Terms and conditions

Intesi Group Certification Authority Service Terms and Conditions

This document contains the full text of the Terms and Conditions of Intesi Group S.p.A. (www.intesigroup.com/en/documents) company with registered office in Milano (MI) Via Torino, 48, VAT Number 02780480964, hereinafter referred to as “Intesi Group”.

These Terms and Conditions constitute a contract between Intesi Group and its clients (private individuals and businesses, hereinafter referred to as “Subscriber” or “Subject”) and shall apply to the use that Subjects, Subscribers and Relying parties make of Intesi Group Services.

Using Intesi Group Services imply full acceptance and without reserve of these Intesi Group Terms and Conditions.

1 – Definitions and acronyms

• Trust Service (TS): electronic service which enhances trust and confidence in electronic transactions;
• Trust Service Provider (TSP): natural or a legal person who provides one or more trust services, for example a Certification Authority;
• Certification Authority (CA): authority trusted by one or more users to issue, manage and assign public-key certificates;
• Registration Authority (RA): entity that is responsible for identification and authentication of subjects of certificates mainly;
• Subject: entity identified in a certificate as the holder of the private key associated with the public key given in the certificate;
• Subscriber: legal or natural person bound by agreement with a trust service provider to any subscriber obligations;
• Relying Party: legal or natural person that relies upon an electronic identification or a Trust Service; Signature Service: the Services requested by the Subject or the Subscriber in the Request Form;
• Certificate or Public Key Certificate: public key of an entity, together with some other information, rendered unforgeable by digital signature with the private key of the Certification Authority which issued it;
• Contract: set of all the contractual documents in relation to the delivery of the Services by Intesi Group to the Subscribers and Subjects;
• Request Form: the form used by the Subject or the Subscriber to request the Services;
• Public Key Infrastructure (PKI): infrastructure able to support the management of public keys able to support authentication, encryption, integrity or non-repudiation services
• TSP Policy: set of rules that indicates the applicability of a trust service (for example certificates) to a particular community and/or class of application with common security requirements. The TSP Policy may be unilaterally modified by Intesi Group at any time, and may be consulted on the Intesi Group web site www.intesigroup.com;
• TSP Practice Statement: statement of the practices which a TSP employs in providing a trust service (for example that a certification authority employs in issuing managing, revoking, and renewing). The TSP Practice Statement may be unilaterally modified by Intesi Group at any time, and may be consulted on the Intesi Group web site www.intesigroup.com;
• Authentication Credentials: the code or the codes, preserved as confidential, for identification of the Subscriber to the Service;
• Device: physical or virtual device linked to qualified electronic and/or seal certificates (ex Smartcard, Signing Stick, Token or within a remote signature QSCD held by the TSP);
• Qualified electronic signature creation device (QSCD): means an electronic signature creation device that meets the requirements laid down in Annex II of Reg. UE 2014/910;
• Operations: the technical activities carried out by the Registration Authority;
• Local Registration Authority (LRA): Intesi Group or the legal person authorized by Intesi Group to carry out operations of issuing and renewal of Certificates and/or Timestamps;
• Identification and Registration Operations: the activities of identification and registration of the Subscriber (or subject) carried out by the RAO;
• Registration Authority Officer (RAO): each natural person expressly authorized by the LRA to carry out Operations of identification and registration of the Subscriber (or the Subject) on its behalf;
• Coordinated Universal Time: the time scale based on the second as defined in ITU-R Recommendation TF.460-6 (02/02);
• Fees: amounts paid by the Subscriber or the Subject for the Service;
• Certificate revocation list: signed list indicating a set of certificates that are no longer considered valid (and thus unusable) by Intesi Group. It is accessible on its web site www.intesigroup.com;
• Party: singly the Subscriber, or the Subject or Intesi Group;
• Parties: collectively the Subscriber, the Subject and Intesi Group.

2 – Contractual Terms and Conditions

2.1 The Contract between Intesi Group and the Subscriber and/or the Subscriber is regulated in descending hierarchical order by:

a) the Request Form;

b) the present Terms and Conditions;

c) the TSP Policy;

d) the TSP Practice Statement.

