Trusteddit Subscriber Agreement
Terms for C2PA Content Signing Certificate Subscribers
Version: 0.1
Status
Effective Date: TBD
Last Updated: March 2026
This Subscriber Agreement (“Agreement”) is entered into between SanMarcSoft LLC, operating as Trusteddit (“Trusteddit,” “we,” “us,” or “our”), and the entity or individual applying for and receiving a C2PA content signing certificate (“Subscriber,” “you,” or “your”).
By applying for, accepting, or using a certificate issued by the Trusteddit Certificate Authority, you agree to be bound by the terms of this Agreement, the Trusteddit Certificate Policy (CP), and the Trusteddit Certificate Practice Statement (CPS).
1. Definitions
- “C2PA”: The Coalition for Content Provenance and Authenticity, an open technical standard for certifying the provenance and history of digital media content.
- “Certificate”: An X.509 v3 digital certificate issued by the Trusteddit CA to the Subscriber for the purpose of signing C2PA manifests and assertions.
- “Certificate Authority (CA)”: The Trusteddit intermediate certificate authority that issues, manages, and revokes certificates under the Trusteddit PKI.
- “Private Key”: The cryptographic key associated with the Certificate that is used to create digital signatures. The Private Key must be kept confidential by the Subscriber.
- “Public Key”: The cryptographic key embedded in the Certificate that is used by relying parties to verify digital signatures created with the corresponding Private Key.
- “Key Pair”: The Private Key and corresponding Public Key generated by the Subscriber.
- “Relying Party”: An individual, organization, or application that verifies content credentials signed with a Certificate issued by Trusteddit.
- “CP” and “CPS”: The Trusteddit Certificate Policy and Certificate Practice Statement, respectively, as published at trusteddit.com/pki/.
2. Subscriber Obligations
As a Subscriber, you agree to the following obligations:
2.1 Accurate Information
You shall provide accurate, complete, and truthful information in your certificate application and in all communications with Trusteddit. You shall promptly notify Trusteddit of any changes to the information contained in your Certificate or provided during the application process.
2.2 Key Pair Generation and Protection
You shall:
- Generate your Key Pair using a cryptographically secure method that meets the requirements specified in the CPS
- Protect your Private Key from unauthorized access, disclosure, or use at all times
- Use a key size and algorithm that meets or exceeds the minimum requirements specified in the CPS
- Store your Private Key in a secure environment, using encryption or hardware protection where feasible
- Never share, transfer, or disclose your Private Key to any other party
2.3 Certificate Usage
You shall:
- Use your Certificate exclusively for signing C2PA content credentials as permitted by the CP
- Not use your Certificate for any prohibited purpose as defined in the CP, Section 1.4.2
- Not use your Certificate to sign content on behalf of another entity unless you are authorized to do so
- Cease using your Certificate immediately upon expiration or revocation
2.4 Revocation Notification
You shall:
- Immediately notify Trusteddit if you know or suspect that your Private Key has been compromised, lost, stolen, or otherwise disclosed to an unauthorized party
- Immediately notify Trusteddit if any information in your Certificate is or becomes inaccurate
- Request revocation of your Certificate within twenty-four (24) hours of discovering any grounds for revocation
2.5 Compliance
You shall comply with this Agreement, the CP, and the CPS, as well as all applicable laws and regulations in connection with your use of the Certificate.
3. Trusteddit Obligations
Trusteddit agrees to the following obligations:
3.1 Certificate Issuance
Trusteddit shall issue Certificates in accordance with the CP and CPS, including performing identity validation of Subscribers as described in those documents. Trusteddit shall use commercially reasonable efforts to process certificate applications within the timelines specified in the CPS.
3.2 Certificate Revocation
Trusteddit shall process revocation requests in accordance with the timelines specified in the CPS. Trusteddit shall update CRLs and OCSP responses promptly following any revocation.
3.3 Repository Maintenance
Trusteddit shall maintain its repository, including the CP, CPS, CRLs, and OCSP responder, in an accessible and operational state. Trusteddit shall use commercially reasonable efforts to ensure the availability of certificate status services (CRL and OCSP).
3.4 Notification
Trusteddit shall notify the Subscriber of material changes to the CP, CPS, or this Agreement at least thirty (30) days prior to the effective date of such changes. Trusteddit shall notify the Subscriber of any revocation of their Certificate.
3.5 Privacy
Trusteddit shall handle Subscriber personal information in accordance with applicable privacy laws and the Trusteddit privacy policy. Subscriber information collected during the application process will not be disclosed to third parties except as required by law, with the Subscriber's consent, or as necessary for PKI operations.
