Subscriber Agreement
This agreement governs the relationship between DDSign (Centric Limited) and any individual who applies for and receives a digital certificate under our E-CSP licence.
Document Reference: CENT-ECSP-SA-001 · Version 1.0
Preamble
This Subscriber Agreement ("Agreement") is entered into between Centric Limited, a company incorporated under the laws of the Republic of Kenya ("the E-CSP", "we", "us", or "our"), operating the ddsign Certification Authority under its Electronic Certification Service Provider licence issued by the Communications Authority of Kenya, and the individual identified in the certificate application ("the Subscriber", "you", or "your").
By submitting a certificate application through the ddsign platform, you acknowledge that you have read, understood, and agree to be bound by the terms of this Agreement, the Certification Practice Statement (CPS), and the Certificate Policy (CP) published by the E-CSP.
1. Definitions
| Term | Definition |
|---|---|
| Certificate | An electronic document issued by the ddsign Certification Authority that binds a public key to the identity of the Subscriber, in accordance with the X.509 v3 standard. |
| Certification Authority (CA) | The ddsign CA operated by Centric Limited, responsible for issuing, managing, and revoking digital certificates. |
| Certificate Policy (CP) | The document that defines the named policies under which certificates are issued and the assurance level each policy provides. |
| Certification Practice Statement (CPS) | The document that describes the practices and procedures the ddsign CA follows in issuing, managing, and revoking certificates. |
| Key Pair | A mathematically related pair of cryptographic keys consisting of a private key and a corresponding public key. |
| Private Key | The cryptographic key in a key pair that is kept confidential by the Subscriber and used to create digital signatures. |
| Public Key | The cryptographic key in a key pair that is made publicly available within the certificate and used by relying parties to verify digital signatures. |
| Registration Authority (RA) | The entity responsible for verifying the identity of the Subscriber before a certificate is issued. |
| Relying Party | Any person or entity that relies on a certificate or a digital signature created using that certificate to verify the identity of the Subscriber. |
| Subscriber | The natural person named in a certificate issued by the ddsign CA, who has accepted this Agreement and to whom the corresponding private key has been assigned. |
2. Eligibility
To be eligible for a certificate issued by the ddsign CA, you must:
- Be a natural person of legal age under the laws of the Republic of Kenya.
- Hold a valid, government-issued identification document (Kenyan national identity card or passport).
- Submit to the identity verification process conducted by the Registration Authority, including in-person verification where required.
- Provide accurate, complete, and truthful information in the certificate application.
- Have the legal capacity to enter into this Agreement.
3. Certificate Application and Issuance
3.1 Application Process
To obtain a certificate, the Subscriber shall:
- Complete the certificate application form on the ddsign platform, providing all required personal information.
- Present valid identification documents to the Registration Authority for identity verification.
- Generate a key pair using the ddsign platform or approved client-side software, and submit a Certificate Signing Request (CSR) containing the Subscriber's public key.
- Review and accept this Agreement, the CPS, and the CP before the certificate is issued.
3.2 Identity Verification
The Registration Authority shall verify the Subscriber's identity in accordance with CPS Section 3.2 (Initial Identity Validation). The E-CSP reserves the right to reject any application where the identity of the applicant cannot be satisfactorily verified.
3.3 Certificate Issuance
Upon successful verification of the Subscriber's identity and validation of the CSR, the ddsign CA shall issue the certificate. The Subscriber shall be notified of issuance by email with instructions for certificate retrieval.
3.4 Certificate Acceptance
The Subscriber shall review the contents of the issued certificate to confirm that all information is accurate. Use of the certificate or failure to object within seven (7) days of issuance constitutes acceptance. If any information in the certificate is inaccurate, the Subscriber shall immediately notify the E-CSP and request revocation.
4. Subscriber Obligations
By accepting a certificate, the Subscriber agrees to the following obligations:
4.1 Accuracy of Information
The Subscriber shall ensure that all information provided in the certificate application is accurate, complete, and not misleading. The Subscriber shall promptly notify the E-CSP of any change in the information contained in the certificate.
