General Terms and Conditions

1 Incorporation and Scope of Application

(1) The following General Terms and Conditions (“GTC”) shall apply to all contractual relationships in which SIGN8 GmbH – hereinafter referred to as “SIGN8” – concludes a contract with its customers for the use of the SIGN8 application.

(2) Unless otherwise agreed in writing, SIGN8 shall provide services exclusively on the basis of the respective offer and contract (“SIGN8 License Agreement”) in connection with the GTC described herein, as well as the added Service Level Agreements.

(3) Supplementary, deviating or contradictory terms and conditions, e.g. from the customer’s GTC or order forms, shall not become part of the contract unless expressly agreed in writing between the contracting parties. This shall also apply in the event that SIGN8 provides services without expressly objecting to such terms in advance.

(4) The GTC shall also apply to pre-contractual obligations, in particular with regard to liability conditions and confidentiality.

(5) A contract between SIGN8 and the customer shall be concluded by two concurrent declarations of intent by the contracting parties regarding the agreements concluded in the contracts (License Usage Agreement, Offer) pursuant to §§ 145 et seq. BGB (Bürgerliches Gesetzbuch – German Civil Code).

2 General subject matter of the contract and scope of services

(6) By licensing the SIGN8 Product, the licensee obtains the technical possibility and authorization to access the application and to use the functionalities of the application. The servers used by SIGN8 to provide the application are located within the European Union. The trust services offered by SIGN8 include both advanced and qualified remote signatures as well as advanced and qualified remote seals.

(7) SIGN8 is a cloud-based application. SIGN8 enables the licensee and the users authorized by him to digitally sign or validate documents, depending on the scope of the license. By using the application, the customer (as a term describing a person who is concurrently, both, a licensee and a user) can accelerate existing document processes, simplify them and make them digitally available at the same time.

(8) SIGN8 shall not itself perform the identification of the customer for a qualified electronic signature or a qualified electronic seal; this shall be performed by an external third-party provider. SIGN8 only receives confirmation of the customer’s identity from the third-party provider. In the case of a qualified seal, on the other hand, SIGN8 GmbH checks the respective extract from the commercial register of the legal entity.

(9) Legal or other advice, with regard to the type of signature/seal, the type of contract, any formal and deadline requirements, does not fall within the scope of SIGN8’s services. SIGN8 provides advanced and qualified signatures and advanced and qualified seals as well as the necessary technical environment. SIGN8 shall not be liable for any incorrectly or inappropriately selected signature forms.

(10) SIGN8 reserves the right to submit change requests only in the event of a reduction in the scope of services/offerings or any restrictions on the usability of individual services or service or function offerings at the customer. SIGN8 shall also be entitled to make further adjustments or changes that do not result in any disadvantage to the customer without a change request.

(11) SIGN8 shall be entitled to use subcontractors, even without the licensee’s prior consent. A list of subcontractors acting as processors can be provided by SIGN8 upon request. SIGN8 is generally free to change subcontractors, including the identification providers used. In this case, SIGN8 is obligated to continue to guarantee the contractually agreed scope of functions and security standards without restriction.

(12) During your ordering process, you will be redirected to the website of an online payment service provider. To be able to pay the invoice amount, you must follow the instructions of the online payment service provider there and provide your data required for the payment and confirm the payment instruction. The payment transaction will be carried out automatically by the online payment service provider immediately afterwards. You will receive further instructions during the ordering process. Further note that the terms and conditions of the online payment service provider apply as well.

(13) Only PDF file types can be signed.

(14) Unless SIGN8 GmbH has been notified in writing (info@sign8.eu is sufficient) that the use of the company logo listed in this section is not desired or it has not been expressly agreed and mentioned in the offer, the Client permits and authorises SIGN8 GmbH to use its name and logo for advertising references in any form and on any medium of SIGN8 GmbH for the term of the Services and up to 3 (three) years beyond the term. SIGN8 GmbH is released from the obligation to maintain confidentiality for these purposes.

All workflow documents (PDF files) are deleted after a period of 6 months after the workflow has been created and sent. The customer/user hereby agrees that SIGN8 GmbH is entitled to send a reminder e-mail to the customer/user via e-mail to the address provided during registration/signature before deleting the document(s).

