Terms of Service

These Terms of Service (“Terms”) constitute a legally binding agreement between you (“User,” “you,” or “your”) and Sanmarcsoft LLC, a Texas limited liability company (“Sanmarcsoft,” “we,” “us,” or “our”), governing your access to and use of the Trusteddit platform and all related services (collectively, the “Services”).

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by these Terms. If you are using the Services on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms.

If you do not agree to these Terms, you must not access or use the Services.

Trusteddit provides the following services related to content authenticity and public key infrastructure:

• C2PA Content Credential Signing: Embedding Coalition for Content Provenance and Authenticity (C2PA) content credentials into digital media files to establish provenance and authenticity
• PKI Certificate Services: Issuance, management, renewal, and revocation of X.509 digital certificates for content signing purposes
• Trust Receipt Badge Generation: Creation of verifiable badges linked to signed content, providing visual proof of content credential status
• Timestamp Authority (TSA): Issuance of RFC 3161 trusted timestamps to provide cryptographic proof of the time at which content was signed

The Services are hosted on EU-sovereign infrastructure (Scaleway, Paris, France) and delivered through Cloudflare's global CDN and DNS network.

Access to certain Services requires authentication through Cloudflare Access (Zero Trust). By creating an account or authenticating to use the Services, you agree to:

• Provide accurate, current, and complete information during registration and certificate application processes
• Maintain the security of your authentication credentials and private keys
• Promptly notify us of any unauthorized use of your account or any other security breach
• Accept responsibility for all activities that occur under your account

You must not share your authentication credentials or private keys with any third party. Compromise of your private key constitutes grounds for immediate certificate revocation.

If you apply for or are issued a digital certificate through the Services, you agree to the following obligations:

4.1 Accurate Information

All information submitted in your certificate application must be truthful, accurate, and not misleading. Submitting false or fraudulent identity information is a material breach of these Terms and may result in immediate certificate revocation and account termination.

4.2 Private Key Protection

You are solely responsible for the security of your private key. You must:

• Generate your private key in a secure environment using cryptographically sound methods
• Store your private key securely, protected by strong access controls
• Never share, disclose, or transfer your private key to any unauthorized party
• Immediately request certificate revocation if you suspect your private key has been compromised

4.3 Certificate Usage

Certificates issued through the Services must be used only for their intended purpose as specified in the certificate profile and these Terms. You must not use certificates for any purpose not authorized by the certificate policy under which they were issued.

4.4 Revocation Obligations

You must promptly request revocation of your certificate if:

• Your private key has been or is suspected to have been compromised
• Any information in the certificate becomes inaccurate or misleading
• The certificate is no longer needed for its intended purpose
• You are no longer authorized to use the certificate (e.g., departure from an organization listed in the certificate)

You agree to use the Services only for lawful purposes and in accordance with these Terms. You must not use the Services to:

• Fraudulent signing: Sign content with the intent to deceive, defraud, or mislead others about the origin, authenticity, or integrity of the content
• Impersonation: Obtain certificates under false identity or misrepresent your affiliation with any person or organization
• Illegal content: Sign, certify, or generate Trust Receipt badges for content that is illegal under applicable law, including but not limited to content that violates intellectual property rights, child safety laws, or export control regulations
• Service disruption: Interfere with or disrupt the Services, servers, or networks connected to the Services, including attempting denial-of-service attacks, exploiting vulnerabilities, or reverse-engineering the platform
• Unauthorized access: Attempt to gain unauthorized access to any part of the Services, other users' accounts, or computer systems or networks connected to the Services
• Automated abuse: Use bots, scrapers, or automated tools to access the Services in a manner that exceeds reasonable usage or circumvents rate limits, without prior written authorization
• Certificate misuse: Use certificates issued through the Services for purposes other than C2PA content signing or as otherwise authorized by your certificate policy

Violation of this Acceptable Use Policy may result in immediate suspension or termination of your access to the Services, revocation of any issued certificates, and referral to appropriate law enforcement authorities where warranted.

6.1 Media File Processing

When you submit media files for C2PA signing, those files are processed in server memory to embed content credentials. Media files are not permanently stored on our servers. Files are held only for the duration of the signing operation and are purged from memory upon completion. Signed output files are returned directly to you.

6.2 Content Ownership

You retain all ownership rights to content you submit for signing. By submitting content for signing, you represent and warrant that:

• You own or have the legal right to sign the content with C2PA credentials
• The content does not infringe any third party's intellectual property rights, privacy rights, or other legal rights
• The content does not violate any applicable law or regulation

6.3 Signing Event Records

We retain metadata about signing operations (timestamp, certificate serial number, content hash, C2PA manifest identifiers) as required for PKI audit compliance and non-repudiation purposes. These records are retained for 7 years in accordance with our Privacy Policy.