4.2 Private Key Protection
The Subscriber shall:
- Maintain sole control of the private key corresponding to the public key in the certificate.
- Protect the private key from unauthorised access, disclosure, modification, or use.
- Use the private key only on systems and in environments that provide adequate security.
- Never share, transfer, or delegate use of the private key to any other person or entity.
- Immediately notify the E-CSP and request certificate revocation if the private key is compromised, lost, or suspected of being compromised.
4.3 Lawful Use
The Subscriber shall:
- Use the certificate only for the purposes permitted by the Certificate Policy (signing electronic documents through the ddsign platform).
- Not use the certificate for any purpose that is prohibited by the CPS, the CP, or applicable law.
- Not use the certificate for authentication, encryption, code signing, or any purpose other than creating Advanced Electronic Signatures on documents.
4.4 Prompt Notification
The Subscriber shall notify the E-CSP without delay if:
- The private key has been compromised or is suspected of being compromised.
- Any information in the certificate has become inaccurate.
- The Subscriber wishes to cease using the certificate.
- The Subscriber becomes aware of any misuse of the certificate.
5. Permitted and Prohibited Uses
5.1 Permitted Uses
The certificate may be used solely for:
- Creating Advanced Electronic Signatures on electronic documents within the ddsign platform.
- Producing long-lived signatures with embedded validation data for document integrity and non-repudiation.
5.2 Prohibited Uses
The certificate shall not be used for:
- Authentication or login to systems or services.
- Encryption or decryption of data.
- Code signing or software distribution.
- Any illegal, fraudulent, or deceptive purpose.
- Any purpose not explicitly authorised by the Certificate Policy.
- Signing on behalf of another person without proper legal authority (e.g., power of attorney).
6. Third-Party Disclosure and Consent
This section sets out the circumstances under which the E-CSP may disclose Subscriber data to third parties, and the Subscriber's explicit consent to such disclosures.
6.1 Disclosures Inherent to the PKI Trust Model
The Subscriber acknowledges and agrees that the following information is disclosed as an inherent and necessary function of the public key infrastructure:
- The Subscriber's name as it appears in the certificate Subject Distinguished Name.
- The certificate serial number, public key, validity period, and issuer information.
- The certificate revocation status, published via Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP).
This information is publicly accessible to any relying party and is essential for the trust model to function. By applying for a certificate, the Subscriber consents to this publication.
6.2 Disclosures to Regulatory Authorities
The Subscriber acknowledges and consents to the disclosure of personal data, certificate records, and transactional data to the following regulatory authorities where required by law:
- The Communications Authority of Kenya, in the exercise of its supervisory powers over E-CSPs.
- The Office of the Data Protection Commissioner, in connection with data protection inquiries or breach notifications.
- Any court of competent jurisdiction pursuant to a valid court order or subpoena.
6.3 Disclosures to Third-Party Service Providers
The E-CSP may engage third-party service providers (such as hosting providers, backup service providers, or hardware security module vendors) to support the operation of the ddsign CA. The Subscriber consents to the disclosure of personal data to such providers, subject to the following safeguards:
- Each third-party provider is bound by a written data processing agreement that meets the requirements of the Kenya Data Protection Act, 2019.
- Each provider is subject to confidentiality obligations no less protective than those imposed on the E-CSP.
- The E-CSP retains the right to audit the provider's data protection practices.
- A current list of third-party providers and their roles may be requested by the Subscriber from the E-CSP at any time.
6.4 Disclosures Not Permitted Without Additional Consent
The E-CSP shall not disclose the Subscriber's personal data, identity verification records, or transactional data to any party not described in Sections 6.1 through 6.3 without obtaining the Subscriber's separate, explicit, informed consent at the time of the proposed disclosure. Such consent shall specify:
- The identity of the third party.
- The categories of data to be disclosed.
- The purpose of the disclosure.
- The duration for which consent is granted.
