1 Incorporation and Scope of Application
(1) These General Terms and Conditions (“GTC”) apply to all present and future contractual relationships in which SIGN8 GmbH, Fürstenrieder Str. 5, 80687 Munich, Germany (“SIGN8”), enters into an agreement with its customers for the use of the SIGN8 product portfolio or individual products thereof (the “SIGN8 Solution”). The SIGN8 Solution includes, in particular, (qualified) trust services, other certification services, as well as related support and consulting services. These GTC also apply to any pre-contractual obligations.
(2) The SIGN8 Solution is offered exclusively on the basis of these GTC. Any general terms and conditions of the customer that deviate from, contradict, or supplement these GTC shall not become part of the agreement between SIGN8 and the customer—even if SIGN8 is aware of them—unless SIGN8 has expressly agreed to their application in writing. This also applies if SIGN8 does not expressly object to differing terms in individual cases or if correspondence makes reference to general terms and conditions of the customer or of a third party, or refers to such terms.
(3) Unless otherwise agreed in writing, SIGN8 provides its services exclusively on the basis of the respective offer and agreement (the “SIGN8 License Agreement”), in conjunction with these GTC, the License Terms of Use, the applicable Service Level Agreements, the current Certificate Practice Statement and PKI Disclosure Statement, as well as the current SIGN8 Time Stamping Policy, all of which form an integral part of the agreement (together the “Contract Documents”). Use of our services is limited to the purposes and application areas described therein. Any use beyond this is at the customer’s own risk. SIGN8 accepts no liability for damages resulting from use outside these limitations.*
(4) A contract between SIGN8 and the customer is concluded by two corresponding declarations of intent of the contracting parties regarding the agreements set forth in the SIGN8 License Agreement (including all Contract Documents), in accordance with §§ 145 et seq. of the German Civil Code (BGB).
(5) Further information regarding SIGN8 trust services is publicly available at the following link: https://sign8.eu/trust/. This site provides details about SIGN8 as a Qualified Trust Service Provider, the Certificate Practice Statement, the PKI Disclosure Statement, and the Conformity Assessment Report.*
2. General Subject Matter of the Agreement and Scope of Services
(6) SIGN8 provides (qualified) trust services in accordance with Regulation (EU) No. 910/2014 (“eIDAS”) and Regulation (EU) No. 2024/1183 of the European Parliament and of the Council of April 11, 2024, amending Regulation (EU) No. 910/2014 with respect to establishing a European framework for digital identity (“eIDAS 2.0,” together the “eIDAS Regulations”) (the “Trust Services”), as well as additional certification and support services.
(7) The SIGN8 Solution is intended exclusively for businesses within the meaning of Section 14 of the German Civil Code (BGB) (including self-employed professionals) and for legal entities under public law such as corporations, institutions, foundations, and public authorities. Consumers within the meaning of Section 13 BGB are excluded from entering into agreements with SIGN8. Customers confirm that they are acting in a business capacity, and not as private individuals (consumers), upon entering into the agreement – specifically by explicitly confirming a required field when creating an organization during the registration process for the SIGN8 Solution. Permissible use by consumers as signers or users of the SIGN8 Solution within a signature process initiated by a customer remains unaffected.
(8) Details of the services offered are set out in the respective offer from SIGN8, in other Contract Documents, and in any individual agreements made in writing or text form. Such details constitute descriptions of services only and do not constitute guarantees. A guarantee is provided only if it is expressly designated as such.
(9) The Trust Services offered by SIGN8 include advanced electronic signatures (“AES” or “FES”), qualified electronic signatures (“QES”), advanced and qualified electronic seals (“QSeal”), qualified electronic timestamps (“QTimestamp”) within the meaning of the eIDAS Regulations, as well as the necessary technical environment.
(10) To verify compliance with the eIDAS Regulations, SIGN8 is regularly audited by a recognized conformity assessment body pursuant to Article 3 No. 18 of eIDAS. These audits review both the documentation (such as the security concept, Certificate Practice Statement, and other internal documents) and the actual provision of Trust Services and compliance with applicable requirements, prior to and at regular intervals. Further information on conformity assessments can be found in our Certificate Practice Statement, available at https://sign8.eu/trust.*
(11) SIGN8 is listed in the official EU Trusted List as a Qualified Trust Service Provider in accordance with the eIDAS Regulations. For a certificate to be legally recognized as qualified, validation must be performed using appropriate software that checks the specific qualified service against the information published in the EU Trusted List. If validation is not performed based on these trusted list entries, the certificate cannot be considered qualified under the eIDAS Regulations.
