EXHIBIT 10.23
[CONFIDENTIAL TREATMENT REQUESTED]
PLA Number:____________________
Date of Agreement: ____________
VERISIGN PRIVATE LABEL AGREEMENT
(Customer Root Key)
Customer: VISA International Service Association, a Delaware
------------------------------------------------------------
------------------------------------------------------------
Customer Address: 900 Metro Center Boulevard, Foster City California 94404 or
------------------------------------------------------------
P.O. Box 8999, San Francisco, California 94128-8999
------------------------------------------------------------
Customer Contact: Peter R. Hill
------------------------------------------------------------
Effective Date: April 2. 1996
------------------------------------------------------------
Term of Agreement: Two and one half (2.5) years from the earlier of the
----------------------------------------------------
Commencement of Pilot Program or April 1, 1997.
----------------------------------------------
Exhibits Attached: Exhibit "A": Definitions
Exhibit "B": Fees
Exhibit "C": Logo Usage Guide
Exhibit "D": Project Plan Elements
Exhibit "E": System Design Specifications
Exhibit "F": Customer Requirements for ECS
Exhibit "G": Acceptance Test Procedures
Exhibit "H": VeriSign Marketing Rights and Royalty
Exhibit "I": Escrow Agreement
Exhibit "J": License Agreement
Exhibit "K": Service Level Specification
Exhibit "L": Support Levels
Exhibit "M": Timetable for Resolution of Outstanding
THIS VERISIGN PRIVATE LABEL AGREEMENT ("AGREEMENT"), effective as of the
--------- Effective Date set forth above, is entered into by and between VeriSign, Inc., a Delaware corporation, having its principal place of business at 2593 Coast Avenue, Mountain View, California 94043 ("VERISIGN"), and the party identified
-------- above ("CUSTOMER"), having a principal address as set forth above.
--------
VeriSign provides Certificate-issuing and certain other services to members of both public and private hierarchies. Customer wishes VeriSign to design, build and operate a Private Label Certificate System based on Customer's Root Key for the use by Customer to provide certificate registration, issuing and management functions to its member banks, all on the terms and subject to the conditions set forth in this Agreement.
NOW, THEREFORE, the parties hereto agree as follows: VeriSign Private Label Agreement Page 2
1. DEFINITIONS
-----------
Capitalized terms shall have the meanings shown in Exhibit "A" hereto.
2. VERISIGN SERVICES TO CUSTOMER
-----------------------------
2.1 DEVELOPMENT OF PRIVATE LABEL CERTIFICATE SYSTEM. VeriSign will design and develop a Private Label Certificate System based on Customer's Root Keys, a Protocol specified by Customer and specifications agreed upon by VeriSign and Customer in accordance with Section 4.1 below. The Private Label Certificate System will include Certificate servers, custom enrollment and verification processes for each Certificate type specified for use by Subscribers, management of the Certificate repository and renewal process, and procedures for operation of the system.
2.2 OWNERSHIP AND LICENSE OF PRIVATE LABEL CERTIFICATE SYSTEM. VeriSign will acquire and assemble the components of the Private Label Certificate System, consisting of hardware, software and telecommunications equipment. All right, title and interest to the Private Label Certificate System shall belong solely and exclusively to VeriSign, and Customer shall have no right, title or ownership interest therein. VeriSign shall have the right to obtain and hold in its name copyrights, registrations, patents and any similar protection which may be available for the Private Label Certificate System or components thereof and any derivative works thereof. In the event that any technology included in the VSE as delivered to Customer by VeriSign (the "VSE Technology") is hereafter covered by a claim of a patent issued to or assigned to VeriSign, VeriSign shall grant to Customer a nonexclusive, worldwide, perpetual, irrevocable, royalty- free license under the relevant claim(s) to make, use, have made and sell any product incorporating technology included in the VSE as delivered by VeriSign, provided that such license shall extend only to the VSE Technology and not to any other technology incorporated in any such product. In the event that any technology included in the Private Label Certificate System as delivered to Customer by VeriSign is hereafter covered by a claim of a patent issued to or assigned to VeriSign, VeriSign shall grant to Customer a nonexclusive, worldwide, royalty-free license under the relevant claim(s) to the extent necessary for Customer to use the Private Label Certificate System as provided in this Agreement.
Commencing April 1, 1998, Customer on ninety (90) days' prior written notice shall have the right to license the Private Label Certificate System pursuant to a license agreement substantially in the form of Exhibit "J". To the extent portions of the Private Label Certificate System are not owned by VeriSign, VeriSign will arrange to obtain the right to use such items by Customer or arrange for Customer to obtain the right to purchase or otherwise license such items.
