CODE SIGNING AGREEMENT
Company has provided certain code through the Windows Hardware Dev Center for Microsoft to evaluate for digital code signing in accordance with this Code Signing Agreement (“Agreement”).
1. DEFINITIONS
(a) “Code” means computer code in object code form that is designed to execute on Windows operating systems and submitted by Company to Microsoft for digital signing under this Agreement.
(b) “Data Protection Law” means any law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, applicable to Company or Microsoft, relating to data security, data protection, or privacy, and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted.
(c) “EV Certificate” means an Extended Validation Certificate issued by a certificate authority under the guidelines published by the Certification Authority Browser Forum at www.cabforum.org.
(d) “Intellectual Property Rights” or “IPR” means all intellectual and proprietary rights existing under statute or at common law or equity, in force or recognized now or in the future in any jurisdiction. For the purpose of this agreement, IPR does not include trademark rights.
(e) “Malware” means any malicious or unwanted software, including any virus or worm.
(f) “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) and any other data or information that constitutes personal data or personal information under any applicable Data Protection Law. An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
(g) “Policy” means the then-current policies, guidelines, procedures, and requirements periodically posted by Microsoft at the Portal.
(h) “Portal” means the websites at developer.microsoft.com/windows/hardware/ (where Company may set up an account, accept this Agreement, and submit Code for digital signing) and at developer.microsoft.com/, or any successor websites.
(i) “Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process” and “Processed” will have corresponding meanings.
(j) “Signed Code” means Code that Microsoft determines has passed all applicable tests, has been digitally signed by Microsoft and contains a valid Microsoft digital signature.
(k) “Vulnerability” means a flaw, weakness, or bug in software that can be exploited.
2. EVALUATION AND CODE SIGNING
(a) Company. (i) Company must have an active Portal account and EV Certificate to submit Code for digital signing. (ii) Company will submit Code to Microsoft in accordance with Policy and, on request, also provide user, installation, and technical information associated with Code. (iii) If Company modifies any Signed Code (including any enhancement, bug fix, or update) and wants the modified Code to be re-signed by Microsoft, Company must submit the modified Code for evaluation under this §2. (iv) Company will not submit Code on behalf of third parties. (v) Company will cooperate with Microsoft to provide all information necessary for Microsoft to assess compliance with local rules and regulations, including the Software Bill of Materials (“SBOM”) and Executive Order 14028.
(b) Microsoft. (i) Microsoft may evaluate any Code or other information submitted. (ii) If Microsoft determines the Code has passed evaluation and complies with Policy, then Microsoft may digitally sign the Code. (iii) Microsoft will in its sole discretion, within a reasonable time after submission, provide Company either Signed Code or notice why the Code will not be signed.
3. BLOCKED CODE AND REVOCATION
(a) Microsoft may (and without conducting an audit under §6) block end users’ access to Signed Code by adding its file properties to an untrusted list, revoke some or all Microsoft digital signatures, remove Company from the Hardware Dev Center, and remove Company from the Microsoft Partner Network (collectively, “Microsoft Actions”) if Company engages in untrustworthy behavior such as (i) breaching this Agreement, (ii) failing to comply with Policy, (iii) failing an audit or fails to comply with an audit request as described in §6, (iv) ceasing to provide support for the Signed Code, (v) submitting Code on behalf of third parties, or (vi) submitting Code that contains Malware or Vulnerabilities (including if such Malware or Vulnerabilities are later discovered in Signed Code) (collectively, “Company Actions”), and Microsoft determines that any such Company Action or Signed Code undermines the security or integrity of the signing process or of any Microsoft ecosystem or its users. (b) Microsoft may in its sole discretion elect to make Microsoft Actions permanent if (i) Company submits Code on behalf of another entity or (ii) Company repeatedly engages in the actions described in Section 3(a)(i)-(v). (c) Depending on the seriousness of Company Actions, Microsoft may in its sole discretion elect to take Microsoft Actions immediately or give Company a 15-day cure period before implementing Microsoft Actions. (d) Microsoft will notify Company within 30 days after such Microsoft Actions. If Microsoft notifies Company of any Microsoft Actions, Company will immediately stop referring to the blocked or revoked Code as having been signed or otherwise approved by Microsoft and cease distributing the blocked or revoked Code. The rights granted to Company in Section 4(b) terminate immediately for all blocked or revoked Code on Microsoft’s notice to Company. (e) End user, third party OEM, and distributor licenses granted prior to such Microsoft Actions will survive, but this may not be construed as a warranty that blocked or revoked Code will continue to function.