(12) The SIGN8 Solution is designed to accelerate, simplify, and digitize the customer’s existing document workflows. Upon conclusion of the agreement, the customer (licensee within the meaning of the License Terms of Use) receives the contractually agreed, non-exclusive right to use the SIGN8 Solution, as well as the technical ability to access the application and use its functionalities in accordance with the License Terms of Use. Use of certain features—particularly qualified trust services (e.g., qualified electronic signatures, seals, or timestamps) – requires prior successful identification or authentication.
(13) Legal or other advice regarding the type of signature, seal, or timestamp to be used, the nature of the contract, or any applicable formal or deadline requirements is not part of the services provided by SIGN8. SIGN8 makes available simple, advanced, and qualified electronic signatures, advanced and qualified electronic seals, qualified electronic timestamps, as well as the necessary technical environment. SIGN8 accepts no liability for any incorrect or unsuitable choice of signature, seal, or timestamp type.
(14) The servers used by SIGN8 to provide the SIGN8 Solution are located within the European Union.
(15) Depending on the selected product, qualified signatures and seals for supported file types are executed by the customer using their own qualified electronic signature creation device pursuant to Article 3 No. 23 eIDAS (a “Qualified Signature/Seal Creation Device” or “QSCD”) via a hardware component (such as a USB token) with a qualified certificate (“local access model” or “local QSCD”), or by SIGN8 via a QSCD operated by SIGN8 (“remote access model” or “remote QSCD”). The obligations of the contracting parties depend on the chosen signature model (see in particular Sections (45) and (59)c).*
(16) SIGN8 reserves the right to replace a local QSCD before the end of the respective usage period if required to comply with applicable law, for security reasons, due to SIGN8’s legitimate interests, or for other important reasons. In doing so, SIGN8 will take reasonable account of the affected customers’ interests.
(17) Customer identification for qualified services is generally not carried out by SIGN8 itself but by an external third-party provider. SIGN8 only receives confirmation of the customer’s identity from that third-party provider. In the case of a QSeal, however, SIGN8 verifies the relevant commercial register extract or a document from a comparable register of the legal entity.
(18) With SIGN8 Ident, SIGN8 offers an on-site identification service performed by contracted SIGN8 Ident agencies. Use of this service is governed by a separate agreement.
(19) With the SIGN8 Trust Center Infrastructure (TCI), SIGN8 offers customers an infrastructure for issuing and managing qualified electronic certificates. For this purpose, SIGN8 provides the customer with a fully or partially equipped system environment (data center) through which the customer, under the supervision and control of SIGN8, can create signature certificates. Use of this service is governed by a separate agreement.
(20) SIGN8 supports the digital signature formats PAdES (ETSI EN 319 142-1 V1.1.1 and EN 319 142-2 V1.1.1), JAdES (ETSI TS 119 182-1 V1.1.1), and CAdES (ETSI EN 319 122-1 V1.1.1 and ETSI EN 319 122-2 V1.1.1). Support of these formats enables the creation of advanced and qualified electronic signatures in line with the requirements of the eIDAS Regulations.*
(21) For billing and tracking purposes, the number of signatures used is recorded at the time a workflow is sent or when a signature request is created via the API.
(22) Third parties relying on trust services provided by SIGN8 (“Relying Parties”) are obligated to verify the validity of the relevant certificate or the verification result of a signature, seal, or timestamp before use. This can be done, for example, via the validation service provided by the European Commission, the DSS Demonstration WebApp (available at: https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation). In the case of qualified electronic timestamps, it is particularly important to verify whether the timestamp was correctly created and whether the certificate of the Time Stamping Unit (“TSU”) used for the signature was valid at the time of verification and had not been revoked or compromised. During the validity of the associated TSU certificate, this can be checked against the current revocation status (e.g., via OCSP); after expiry, the measures described in Annex D of ETSI EN 319 421 apply. The usage and validity limitations specified in the License Terms of Use and the Trust Service Policy must also be observed. In particular, any restrictions on the use of qualified timestamps documented in the current SIGN8 Time Stamping Policy must be followed. Furthermore, all other requirements, security notices, and usage restrictions arising from applicable agreements, policies, or other accompanying documents must be observed. Any use beyond these limitations is at the customer’s own risk.*
(23) SIGN8 may, without prior approval from the customer, engage subcontractors. A list of subcontractors acting as data processors can be made available by SIGN8 upon request. SIGN8 is generally free to change subcontractors, including identification providers, provided that SIGN8 continues to fully guarantee the agreed functionality and security standards.
(24) During the ordering process, customers are redirected to the website of an online payment service provider. To pay the invoice amount, customers must follow the instructions of the payment service provider, enter the data required for payment, and confirm the payment authorization. The payment transaction is then automatically executed by the payment service provider. Further information is provided during the ordering process and in our Privacy Policy. Please also note that the terms and conditions of the payment service provider apply.