3 Rights of use and copyrights

(15) The customer is granted the non-exclusive right, limited in time to the term of this agreement, to access the SIGN8 environment and use, by means of an application or interface provided by SIGN8, the functionalities associated with SIGN8 in accordance with the order and the SIGN8 License Agreement. The customer shall not receive any rights beyond this, in particular to SIGN8, the application or the operating software. The customer expressly acknowledges that it does not obtain any intellectual property rights in the application, which shall remain the exclusive property of SIGN8.

(16) The customer is not authorized to decompile, disassemble or perform any form of reverse engineering. §§, 69d ff. UrhG.

(17) The customer is not entitled to use SIGN8 beyond the use permitted under the SIGN8 License Agreement and these GTC or to have third parties use SIGN8 beyond the use permitted under the SIGN8 License Agreement and these GTC or to make it accessible to third parties beyond the use permitted under the SIGN8 License Agreement and these GTC. In particular, the customer shall not be permitted to reproduce, sell or temporarily transfer SIGN8 services or parts thereof, and especially not to rent, lend or lease them.

(18) If the contractual use of SIGN8 is impaired by third party property rights through no fault of SIGN8, SIGN8 shall be entitled to refuse the services affected thereby. SIGN8 shall notify the customer thereof without undue delay and provide the customer with access to its data in a suitable manner. In this case, the customer is not obliged to pay. Other claims or rights of the customer remain unaffected.

(19) Self-performance to remedy a defect is contrary to the clear intention of SIGN8. The customer shall be obliged to notify SIGN8 of any defects, including possible defects known to him.

4 Data protection and data security

(20) Personal data are processed in accordance with REGULATION (EU) 2016/679.

(21) SIGN8 may transfer personal data of a person using trust services to the competent authorities to the extent that the competent authorities require the transfer in accordance with the provisions applicable thereto, as the transfer is necessary

a. for the prosecution of criminal or administrative offenses,

b. to avert dangers to public safety or order, or

c. for the performance of the statutory duties of the federal and state constitutional protection authorities, the Federal Intelligence Service, the Military Counter-Intelligence Service or the financial authorities, or

insofar as courts order transmission in the context of pending proceedings in accordance with the provisions applicable to such proceedings. The authorization to transfer data does not apply insofar as it is expressly excluded by other laws.

(22) Parties shall comply with the applicable data protection provisions, in particular those applicable in Germany (EU Data Protection Regulation, BDSG (latest version)) and shall oblige their employees deployed in connection with the contract to observe data secrecy and confidentiality, unless they are already generally obliged to do so.

(23) SIGN8 shall document the transmission. The documentation must be kept for twelve months.

(24) If the competent body has made a request for data transfer, it shall inform the data subject of the transfer of the data that has taken place. Information may be dispensed with as long as the performance of the statutory duties would be jeopardized and as long as the interest of the person concerned in being informed does not prevail. Five years after transmission, notification may be definitively dispensed with if the conditions for notification are unlikely to occur in the future.

(25) If the customer collects, processes or uses personal data itself or through SIGN8, the customer warrants that it will do so in accordance with the applicable laws, in particular the laws of the Federal Republic of Germany. data protection regulations and shall indemnify SIGN8 against any claims by third parties in the event of a violation.

(26) It is clarified that the customer retains control over the data both generally in the contractual relationship and in the data protection sense. The customer is the sole owner with regard to the right of disposal and ownership of all customer-specific data (entered, processed, stored and output data). SIGN8 does not carry out any control of the data and content stored for the customer with regard to a legal admissibility of the collection, processing and use; this responsibility is assumed exclusively by the customer.

(27) The customer grants SIGN8 permission to process the customer’s data required for business transactions in compliance with data protection regulations.

(28) If required, the parties shall separately conclude the necessary contract on the processing of personal data on behalf (order processing agreement pursuant to Article 28 GDPR) of the customer and attach it to the contractual documents.

(29) SIGN8 takes technical and organizational security precautions and measures to ensure data protection. As a matter of principle, the customer shall not be entitled to demand access to the premises containing the application, server and operating software as well as other system components of SIGN8.