2.2 Intesi Group Service is provided in accordance with the eIDAS regulation, Italian legislation, ETSI EN 319 411 Policy and security requirements for Trust Service Providers issuing certificates (Part 1-2) and ETSI EN 319 401 General Policy Requirements for Trust Service Providers, TSP Policy and TSP Practice Statement.

2.3 The present Terms and Conditions provide the conditions of use of Services and are binding for the Subscriber and the Subject, while using Services and for the Relying Party, while relying on issued Certificates.

3 – Object

3.1 These Terms and Conditions govern the delivery by Intesi Group of the Certificate Services requested by the Subscriber or the Subject using the Request Form according to TSP Practice Statement and TSP Policy.

3.2 The Subject or the Subscriber, or the LRA acting on the Subject or Subscriber’s behalf, submits any and all requests for Services to Intesi Group, using the Request Form.

3.3 The provision of the Services by Intesi Group will take place only after the successful outcome of a mandatory verification.

The TSP Policy to which the issuance of each type of Certificate is subjected, details the validation process followed by Intesi Group prior to the issuance of the Certificate and the return process.

3.4 Both the Subscriber and the Subject undertake to communicate to Intesi Group (or to LRA) all information needed to verify their identity and they have to check that the Certificate requests are accurate, authorized and complete according to the collected evidence or attestation of identity.

Both the Subscriber and the Subject are responsible for the truthfulness of the data notified in the Request Form.

3.5 In the case where the information requested shall be verified by means of a certificate of a qualified electronic signature or of a qualified electronic seal issued by another TSP in compliance with point (a) or (b) of Article 24 Reg. 910/2014, Intesi shall not be held liable neither for the content nor the truthfulness of the information communicated by the Subject or the Subscriber to the other TSP that issued the certificate, nor the respect of the requirements for the TSP indicated in Article 24 Reg. 910/2014

3.6 The failure to provide – for whatever cause or reason – the requested Services shall not involve any obligation to pay compensation or indemnity to the Subject, or the Subscriber or the Registration Authority by Intesi Group.

4 – Conclusion, Duration and Termination of The Contract

4.1 The Contract will be considered concluded upon acceptance by the Subscriber of the present Terms and Conditions and payment of the applicable Fees.

4.2 In any case, Intesi Group shall suspend or revoke the provision of any Certificate issuance or renewal Service in case of late payment of the applicable Fees.

4.3 The maximum validity period of the Certificates issued by Intesi Group is 5 years.

4.4 This Contract may be early terminated by Intesi Group by a prior written notice of 2 months.

The termination notice shall be notified to the Subscriber in writing by means of communication ensuring evidence and date of receipt.

The Subscriber or the Subject are not entitled to any compensation or refund of Fees in case of early termination of the Contract.

4.5 The breach of any contractual obligation which is not remedied by the breaching Party within 15 days after having been invited in writing to do so by the other party, shall be considered as a justifiable reason for the immediate contract termination. The non-culpable Party may terminate the Contract with immediate effect, without respecting a period of notice, by notice given in writing by means of communication ensuring evidence and date of receipt.

4.6 Shall be considered as exceptional circumstances justifying the immediate Contract termination: bankruptcy, any kind of composition between the bankrupt and the creditors, death or incapacity of the Subscriber or the Subject;

4.7 As of the day when termination of the Contract takes effect, Intesi Group will proceed with immediate effect to blockage of all of the Certificate Services.