(25) Unless explicitly stated otherwise in the respective offer or otherwise communicated in writing or text form to SIGN8 (via email to customerservice@sign8.eu), the customer hereby permits and authorizes SIGN8 to use its name and logo for promotional reference purposes in any form and on any medium by SIGN8 for the duration of the services and up to three years thereafter. For these purposes and to this extent, SIGN8 is released from any confidentiality obligations.
(26) All workflow documents are deleted six months after creation and sending of the workflow. The customer/user agrees that SIGN8 is entitled to send the customer/user a reminder email to the address provided at registration/signature before such deletion takes place.
3. Rights of Use and Copyrights
(27) The usage and copyright rights granted to the customer with respect to the SIGN8 Solution are governed by the SIGN8 License Terms of Use, which the customer accepts when entering into the SIGN8 License Agreement.
(28) The customer receives a non-exclusive, time-limited right, restricted to the duration of this agreement, to access the SIGN8 Solution and, through an application or an interface provided by SIGN8, to use the functionalities of the SIGN8 Solution as set forth in the order and the SIGN8 License Agreement. No further rights – particularly with respect to the SIGN8 Solution, the application, or the operating software – are granted to the customer. The customer expressly acknowledges that no intellectual property rights to the SIGN8 Solution, or parts thereof, are transferred, and that all such rights remain solely with SIGN8.
(29) The customer is not entitled to use the SIGN8 Solution beyond the scope permitted under the SIGN8 License Agreement, the SIGN8 License Terms of Use, and these GTC, nor may the customer allow third parties to use the SIGN8 Solution beyond that scope or provide them with access. In particular, the customer is not permitted to reproduce, sell, or temporarily transfer the SIGN8 Solution or parts thereof, including but not limited to renting, lending, or leasing. The customer is not authorized to decompile, disassemble, or perform any type of reverse engineering on the SIGN8 Solution or its components (cf. Sections 69d et seq. of the German Copyright Act (UrhG)).
(30) If the proper contractual use of the SIGN8 Solution is impaired by third-party intellectual property rights through no fault of SIGN8, SIGN8 is entitled to refuse the affected services. SIGN8 will promptly inform the customer of this and provide appropriate means for the customer to access their data. In such cases, the customer is not obliged to make payment in the respective amount, depending on to which extent the services he booked are affected. Any further claims or rights of the customer remain unaffected.
(31) Self-remedy by the customer to correct a defect is expressly excluded by SIGN8. The customer is required to notify SIGN8 of any defects known to them, including potential defects.
4. Data Protection and Data Security
(32) Personal data is processed in compliance with applicable data protection law, in particular with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR). Further information on data protection when using the SIGN8 Solution can be found in our Privacy Policy available on our website at https://www.sign8.eu/.*
(33) SIGN8 as well as its customers and users shall comply with all applicable data protection requirements and ensure that employees involved in connection with the agreement are bound in writing to maintain data secrecy and confidentiality, unless they are already subject to such obligations.*
(34) SIGN8 may disclose the personal data of a person using Trust Services to competent public authorities (such as government bodies and courts) where such disclosure is required under applicable legal provisions, and where it is necessary:
a. for the prosecution of criminal or regulatory offenses,
b. to prevent threats to public safety or order,
c. to fulfill statutory tasks of federal and state intelligence services, the Federal Intelligence Service, the Military Counterintelligence Service, or tax authorities, or
d. where courts or authorities order disclosure in the course of pending proceedings in accordance with applicable provisions.
Authorization to disclose data does not apply where disclosure is expressly prohibited by other laws. SIGN8 must document the transfer of personal data. Such documentation is retained for at least twelve months.*
(35) Where the competent authority has requested disclosure of data, it shall inform the affected person of the transfer. Notification may be omitted as long as fulfilling statutory tasks would be jeopardized and as long as the individual’s interest in notification does not outweigh this. Five years after the transfer, notification may be permanently waived if it can be established with near certainty that the conditions for notification will not arise in the future.*
(36) If the customer collects, processes, or uses personal data – whether independently or through SIGN8 – the customer guarantees that they are authorized to do so under applicable law, in particular data protection law, and indemnifies SIGN8 against any third-party claims in the event of a breach.*
(37) It shall be clarified that the customer retains full control over the data, both generally under the contractual relationship and specifically under data protection law. The customer has exclusive rights of disposal and ownership with respect to all customer-specific data (entered, processed, stored, and output data). SIGN8 does not exercise any control over data or content stored for the customer regarding the legality of its collection, processing, or use; this responsibility lies solely with the customer.
(38) The customer grants SIGN8 permission to process the data necessary for contract execution in compliance with applicable data protection laws.
(39) Where required, the parties shall separately enter into a data processing agreement in accordance with Article 28 GDPR, which shall be attached to the contractual documents.
(40) SIGN8 implements technical and organizational security measures to ensure data protection. The customer is generally not entitled to demand access to SIGN8’s premises, servers, operating software, or other system components.