4. INTELLECTUAL PROPERTY
(a) Licenses to Microsoft. Company grants Microsoft, under all Company’s IPR, a worldwide, nonexclusive, royalty-free, fully paid up right to, solely in relation to performing under this Agreement, reproduce and use, directly or indirectly, any Code and any installation and technical reference information provided by Company.
(b) Licenses to Company. Microsoft grants Company, under all Microsoft’s IPR, a worldwide, nonexclusive, royalty-free, revocable, fully paid up right to reproduce, use, and distribute, directly or indirectly, Microsoft digital signatures solely as applied by or on behalf of Microsoft to Company’s Signed Code. This license applies solely to Microsoft digital signatures and does not extend to any Code itself or any other Microsoft IPR.
(c) No Distribution. Microsoft covenants not to externally distribute Company’s Code without Company’s written consent.
5. SUPPORT
Microsoft does not provide support to end-users. Company will support its end-users and Microsoft for the Signed Code . For end users with paid support agreements, Company will either provide and maintain a customer support telephone number (available 9am-5pm in the local market served) or a Company email address to which Microsoft can transfer or send end user support inquiries. Company will contact the identified end user promptly after receiving such an inquiry. Subject to Section 3, Company may terminate support for any Signed Code on 90 days’ notice to Microsoft.
6. AUDIT
Microsoft may, on 30 days’ notice to Company (including by email) audit any Signed Code. Within 15 days after such notice, Company will send to Microsoft the Signed Code, related installation and technical reference information, and any other documentation reasonably necessary to complete the audit.
7. PAYMENT
Microsoft will not charge any fees to Company for evaluation or signing of Code or with respect to any other Microsoft obligation under this Agreement.
8. REPRESENTATIONS AND WARRANTIES
Company represents and warrants that: (a) it has the power and authority to enter into, and fully perform under, this Agreement; (b) every submission of Code by Company is an attestation of Company’s full compliance with Section 2 and with the Business Integrity Principles from the Microsoft Partner Network Agreement; (c) submitted Code is ready for release for general public distribution, is free from Malware and Vulnerabilities, and Company has fully tested such Code and remediated all known errors materially affecting the Code’s functionality; (d) submitted Code is subject to ongoing support, error detection, and correction; (e) it has not granted and will not grant to any third party any rights in Code that are inconsistent with the rights granted to Microsoft in this Agreement; (f) submitted Code does not infringe any third-party IPR; and (g) submitted Code is not, in whole or in part, governed by a license that requires recipients of a product including that Code be provided with any authorization keys necessary to make modified versions of the Code operate with such product. Microsoft does not assume any obligations under such a license, and Microsoft will not disclose its keys used to sign Code to help Company comply with such a license agreement.
9. INDEMNIFICATION
If a Claim is brought against Microsoft or its Affiliates, agents, licensees, or successors, or any agents, directors, officers, or employees of any of them (collectively, “Indemnitees”), Company will defend, indemnify, and hold the Indemnitees harmless from the Claim (including by paying litigation costs and reasonable attorneys’ fees). Company has no liability under this Section 9, however, to the comparative extent a Claim results from the gross negligence or willful misconduct of any Indemnitee. Microsoft: (a) will promptly notify Company of any Claim for which it seeks a defense, and permit Company, using mutually-agreed counsel, to answer and defend; (b) at Company’s reasonable request and expense, will assist in, and provide non-confidential information necessary to, the defense; and (c) at its sole expense, may participate in the defense with separate counsel. Company is not liable for settlements it does not consent to and will not settle Claims under this Section 9 without Microsoft’s consent (with both parties’ consent not unreasonably withheld). No party will stipulate, admit, or acknowledge fault or liability on the other’s part without the other’s written consent. Company will not publicize any settlement without Microsoft’s written consent. “Claim” means an unaffiliated third party’s demand, suit, or other action to the extent, if true as alleged, reflects or relates to the use and distribution by or on behalf of Company of Signed Code (expressly excluding only claims that allege a defect in the digital signature itself or that such digital signature infringes or misappropriates third-party IPR).
