# Identity issuers terms

General terms and conditions applicable to the services from Identity Issuers

(i) The Identity Issuers provide electronic identification solutions that may be used for authentication,signing and other services (the "Identity Issuers Services"). Subject to the Identity Issuer Terms below, the Customer may use the Identity Issuers Services. The Customer acknowledges and agrees that the Identity Issuers Terms applies in addition to the terms of this Agreement and that the Identity Issuers Terms shall prevail in the event of conflict.

(ii) The Customer is always responsible for becoming approved and qualified as a receiver of the relevant certificates, keys and passwords from the Identity Issuers.

(iii) The Customer is responsible for passing on certificates, keys and passwords to Signicat received from Identity Issuers. Further, Signicat may notify the Customer of certain certificates, keys and passwords from third parties that the Customer must pass on to Signicat, provided that the Customer is entitled to pass on such information.

(iv) Any new certificates replacing certificates already provided shall be passed on to Signicat without undue delay. If the Customer receives information from an Identity Issuer which it has reason believe is relevant for the fulfilment of this Agreement, or if the Customer has reason to believe any certificates, keys or passwords are incorrect, this information shall without undue delay be passed on to Signicat via the Signicat Portal.

(v) The Customer acknowledges and accepts that the Identity Issuers may change the Identity Issuers Services, as well as the Identity Issuers Terms. In the event of such changes, Signicat will inform the Customer in writing without undue delay. Additionally, the Customer agree that the Customer and its Affiliates shall, when providing their services, inform that their services are supported by the Identity Issuer Services, and that Signicat shall approve the manner in which the Identity Issuer Services is presented to the End Users, such approval not to be unreasonably withheld.

# Norwegian BankID

# 1. Terms and conditions for BankID

In furtherance of the Agreement, the Parties agree to add the following agreements pertaining BankID to the Agreement as part of Appendix 4:

(i) Merchant Agreement BankID: https://confluence.bankidnorge.no/confluence/display/RES/Brukerstedsavtaler (opens new window)

(ii) Standard Terms and Conditions for BankID (Distribution Agreement): https://confluence.bankidnorge.no/confluence/pages/viewpage.action?pageId=17635782 (opens new window)

(iii) Terms and Conditions for Issuers Liability https://confluence.bankidnorge.no/confluence/pages/viewpage.action?pageId=176357833 (opens new window)

(iv) Special terms for BankID AML https://confluence.bankidnorge.no/confluence/display/RES/Special+terms+for+BankID+AML (opens new window)

In case of conflict between the Agreement and the above-mentioned agreements, the latter shall prevail.

# 1.1 The customer's compliance

The Customer are responsible for ensuring that the service(s), which use the BankID service(s), is in accordance with rules and regulations for Norwegian BankID, and with applicable law.

Customer acknowledge and agree that Signicat and BankID Norway is entitled to terminate or suspend the right to use the BankID service(s) with immediate effect in the event of any breach of the obligations set out in this Section 1.1.

# Swedish BankID

# 1. Service description

The Swedish banks, Nordea Bank AB, Svenska Handelsbanken AB, and Swedbank AB (collectively the "BankID Banks") cooperate through the mutually owned company Finansiell ID-Teknik BID AB ("BID") to deliver an electronic identification solution that may be used for authentication and signing the "BankID Service", the electronic certificate that provides secure identification and digital signing online which is available to physical persons with a Swedish national identification number.

The BankID Banks offer the BankID Service for resale by service providers, such as Signicat. Signicat's integration module for the BankID Service allows other service providers, such as the Customer, to access the BankID Services through the Signicat Services.

Subject to the terms and conditions in the Agreement and this Appendix, the Customer and its Affiliates have the right to use the BankID Service. The BankID Service is issued in accordance with each BankID Bank's Policy and Certificate Policy Statement.

This Appendix remains in force as long as Signicat has a valid agreement with a BankID Bank, and the Customer may use the BankID Service as long as the Agreement between Signicat and the Customer and the agreement between Signicat the BankID Banks are in force.

# 2. Signicat's obligations

Signicat shall provide to the Customer the BankID Service through the Signicat Services if the BankID Bank accepts the Customer. Signicat will collect such consent from the BankID Bank on behalf of the Customer.

# 3. Customer's obligations

The Customer and its Affiliates shall ensure that their services that utilize the Bank ID Services are in accordance with applicable laws and regulations, any instructions or regulations from BankID Banks/BID communicated to the Customer by Signicat, and that the services does not: (vi) include discriminating, pornographic or otherwise offending material; (vii) risk harm to the trademarks or reputation of the BankID Banks; (viii) appear as unethical or immoral, or; (ix) put the BankID Banks at risk of any other economic harm.
The Customer is solely responsible for any costs related to integration between the BankID Service and the Customers service.