2.3 ASSISTANCE IN DEFINING PROTOCOL. VeriSign will assist Customer in defining a workable Protocol for secure management and handling of Certificates in Customer's Private Hierarchy. VeriSign will provide Customer with a copy of VeriSign's Certification Practice Statement which governs Certificate operations in the VeriSign Public Hierarchies and a copy of the VeriSign Public Key Infrastructure (PKI) specification, which details management and VeriSign Private Label Agreement Page 3
handling of Certificates under a policy-based delegation of operating authority. VeriSign will also recommend a set of operating and security practices and procedures to mitigate risks associated with Private Key compromise and Root Key distribution and to protect Customer's confidential authorization information.
2.4 MAINTENANCE OF PRIVATE LABEL CERTIFICATE SYSTEM AT VERISIGN SITE. VeriSign will provide a high-security facility on VeriSign's premises in Mountain View, California for operation of the Certificate server(s) and for storage of Certificate Signing Units containing Customer's Private Keys when not in use in a secure vault. VeriSign shall be responsible for maintaining the security on its premises and shall be liable for any damages that arise out of a breach of its security. VeriSign may move the Private Label Certificate System to another location under VeriSign's control which provides a comparable level of security, and VeriSign shall provide notice to Customer in advance of such relocation. VeriSign shall establish a secure backup site at a mutually agreeable location that ensures continued operation in the event of a technical failure, natural disaster or any other event that disables the Mountain View (or relocated) facility.
2.5 CERTIFICATE MANAGEMENT SERVICES. VeriSign will provide to Customer the following services for Certificate management and operations:
2.5.1 SCOPE OF SERVICES. In accordance with Customer's specified Protocol, VeriSign will provide the following services with respect to the Certificate server(s): maintain adequate Certificate-issuing capacity to meet Customer's reasonable forecast requirements, provide firewall security for all appropriate portions of the Private Label Certificate System, maintain such firewall security for the portion of the Private Label Certificate System located on VeriSign premises, maintain a Certificate repository. renew, revoke and suspend Certificates. and provide Certificate status services.
2.5.2 ENROLLMENT AND RENEWAL SERVICES. Using an enrollment process based on security-enhanced HTML or e-mail with interfaces to Certificate Signing Units and authorization systems, VeriSign will issue Certificates under Customer's name and containing Customer's Root Keys to Subscribers in Customer's Private Hierarchy in accordance with the Protocol. VeriSign will process renewals of Certificates in accordance with the Protocol. Within ten (10) days after the end of each month, VeriSign will provide Customer with a monthly report on the number of Certificates issued and renewed.
2.5.3 CERTIFICATE REPOSITORY, REVOCATION AND STATUS SERVICES. VeriSign will maintain a repository of Certificates issued in Customer's Private Hierarchy. VeriSign will revoke and suspend Certificates in accordance with the Protocol
2.6 CUSTOMER SUPPORT. During the term of this Agreement, VeriSign will supply maintenance for the Private Label Certificate System as described in this Section 2.6 without additional charge to Customer.
2.6.1 TELEPHONE SUPPORT. VeriSign will provide telephone support as is reasonably necessary for Customer to meet the performance criteria for the Private Label VeriSign Private Label Agreement Page 4
Certificate System as provided in Exhibit "K". VeriSign will also provide telephone support for a reasonable volume of calls to Customer-related entities as provided in Exhibit "L". VeriSign shall provide the support specified in this Section 2.6.1 to Customer's employees responsible for developing and maintaining Customer Products. VeriSign will provide the names of employees who will serve as primary points of contact for technical support for Customer. VeriSign may change the names of designated employees at any time by providing written notice to Customer. On VeriSign's request, Customer will provide a list with the names of the employees designated to receive support from VeriSign. Customer may change the names on the list at any time by providing written notice to VeriSign.
2.6.2 ESCALATION PROCEDURES. Customer and VeriSign shall agree upon a procedure for resolution of operating problems in the Private Label Certificate System which provides for escalation of effort based on the problem severity.
2.6.3 REIMBURSEMENT FOR CORRECTION OF CUSTOMER ERRORS. In the event VeriSign is required to take actions to correct an error which is caused by Customer errors, modifications, enhancements, software or hardware, then VeriSign may charge Customer for the correction or repair on a time-and- materials basis at VeriSign's rates then in effect, plus reimbursement for reasonable travel to and from Customer's sites and out-of-pocket expenses. as may be necessary in connection with duties performed under this Section 2.6 by VeriSign.
