PKI as a Service Subscriber Agreement

Subscriber Terms

This Subscriber Agreement (this “Agreement”) is a legal agreement between Cogito Group Pty Ltd, a corporation registered in Australia (“Service Provider”), and you, either as an individual, company or other legal entity (“Subscribing Party”), effective as of the date of the last signature affixed to the Order Form (the “Effective Date”). Service Provider and Subscribing Party may be collectively referred to herein as the “Parties,” and each may be referred to individually as a “Party.”

BY USING THE SERVICE, SUBSCRIBING PARTY REPRESENTS THAT SUBSCRIBING PARTY REGISTERED FOR THE SERVICE FROM AN APPROVED SOURCE AND SUBSCRIBING PARTY AGREES TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF SUBSCRIBING PARTY IS ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON, COMPANY OR OTHER LEGAL ENTITY, SUBSCRIBING PARTY REPRESENTS AND WARRANTS THAT SUBSCRIBING PARTY HAS FULL AUTHORITY TO BIND THAT PERSON, COMPANY OR LEGAL ENTITY TO THESE TERMS. IF SUBSCRIBING PARTY DECLINES TO ACCEPT ALL TERMS AND CONDITIONS SET FORTH HEREIN, SUBSCRIBING PARTY SHALL REFRAIN FROM USING THE SERVICE.

The Terms of Use are intended to explain Cogito Group’s obligations as a service provider for this offering and your obligations as a Subscribing Party. Please read them carefully.

The Service will evolve over time based on user feedback. These Terms are not intended to answer every question or address every issue raised by the use of the Cogito Service. Cogito reserves the right to change these terms at any time, effective upon the posting of modified terms and Cogito will make every effort to communicate these changes to the Subscribing Party via email or notification via the Website. It is likely the terms of use will change over time. It is the Subscribing Party’s obligation to ensure that they have read, understood and agree to the most recent terms available on the Website.

By registering to use the Service, the Subscribing Party acknowledges that they have read and understood these Terms.

1 Interpretation

For the purposes of this Agreement:

  1. Cogito means Cogito Group Pty Ltd;
  2. Tools means the tools described in clauses 4 to 6 of this Agreement;
  3. PKI Token has the meaning set out in clause 4 of this Agreement;
  4. Subscriber means a person who is to be issued with Cogito PKI Tools; and
  5. Relying Party means a recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate.

Any other defined terms in this Deed shall have the meaning given to them in the applicable Certificate Policy (CP) or Certification Practice Statement (CPS).

2 User obligations

By signing this Deed, you:

  1. agree to abide by the terms of this Deed, both in your capacity as a Subscriber and a Relying Party;
  2. agree to read and abide by Cogito PKIaaS policy regarding the use of Cogito PKIaaS resources, and any specific instruction applicable to the use of Cogito PKIaaS Tools;
  3. acknowledge that you have read and understood the privacy acknowledgement at clauses 11 and 12 of this Agreement;
  4. acknowledge that, should you breach the terms of the Agreement, your access to the Cogito PKIaaS may be withdrawn by Cogito and further appropriate action may be pursued;
  5. confirm that your identity matches the documentation presented during the registration process; and
  6. agree to comply with and be bound by the provisions of the relevant CP and CPS as amended from time to time as if they were provisions of this Deed. This includes but is not limited to all provisions in those documents relating to fees, confidentiality, privacy, intellectual property rights, representations and warranties, disclaimers, limitations of liability, indemnities, term and termination, notices, dispute resolution procedures, governing law, compliance with applicable law, miscellaneous and other provisions. If there is any inconsistency between the terms of this Subscriber Agreement and the relevant CP or CPS, the CP and CPS take precedence.

3 Cogito PKIaaS Tools

You will be issued with the PKI Token to enable you to communicate securely with other Subscribers and, where applicable, external third parties and authorised applications, for the purposes of your association with Cogito. When you receive the PKI Token, you must only use the token for this purpose.

The PKI Token consists of:
a) a signing private key, which you use for creating your digital signature, and its associated signing public key which is incorporated into your signature certificate; this will be used by other Subscribers, and where applicable external third parties, to verify your digital signature; and where required,
b) an encryption public key incorporated into your encryption certificate, which is used by other Subscribers to encrypt to you for confidentiality purposes (suitable for ‘need to know’ purposes), and an encryption private key which you use to decrypt any encrypted contents you receive.

The public key certificates issued by the Cogito PKIaaS:

a) do not provide any indication of the level of authority, delegation or privileges that Subscribers may hold. These can only be determined using the subscribing agencies’ existing policies and procedures; and
b) do not provide encryption services suitable for protection of National Security classified material.

4 Subscriber Responsibilities

In consideration of the Cogito PKIaaS providing access to the PKI Token, you agree to:

  1. provide accurate and complete information to the Registration Officer (RO) during registration;
  2. inform the RO immediately if there is any change in information included in your certificate or provided during registration, and provide the correct information;
  3. ensure that your private keys, and token Personal Identification Number (PIN), are protected at all times against loss, disclosure to any unauthorised party, modification or unauthorised use;
  4. use the PKI token, including keys, only for the purposes you are authorised by the Cogito PKIaaS to use them for and not for any other purpose, including for any unlawful or improper purpose;
  5. immediately notify the RO if you suspect that a private token or keys have, or may have been, compromised;
  6. immediately notify Cogito in the event that your token PIN has, or may have been, compromised;
  7. be responsible for the contents of any information signed using your signing private keys; and
  8. not sign any information with your signing private key after the associated certificate expires.

5 Relying Party Responsibilities

You, as a Relying Party, also agree to:

a) confirm the validity of the signing party’s certificate (using the features provided in authorised Cogito PKIaaS applications); and

b) rely on the signing party’s certificate, and their digital signature, only if such reliance is reasonable in all the circumstances.

Cogito Responsibilities

As far as reasonably practicable, Cogito will comply with its obligations as provided for in the applicable CP.

6 Subscribers Encryption Private Key

The Cogito PKI may create an archive copy of your encryption private key, but the Cogito PKI will restrict access to, and use of, that encryption private key, and that key can be retrieved by the Cogito PKI and used as follows:

  1. at your request, to recover from a damaged current key or to restore a key that has previously expired;
  2. to decrypt data in your absence, on receipt of a signed request from your manager detailing the justification and a copy of the encrypted data. You will be notified of the data that has been decrypted using your Private Key, the identity of the requestor, and the justification used.

7 Privacy Statement

  1. The primary role of PKIaaS is establishing digital identities that can be trusted. In order to provide an audit and evidentiary trail of the verification process, and documentation presented to confirm an individual’s identity, Cogito is required to collect personal information. The collection, use and disclosure of such information is governed by the terms of the Australian Privacy Principles (APPs) found in the Privacy Act 1988 (Privacy Act).
  2. By using the Service, you acknowledge and agree that your personal information, such as email address and name, may be used or disclosed for the purpose of identification, maintaining the efficient functioning of the Cogito PKIaaS, and investigating any potential misuse of that system. You further acknowledge that your Personal Information which forms part of the Certificate Information may be published through the Cogito PKIaaS Certificate Directory and Certificate Revocation List and you agree to the use of your Personal Information by Cogito for any other purposes set out in the Cogito PKI Privacy Statement as amended from time to time.