6.4 RFC 3161 Timestamps

Trusted timestamps issued by our Time-Stamp Authority are retained indefinitely to support long-term signature verification. Timestamps are cryptographic records that do not contain the content itself, only a hash of the signed data bound to a point in time.

Trust Receipt badges generated through the Services are visual indicators linked to C2PA-signed content. The following terms apply:

• Badges reflect the status of the associated content credential at the time of generation
• Badge validity depends on the continued validity of the underlying signing certificate; certificate revocation may affect badge status
• You may embed Trust Receipt badges in your content, websites, and publications to indicate content authenticity
• You must not modify, alter, or forge Trust Receipt badges or use them in a misleading manner

Certain Services may be offered on a paid basis. Where fees apply:

• Fees will be clearly disclosed before you commit to a paid service
• All fees are exclusive of applicable taxes unless stated otherwise
• We reserve the right to change fees with at least 30 days' advance notice to existing subscribers
• Failure to pay applicable fees may result in suspension of paid Services

For EU consumers, you have the right to withdraw from a paid subscription within 14 days of purchase without giving a reason (see Section 13 for EU consumer protections).

9.1 Our Intellectual Property

The Services, including but not limited to software, APIs, documentation, user interface design, trademarks, and logos, are owned by Sanmarcsoft LLC and are protected by applicable intellectual property laws. These Terms do not grant you any right, title, or interest in the Services beyond the limited right to use them in accordance with these Terms.

9.2 Your Content

You retain all intellectual property rights in content you submit for signing. We do not claim any ownership rights over your content. By submitting content for signing, you grant us a limited, temporary license to process the content solely for the purpose of providing the Services (i.e., embedding C2PA credentials and returning the signed file to you).

9.3 Open Standards

The C2PA specification is an open standard maintained by the Coalition for Content Provenance and Authenticity. Our implementation of C2PA signing is based on this open standard. Nothing in these Terms restricts your right to use C2PA-compliant tools from other providers.

10.1 Service Availability

We make commercially reasonable efforts to maintain the availability and reliability of the Services. However, the Services are provided on an “as is” and “as available” basis.

10.2 Disclaimer of Warranties

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SANMARCSOFT LLC EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE.

This disclaimer does not affect your statutory rights as a consumer under applicable EU law, including Directive 2011/83/EU (Consumer Rights Directive) and Directive (EU) 2019/770 (Digital Content Directive). Where mandatory consumer protections apply, these Terms are subject to those protections (see Section 13).

10.3 Certificate and Signing Disclaimers

While we exercise care in certificate issuance and C2PA signing operations, we do not guarantee:

• That C2PA credentials will be recognized or accepted by all platforms, applications, or relying parties
• That the presence of a C2PA credential is sufficient proof of content authenticity for all legal or regulatory purposes
• The accuracy of identity information provided by certificate subscribers beyond the verification procedures we perform
• Uninterrupted availability of CRL, OCSP, or TSA services, though we will make commercially reasonable efforts to maintain their availability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL SANMARCSOFT LLC, ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR AFFILIATES BE LIABLE FOR:

• Any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, use, goodwill, or other intangible losses
• Damages resulting from unauthorized access to or alteration of your data or transmissions
• Damages resulting from the compromise of your private key, regardless of whether we were advised of the possibility of such damages
• Damages arising from reliance on C2PA credentials, certificates, or Trust Receipt badges issued through the Services

OUR TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICES SHALL NOT EXCEED THE GREATER OF: (A) THE TOTAL FEES PAID BY YOU TO US IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE LIABILITY, OR (B) ONE HUNDRED US DOLLARS (USD $100).

This limitation of liability does not apply to liability arising from (i) our gross negligence or willful misconduct, (ii) death or personal injury caused by our negligence, or (iii) any liability that cannot be excluded or limited under applicable EU consumer protection law.

You agree to indemnify, defend, and hold harmless Sanmarcsoft LLC and its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

• Your use of the Services in violation of these Terms
• Your breach of any representation or warranty made in these Terms
• Content you submit for signing that infringes third-party rights
• Your failure to protect your private key or authentication credentials
• Your use of certificates for purposes not authorized by the applicable certificate policy

This indemnification obligation does not apply to EU consumers to the extent it would conflict with mandatory consumer protection laws.