(41) The content of documents uploaded by the customer to the SIGN8 portal is technically accessible to SIGN8 employees. However, authorized employees are only permitted to access such files in exceptional cases (e.g., support requests). The customer will be notified if such access becomes necessary.
5. Duties and Responsibilites of SIGN8*
(42) SIGN8 assures the customer that it will provide the certification and trust services within the scope selected by the customer and confirmed by SIGN8 at the time of contract conclusion, in accordance with the applicable legal requirements and/or contractually agreed frameworks – such as the eIDAS Regulation, the Certification Policy, and the Certificate Practice Statement.
(43) SIGN8 undertakes to provide the customer with all documents, data, details, and information necessary for the use of the SIGN8 Solution.
(44) SIGN8 expressly points out that both advanced and qualified electronic seals only confirm the origin and integrity of a document in accordance with Article 3(25) of eIDAS. For a QSeal, there is a presumption of the integrity of the data to which the QSeal is attached and of the correctness of the seal creator’s identity in accordance with Article 36 of eIDAS. A QES has the same legal effect as a handwritten signature (see Article 25 of eIDAS). A QSeal has the same legal effect as a corporate stamp (see Article 35 of eIDAS). A QTimestamp reliably proves the time at which an electronic document existed and establishes the presumption of the correctness of the date and time of the timestamp as well as its integrity (see Article 41 of eIDAS).
(45) SIGN8 undertakes to use only qualified electronic signature, seal, and timestamp creation devices (QSCDs) in accordance with Article 3(23) of eIDAS for qualified trust services, if the customer books a remote access model via a QSCD operated by SIGN8. In such cases, the creation of qualified signatures, seals, and timestamps takes place exclusively by means of a QSCD controlled and properly certified by SIGN8, such as a Hardware Security Module („HSM“), which complies with the requirements of the eIDAS Regulation and applicable security profiles. SIGN8 ensures that QES, QSeals, and QTimestamps are never generated outside such a QSCD. The use of private (signature) keys is carried out solely on behalf of and under the exclusive control of the (signature) key holder and solely for the creation of qualified electronic signatures, seals, and timestamps. The customer’s control over the generation of qualified electronic signatures, seals, or timestamps is ensured by the use of strong authentication procedures. Furthermore, SIGN8 ensures that key materials managed by SIGN8 for generating QSeals are used exclusively for seal creation; their use for other purposes, in particular for signatures or encryption, is technically excluded.
(46) SIGN8 undertakes not to use any information, documents, data, or other elements provided to it under the SIGN8 License Agreement, these GTC and other Contract Documents for purposes beyond fulfilling the contract. SIGN8 further undertakes not to share such elements with third parties, except with subcontractors involved in fulfilling this agreement or where the customer has expressly authorized or instructed such use. SIGN8 is released from confidentiality obligations only to the extent required by law.
(47) SIGN8 undertakes to perform its obligations under this agreement diligently and professionally. SIGN8 guarantees, both for itself and its subcontractors, that the services described in this agreement will be delivered at a level of security and confidentiality that meets the requirements of the eIDAS Regulation. The customer expressly acknowledges and accepts, however, that SIGN8 is subject only to an obligation of due care in the provision of services and not to a strict guarantee of results.
(48) SIGN8 undertakes to make every effort to ensure the security of SIGN8 and the user accounts created in the customer’s name. However, SIGN8 shall not be liable for any lack of vigilance or insufficient security measures on the part of the customer or users in maintaining the confidentiality of their user IDs and passwords.
(49) SIGN8 undertakes to conduct regular checks to verify the functionality and accessibility der SIGN8 Lösung. For this purpose, SIGN8 reserves the right to temporarily interrupt access to the application for scheduled maintenance.
(50) As a trust service provider, SIGN8 is liable under Article 13(1) of eIDAS for any damage caused intentionally or negligently to natural or legal persons as a result of a breach of obligations set out in the eIDAS Regulation. Since SIGN8 is a qualified trust service provider, it is presumed under Article 13(1), second subparagraph of eIDAS that any breach of duty was intentional or negligent, unless SIGN8 proves that the damage was not caused by intentional or negligent conduct. With respect to business customers, SIGN8 shall not be liable for minor negligence in the breach of non-essential contractual obligations. Liability beyond the statutory claims is excluded.
(51) In accordance with Section 6 of the German Trust Services Act (VDG), SIGN8 is liable for third parties engaged to perform its core tasks under the eIDAS Regulation, the VDG, and the statutory ordinance pursuant to Section 20 VDG, as if for its own. Section 831(1) sentence 2 of the German Civil Code (BGB) does not apply.
(52) SIGN8 is not liable for whether the license packages booked by users and the electronic signatures, seals, timestamps, or other validations included therein are suitable for the intended purpose or used correctly. It is solely the responsibility of the customer or user to ensure that the appropriate form of signature, seal, timestamp, or other validation is used for each document.