(30) The content of the client’s documents uploaded to SIGN8’s portal is accessible to the employees of SIGN8 GmbH (VDA). However, the authorised staff members are only authorised to access the files in exceptional cases. The customer will be informed about this.

5 Duties and responsibilities of SIGN8

(31) SIGN8 undertakes to provide the customer with all documents, data and information required by the latter for the use of SIGN8.

(32) SIGN8 explicitly points out that both an advanced and a qualified seal only certify the origin and integrity of a document, according to Article 3 No. 25 eIDAS Regulation. A qualified electronic seal is subject to the presumption of the integrity of the data to which the qualified electronic seal is linked and the accuracy of the information provided by the seal creator pursuant to Article 36 eIDAS Regulation. A qualified electronic signature has the same legal effect as a handwritten signature (see Art. 25 eIDAS). A qualified seal has the same legal effect as a company stamp (see Art. 35 eIDAS).

(33) SIGN8 shall be liable for any damage caused intentionally or negligently to natural or legal persons as a result of a breach of the obligations set forth in the eIDAS Regulation. A qualified trust service provider that is SIGN8 shall be presumed to have acted intentionally or negligently, unless the qualified trust service provider proves that damage occurred without it having acted intentionally or negligently.

(34) SIGN8 undertakes to refrain from using the information, documents, data and, in general, all elements communicated to it under this contract for the sole purpose of fulfilling it, beyond what is provided for in the contract. It undertakes not to disclose or share these elements with any third parties, unless they are its subcontractors in the performance of this contract or there is an express request or authorization to this effect from the customer. Likewise, SIGN8 shall be released from the obligation of silence to the extent required by law.

(35) SIGN8 undertakes to perform its obligations under this agreement with due care and professionalism. It guarantees for itself and obligates its subcontractors that the services described in this contract will be provided at a level of security and confidentiality that meets the requirements of the eIDAS Regulation. Nevertheless, the customer expressly acknowledges and accepts that SIGN8 is subject to a duty to perform using due care, although excluding any liability for success.

(36) SIGN8 undertakes to make every effort to ensure the security of SIGN8 and the user accounts created in the customer’s name. However, SIGN8 shall not be liable in case of lack of vigilance as well as in case of lack of security measures taken by the customer or the users with regard to maintaining the confidentiality of their user ID and password.

(37) SIGN8 shall not be liable for correct use of the forms of e-signatures, electronic seals or validation covered by the respective booked license packages. It is the sole responsibility of the customer or user to ensure that documents are signed/sealed/validated with the appropriate form of signature.

(38) SIGN8 undertakes to carry out regular checks to verify the functioning and accessibility of SIGN8. In view of this, SIGN8 reserves the right to temporarily suspend access to the application for reasons of scheduled maintenance.

(39) Similarly, SIGN8 shall not be liable in the event of temporary difficulties or the impossibility of access to SIGN8 if this is caused by circumstances beyond its control or for which it is not responsible, by force majeure or by disruptions in the telecommunications networks.

(40) SIGN8 shall not be held liable for any delay due to the late or defective transmission by the customer of the information and data required for the implementation of the services or due to errors not indirectly and exclusively caused by SIGN8. In particular, SIGN8 shall not be liable for the circumstance if the e-mails sent to the client and/or signatories in the course of the performance of the services end up in their spam mailboxes, resulting in a delay/non-compliance with deadlines.

(41) Section 6 of the VDG makes SIGN8 liable for third parties it has entrusted with the tasks under Regulation (EU) No 910/2014, under the VDG and under the statutory instrument pursuant to Article 4 of the VDG. Section 20 of the VDG, as for its own actions. Section 831 para. 1 s. 1 of the German Civil Code shall not apply.

(42) Pursuant to Article 13 para. 1 eIDAS, SIGN8 as a trust service provider shall be liable for any damage caused intentionally or negligently to natural or legal persons resulting from a breach of the obligations set forth in eIDAS. As SIGN8 is a Qualified Trust Service Provider (expected to become so in Q4 2022), it will be presumed to have breached the Regulation intentionally or negligently unless SIGN8 (as a Qualified Trust Service Provider) can demonstrate that it did not suffer the harm referred to in the first subparagraph of Article 13 eIDAS without acting intentionally or negligently. Thus, the burden of proof lies with SIGN8 as the qualified trust service provider. There is no liability beyond the legal framework.