10. WARRANTY DISCLAIMER
Policy and all digital signatures are provided “as is” and with all faults, and, except as provided in Section 8, both parties disclaim all warranties (express, implied, or statutory), including implied warranties of merchantability and fitness for a particular purpose. Also, there is no warranty of title or non-infringement with respect to Policy or any digital signatures.
11. LIMITED LIABILITIES
Neither party will be liable for any indirect, consequential, incidental, punitive, or special damages (including for lost profits, lost opportunities, or delays or errors in testing) relating in any way to this Agreement, even if such party has been advised such damages are possible. Each party’s entire liability related in any way to this Agreement will be limited to direct damages incurred in reasonable reliance, not to exceed $5.00. The foregoing limitations, exclusions, and disclaimers will apply to the maximum extent permitted by applicable law, regardless of the form or cause of action, even if any remedy fails its essential purpose. This Section 11 will not apply to breach or performance of Section 9, or any breach of Sections 8 or 14.
12. TERM AND TERMINATION
This Agreement begins on the Effective Date and continues until terminated under this Section 12 (“Term”). Either party may terminate this Agreement, for any reason or no reason, on 30 days’ notice to the other (which may be by email). Sections 1, 3, 8, 9, 10, 11, 12, 13, 14, and 15 will survive termination of this Agreement.
13. DATA PRIVACY
Each party will comply with its obligations under Data Protection Law. Microsoft may, annually or on customer complaint, conduct a compliance review of Company’s adherence to or execution of privacy obligations under this Agreement. Absent customer complaint, however, Company may submit an attestation of compliance in lieu of participating in a compliance review. The nature, purpose, and subject matter of the Processing, including the types of Personal Data and categories of data subjects involved, are described in the Agreement. Company will not Process Personal Data for any other purpose. Company warrants that its Code has been developed to operate with data received from Microsoft in a secure manner. Company’s network, operating system, and the software of its servers, databases, and computer systems must be properly configured to securely operate its Code and store data, including Personal Data, collected through the Code. Company’s Code and any related service must use reasonable security measures to protect Personal Data of its users. With respect to Personal Data transferred under this Agreement, both Company and Microsoft are independent data controllers, and not joint controllers (defined in the the European Union’s General Data Protection Regulation (2016/679) (“GDPR”)) of the Personal Data that each independently Processes. Company will delete all Personal Data within 30 days of receipt.
14. CONFIDENTIALITY
During and for five years after the Term, each party: (a) will not disclose the other’s Confidential Information to any third party; (b) will not use the other’s Confidential Information except as this Agreement expressly permits or as the other party otherwise consents in writing; (c) will protect the other’s Confidential Information from unauthorized use and disclosure with the same degree of care that such party uses to protect its own like information (but no less than reasonable care). Each party may, however, disclose the other’s Confidential Information if required to comply with a court order or other government demand that has the force of law. Before doing so, disclosing party will use commercially reasonable efforts to seek the highest level of protection available and, when possible, give the other enough prior notice to provide a reasonable chance to seek a protective order. Except as expressly provided in this Agreement, no ownership or license right is granted in any Confidential Information. Neither party is required to restrict work assignments of representatives who have had access to the other’s Confidential Information. If any of a party’s Confidential Information is retained in the unaided memories of the other’s representatives, and that retained Confidential Information is used in development or deployment of the other party’s products or services, such use does not create liability under this Agreement or trade secret law, and each party will limit what it discloses to the other accordingly. “Confidential Information” means non-public information, know-how, and trade secrets in any form that are designated as “confidential,” or that a reasonable person knows or reasonably should understand to be confidential and which, in each case, are disclosed by a party in relation to this Agreement. Confidential Information will not include any information, however designated, that: (u) is or becomes publicly available without a breach of this Agreement; (v) was lawfully known to the receiver of the information without an obligation to keep it confidential; (w) is received from another source who can disclose it lawfully and without an obligation to keep it confidential; (x) is independently developed; (y) is a comment or suggestion one party volunteers about the other’s business, products, or services; or (z) are reports or other information regarding any Code, including digital signatures that have been applied to Code.