The Subscriber may withdraw consent for any non-mandatory disclosure at any time by notifying the E-CSP in writing. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
6.5 Explicit Consent Declaration
By accepting this Agreement, the Subscriber expressly declares:
"I consent to the disclosure of my personal data as described in Sections 6.1, 6.2, and 6.3 of this Agreement. I understand that disclosures under Sections 6.1 and 6.2 are necessary for the operation of the certification service and for compliance with applicable law, and that disclosures under Section 6.3 are limited to service providers bound by data protection agreements. I understand that any disclosure beyond these categories requires my separate, explicit consent, which I may grant or withhold at my discretion."
7. Data Protection and Privacy
7.1 Data Controller
Centric Limited is the data controller for all personal data collected and processed in connection with the ddsign E-CSP operation.
7.2 Categories of Data Processed
The E-CSP processes the following categories of Subscriber data:
- Identity data: Full name, national ID or passport number, date of birth, nationality.
- Contact data: Email address, phone number, postal address.
- Certificate data: Public key, certificate serial number, validity period, Subject DN.
- Transactional data: Certificate requests, issuance records, revocation records, signing event metadata.
- Technical data: IP address, browser information, platform access logs.
7.3 Purpose of Processing
Subscriber data is processed for the following purposes:
- Verifying the identity of the Subscriber as required by the CPS and applicable regulations.
- Issuing, managing, renewing, re-keying, and revoking certificates.
- Publishing certificate status information (CRL, OCSP).
- Maintaining audit trails as required by the E-CSP licensing conditions.
- Responding to support requests from the Subscriber.
- Complying with legal and regulatory obligations.
7.4 Retention
Subscriber data is retained in accordance with the Subscriber Data Confidentiality and Privacy Protection Policy. Identity verification records and certificate lifecycle records are retained for a minimum of seven (7) years from certificate expiry or revocation, as required by the Kenya Information and Communications Act (KICA Section 411A).
7.5 Subscriber Rights
The Subscriber has the rights set out in the Kenya Data Protection Act, 2019, including the right of access, rectification, erasure (subject to legal retention obligations), restriction of processing, data portability, and objection. Requests may be submitted to the E-CSP's Data Protection Officer at the contact details provided in Section 15.
8. Fees
Certificate issuance, renewal, and re-key fees are published on the ddsign platform and may be updated from time to time. The Subscriber shall pay all applicable fees before a certificate is issued or renewed.
The E-CSP does not charge fees for certificate revocation, access to certificate status information (CRL and OCSP), or access to the CPS, CP, or PKI Disclosure Statement.
Refunds are available only where the E-CSP is unable to issue a certificate after the Subscriber has paid the application fee, and the inability is not attributable to the Subscriber (e.g., failure to complete identity verification).
9. Certificate Revocation
9.1 Revocation by the Subscriber
The Subscriber may request revocation of their certificate at any time by submitting a signed revocation request through the ddsign platform or by contacting the E-CSP directly. The E-CSP shall authenticate the request and process the revocation without undue delay.
9.2 Revocation by the E-CSP
The E-CSP may revoke a certificate without the Subscriber's consent if:
- The private key corresponding to the certificate is known or reasonably suspected to be compromised.
- The Subscriber has breached any material term of this Agreement.
- The information in the certificate is or has become inaccurate or misleading.
- The certificate was issued in error or based on fraudulent information.
- The E-CSP is required to do so by a court order or regulatory directive.
- The E-CSP ceases operations or its E-CSP licence is revoked or not renewed.
- Continued use of the certificate would pose a risk to the trust model or to relying parties.
9.3 Effect of Revocation
Upon revocation, the Subscriber shall immediately cease using the certificate and the associated private key for signing purposes. The revocation is published via CRL and OCSP. Revocation is permanent and irreversible; if the Subscriber requires a new certificate, they must submit a new application.
10. Representations and Warranties
10.1 E-CSP Warranties
The E-CSP represents and warrants that it shall:
- Operate the ddsign CA in accordance with the CPS, the CP, and applicable law.
- Issue certificates only after successful identity verification by the RA.