(43) As long as SIGN8 is not yet a qualified trust service provider, the burden of proof referred to in paragraph 32 of the GTC shall be on the natural or legal person to claim the damage referred to in subparagraph 1 of Article 13 eIDAS Regulation. Thus, as long as SIGN8 is not yet a qualified trust service provider, the burden of proof lies with the natural or legal person to assert the violations just mentioned.

(44) SIGN8 reserves the right to revoke issued certificates if:

a. knowledge has been obtained that a certificate was obtained on the basis of false information (about a person); in this case, the reason for the revocation may be additionally indicated;

b. SIGN8 ceases its activities and the certificate is not continued by another trust service provider;

c. there is a sufficiently substantiated suspicion of misuse of a certificate;

d. the signature key certificate of the certification authority or that of the competent authority has been revoked;

e. facts justify the assumption that the electronic signature creation devices used have security defects;

f. SIGN8 as a certification and trust service provider is otherwise legally obligated to revoke;

g. the customer is in default of payment for more than 30 days after prior warning and setting of a deadline for the fulfillment of his payment obligation;

h. further grounds for revocation pursuant to Article 14 VDG exist.

6 Duties and responsibilities of the customer

(45) The customer shall be obligated to fulfill the obligations incumbent upon it for the performance and processing of the SIGN8 License Agreement. In particular, they are required to:

a. pay the agreed prices on time;

b. protect the usage and access authorizations as well as identification and authentication safeguards assigned to it from access by third parties and not pass them on to unauthorized third parties. In particular, they will ensure that users do not allow any third party to use the user accounts in their place or on their behalf, unless they assume unlimited liability in this context. They expressly confirm that it can be assumed that the eventual use of the services with this connection data is carried out by the corresponding users;

c. within the scope of their use of the services, comply with the applicable legal provisions and refrains from any violation of the rights of third parties or legal regulations. In addition, they shall ensure that (e.g. when transferring texts and data of third parties to servers used by SIGN8) all industrial property rights and copyrights are observed. SIGN8 cannot be held liable in any way in case of violation of the aforementioned rights by the customer;

d. obtain the required consent of the respective data subject, insofar as the data subject collects, processes or uses personal data within the scope of the use of SIGN8 and no statutory element of permission applies;

e. not to misuse SIGN8 or allow it to be misused, in particular not to transmit any illegal or immoral content or to refer to such information that falls under the criminal offense of incitement to hatred, incites to commit criminal acts or glorifies or trivializes violence, is sexually offensive or pornographic, is capable of seriously endangering the morals of children or young people or impairing their well-being or may damage SIGN8’s reputation. It is also the customer’s responsibility to ensure the legality and validity of the customer documents used within SIGN8 that are the subject of the services. In this regard, the customer expressly acknowledges that SIGN8 has no knowledge of the data stored by the customer in the customer area or of the customer documents for which SIGN8 does not carry out any moderation, selection, verification or control of any kind. SIGN8 cannot be held liable for the contents of the customer documents;

f. refrain from attempting to retrieve information or data without authorization, either by yourself or through unauthorized third parties, or to interfere or allow interference with programs operated by SIGN8, or to penetrate SIGN8’s data networks without authorization;

g. indemnify SIGN8 against all claims of third parties based on an unlawful use of SIGN8 by him or with his approval or arising in particular from data protection, copyright or other legal disputes related to the use of SIGN8. If the customer recognizes or if it becomes apparent to the customer that such a violation is imminent, the customer shall be obligated to inform SIGN8 GmbH immediately;

h. back up the data transmitted to SIGN8 on a regular basis and in accordance with the risk, but at least once a day, and create its own backup copies to ensure the reconstruction of the data and information in the event of loss. Archiving of data by SIGN8 is not offered, but can be provided upon request. SIGN8 shall not be liable for any loss of data, so that the customer cannot claim any compensation in this context.