5 – Subject’s Obligations

5.1 The Subject is obliged to:

a) use the Services in compliance with (i) the Request Form (ii) the present Terms and Conditions, (iii)

b) communicate to Intesi Group all information needed to enable correct provision of the Certificate Services, submit evidence of his/her identity and guarantee the accuracy and regular updating of these information;

c) provide a physical address, or mail address, which describe how he/she shall be contacted.

d) pay the Fees in compliance with the time requirements and procedures requested by Intesi Group;

e) activate the Services within 30 days of the assignment of the Device and the Authentication Credentials. Failing that, the Services may be automatically and irrevocably blocked for security reasons by Intesi Group and a new Request Form must be submitted by the Subscriber or the Subject, if necessary with a return of the Device, all of this being at the exclusive expense of the Subscriber or the Subject;

f) apply utmost diligence in the use, preservation and protection of the Authentication Credentials, as referred to in the TSP Policy and TSP Practice Statement. In particular, the Subscriber must take all necessary measures to avoid causing damage to others while using the Certificate Services;

g) not disclose the Authentication Credentials – neither directly nor indirectly, for whatever purpose – to any third party;

h) immediately inform Intesi Group in the event of theft or tentative of theft of the Authentication Credentials in order to permit Intesi Group to block the Services. Failing to comply, the Subscriber will be considered solely liable for the consequences for Intesi Group, the Relying Party and other third parties;

i) immediately suspend the Services in case of suspicion of possible loss of confidentiality and/or integrity of one or more components of the Services and inform Intesi Group which will suspend the Services. The Subject and / or the Subscrber will be considered solely liable for all damage sustained by himself, the Subscriber, Intesi Group or any third party;

j) implement, maintain and develop a technical infrastructure (including hardware and software solutions) such as to permit use of the Services in accordance with the Contract;

k) if the Services have been revoked, is obliged to render the Device to Intesi Group.

5.2 Provisions from a), to j) will also apply to the Subscriber.

Furthermore the Subscriber is obliged to:

a) inform the Subject of the present Terms and Conditions and have the latter comply with the Contract;

b) define and notify, under its sole responsibility, the Subject in what context, in what applications and within what administrative, contractual, commercial and financial limits the Subject is authorized to use the Services; Intesi Group may not in any case be held liable in case of use of the Services by the Subject for purposes not authorized by the Subscriber;

c) in the case of being informed that the Subject’s Certificate has been revoked, or the issuing CA has been compromised, ensure that the Authentication Credentials are not used by the Subject.

5.3 If upon identification or subsequently, also by using fake identification means, the Subject and the Subscriber:

i) supplied fake, inaccurate, incomplete or outdated information with regard to their own identity and / or their biographical data and / or Subject attributes;

ii) disguised their real identity or falsely declared to be someone else;

iii) used Services in an improper way by violating the law or causing damage to third parties;

iv) carried out technical interventions or tampered with the Device either personally or through unauthorized third parties;

v) failed to adopt the necessary procedures needed to avoid the illegal use of the Services by third parties; he shall be considered responsible for any ensuing damage caused to Intesi Group and / or third parties by wrong information included in the Services, with the obligation to guarantee and release Intesi Group of responsibility in the event of any request of compensation.

5.4 The Subscriber and the Subject consent to the keeping of a record by the TSP of information used in registration, subject device assignment, including whether this is to the Subscriber or to the Subject where they differ, and any subsequent revocation, the identity and any specific attributes placed in the certificate, and the passing of this information to third parties under the same conditions as required by this policy in the case of the TSP terminating its services.

6 – Intesi Group’s Obligations

6.1 Intesi Group is obliged to:

a) operate in accordance with the TSP Policy and TSP Practice Statement;

b) ensure that its reference clock is synchronized with Coordinated Universal Time within the declared accuracy of 1 second;

c) undergo internal and external reviews to assure compliance with relevant legislation and internal Intesi Group policies and procedures;

d) provide high availability access to Intesi Group systems except in the case of maintenance or unavailability of Intesi Group systems, planned technical interruptions and loss of time synchronization;

e) record all information necessary to verify the Subject’s identity,

6.2 The complete and accurate Certificate will be available to the Subscriber and/or the Subject from Time4Mind portal at https://user.time4mind.com.

The Trust Service Provider logs are retained for the period set forth by Article 15 no. 7 D.P.C.M. 30 marzo 2009 and subsequent amendments.

Every issued Time-stamp, is kept for the minimum period set forth by Article 15 no. 7 D.P.C.M. 30 marzo 2009 and subsequent amendments.