(53) SIGN8 aims to provide an average annual availability of 99% for the offered trust services. Planned maintenance periods and disruptions due to force majeure (e.g., natural disasters, acts of war) are excluded. In particular, SIGN8 is not liable for temporary difficulties or inability to access the SIGN8 Solution caused by circumstances beyond SIGN8’s control, not attributable to SIGN8, resulting from force majeure, or disruptions in telecommunications networks.
(54) SIGN8 cannot be held liable for delays resulting from late or defective transmission of information and data required for the provision of services by the customer or for errors not directly and exclusively caused by SIGN8. In particular, SIGN8 is not liable for defective transmission or receipt of information and data communicated between SIGN8 and the customer. SIGN8 is also not liable if emails sent to the customer and/or signatories during service provision end up in their spam folders and cause delays or missed deadlines.
(55) As long as SIGN8 is not yet a qualified trust service provider within the meaning of the eIDAS Regulation, the presumption of fault in favor of a claimant referred to in section (50) of these Terms does not apply. A natural or legal person claiming damage under Article 13(1), first subparagraph of eIDAS must itself prove the existence of a breach of duty and intentional or negligent conduct by SIGN8.
(56) SIGN8 reserves the right to revoke issued certificates in accordance with the Certificate Practice Statement (available at https://sign8.eu/trust) and in particular if:
a. the signature key certificate of the certification authority or of the competent authority has been revoked;
b. the customer is in default of payment for more than 30 days after prior written reminder and the granting of a grace period to fulfill the payment obligation;
c. SIGN8 becomes aware that the underlying root certificate (“Root Certificate”) or the certificate itself has been compromised or has been revoked by the competent authority. In such cases, SIGN8 is obliged to inform the customer without undue delay after becoming aware.
(57) SIGN8 reserves the right to reject a certificate application if the application documents are missing, incomplete, or incorrect, or if identification documents are incomplete, damaged, or incorrect. Once all data has been properly submitted, the certificate will be activated and issued.
(58) Certificates that have been revoked cannot be reactivated. Revoked certificates will not be replaced. If a new certificate is required, this must be agreed upon separately.
6. Customer Duties and Responsibilities
(59) The customer is required to fulfill all obligations necessary for the performance and proper execution of the SIGN8 License Agreement. In particular, the customer agrees to:
a. pay the agreed fees on time;
b. protect all assigned usage and access credentials, the key pair, as well as identification and authentication safeguards from access by third parties, and not share them with any unauthorized third party. The customer must in particular ensure that users do not allow others to use their user accounts on their behalf or by proxy, unless they assume full and unlimited liability for such use. The customer expressly confirms that any use of the services with these access credentials will be deemed to have been made by the corresponding users;*
c. in the case of a local access model or a locally deployed QSCD (as defined in Section (15) of these GTC), generate and use QES exclusively with a QSCD as defined in Article 3(23) of the eIDAS Regulation. The QSCD used by the customer is provided by SIGN8, complies with the requirements of the eIDAS Regulation and the applicable implementing acts, and is properly certified. The customer must further ensure that the private key is used exclusively for the creation of electronic signatures, and that any other use of the key – particularly for authentication or encryption purposes – is strictly prohibited. The customer also undertakes to use the key pair associated with the qualified certificate for electronic seals solely for the creation of QSeals; any other use, in particular for electronic signatures, timestamps, or data encryption, is prohibited;*
d. comply with all applicable laws when using SIGN8’s services and refrain from infringing upon the rights of third parties or violating legal regulations. The customer must also ensure that all intellectual property and copyright laws are respected (e.g., when uploading third-party texts or data to servers used by SIGN8). SIGN8 cannot be held liable for any infringement of such rights committed by the customer;;
e. obtain the necessary consent of each affected individual when collecting, processing, or using personal data in connection with the use of the SIGN8 Solution, unless a statutory legal basis applies;
f. not use or allow the use of SIGN8 services in an abusive manner, in particular not transmit or refer to any unlawful or offensive content, including but not limited to content that constitutes incitement to hatred, promotes or trivializes crime or violence, is sexually offensive or pornographic, poses a serious moral risk to children or young people or may impair their well-being, or is capable of damaging the reputation of SIGN8. The customer is furthermore responsible for ensuring the legality and validity of the customer documents used within the SIGN8 Solution that are the subject of the services. In this regard, the customer expressly acknowledges that SIGN8 has no knowledge of the data stored by the customer in the customer area or of the customer documents themselves, and that SIGN8 does not provide any moderation, selection, review, or control of any kind. SIGN8 cannot be held liable for the content of the customer documents;*
g. refrain from attempting, either personally or through unauthorized third parties, to access information or data without authorization, to interfere with programs operated by SIGN8, or to unlawfully penetrate SIGN8’s data networks;