4. Representations and Warranties
4.1 Subscriber Representations
By accepting a Certificate, you represent and warrant that:
- All information provided in your certificate application is accurate and complete
- You are the person or entity identified in the Certificate, or you are authorized to act on behalf of the entity identified in the Certificate
- You have the legal authority to enter into this Agreement
- You have generated your Key Pair using a cryptographically secure method
- Your Private Key has not been and will not be disclosed to any unauthorized party
- You will use the Certificate only for its intended purpose as defined in the CP
- You will promptly cease using the Certificate if it is revoked or has expired
- You will not use the Certificate for any fraudulent, deceptive, or unlawful purpose
4.2 Trusteddit Representations
Trusteddit represents and warrants that:
- Certificates are issued in accordance with the CP and CPS
- Identity validation procedures conform to the requirements of the CP
- Certificate status information (CRL, OCSP) accurately reflects the current status of issued Certificates
- The Trusteddit CA private key is protected using the security controls described in the CPS
5. Limitations of Liability
5.1 Disclaimer of Warranties
Except as expressly stated in this Agreement, the CP, or the CPS, Trusteddit provides certificates and PKI services “as is” and “as available,” without warranties of any kind, whether express, implied, statutory, or otherwise, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
5.2 Limitation of Liability
To the maximum extent permitted by applicable law:
- Trusteddit shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or related to this Agreement or the use of any Certificate
- Trusteddit's total aggregate liability under this Agreement shall not exceed the fees paid by the Subscriber for the Certificate giving rise to the claim
- Trusteddit shall not be liable for any losses arising from the Subscriber's failure to protect their Private Key or comply with this Agreement
5.3 Force Majeure
Neither party shall be liable for any failure or delay in performance due to causes beyond its reasonable control, including but not limited to natural disasters, acts of government, war, terrorism, labor disputes, power failures, internet outages, or cyberattacks.
6. Indemnification
6.1 Subscriber Indemnification
You agree to indemnify, defend, and hold harmless Trusteddit, SanMarcSoft LLC, and their officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:
- Your failure to protect your Private Key
- Any inaccurate information provided by you in connection with your certificate application
- Your use of the Certificate in violation of this Agreement, the CP, or applicable law
- Any content you sign using the Certificate
- Your failure to request timely revocation when required under this Agreement
6.2 Trusteddit Indemnification
Trusteddit agrees to indemnify and hold harmless the Subscriber from claims arising directly from Trusteddit's material breach of its obligations under this Agreement, the CP, or the CPS, subject to the limitations of liability set forth in Section 5.
7. Term and Termination
7.1 Term
This Agreement becomes effective upon your acceptance (by applying for, accepting, or using a Certificate) and remains in effect until the later of: (a) the expiration or revocation of all Certificates issued to you under this Agreement, or (b) the satisfaction of all obligations under this Agreement.
7.2 Termination by Subscriber
You may terminate this Agreement at any time by requesting revocation of all Certificates issued to you under this Agreement and ceasing all use of those Certificates and associated Private Keys for new signing operations.
7.3 Termination by Trusteddit
Trusteddit may terminate this Agreement and revoke your Certificate(s) if:
- You breach any material obligation under this Agreement
- Information in your Certificate is discovered to be inaccurate
- Your Private Key has been compromised
- Required by applicable law, regulation, or court order
- Trusteddit ceases CA operations (subject to the wind-down procedures in the CP)
7.4 Effect of Termination
Upon termination, you must immediately cease using your Certificate and Private Key for creating new signatures. Sections 4, 5, 6, and 8 of this Agreement survive termination. Content signed prior to termination remains verifiable through the trust chain and timestamping.
8. General Provisions
8.1 Governing Law
This Agreement is governed by the laws of the State of New York, United States, without regard to its conflict of laws principles.
8.2 Entire Agreement
This Agreement, together with the CP and CPS (as incorporated by reference), constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, and communications.
8.3 Amendments
Trusteddit may amend this Agreement by publishing the updated version to the PKI repository and providing notice to Subscribers. Continued use of the Certificate after the effective date of the amendment constitutes acceptance of the amended terms.
8.4 Severability
If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
8.5 Assignment
You may not assign or transfer this Agreement or any rights or obligations hereunder without Trusteddit's prior written consent. Trusteddit may assign this Agreement in connection with a merger, acquisition, or sale of substantially all of its assets.
8.6 Notices
All notices under this Agreement shall be sent to the email addresses on file. Notices to Trusteddit should be directed to [email protected].
8.7 Waiver
The failure of either party to enforce any provision of this Agreement shall not constitute a waiver of that provision or of the right to enforce it at a later time.
Trusteddit Subscriber Agreement v0.1 DRAFT -- March 2026
A service of SanMarcSoft LLC | [email protected]