15. GENERAL
(a) Notices. All notices under this Agreement will be: (i) in writing; (ii) deemed given when received; (iii) sent by delivery service, messenger, or registered or certified mail (postage prepaid, return receipt requested); and (iv) addressed and sent, with any required copies, as provided in this Section 15(a). Notices to Microsoft will be sent by physical mail to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, U.S.A. with a copy via facsimile to Microsoft Corporate, External, and Legal Affairs, Attn: CELA Azure Edge + Platform, (425) 936-7329. Communications to Company, as well as communication in the ordinary course of business to Microsoft (which do not include any notices related to alleged breach, disputes, or defense or handling of any third party claims), may be sent by email and need not be copied to counsel.
(b) Law. This Agreement is governed by Washington State law (disregarding conflicts of law principles), and the parties consent to exclusive jurisdiction and venue in the state and federal courts in King County, Washington, USA. Neither party will claim lack of personal jurisdiction or forum non conveniens in these courts.
(c) Assignment. Company may not assign this Agreement, or any rights or obligations under it, whether by operation of contract, law or otherwise, except with Microsoft’s express written consent. A change in the control of Company (including by merger or acquisition) is deemed to be an assignment for purposes of this §15(c).
(d) Export Restrictions. Both parties acknowledge that Code are subject to U.S. export jurisdiction. The parties agree to comply with all applicable international and national laws that apply to the Code, including the U.S. Export Administration Regulations, as well as end-user, end-use and destination restrictions issued by U.S. and other governments. For additional information, see www.microsoft.com/exporting/.
(e) Severability. If for any reason a court of competent jurisdiction finds any provision of this Agreement, or portion thereof, to be unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible, and the remainder of this Agreement will continue in full force and effect. This Agreement has been negotiated by the parties and their respective counsel and will be interpreted fairly in accordance with its terms and without any strict construction in favor of or against either party.
(f) No Waiver. No failure or delay on the part of either party in the exercise of any right, power or remedy under this Agreement or under law, or to insist upon or enforce performance by the other party of any of the provisions of this Agreement or under law, will operate as a waiver thereof, nor will any single or partial exercise of any right, power or remedy preclude other or further exercise thereof, or the exercise of any other right, power or remedy; rather the provision, right, or remedy will be and remain in full force and effect.
(g) Miscellaneous. Each party is an independent contractor to the other and has no authority to act on behalf of or bind the other, and this Agreement does not create any other relationship (e.g., employment, partnership, agency, or any exclusive relationship). All rights and remedies under this Agreement are cumulative. Each party will pay its own costs to perform (except if expressly stated otherwise). When performing this Agreement, each party will comply with applicable laws. Only written waivers are effective. This Agreement does not create an exclusive relationship between the parties. There are no third-party beneficiaries under this Agreement. The parties will conduct all activities under this Agreement in English. During and for five years after the Term, Company will maintain commercially reasonable liability insurance customary in the industry, in amounts sufficient to meet its liabilities under this Agreement and applicable law. Neither party is liable for failing to perform its obligations under this Agreement due to acts of God, natural disasters, war, civil disturbance, pandemic, or government action where the cause is beyond the party’s reasonable control. This Agreement constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior and contemporaneous agreements or communications with respect to that subject. It will not be modified except by a written agreement dated after the date of this Agreement and signed on behalf of Company and Microsoft by their respective duly authorized representatives.
Revised August 2022.
[Rest of this page intentionally left blank]