h. indemnify and hold SIGN8 harmless from any third-party claims arising from unlawful use of the SIGN8 Solution by the customer, from use with the customer’s consent, or from disputes related to data protection, copyright, or other legal issues connected to the use of the SIGN8 Solution. If the customer becomes aware – or should reasonably become aware – of a potential violation, they must notify SIGN8 without delay;
i. back up all data transmitted to SIGN8 on a regular and risk-appropriate basis, but at least once daily, and create their own backup copies to ensure reconstruction in the event of data loss.* SIGN8 does not provide archiving of data beyond the services offered, though this service may be provided upon request. SIGN8 is not liable for any data loss, and the customer cannot claim compensation in such cases;
j. be responsible for the creation, maintenance, and deletion of customer accounts. SIGN8 assumes no responsibility in this regard, including for potential data loss caused, for example, by erroneous deletion of customer accounts;
k. ensure that the customer, the licensee, and the users are solely responsible for maintaining the confidentiality of their identification data and passwords. The customer must notify SIGN8 immediately in writing, and in particular by email, if it becomes apparent that a user account has been used without the user’s knowledge;*
l. inform SIGN8 if the certificate information is no longer accurate, or if there is reasonable suspicion that third parties have gained knowledge of the identification or authentication data, and revoke the affected certificates;*
m. when a customer document must be signed by one or more third-party signatories, provide SIGN8 with the contact details – including last name, first name, email address, and telephone number – of the authorized signatories via SIGN8. The customer is responsible for the accuracy of this data and guarantees to SIGN8 that all user and third-party signatory data is accurate, current, truthful, and not misleading. The customer further undertakes to update such data in the customer account in the event of changes so that it always remains correct and reliable;*
n. check all data and information for viruses before transmission and use up-to-date antivirus programs in line with industry standards.* The customer is also responsible for notifying SIGN8 of any cyberattacks, potential threats, or intrusion attempts by third parties against the customer account and/or user accounts;
o. back up the data stored in the system and any evaluations performed by SIGN8 via download no later than one week before the termination of the SIGN8 License Agreement, as access to these data sets will no longer be possible after termination;
p. create their own signer pool before assigning authorized signers in a workflow. The customer or licensee is required to internally maintain a list of authorized signers within their organization. SIGN8 expressly assigns responsibility for maintaining accurate and legally valid lists of authorized signers to the customer. SIGN8 does not verify whether a signer is in fact authorized to sign;
q. use the assigned private signing key exclusively for cryptographic functions within the provided secure cryptographic device (e.g., QSCD or HSM). Exporting or using the private key outside of the secure device is strictly prohibited;*
r. comply with the applicable SIGN8 Time Stamping Policy when using timestamps, particularly any restrictions on usage or validity as set out in the policy.*
(60) The customer is also required to notify SIGN8 without delay if any of the following events occur before the expiration date stated in the certificate:*
a. the user’s private key has been lost, stolen, or may have been compromised;
b. control of the user’s private key has been lost due to compromised activation data (e.g., PIN code) or for other reasons;
c. the customer or the user becomes aware of inaccuracies or changes in the content of the certificate.
(61) If the user’s private key gets compromised in any way, the customer must immediately and permanently cease using that key, except for decrypting the key itself.*
(62) If the customer is notified that a user’s certificate has been revoked or compromised, they are obligated to ensure that the user no longer uses the private key.*
(63) The use of hardware and software not provided under the contractual relationship with SIGN8 or not part of the SIGN8 Solution is at the customer’s own risk.
(64) Prerequisites for using the SIGN8 WebApp are a functional internet connection and an up-to-date browser/client. Outdated or unsupported browser/client versions may lead to display errors or malfunctions.
(65) Providing these prerequisites, as well as telecommunications services including transmission from the point of delivery to the customer’s devices, is not part of the SIGN8 License Agreement and the rights and obligations set forth in these GTC and thus remain the responsibility of the customer.
(66) The customer expressly acknowledges that signed, sealed, or timestamped data must, if necessary, be re-protected by appropriate measures before the security value of the existing signatures, seals, or timestamps decreases over time.*
(67) A customer acting as a legal entity that applies for and has been granted authorization for advanced and qualified seals by SIGN8 has accepted SIGN8’s General Terms and Conditions, Privacy Policy, and License Terms. The legal entity is also authorized to grant further individuals within its organization the right to use advanced and qualified seals. The legal entity undertakes to bind such authorized individuals to comply with SIGN8’s General Terms and Conditions, Privacy Policy, and License Terms, which the legal entity itself has accepted. The company is liable for the individuals it selects and authorizes to apply advanced or qualified seals on behalf of the legal entity.
