AS FILED WITH THE SECURITIES AND EXCHANGE COMMISSION ON JANUARY 29, 1998
REGISTRATION NO. 333-40789
--------------------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
---------------
AMENDMENT NO. 4
TO
FORM S-1
REGISTRATION STATEMENT
UNDER
THE SECURITIES ACT OF 1933
---------------
VERISIGN, INC.
(EXACT NAME OF REGISTRANT AS SPECIFIED IN ITS CHARTER)
DELAWARE
(STATE OR OTHER JURISDICTION OF INCORPORATION OR ORGANIZATION)
7371
(PRIMARY STANDARD INDUSTRIAL CLASSIFICATION CODE NUMBER)
94-3221585
(I.R.S. EMPLOYER IDENTIFICATION NUMBER)
---------------
1390 SHOREBIRD WAY
MOUNTAIN VIEW, CALIFORNIA 94043
(650) 961-7500
(ADDRESS, INCLUDING ZIP CODE, AND TELEPHONE NUMBER, INCLUDING AREA CODE, OF
REGISTRANT'S PRINCIPAL EXECUTIVE OFFICES)
---------------
DANA L. EVAN
CHIEF FINANCIAL OFFICER
VERISIGN, INC.
1390 SHOREBIRD WAY
MOUNTAIN VIEW, CALIFORNIA 94043
(650) 961-7500
(NAME, ADDRESS, INCLUDING ZIP CODE, AND TELEPHONE NUMBER, INCLUDING AREA CODE,
OF AGENT FOR SERVICE)
---------------
COPIES TO:
LAIRD H. SIMONS III, ESQ.
JEFFREY R. VETTER, ESQ.
MICHAEL J. MCADAM, ESQ.
FENWICK & WEST LLP
TWO PALO ALTO SQUARE
PALO ALTO, CALIFORNIA 94306
(650) 494-0600

TIMOTHY TOMLINSON, ESQ.
TOMLINSON ZISKO MOROSOLI & MASER LLP
200 PAGE MILL ROAD
SECOND FLOOR
PALO ALTO, CALIFORNIA 94306
(650) 325-8666

ROBERT P. LATTA, ESQ.
CHRIS F. FENNELL, ESQ.
CHRIS E. MONTEGUT, ESQ.
WILSON SONSINI GOODRICH & ROSATI,
PROFESSIONAL CORPORATION
650 PAGE MILL ROAD
PALO ALTO, CALIFORNIA 94304-1050
(650) 493-9300

