(CFCA disclaimers contained in this Agreement, please read carefully, especially the bold content)
Dear Subscribers:
CFCA (China Financial Certification Authority, referred to as "CFCA") is a Certification Authority approved and authorized by related national management department of China. As a trusted Third-party Certification Authority, CFCA provides digital certificate for certificate user (referred to as “Subscriber”) via Register Authority (referred to as “RA”), in order to enhance online transaction security.
Subscriber must read and agree “CFCA digital certificate service agreement” (referred to as “this agreement”) before they apply for digital certificates issued by CFCA. This Agreement constitutes the subscriber’s rights and obligations with CFCA, if disagree with all or part of the terms of this agreement, do not apply for CFCA digital certificate. Upon completion of download or initial use of the digital certificate, it deemed that subscriber have accepted and are willing to comply with all the terms of this Agreement.
Section 1, rights and obligations of subscriber:
1, Subscriber shall honor the principles of honesty and credibility; that accurate, complete and authentic information and materials are submitted in certificate application; that CFCA will be informed timely of any change in these information and materials. Loss caused by unauthentic, inaccurate or incomplete information submitted intentionally or accidentally by subscriber, or subscriber failed to inform CFCA and the original RA after the change of the information, are borne by subscriber.
2, Subscriber will obtain download voucher of certificate after RA have registered and verified the information provided by subscriber, subscriber shall properly safeguarded the certificate download voucher and use the voucher to download digital certificate from related website to safe container; subscriber may also entrust or authorize others to obtain a digital certificate through other secured method. Certificate download voucher is one-time usable and valid for 14 days. If subscriber fails to download digital certificate within 14 days, the subscriber needs to regain the certificate download voucher from RA. Subscriber shall confirm the information on obtained digital certificates, certificate is deemed to be effective upon the first use.
3, Subscriber shall use software obtained through legitimate means.
4, Subscriber shall legally use digital certificates issued by CFCA and bear the responsibilities for use of the certificates:
① the use of the certificates shall comply with all applicable laws and regulations;
② the use of the certificates shall be consistent with the intention of the subscriber, or just handle authorized affairs;
③ the use of the certificates shall comply with the this agreement’s terms and conditions of use.
5, Subscriber shall take necessary measures to guarantee the safety of certificate, private key and the associated password, including storage, usage and backup. EV Code Signing certificate must be stored in container conforms FIPS 140-2 or equal level of security environment; as for the first time when using a PKI token, subscriber shall modify the initial default password. In case of theft, fraudulent use of a digital certificate private key and password caused by intentional or negligent actions of the subscriber, subscriber shall be liable for the result.
6, If the subscriber’s digital certificate private key and password leaked or lost, or the subscriber does not want to continue to use a digital certificate, or the subject of subscriber does not exist anymore, subscribers or legal rights holder shall inform the original RA and request to revoke the certificate immediately, the relevant procedures shall comply with RA requirements. CFCA will revoke the digital certificate of subscriber in 4 hours after receipt of the request for revocation from RA.
7, If subscriber harm the interests of the CFCA, subscriber will indemnify CFCA for losses and damages. Circumstances include but are not limited to:
① Falsehood/incompleteness/misrepresentation of information provided by the subscriber on the certificate application. Subscriber failed to inform CFCA timely when the information changed;
② Subscriber learnt that its digital certificate private key had been compromised or may have been compromised and failed to provide timely notice to relevant parties and cease the use;
③ subscriber failed in fulfilling other relevant stipulations of this agreement.
8, Subscriber has the obligation to pay the digital certificate service fee on schedule. (Subscriber can contact RA for detailed cost)
9, CFCA is entitled to request the subscriber to replace their digital certificate due to safety risks. Subscriber shall replace the certificate with the original RA within limited time after receipt of the notice of replacement request from CFCA.
10, For code signing certificate applied by subscriber, once found one of the following circumstances, subscriber shall immediately inform CFCA and apply to revoke the certificate:
① There is evidence showed that this code-signing certificates has been used to sign suspicious code, including but not limited to viruses, Trojans, or other inappropriate code.
② Content in certificate is no longer correct or no longer accurate.
③ The private key of certificate is leaked, lost or other related information has been compromised, lost, or other relevant part has been misused.
11, Once the certificate is revoked, the subscriber will not be able to use the certificate.
12, Subscriber is clear about that, if CFCA found improper use of subscriber’s certificates, or subscriber’s certificates are used for illegal or criminal actions, CFCA is entitled to directly revoke subscriber’s certificates.