Data records are protected and maintained in a secure site for storage that guarantees its integrity.

If the Subject, the Subscriber or the Relying Party ask Intesi Group any proof of the existence recorded data in relation to provided Services, they have to cover the costs of such service.

7 – Information for Relying Party

7.1 The Relying Party is obliged to study the risks, liabilities, limitations and uses related to the acceptance of the Services, which are established in the TSP Policy and TSP Practice Statement and in the present Terms and Conditions.

7.2 Before placing any reliance on a Certificate, the Relying Party shall verify the validity, suspension or revocation of the Certificate using Intesi Group Revocation List.

8 – Limitation of liability

8.1 Intesi Group is liable for the performance of all its obligations specified in the TSP Policy, the TSP Practice Statements and these Terms and Conditions according to the legislation of the European Union.

8.2 Intesi Group shall not be held liable for the content or the lawfulness of the data for which the Service is requested by the Subscriber or the Subject.

8.3 Intesi Group shall not be held liable for any direct and indirect consequences caused by any action or omission that results in liability, damages or losses, expenses of any type, including court and legal representation that may be incurred, by the publication and use of the Services, when any of the following causes concur:

a) lack of compatibility between the Certificate Services, including the equipment, applications, procedures or infrastructures of the Subscriber or the Relying Party or of any third party;

b) any unavailability of the Services subsequent to any suspension or blockage allowed in regard to the Contract;

c) any security failure originating with the Subscriber, the Subject or the Relying Party;

d) any breach of the Subscriber and/or Subject’s obligations as provided in paragraphs 5.1 and 5.2;

e) errors and/or frauds committed by the Subscriber, the Subject the Relying Party or any third party;

f) non-payment of the Fees;

g) any eventual unavailability or any malfunctioning of the electronic communications systems or networks;

h) the non-performance of Intesi Group obligations if such non-performance is due to faults or security problems of the supervisory body, the data protection supervision authority, any other public authority or third party not under Intesi Group control;

i) non-fulfilment of Intesi Group obligations if such non-fulfillment is occasioned by force majeure;

j) any non-functioning or malfunctioning of the Services caused by any deterioration, alteration or destruction of the Devices;

k) false or misleading statement made by the Subject or the Subscriber in the Certificate;

l) employment by the Subject or the Subscriber of a name (including common names, email address and domain names), or other information in the Certificate, that infringes intellectual property of third parties.

8.4 Intesi Group has compulsory insurance contracts, which cover all Intesi Group Services to ensure compensation for damage, which is caused as a result of violation of the obligations of Intesi Group.

8.5 In any event, Intesi will be liable in case of willful intent and negligence.

8.6 The Subscriber and the Subject will be obliged to guarantee and release Intesi Group in the event of any request for damages from the Relying Party or any third party for the events indicated in this article (including reimbursement for legal fees and interests).

8.7 The Relying Party undertakes to disclaim Intesi Group for any liability caused from any action or omission that results in liability, damages or losses, expenses of any type, including court and legal representation that may be incurred, by the use of the Service, when any of the following causes concur:

a) breach of the obligations of the Relying Party that trusts the Certificate;

b) impetuous confidence in a Certificate, under the circumstances;

c) failure to verify the status of a Certificate, to determine that is has not been suspended or revoked.

8.8  Intesi Group informs all Subscribers and Subject in case of Service termination. Intesi Group maintains the information and documentation related to the terminated Services according to its termination plans.

9 – Assignment

9.1 The Subscriber and/or the Subject shall not assign its rights or delegate its obligations under this Terms and Conditions to any third party. Any attempted assignment or delegation will be void.

9.2 Intesi Group may assign its rights and delegate its obligations under this Terms and Conditions upon notice to the Subject and/or the Subscriber.