If you are a consumer located in the European Union or European Economic Area, the following protections apply to you in addition to (and, where they conflict, in precedence over) the other provisions of these Terms:

13.1 Right of Withdrawal

Under Directive 2011/83/EU, you have the right to withdraw from a contract for paid Services within 14 days of purchase without giving a reason. To exercise your right of withdrawal, you must inform us by sending a clear statement to [email protected]. If you have expressly consented to the provision of digital content or services during the withdrawal period and acknowledged the loss of your right of withdrawal, the right of withdrawal may not apply once performance has begun.

13.2 Conformity of Digital Content

Under Directive (EU) 2019/770, digital content and digital services must conform to the contract. If the Services do not conform, you are entitled to have the non-conformity remedied, to receive a proportionate reduction in price, or to terminate the contract, in accordance with applicable law.

13.3 Unfair Contract Terms

Pursuant to Directive 93/13/EEC, any term in these Terms that is found to be unfair under applicable national law implementing this Directive shall not be binding on you as a consumer. The remaining terms shall continue to apply.

13.4 GDPR Compliance

We are committed to full compliance with the General Data Protection Regulation (EU) 2016/679. Your personal data is processed in accordance with our Privacy Policy and our GDPR Compliance statement. Our core infrastructure is hosted within the EU (Scaleway, Paris, France) to ensure data sovereignty.

13.5 Alternative Dispute Resolution

EU consumers may submit complaints through the European Commission's Online Dispute Resolution (ODR) platform at https://ec.europa.eu/consumers/odr. Our email for ODR correspondence is [email protected].

14.1 Termination by You

You may stop using the Services at any time. If you wish to close your account and request revocation of any active certificates, contact us at [email protected].

14.2 Suspension or Termination by Us

We may suspend or terminate your access to the Services, and revoke any issued certificates, if:

• You breach these Terms or the Acceptable Use Policy
• We reasonably believe your account has been compromised or your private key has been exposed
• We are required to do so by law, regulation, or court order
• You fail to pay applicable fees after notice and a reasonable cure period
• We determine in good faith that your continued use of the Services poses a risk to the integrity of the PKI trust chain

Where practicable, we will provide reasonable notice before suspension or termination, except where immediate action is necessary to protect the security or integrity of the Services or the PKI trust chain.

14.3 Effect of Termination

Upon termination, your right to use the Services ceases immediately. The following provisions survive termination: Section 4 (Certificate Subscriber Obligations, to the extent certificates remain valid), Section 9 (Intellectual Property), Section 10 (Warranties and Disclaimers), Section 11 (Limitation of Liability), Section 12 (Indemnification), Section 15 (Governing Law), and this Section 14.3.

15.1 Governing Law

These Terms are governed by and construed in accordance with the laws of the State of Texas, United States, without regard to its conflict of law provisions. However, if you are a consumer located in the European Union, you shall retain the benefit of any mandatory consumer protection provisions of the law of the EU Member State in which you are habitually resident.

15.2 Jurisdiction

Any disputes arising out of or relating to these Terms that cannot be resolved through good-faith negotiation shall be submitted to the exclusive jurisdiction of the courts located in Texas, United States. This does not affect the right of EU consumers to bring proceedings in their country of habitual residence.

15.3 Informal Resolution

Before initiating any formal dispute resolution proceeding, you agree to first contact us at [email protected] and attempt to resolve the dispute informally for at least 30 days.

We reserve the right to modify these Terms at any time. When we make material changes:

• We will update the “Last Updated” date at the top of this page
• For material changes affecting existing subscribers, we will provide at least 30 days' notice via the email address associated with your account or certificate
• The updated Terms will be published at trusteddit.com/legal/terms-of-service

Your continued use of the Services after the updated Terms take effect constitutes acceptance of the changes. If you do not agree with the revised Terms, you must stop using the Services.

Severability

If any provision of these Terms is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable.

Entire Agreement

These Terms, together with our Privacy Policy and GDPR Compliance statement, constitute the entire agreement between you and Sanmarcsoft LLC regarding the Services, superseding any prior agreements.

Waiver

Our failure to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.

Assignment

You may not assign or transfer these Terms or any rights or obligations hereunder without our prior written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets.

Force Majeure

We shall not be liable for any failure or delay in performing our obligations where such failure or delay results from circumstances beyond our reasonable control, including but not limited to natural disasters, acts of government, internet outages, or cyberattacks.

If you have questions about these Terms of Service, please contact us:

General Inquiries

[email protected]

Privacy and Data Protection

[email protected]

Certificate and PKI Issues

[email protected]