13, If the subscriber believes certification services provided by CFCA is the cause of subscriber‘s online transaction information leak/compromise, he shall submit dispute processing request and inform all related parties within 3 months of the incident.
Section Two, CFCA services, rights, obligations, limitations of liability and disclaimers
1, CFCA established “Certification Practice Statement” (referred to as CPS) according to related law and specifications. CPS is published on CFCA official website (www.cfca.com.cn). CPS makes clear that the functions of CFCA digital certificates, the rights and obligations of related parties including CFCA’s business procedure and responsibility. Relevant clauses of this agreement are from CPS.
2, CFCA offers 7X24-hour support hotline (4008809888) for subscribers. To ensure the quality of CFCA’s service, CFCA sets up a complaint hotline (010-83519756), CFCA will respond comments and suggestions within 1 working day.
3, In case of subscriber use digital certificates to encrypt/decrypt, sign/verify transaction information via secured tool, CFCA will ensure confidentiality, integrity, anti-denial of transaction information. If a dispute occurs, CFCA will undertake the following obligations according to different scenarios:
① provide CA certificate used to issue subscriber certificate;
② offer subscribers certificate revocation information, to prove that at the time of transaction the certificate is within or not in certificate revocation list.
③ verify the validity of digital certificates, digital signatures, time stamp authenticity.
4, In the following circumstances, CFCA is entitled to revoke issued digital certificate:
① subscriber provided Falsehood/incompleteness/misrepresentation in application process;
② Subscriber obligations under this agreement are not fulfilled;
③ subscriber request to revoke the digital certificates in writing;
④ safety of certificate cannot be guaranteed;
⑤ other cases defined by laws and administrative regulations.
5, CFCA will review and verify the information that subscriber provided in application, and provide related services in certificate life cycle, in the meantime provide inquiry services to related parties. CFCA and its registration agencies have obligation to protect subscriber private information security.
6, According to “Electronic Signature Law of the People’s Republic of China”, CFCA shall compensate the subscriber or relying party, who suffers loss caused by the certification service provided by CFCA. However, CFCA shall not be deemed at fault if it can prove that it has provided services according to the Electronic Signature Law of the People’s Republic of China, the Methods for the Administration of Electronic Certification Services and the CPS filed to the competent department, and shall not be required to bear any compensation and reimbursement responsibility to the subscriber or relying party. The following is not liable for compensation, whether it has infringed this agreement or not:
① Any indirect loss, direct or indirect loss of profit or income, compromise of reputation or goodwill, loss of business opportunities or chances, loss of projects, loss or failure to use data, device or software;
② Any loss or damage caused directly or indirectly by the above loss.
7, CFCA is not liable for the following losses:
① losses due to non-CFCA behavior caused;
② loss caused by force majeure, such as strikes, wars, disasters, viruses and other malicious code.
8, The ceiling of compensation for digital certificate applied by corporate subscribers is CNY 500,000.00. The ceiling of compensation for digital certificate applied by individual subscribers is CNY 200,000.00.
Section Three, Other Terms
1, “Original RA” related in this agreement, if original RA is merged or revoked, that is: the original RA does not exist anymore, business shall move to designated RA.
2, We suggest that subscribers frequently visit CFCA website (www.cfca.com.cn), in order to get latest information changes relate to certificate management, CPS and this Agreement with CFCA.
3, CFCA reserves the right to amend this Agreement, the revised agreement will be published in this CFCA website (www.cfca.com.cn). If subscribers continue to use the digital certificate service CFCA provided one month after the publication of revised agreement, subscribers deemed to have accepted these revisions. If subscribers do not accept the revised agreement, subscribers can unilaterally apply to RA in writing within the said period to stop using a certificate.
4, Once dispute related to CFCA electronic authentication services occurs, both sides shall first try to resolve the issue through friendly consultations and negotiations(if necessary CFCA will convene expert group, detailed procedure refer to the relevant provisions of the CPS), if both sides failed to reach a settlement, both sides can apply for arbitration from Beijing Arbitration Commission, according to commission rules, arbitration shall be take place in Beijing, arbitration result is final, and is binding upon both sides.
5. Upon subscriber complete download or initial use of the applied digital certificate, this agreement comes into effect.
China Financial Certification Authority Co., Ltd.
(China Financial Certification Authority)
August 4, 2015