10 – Notifications and Contract Amendments

10.1 Any communication or notice required or permitted to be given under this Contract will be made in writing and in the English or Italian language and will be deemed to have been duly and validly given

(i) in the case of notice sent by letter, upon the first business day after receipt of the same and (ii) in the case of notice sent by registered email, upon the first business day after acknowledgment of receipt of transmission, addressed, in each case, as follows: if to Intesi Group:

• by post: Intesi Group S.p.A. – Via Torino, 48 – 20123 Milano Italy.
• by email: tsp@intesigroup.com
• by PEC: tsp.intesigroup@legalmail.it
• by fax: +39 02 6760640

if to the Subscriber:

to the registered electronic mail address or, failing that, to the email address indicated by the Subscriber.

10.2 Intesi Group has the right to modify unilaterally the Contract. In this case, at least 30 (thirty) days before applying the amendments, the new contractual terms related to the Service will be published on the Intesi Group web site www.intesigroup.com or the Subscriber will be notified by email using the address indicated by the Subscriber in the Request Form.

10.3 In the case of non-acceptance of the new terms, the Subscriber must notify Intesi Group by registered electronic mail or registered letter with acknowledgment of receipt before the date these amendments will come into effect.

In the case of non-acceptance of the new terms by the Subscriber, Intesi Group will continue to apply the old terms until the termination of the Contract.

11 – Applicable Law, Competent Court Of Justice, Procedures for Complains and Dispute Settlement

11.1 The Contract is governed by Italian Law.

11.2 The Subject and Subscriber can submit their claim or complaint on the following email: tsp@intesigroup.com

11.3 Complaints received by Intesi Group will be treated by Intesi Group internal services in order to resolve any dispute promptly and efficiently.

11.4 Any controversy that cannot be solved by Intesi Group internal services shall be submitted to the exclusive jurisdiction of the Milan Court, except for the conditions that apply in case the Subscriber can be qualified as Consumer according to Italian Legislative Decree 206/2005.

12 – Personal Data Protection

12.1 Intesi Group follows the principles of data protection, established in the TSP Policy, in the TSP Practice Statements and in the Privacy Policy when handling personal information and logging information, in strict accordance with the provisions of the Regulation (EU) n. 679/2016 and the D.Lgs. n. 196/2003.

12.2 All data the Subscriber and/or the Subject provided to Intesi Group will be used to execute the Contract, to fulfil any kind of obligations required by laws or regulations, by legislation, including taxation legislation and for the others purposes indicated in the Privacy Information.

12.3 The use of the personal data for the other purposes indicates in the Privacy Information require the Subscriber’s and Subject’s consent.

12.4 The Subscriber and the Subject are informed of his right to access their Personal Data and, if necessary, to request the correction of such.

12.5 The communication of Personal Data necessary for execution of the Contract is obligatory for the Subscriber and the Subject. Any modification of personal data must be notified without delay by the Subscriber and/or the Subject to Intesi Group.

13 – Miscellaneous Provisions

13.1 Entire Agreement

This Contract and each attachment and/or each document executed and delivered pursuant to them contains the entire understanding and supersedes all prior agreements of the Parties. There are no agreements, promises, warranties or undertakings other than those expressly set forth herein and therein.

Updates to these Terms and Conditions will be posted on the Intesi Group website at www.intesigroup.com.

Updates to the TSP Policy and TSP Practice Statement will be posted on the Intesi Group website at www.intesigroup.com.

13.2 Severability

If any term or condition contained in the Contract, its execution or application to any Party or circumstances is to any extent to be held invalid or unenforceable under any Applicable Law, then:

a) said term or condition will be ineffective to the extent of such invalidity or unenforceability;

b) the remainder of the Contract, the execution of the application of such term or condition to Parties or circumstances other than those as to which it is held invalid or unenforceable, will not be affected thereby and each term or condition contained in this Contract will be valid and enforceable to the fullest extent permitted by Applicable Law;

c) the Parties convene and agree to renegotiate any such term or application in good faith in order to provide a reasonably acceptable alternative to the term or condition of this Contract, or its execution or application, that is invalid or unenforceable giving otherwise effect to the intentions pursued by the Parties under this Contract.

14 – Information of the Version