2.6.4 SYSTEM RELEASES. In the event operating problems in the Private Label Certificate System are not resolved by the escalation procedures, Customer and VeriSign agree to evaluate the desirability of changing to a later available release version of ECS, ECAS, and other applications employed by VeriSign in provision of the Private Label Certificate System. A change to release level in the Private Label Certificate System will also be evaluated at the time new releases are tested.
2.7 ESCROW AGREEMENT. VeriSign will place in escrow pursuant to the Escrow Agreement set forth at Exhibit "I" all information necessary to build. support. maintain and operate the Private Label Certificate System. This information will be released to Customer upon occurrence of the events specified in such Escrow Agreement.
2.8 CUSTOMER MARKETING RIGHTS. VeriSign acknowledges and understands that Customer will be marketing Certificates and Certificate services using the Private Label Certificate Service being produced by VeriSign to Customer hereunder. VeriSign will be entitled to market Customer to Members as a Certification Authority and to sell Certificates issued in Customer's Private Hierarchy at royalty rates specified on Exhibit "H". All pricing of Certificates to Customer Members under the Certificate Authority Service marketed by Customer shall be determined by Customer, independent of any obligation to support and operate the Private Label Certificate Service by VeriSign hereunder. Customer shall charge its Members directly for use of the Private Label Certificate System.
2.9 CUSTOMER PERSONNEL. Customer may, at its own cost, upon reasonable notice and for the purpose of problem resolution, provide personnel to monitor or participate in the VeriSign Private Label Agreement Page 5
operation of the Private Label Certificate Service and provision of Customer service pursuant to Section 2.6. VeriSign agrees to cooperate with Customer personnel to permit them to assist in establishing appropriate levels of Customer service, participate in problem verification and determination, and prepare to transfer operation of the Private Label Certificate Service to Customer pursuant to the license set forth in Exhibit "J".
2.10 FINANCIAL DATA. In the event Customer ceases to have access to financial information concerning VeriSign pursuant to its rights under that certain Investors' Rights Agreement dated February 20, 1996, or pursuant to filings made in accordance with the Securities Exchange Act of 1934, VeriSign shall make available to Customer on a quarterly basis, an unaudited balance sheet and statement of operations. Such information shall be kept confidential by Customer in accordance with Section 6.
3. CUSTOMER OBLIGATIONS TO VERISIGN
--------------------------------
3.1 PROTOCOL. In addition to specifying SET-based functionality as incorporated in the Customer Requirements for ECS and the System Design Specifications, Customer will specify a Protocol, consisting of policies, procedures and resources to control the entire Certificate process for its Private Hierarchy and the transactional use of Certificates within the Private Hierarchy. The Protocol is not required to be consistent with the requirements of VeriSign's Certification Practice Statement for operation of VeriSign Public Hierarchies.
3.2 VERIFICATION OF SUBSCRIBER INFORMATION. Customer will provide VeriSign with verification of enrollment information submitted by a Subscriber who wishes to become a member of Customer's Private Hierarchy prior to VeriSign's issuance of a Certificate to such Subscriber. Customer will provide VeriSign with verification of a Subscriber's identity to the extent required by the Protocol.
3.3 FORECAST. Customer agrees to provide VeriSign on a confidential basis at the end of each calendar quarter with an updated forecast of the volume of Certificates it expects to be required for Customer's Private Hierarchy for the next six (6) months. The forecasts shall be by product line and based upon good faith estimates and assumptions believed by Customer to be reasonable at the time made.
3.4 CUSTOMER PERSONNEL. To the extent Customer personnel are provided or take action pursuant to Sections 2.9, 4.1.5, or 4.2, such personnel shall be provided solely at Customer's cost, and, upon request, Customer shall provide evidence of satisfaction of all state and federal employment laws and worker compensation requirements in connection with such personnel. Such personnel shall execute confidentiality agreements as VeriSign shall reasonably request, and shall agree to abide by all reasonable VeriSign visitor regulations. Customer understands that VeriSign operates a secure facility and that there are portions of such facility that Customer's personnel will not be permitted to enter. In the event that VeriSign determines that any of Customer's personnel has breached a VeriSign visitor regulation, Customer shall immediately cause such person to be removed from VeriSign's facility, and may provide a replacement. VeriSign Private Label Agreement Page 6
4. DEVELOPMENT
-----------
4.1 DEVELOPMENT OF PROJECT PLAN. Attached as Exhibit D is the Project Plan that specifies the major phases of the development of the Customer's Private Label Certificate System, the major tasks to be completed, the deliverables to be produced and their scheduled completion dates.