i. be responsible for the creation, maintenance and deletion of customer accounts. SIGN8 assumes no responsibility for these areas. Nor for a possible loss of data, for example due to incorrect deletion of customer accounts;

j. To ensure that the licensee and users are solely liable for maintaining the confidentiality of their identification data and password. The user undertakes to notify SIGN8 immediately in writing, and in particular by e-mail, if it becomes clear that a user account has been used without the user’s knowledge;

k. inform SIGN8 if the details of the certificates no longer correspond to the facts or if there are reasonable grounds to suspect that third parties have obtained knowledge of the identification or authentication data and to revoke the certificates concerned;

l. SIGN8, if a customer document is required to be signed by one or more third party signers, shall provide SIGN8 with the contact information, including last name, first name, email address and telephone number of said authorized third party signers through SIGN8. The customer is responsible for the correctness of the data. The customer warrants to SIGN8 that the data concerning the identity of the users and third party signatories, in particular, are accurate, current, true and not deceptive. In the event of changes, they undertake to update this data in the customer area so that it reflects the above criteria at all times;

m. to check data and information for viruses before sending them and to use state-of-the-art virus protection programs. The customer shall also be responsible for notifying SIGN8 of any cyber-attacks, potential threats or intrusion attempts by third parties on the customer account and/or user accounts;

n. to back up his data files existing in the system as well as the evaluations performed by SIGN8 by download at least until one week prior to the date of termination of the SIGN8 License Agreement, since after termination of the agreement these data files can no longer be accessed by the customer.

o. create its own signer pool before specifying the authorized signers from this signer pool when creating a workflow. The licensee will be required to maintain the lists of authorized signatories internally in his company. SIGN8 explicitly assigns the responsibility for maintaining traceable and legally valid lists of authorized signatories of the company to the licensee. SIGN8 does not check whether a signatory is authorized to sign.

(46) SIGN8 is accessed via web application. Prerequisites for using SIGN8 are: internet access and current browser/client. Outdated or unsupported versions of the browser/client may cause display errors or malfunctions.

(47) The provision of these prerequisites as well as the telecommunication services including the transmission services from the service transfer point to the equipment used by the customer are not the subject of this contract, but are the responsibility of the customer.

(48) Customer expressly acknowledges that the qualified/advanced signed or sealed data shall be re-protected by appropriate measures as necessary before the security value of the existing signatures or seals decreases due to the passage of time.

(49) A customer who has applied for and received authorisation for advanced and qualified seals from SIGN8 as a legal entity has agreed to SIGN8’s GTC, Privacy Policy and Licence Terms of Use. The legal entity entitled to seal is also entitled to authorise further persons from its company (legal entity) to advanced and qualified sealing. The legal entity authorised to seal undertakes to bind the other persons authorised to seal by the legal entity itself in accordance with the General Terms and Conditions, the Data Protection and the Licence Terms and Conditions (to which the legal entity has agreed). The company is liable for the authorised sealers selected by it, who seal advanced or qualified on behalf of the legal entity.

7 Data storage

(50) SIGN8 stores documents of its customers in Western Europe with AES-256 encryption.

8 Use of SIGN8 in breach of contract

(51) SIGN8 shall be entitled to block access to SIGN8 and to the Customer’s Data in the event of an unlawful breach by the Customer of any of the material obligations set out in this Agreement, in particular in the event of a breach of the obligations set out in paragraphs 6-(45)-e and 6-(45)-f. Access will not be restored until the breach of the material obligation concerned has been permanently remedied or the risk of repetition has been eliminated by the submission to SIGN8 of an appropriate cease-and-desist declaration with a penalty clause. The customer remains obligated to pay the agreed prices even in this case.

(52) SIGN8 is entitled to delete the data concerned in the event of a breach of 6-(45)-e and 6-(45)-f.

(53) The Licensee shall be liable for any unlawful breach of the obligations set out in 6-(45)-e and 6-(45)-f by a User authorised by the Customer.

9 Removal of defects

(54) SIGN8 does not warrant that SIGN8 products will be completely free from defects or will operate uninterrupted or error free, for more specific information see Service Level Agreements.

(55) All products are provided “as is” without warranty of any kind.

(56) The licensee and/or customer must immediately notify SIGN8 in writing of any defect, including a detailed description of the defect.