When the Customer use the BankID Services to identify End Users, this identification shall not be used to issue or use other electronic identities for End Users in any manner or form. If the Customer uses other identification – or signing solutions than the BankID Services, the issuing of such identities must be structured so that the verification of the user never directly or indirectly is based on or can be connected to the BankID Services.

The Customer must only use the BankID certificates in its own platform, website, service, portal or application.

ID-switching (Sw: ID-växling)

The Customer is not permitted to allow End Users to be identified with BankID and thereafter allow the End User to be identified by another identification method. By way of example:

(i) The End User logs into the Customer's application and is identified by BankID. After the End User has been identified, the End User is asked to log in with Touch ID. The next time the End User logs into the Customer's application, the End User is identified with Touch ID. In this example, the Customer must ensure that the End User uses BankID to log in every time. (ii) The End User log into the Customer's web site and is identified by BankID. After the login, the End User is asked to create a password for future login. In this example, the Customer must ensure that the End User logs in with BankID every time.

BankID-switching (Sw: BankID växling)

The Customer is not permitted to enable BankID-switching, i.e. that the Customer with the BankID certificates handles BankID identification or signing for third parties. It is important that the Customer, when using the BankID Service in the Customer's service, communicate clearly to the End User that logs in using BankID where the End User has logged in and who is the counterparty when signing, for instance, an agreement. Similarly, the display name the Customer uses must enable the End User to easily identify the Customer (the registered business name, or another name that is more known to the public), and it must be clearly set out what any agreements the End User's will sign with the Customer using BankID is regarding. By way of example, the following use of BankID certificates is not permitted:

(i) Company A manufactures Product B, creates a website, and uses as a display name for the BankID certificates "My pages". The correct handling would be for Company A to use its registered business name as display name, i.e. Company A, or the product name, Product B, if said product is well-known to the public. Use of the display name "My pages" does not clearly communicate to the End User where the End User is logging in. (ii) Company X creates an application where other companies are offered to enter into agreements with private parties and acquire BankID certificate. The private party, i.e. the End User, logs into Company X's application and is offered to enter into an agreement with Company Y. The End User thereafter use BankID to sign by way of Company Y's BankID certificate. In this case the End User is not offered the desired clarity by using BankID, as Company X's display name will appear, even though the End User is entering into an agreement with Company Y.

The Customer shall ensure that their users abide by the terms and conditions of the Agreement, as well as this Appendix.

# Finnish Trust Network

This appendix is part of the Agreement between Signicat and the Customer. It specifies obligations of the Parties when Signicat is providing the Signicat Services as a member of the Finnish Trust Network (“FTN”) in accordance with the Finnish Act on Strong Electronic Identification and Trust Services (617/2009).

If there is a contradiction between the terms of this Appendix and those of the Application Service Provider Agreement, the terms of this Appendix apply. Signicat reserves the right to change the terms of this Appendix following changes to applicable legislation or to Signicat’s contractual obligations with Identity Issuers.

As an ID broker in the FTN network, Signicat redirects End Users to their Identity Issuer, receives authenticated End User’s information from the Identity Issuer and returns the information to the Customer. Signicat has ID brokering agreements (based on Signicat Connect service) with Identity Issuers that are members of the FTN.

The Customer is obliged to comply with all applicable laws and regulations, including, but not limited to the Finnish Act on Strong Electronic Identification and Trust Services (617/2009) when using the Signicat Services.

# Technical terms and restrictions

In accordance with the Finnish Act on Strong Electronic Identification and Trust Services (617/2009), Identity Issuers may set restrictions to the use of the identity they issue. The Customer is obliged to comply with the restrictions and limitations.

The following restrictions apply to all strong eIDs:

a) WebSSO
Forwarding a strong e-identity authentication transaction and web session to an external 3rd party service provider is NOT permitted.

b) Creation of a strong FTN e-identity
Applicable only to TRAFICOM supervised entities. Only certified members of the Finnish Trust Network (FTN) may create new strong FTN e-identities based on an existing strong FTN e-identity provided in accordance with Finnish Act on Strong Electronic Identification and Trust Services (617/2009).

# Liability

Signicat is not liable for any damages to the Customer, End User or a third party caused by unauthorized use of electronic identity or the data brokered by Signicat. Unauthorized use means any use that does not comply with applicable legislation, with the restrictions and limitations on identity use defined by Identity Issuers, or with the contractual terms and conditions that apply between End Users and Identity Issuers.

If, based on an ID-brokering agreement, Signicat is liable to compensate an Identity Issuer the liability of the Identity Issuer for damages to an End User or a third party due to unauthorized use of the identity, the Customer is liable to compensate Signicat for the full amount, unless the damage is caused by Signicat’s breach of contract. No limitation of liability applies.

Last updated: 12/11/2020, 3:42:39 PM