4.1.1 DEVELOPMENT OF INTERFACE SPECIFICATIONS. In accordance with the Project Plan. Customer will create Interface Specifications for software interface of the Private Label Certificate System to Customer's Subscriber enrollment and authorization information and deliver the Interface Specifications to VeriSign for review and approval. VeriSign shall deliver written acceptance or rejection of the Interface Specifications within fourteen (14) days. VeriSign shall promptly notify Customer of any deficiencies in the Interface Specifications. Such notification shall be in writing and shall contain sufficient detail to allow Customer to resolve such deficiencies. If VeriSign fails to respond within the fourteen (14) days, Customer may submit written notice of such failure. If VeriSign does not respond with written notice of deficiencies as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by VeriSign. Customer shall respond to deficiencies identified by VeriSign by either making modifications or refuting VeriSign's arguments regarding the deficiency. Any modification to the Interface Specifications shall be resubmitted to VeriSign for review and approval in accordance with the procedures outlined in this Section 4.1.1 .
4.1.2 DEVELOPMENT OF PROTOCOL. In accordance with the Project Plan, Customer will create the Protocol and deliver it to VeriSign for review and approval. VeriSign shall deliver written acceptance or rejection of the Protocol within fourteen ( 14) days. VeriSign shall promptly notify Customer of any deficiencies in the Protocol. Such notification shall be in writing and shall contain sufficient detail to allow Customer to resolve such deficiencies. If VeriSign fails to respond within the fourteen (14) days, Customer may submit written notice of such failure. If VeriSign does not respond with written notice of deficiencies as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by VeriSign. Customer shall respond to deficiencies identified by VeriSign by either making modifications or refuting VeriSign's arguments regarding the deficiency. Any modification to the Protocol shall be resubmitted to VeriSign for review and approval in accordance with the procedures outlined in this Section 4.1.2.
4.1.3 DEVELOPMENT OF SYSTEM DESIGN SPECIFICATIONS. In accordance with the Project Plan, VeriSign will create System Design Specifications for the Private Label Certificate System and deliver the System Design Specifications to Customer to determine material conformity to Exhibit "F" and the Protocol and for Customer acceptance. Customer shall deliver written acceptance or rejection of the System Design Specifications within fourteen (14) days. Customer shall promptly notify VeriSign of any deficiencies in the System Design Specifications. Such notification shall be in writing and shall contain sufficient detail to allow VeriSign to resolve such deficiencies. If Customer fails to respond within the fourteen (14) days, VeriSign may submit written notice of such failure. If Customer does not respond with written VeriSign Private Label Agreement Page 7
notice of deficiencies as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by Customer. VeriSign shall respond to deficiencies identified by Customer by either making modifications or refuting Customer' s arguments regarding the deficiency. Any modification to the System Design Specifications shall be resubmitted to Customer for review and approval in accordance with the procedures outlined in this Section 4.1.3.
4.1.4 DEVELOPMENT OF ACCEPTANCE TEST PROCEDURES. In accordance with the Project Plan, Customer shall create the Acceptance Test Procedures and deliver them to VeriSign for review and approval. VeriSign shall deliver written acceptance or rejection of the Acceptance Test Procedures within fourteen (14) days. VeriSign shall promptly notify Customer of any deficiencies in the Acceptance Test Procedures. Such notification shall be in writing and shall contain sufficient detail to allow Customer to resolve such deficiencies. If VeriSign tails to respond within the fourteen (14) days, Customer may submit written notice of such failure. If VeriSign does not respond with written notice of deficiencies as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by VeriSign. Customer shall respond to deficiencies identified by VeriSign by either making modifications or refuting VeriSign's arguments regarding the deficiency. Any modification to the Acceptance Test Procedures shall be resubmitted to VeriSign for review and approval in accordance with the procedures outlined in this Section 4.1.4.
4.1.5 DEVELOPMENT OF PRIVATE LABEL CERTIFICATE SYSTEM. In accordance with the Project Plan, VeriSign will develop the Private Label Certificate System in material conformity to the Interface Specifications and the System Design Specifications. Development of the Private Label Certificate System will take place at VeriSign's facility located in Mountain View, California or such other place as VeriSign shall reasonably select. VeriSign will deliver notice to Customer that the Private Label Certificate System is in material conformity to the Interface Specifications and the System Design Specifications and ready for acceptance testing on or before the date set forth in the Project Plan. Customer shall have the option to place two Customer employees on VeriSign's development team for the Private Label Certificate System. Such Customer personnel will be fully integrated into the development process and have access to all project information. Such personnel shall be subject to Sections 3.4 and 6 of this Agreement.