(68) A customer may only use a qualified certificate issued by SIGN8 within the applicable and permissible legal framework, and does so at their own responsibility. This also applies to the use of batch signatures. The determination of whether the certification concept meets the requirements of a specific application and whether the qualified certificate is suitable for that purpose lies with the certificate holder.*
(69) The certificate holder is responsible for independently verifying the validity of an issued certificate using current revocation status information. The customer is also responsible for independently verifying the validity of an issued timestamp using current revocation status information.*
7. Payment Terms
(70) The fees for the services agreed under the SIGN8 License Agreement will be invoiced to the customer after issuance of the certificate and transmission of the identification data. All SIGN8 prices are quoted exclusive of the applicable statutory value-added tax (VAT).
(71) Customers with a registered office outside of Germany are required to provide a valid proof of business status (e.g., an official certificate or a valid VAT identification number) no later than at the time the order is placed and at least ten days before the agreed service period ends. If this proof is not provided on time, SIGN8 is entitled to charge German VAT on the contractual services, to the extent required by German VAT regulations. Such VAT may also be charged retroactively.
(72) If the customer requests changes to the information provided in the course of their order, they shall bear the costs incurred according to the agreed price rates. This specifically applies where the customer is responsible for incorrect information, for example due to culpable transmission of wrong or incomplete data.
(73) The customer may only offset claims that are undisputed or have been finally established by a court of law. A right of retention may only be exercised with respect to claims arising from the same contractual relationship with SIGN8.
8. Data Storage
(74) SIGN8 stores its customers’ documents in Western Europe using AES-256 encryption.
(75) The following records will be retained for the entire operational lifetime of SIGN8:*
a. records of the data used during registration or for the provision of advanced and qualified signature, seal, or timestamp services and the required end devices, including information on whether the provision was made to the customer or – if different – to another user;
b. data related to the certificate lifecycle;
c. the certificates themselves;
d. the identity data of signers and seal holders;
e. specific attributes included in the certificate;
f. information about subsequent suspensions and revocations; and
g. relevant log data.
(76) If SIGN8 discontinues its operation as a trust service provider, it will notify its customers in advance using the contact details provided during registration. The responsible handling of data entrusted to SIGN8 is ensured through a regulated termination plan. All rights and obligations under this contract, as well as documents and data, will be transferred to another qualified trust service provider, where possible, or otherwise handed over to the competent supervisory authority. All evidence will be preserved for at least eleven years after operations cease. Customers have the right to terminate the agreement at the time of transfer; SIGN8 will expressly inform customers of this right in the termination notice. Further information on the termination plan is available in our Certificate Practice Statement (accessible viahttps://sign8.eu/trust/).*
9. Improper Use of SIGN8
(77) SIGN8 may suspend access to the SIGN8 solution and its data if the customer unlawfully breaches any material obligation set forth in these GTC and the SIGN8 License Agreement, in particular the obligations described in sections (59)f and (59)g of these GTC. Access will only be restored once the breach of the relevant material obligation has been permanently remedied, or the risk of recurrence has been eliminated through the submission of a suitable cease-and-desist declaration with penalty undertaking to SIGN8. The customer remains obligated to pay the agreed fees even during such suspension.
(78) SIGN8 may delete affected data in the event of a breach of the obligations described in sections (59)f and (59)g.
(79) The customer (licensee) is liable for any unlawful breach of the obligations described in sections (59)f und (59)g committed by an authorized user.
10. Defect remediation
(80) SIGN8 does not warrant that SIGN8 products are entirely free of defects or that they will operate without interruption or error. For further information, please refer to our Service Level Agreements.
(81) All products are provided “as is” without any warranties.
(82) Defects must be reported to SIGN8 by the licensee and/or customer immediately, in writing, and must include a precise description of the defect.
(83) If defects occur in contractually agreed features or functions, SIGN8 will correct them proactively.
(84) If a defect is not remedied despite two correction attempts by SIGN8 within a reasonable time period set by the customer, or if remediation is impossible, the customer may reduce the license fee for the affected product accordingly. In the event of a material defect, the customer may terminate the SIGN8 License Agreement after providing prior written notice.
(85) If a defect report is unfounded (for example, due to user error or misapplication of the software), SIGN8 may charge the licensee for the costs of troubleshooting based on the actual time spent, particularly if the reported defect cannot be demonstrated, reproduced, or attributed to SIGN8.
(86) Defect claims expire in accordance with Section 195 of the German Civil Code (BGB, standard limitation period) within three years from the provision of the last service or from acceptance. Statutory limitation periods remain unaffected where Sections 438(1) no. 2 or 634a(1) no. 2 BGB prescribe longer periods, in cases of intentional or grossly negligent breach of duty by SIGN8, fraudulent concealment of a defect, injury to life, body, or health, or claims under the German Product Liability Act.
(87) As the software is not purchased but only licensed for use, liability under the German Product Liability Act is excluded to the extent permitted by law.
