warranty. An Application Software Vendor is not a Relying Party when the software distributed by the Application Software Vendor merely displays information regarding a Certificate or facilitates the use of the Certificate or digital signature.

For each requested Certificate, Customer represents and warrants that: a. Customer has the right to use or is the lawful owner of (i) any domain name(s) specified in the Certificate, and (ii) any common name or organization name specified in the Certificate; b. Customer will use the Certificate only for authorized and legal purposes; c. Customer has read, understands, and agrees to the CPS; d. Customer will immediately report in writing to TuringSign any non-compliance with the CPS or Baseline Requirements; and e. the organization included in the Certificate and the registered domain name holder is aware of and approves of each Certificate request.

15. Restrictions:

Customer will only use a TLS/SSL Certificate on the servers accessible at the domain names listed in the issued Certificate. Additionally, Customer will not: a. modify, sublicense, or create a derivative work of any TLS/SSL Certificate (except as required to use the Certificate for its intended purpose) or Private Key; b. upload or distribute any files or software that may damage the operation of another’s computer; c. impersonate or misrepresent Customer’s affiliation with any entity; d. use a Certificate or any related software or service (such as the Portal) in a manner that could reasonably result in a civil or criminal action being taken against Customer or TuringSign; e. use a Certificate or any related software to breach the confidence of a third party or to send or receive unsolicited bulk correspondence; f. interfere with the proper functioning of the TuringSign website or with any transactions conducted through the TuringSign website; g. attempt to use a Certificate to issue other Certificates; h. submit Certificate information to TuringSign that infringes the intellectual property rights of any third party; or l. intentionally create a Private Key that is substantially similar to a TuringSign or third-party Private Key.

16. Certificate Revocation

TuringSign may revoke a Certificate without notice for the reasons stated in the CPS, including if TuringSign reasonably believes that:

1. Customer requested revocation of the Certificate or did not authorize the issuance of the Certificate;
2. Customer has breached the Agreement or an obligation it has under the CPS;
3. any provision of an agreement with Customer containing a representation or obligation related to the issuance, use, management, or revocation of the Certificate terminates or is held invalid;
4. Customer is added to a government prohibited person or entity list or is operating from a prohibited destination under the laws of the United States;
5. the Certificate contains inaccurate or misleading information;
6. the Private Key associated with the Certificate was disclosed or compromised;
7. the Certificate was (i) misused, (ii) used or issued contrary to law, the CPS, or Industry Standards, or (iii) used, directly or indirectly, for illegal or fraudulent purposes, such as phishing attacks, fraud, or the distribution of malware, other illegal or fraudulent purposes, or any other violations as outlined in the TuringSign Acceptable Use Policy;
8. revocation is necessary to protect the rights, confidential information, operations, or reputation of TuringSign or a third party.

17. Electronic

Email is the main form of communication between TuringSign and Customers. Customers agree that (1) the content of communication will be strictly limited to communication or notice about TuringSign products or services; (2) Customers will follow applicable law (including applicable electronic communications law and data privacy/data protection law); and (3) Customers will indemnify, defend and hold harmless TuringSign against third-party claims, government regulatory action or fines, and all liabilities, damages and costs.

18. Sharing of Information.

Customer acknowledges and accepts that if (i) the authority to request the Certificate cannot be verified, or (ii) the Certificate is revoked for reasons other than Customer request (e.g. as a result of private key compromise, discovery of malware, etc.), TuringSign is authorized to share information about Customer, any application or object signed with the Certificate, the Certificate, and the surrounding circumstances with other certification authorities or industry groups, including the CAB Forum.

19. Industry Standards.

Both parties will comply with all Industry Standards and laws that apply to the Certificates; if such an applicable law or Industry Standard changes and that change affects the Certificates or other services provided under the Agreement, then TuringSign may alter the services or amend or terminate the Agreement to the extent necessary to comply with the change.

20. Survival and Termination.

The Certificate Terms of Use survive the termination of the Agreement until all Certificates issued expire or are revoked.