4.1.6 DEVELOPMENT OF SERVICE LEVEL SPECIFICATION. Customer and VeriSign have specified a preliminary set of performance criteria against which to measure the adequacy of the Private Label Certificate System in Exhibit "K" hereto, which is acceptable at the Effective Date of this Agreement. Customer and VeriSign recognize that after completion of the major phases of development of the Private Label Certificate System some modification of the Service Level Specification may be desirable. After the Acceptance Test Procedures have been approved by VeriSign, Customer and VeriSign shall cooperate in evaluating whether the Service Level Specification should be amended by Change Order in accordance with Section 4.1.8 and shall negotiate in good faith with respect to this Exhibit K. VeriSign Private Label Agreement Page 8
4.1.7 ACCEPTANCE. Acceptance testing of the Private Label Certificate System in accordance with the Acceptance Test Procedures shall take place at VeriSign's facility located in Mountain View, California, or such other place as VeriSign shall reasonably select, using test data supplied by Customer and supplemented and approved by VeriSign, and shall establish material conformity of the Private Label Certificate System with the Interface Specifications and the System Design Specifications. VeriSign shall be entitled, but not obligated, to have a representative present at all such tests. Customer shall promptly notify VeriSign of any failure of the Private Label Certificate System discovered in testing, and any retesting required will be performed after redelivery of a modified version of the Private Label Certificate System to Customer by VeriSign. Customer shall deliver written acceptance of the Private Label Certificate System after establishment of material conformance to the Interface Specifications and the System Design Specifications and material satisfaction of the Acceptance Test Procedures within fourteen (14) days of the completion of the testing. Such notification acceptance shall be in writing. If Customer fails to respond within the fourteen (14) days, VeriSign may submit written notice of such failure. If Customer does not respond with written notice of acceptance as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by Customer.
4.1.8 CHANGE ORDERS. Any amendment to a Program Document after its acceptance, shall only be effected by a change order ("CHANGE ORDER") approved
------------ as follows:
4.1.8.1 CUSTOMER INITIATED. Customer may initiate a Change Order by delivering to VeriSign a writing signed by Customer's Program Manager requesting VeriSign to prepare a proposed Change Order. Such writing shall specify the requested change and cross-reference to Sections of the Program Documents that are proposed to be amended.
4.1.8.2 VERISIGN INITIATED. VeriSign may initiate a Change Order by delivering to Customer a proposed Change Order meeting the requirements of Section 4.1.8.3.
4.1.8.3 PREPARATION. Upon receipt of a written request as set forth above in this Section 4. 1.8, VeriSign shall, on or before fifteen (15) days after receipt of such request, prepare for Customer's review a proposed Change Order. Such proposed Change Order shall contain:
(i) a detailed description of the proposed amendments to the Program Documents;
(ii) the change, if any, to scheduled delivery of any item;
(iii) change in amounts due VeriSign under Exhibit "B" as a result of such Change Order. It is the expectation of the parties that enhancements, over and above the work initially specified in the Program Documents, which both parties deem necessary to permit reasonable implementation of the Private Label Certificate System, will be jointly funded in a spirit of cooperation between VeriSign and Customer. Those changes specifically requested by Customer, which are considered out of the scope of the original Program Documents, will be provided by VeriSign at its then-current time and materials rates. VeriSign Private Label Agreement Page 9
4.1.8.4 EVALUATION. Customer shall evaluate, and respond to VeriSign with respect to, any proposed Change Order on or before the fifteenth (15) business day after receipt.
4.1.8.5 APPROVAL. Change Orders shall become effective and shall act as amendments to this Agreement and to portions of the Program Documents specified in such Change Orders only upon their execution by an officer or the Program Manager of VeriSign and by an officer or the Program Manager of Customer.
4.1.8.6 TECHNICAL SERVICES. In the event that a Change Order alters the scope of the project as originally defined, VeriSign will provide the following technical services to Customer at VeriSign's then standard rates:
4.1.8.6.1 Engineering assistance in developing interfaces for Certificate services to Customer's proprietary databases containing authorization and enrollment information regarding Subscribers.
...
*End of Preview*
Click the 'Add to Cart' button to download the complete and formatted agreement.