(88) Any additional defect claims are excluded to the extent permitted by law.
11. Reporting of Security Incidents
(89) Customers are provided the opportunity to report security-related incidents via a dedicated contact form available on our website at https://sign8.eu/trust.*
12. Evidence Agreement
(90) The customer expressly acknowledges and agrees that:
a. the data collected via SIGN8’s website and IT systems shall serve as evidence of the transactions carried out under this SIGN8 License Agreement; and
b. such data constitutes the primary admissible evidence between the parties, particularly with respect to calculating amounts owed to SIGN8.
(91) The customer may request access to the data necessary for evidentiary purposes from SIGN8.
13. Amendments and Price Adjustment Clauses
(92) SIGN8 reserves the right to submit change requests only in cases where there is a reduction in the scope of services or availability, or if certain features or functionalities become limited for the customer. Beyond that, SIGN8 may implement adjustments or changes that do not disadvantage the customer without requiring a formal change request.
(93) SIGN8 GmbH reserves the right to amend these Terms and Conditions at any time. Customers will be notified of any changes by email or directly via the SIGN8 Solution at least four (4) weeks prior to the changes taking effect. Customers may object to the application of the new Terms and Conditions within four (4) weeks after receiving the notification. If no objection is made, the amended Terms and Conditions will become part of the agreement once the four-week period has lapsed. SIGN8 will explicitly point out this deadline in the change notification. Excluded from this right to amend are provisions that concern the core contractual obligations of the parties and thus materially alter the balance of the parties’ main performance and payment obligations, as well as other fundamental contractual provisions that would be equivalent to entering into a new agreement. Such changes require an explicit contractual agreement.
(94) SIGN8 is entitled to adjust its service prices at its reasonable discretion if the costs of providing its services change. This applies in particular to changes in procurement costs, service delivery costs, or value-added tax. A price adjustment is only considered if the total costs increase or decrease by at least five percent (5%). In doing so, SIGN8 will account for both cost reductions and cost increases equally. Any adjustment will take effect no earlier than four (4) weeks after the customer has been notified. If the price increases by more than five percent (5%), the customer has the right to terminate the agreement in writing or text form within four (4) weeks after receiving the notification. SIGN8 will expressly inform the customer of this termination right in the notification.
14. Terms, Duration and Termination
(95) The agreement begins on the date set forth in the SIGN8 License Agreement (including the attached offer) and continues until the end of the agreed contractual term.
(96) Either party may terminate the SIGN8 License Agreement for good cause. In particular, SIGN8 may terminate the SIGN8 License Agreement without notice if:
a. the licensee is in default on two consecutive payments or, in total, for more than two months, and still fails to make payment after an appropriate grace period; or
b. it becomes apparent that the SIGN8 License Agreement was mistakenly concluded with a private individual (consumer). In such cases, services already rendered will be unwound in accordance with statutory provisions. Before issuing a termination, however, SIGN8 will provide the customer the opportunity to prove their business status or to amicably rescind the agreement.
(97) Termination must be made in writing.
(98) SIGN8 contracts exclusively with businesses and self-employed professionals as defined in Section 14 of the German Civil Code (BGB). Accordingly, there is no right of withdrawal (Widerrufsrecht).
15. Complaints and Dispute Resolution*
(99) If you have a complaint about our services or products, please contact our customer support team at customerservice@sign8.eu. Please include a detailed description of the issue and your contact details.
(100) In the event of disputes, the parties will seek to reach an amicable resolution, taking into account existing agreements, applicable provisions, and governing law.
(101) The SIGN8 Solution is not provided to consumers as defined by Sections 13 et seq. BGB. Accordingly, SIGN8 is neither obliged nor willing to participate in dispute resolution proceedings before a consumer arbitration board.
16. Final Provisions
(102) All legal relationships between SIGN8 and the customer are governed by German law. The UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.*
(103) If any provision of these GTC is or becomes invalid, the validity of the remaining provisions shall not be affected. In such case, the parties will replace the invalid provision with a valid one that most closely reflects the economic purpose of the omitted provision in a legally permissible manner.
(104) The exclusive place of jurisdiction, to the extent legally permissible, is Munich, Germany.
(105) The place of performance for both SIGN8 and users of the SIGN8 Solution is Munich, Germany.
17. Contact Details of SIGN8*
SIGN8 GmbH
Fürstenrieder Str. 5
80687 München
Telephone: +49 89 2153 7472 000
E-Mail: info@sign8.eu
Website: www.sign8.eu
The sections and chapters of our GTC marked with an asterix (*) constitute mandatory information required under the legal and regulatory obligations of SIGN8 GmbH as a certified Qualified Trust Service Provider (QTSP), in particular pursuant to the eIDAS Regulation, the applicable ETSI standards, and the German Trust Services Act (Vertrauensdienstegesetz).