(57) If there are any defects in contractually agreed features and functions, these will be rectified by SIGN8 without being requested to do so.

(58) If the defect is not remedied within the set time limits even after two attempts to remedy the defect, or if it is impossible to remedy the defect, the customer may reduce the license price for the product in question. In case of substantial deviation, termination is possible with prior written notice.

(59) In case of an unfounded notice of defect (for example: error about use and application of the application) SIGN8 may charge the licensee for the effort of troubleshooting according to the time spent, in particular also if a reported material defect is not verifiable or reproducible or cannot be attributed to SIGN8.

(60) Claims for defects shall become statute-barred within three years of the provision of the last service/acceptance (§§ 190 et seq. BGB). The statutory periods shall remain unaffected insofar as §§ 438 para. 1 no. 2 or 634a para. 1 no. 2 of the German Civil Code (BGB) prescribe longer periods, in the event of an intentional or grossly negligent breach of duty by SIGN8, in the event of fraudulent concealment of a defect, as well as in cases of injury to life, limb or health, and for claims under the Product Liability Act.

(61) Since no purchase of the software takes place, but only a right of use is granted to the customer, a liability according to the product liability law is not applicable, as far as legally permissible.

(62) Further claims for defects are excluded to the extent permitted by law.

10 Evidence agreement

(63) The Customer expressly acknowledges and accepts that

a. the data collected through SIGN8’s website and IT equipment shall be considered as evidence of the transactions processed under this agreement;

b. these data constitute the main admissible evidence in the relationship between the parties, in particular in the calculation of the amounts owed to SIGN8.

(64) The customer may request the data required for the collection of evidence from SIGN8.

11 Adjustment and price adjustment clauses

(65) The user (SIGN8 GmbH) reserves the right to change these GTC at any time. The customer will be informed of the changes by e-mail or directly via SIGN8 four weeks before the changes come into force. He is entitled to object to the validity of the new GTC within 4 (four) weeks after receipt of the notification of change. If the customer fails to object, the amended GTC shall become part of the contract after the four-week period. SIGN8 GmbH shall expressly draw the customer’s attention to this deadline in the notice of change. Excluded from the right to amend these GTC in accordance with the previous paragraph are provisions which affect the main performance obligations of the contracting parties and which thus significantly change the relationship between main and counter-performance obligations as well as other fundamental changes to the contractual obligations which are equivalent to the conclusion of a new contract. An express contractual agreement is required for such changes.

(66) SIGN8 GmbH shall be entitled to adjust the respective prices (respective price lists, package or Costum8) at its reasonable discretion from a materiality limit of 5%. A price increase shall be considered and a price reduction shall be made if, for example, the procurement costs, procurement prices or costs for the provision of the service increase or decrease or other changes in the value added tax have become effective. Relevant cost increases shall be offset against relevant cost reductions, if any, and shall take effect after the expiry of a period of at least 4 (four) weeks from receipt of the notification of the adjustment. In the event of not insignificant price increases, the customer shall be entitled to terminate the contract with a notice period of 4 (four) weeks in writing from receipt of the notification of the adjustment. In this case, SIGN8 GmbH shall inform the customer of this in text form.

12 Deadlines, terms and termination

(67) The agreement shall enter into force at the beginning of the contractual term agreed in the SIGN8 License Usage Agreement with attached offer and shall end upon expiry of the agreed contractual term.

(68) Extraordinary termination is possible. A reason for extraordinary termination by SIGN8 exists, for example, if the Licensee is in arrears with two due, consecutive payments or more than two months with one payment and fails to make payment after expiration of a reasonable grace period.

(69) Notice of termination must be given in writing.

(70) SIGN8 GmbH contracts exclusively with entrepreneurs and freelancers according to Section 14 of the German Civil Code (BGB). In this respect, there is no right of revocation.

13 Severability clause and exclusive place of jurisdiction

(71) If individual provisions of this contract are or become invalid, this shall not affect the validity of the remaining provisions. In this case, the contracting parties shall replace the invalid provision with another provision that comes closest to the economic purpose of the omitted provision in a permissible manner.

(72) Munich is agreed as the exclusive place of jurisdiction, to the extent permitted by law.

14 List of abbreviations and terms

October 2022