- Publish accurate and timely certificate status information via CRL and OCSP.
- Protect Subscriber data in accordance with the Subscriber Data Confidentiality and Privacy Protection Policy.
- Notify affected Subscribers without undue delay in the event of a CA key compromise or other material security incident.
10.2 Subscriber Warranties
The Subscriber represents and warrants that:
- All information provided in the certificate application is accurate, complete, and not misleading.
- The Subscriber is the person identified in the certificate and has the legal right to use the identity information.
- The private key is and shall remain under the Subscriber's sole control.
- The certificate shall be used only for the purposes permitted by the CP and this Agreement.
- The Subscriber shall comply with all obligations set out in this Agreement.
11. Limitation of Liability
To the maximum extent permitted by the laws of the Republic of Kenya:
- Aggregate cap: The E-CSP's total aggregate liability to the Subscriber for any and all claims arising out of or in connection with this Agreement, whether in contract, tort (including negligence), or otherwise, shall not exceed the total fees paid by the Subscriber to the E-CSP in the twelve (12) months preceding the event giving rise to the claim.
- Exclusion of indirect damages: The E-CSP shall not be liable for any indirect, incidental, consequential, special, or punitive damages, including loss of profits, loss of data, loss of business opportunity, or reputational harm, even if advised of the possibility of such damages.
- Subscriber fault: The E-CSP shall not be liable for any loss or damage arising from the Subscriber's failure to protect the private key, failure to request timely revocation, or use of the certificate for purposes not permitted by this Agreement.
- Relying party fault: The E-CSP shall not be liable for any loss or damage arising from a relying party's failure to check the certificate status before reliance.
12. Indemnification
The Subscriber shall indemnify and hold harmless Centric Limited, its directors, officers, employees, and agents from and against any claims, losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from or in connection with:
- The Subscriber's breach of any term of this Agreement.
- Inaccurate, incomplete, or misleading information provided by the Subscriber.
- The Subscriber's failure to protect the private key.
- Unauthorised or unlawful use of the certificate by the Subscriber or any person who obtained access through the Subscriber's negligence.
13. Term and Termination
13.1 Term
This Agreement takes effect upon the Subscriber's acceptance (whether by electronic acceptance on the ddsign platform or by signature) and remains in force for as long as any certificate issued to the Subscriber remains valid (not expired and not revoked).
13.2 Termination
This Agreement may be terminated:
- By the Subscriber, at any time, by requesting revocation of all active certificates and notifying the E-CSP in writing.
- By the E-CSP, upon revocation of all of the Subscriber's certificates for any of the grounds listed in Section 9.2.
- Automatically, upon expiry or revocation of the Subscriber's last active certificate.
13.3 Survival
The following sections survive termination of this Agreement: Section 4 (Subscriber Obligations, to the extent relevant to post-termination conduct), Section 6 (Third-Party Disclosure and Consent, for the duration of data retention), Section 7 (Data Protection and Privacy), Section 10 (Representations and Warranties), Section 11 (Limitation of Liability), Section 12 (Indemnification), Section 14 (Governing Law and Dispute Resolution), and any other provision that by its nature is intended to survive.
14. Governing Law and Dispute Resolution
14.1 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the Republic of Kenya.
14.2 Dispute Resolution
Any dispute arising out of or in connection with this Agreement shall first be submitted to good-faith negotiation between the parties. If the dispute is not resolved within thirty (30) days of the written notice of the dispute, either party may refer the matter to mediation under the Nairobi Centre for International Arbitration rules. If mediation fails, the dispute shall be submitted to the exclusive jurisdiction of the courts of Nairobi, Kenya.
15. Contact Information
For questions, notices, or requests relating to this Agreement, contact the E-CSP at:
| Field | Details |
|---|---|
| Organisation | Centric Limited |
| Service Name | ddsign Certification Authority |
| Email | support@ddsign.app |
16. Acceptance
By clicking "I Accept" on the ddsign platform, or by signing this document, the Subscriber confirms that they have read and understood this Agreement in its entirety and agree to be bound by its terms.