APPROXIMATE DATE OF COMMENCEMENT OF PROPOSED SALE TO THE PUBLIC: As soon as
practicable after the effective date of this Registration Statement.
If any of the securities being registered on this form are to be offered on
a delayed or continuous basis pursuant to Rule 415 under the Securities Act of
1933, check the following box. [_]
If this form is filed to register additional securities for an offering
pursuant to Rule 462(b) under the Securities Act, check the following box and
list the Securities Act registration statement number of the earlier effective
registration statement for the same offering. [_]__________
If this form is a post-effective amendment filed pursuant to Rule 462(c)
under the Securities Act, check the following box and list the Securities Act
registration statement number of the earlier effective registration statement
for the same offering. [_]________
If this form is a post-effective amendment filed pursuant to Rule 462(d)
under the Securities Act, check the following box and list the Securities Act
registration statement number of the earlier effective registration statement
for the same offering. [_]__________
If delivery of the prospectus is expected to be made pursuant to Rule 434,
check the following box. [_]
---------------
THE REGISTRANT HEREBY AMENDS THIS REGISTRATION STATEMENT ON SUCH DATE OR
DATES AS MAY BE NECESSARY TO DELAY ITS EFFECTIVE DATE UNTIL THE REGISTRANT
SHALL FILE A FURTHER AMENDMENT WHICH SPECIFICALLY STATES THAT THIS
REGISTRATION STATEMENT SHALL THEREAFTER BECOME EFFECTIVE IN ACCORDANCE WITH
SECTION 8(a) OF THE SECURITIES ACT OF 1933 OR UNTIL THE REGISTRATION STATEMENT
SHALL BECOME EFFECTIVE ON SUCH DATE AS THE COMMISSION, ACTING PURSUANT TO SAID
SECTION 8(a), MAY DETERMINE.
--------------------------------------------------------------------------------
INFORMATION CONTAINED HEREIN IS SUBJECT TO COMPLETION OR AMENDMENT. A
REGISTRATION STATEMENT RELATING TO THESE SECURITIES HAS BEEN FILED WITH THE
SECURITIES AND EXCHANGE COMMISSION. THESE SECURITIES MAY NOT BE SOLD NOR MAY
OFFERS TO BUY BE ACCEPTED PRIOR TO THE TIME THE REGISTRATION STATEMENT
BECOMES EFFECTIVE. THIS PROSPECTUS SHALL NOT CONSTITUTE AN OFFER TO SELL OR
THE SOLICITATION OF AN OFFER TO BUY NOR SHALL THERE BE ANY SALE OF THESE
SECURITIES IN ANY STATE IN WHICH SUCH OFFER, SOLICITATION OR SALE WOULD BE
UNLAWFUL PRIOR TO REGISTRATION OR QUALIFICATION UNDER THE SECURITIES LAWS OF
ANY SUCH STATE.
--------------------------------------------------------------------------------
PROSPECTUS (Subject to Completion)
Issued January 29, 1998
3,000,000 Shares
[LOGO OF VERISIGN]
COMMON STOCK
-----------
ALL OF THE SHARES OF COMMON STOCK OFFERED HEREBY ARE BEING SOLD BY THE
COMPANY. PRIOR TO THIS OFFERING, THERE HAS BEEN NO PUBLIC MARKET FOR THE
COMMON STOCK OF THE COMPANY. IT IS CURRENTLY ESTIMATED THAT THE INITIAL
PUBLIC OFFERING PRICE WILL BE BETWEEN $11 AND $13 PER SHARE. SEE
"UNDERWRITERS" FOR A DISCUSSION OF THE FACTORS TO BE CONSIDERED IN
DETERMINING THE INITIAL PUBLIC OFFERING PRICE. THE SHARES OF COMMON STOCK
OFFERED HEREBY HAVE BEEN APPROVED FOR QUOTATION ON THE NASDAQ NATIONAL
MARKET UNDER THE SYMBOL "VRSN" SUBJECT TO OFFICIAL NOTICE OF ISSUANCE.
-----------
THIS OFFERING INVOLVES A HIGH DEGREE OF RISK. SEE "RISK FACTORS" COMMENCING ON
PAGE 5 HEREOF.
-----------
THESE SECURITIES HAVE NOT BEEN APPROVED OR DISAPPROVED BY THE SECURITIES AND
EXCHANGE COMMISSION OR ANY STATE SECURITIES COMMISSION NOR HAS THE
SECURITIES AND EXCHANGE COMMISSION OR ANY STATE SECURITIES COMMISSION
PASSED UPON THE ACCURACY OR ADEQUACY OF THIS PROSPECTUS. ANY
REPRESENTATION TO THE CONTRARY IS A CRIMINAL OFFENSE.
-----------
PRICE $ A SHARE
-----------
                                             UNDERWRITING
                               PRICE TO      DISCOUNTS AND     PROCEEDS TO
                                PUBLIC       COMMISSIONS(1)    COMPANY(2)
                               --------      --------------    -----------
Per Share....................  $             $                 $
Total(3).....................  $             $                 $
-----
(1) The Company has agreed to indemnify the Underwriters against certain
liabilities, including liabilities under the Securities Act of 1933, as
amended. See "Underwriters."
(2) Before deducting expenses payable by the Company estimated at
$1,000,000.
(3) The Company has granted the Underwriters an option, exercisable within
30 days of the date hereof, to purchase up to an aggregate of 450,000
additional Shares at the price to public less underwriting discounts and
commissions for the purpose of covering over-allotments, if any. If the
Underwriters exercise such option in full, the total price to public,
underwriting discounts and commissions and proceeds to Company will be
$ , $ and $ , respectively. See "Underwriters."
-----------
The Shares are offered, subject to prior sale, when, as and if accepted by
the Underwriters named herein and subject to approval of certain legal matters
by Wilson Sonsini Goodrich & Rosati, Professional Corporation, counsel for the
Underwriters. It is expected that delivery of the Shares will be made on or
about , 1998, at the office of Morgan Stanley & Co. Incorporated, New
York, N.Y., against payment therefor in immediately available funds.
-----------
MORGAN STANLEY DEAN WITTER
HAMBRECHT & QUIST
WESSELS, ARNOLD & HENDERSON
, 1998
NO PERSON IS AUTHORIZED IN CONNECTION WITH ANY OFFERING MADE HEREBY TO GIVE
ANY INFORMATION OR TO MAKE ANY REPRESENTATIONS OTHER THAN AS CONTAINED IN THIS
PROSPECTUS, AND, IF GIVEN OR MADE, SUCH INFORMATION OR REPRESENTATIONS MUST
NOT BE RELIED UPON AS HAVING BEEN AUTHORIZED BY THE COMPANY OR ANY
UNDERWRITER. THIS PROSPECTUS DOES NOT CONSTITUTE AN OFFER TO SELL, OR A
SOLICITATION OF AN OFFER TO BUY, ANY SECURITIES OTHER THAN THE REGISTERED
SECURITIES TO WHICH IT RELATES OR AN OFFER TO, OR A SOLICITATION OF, ANY
PERSON IN ANY JURISDICTION WHERE SUCH AN OFFER OR SOLICITATION WOULD BE
UNLAWFUL. NEITHER THE DELIVERY OF THIS PROSPECTUS NOR ANY SALE MADE HEREUNDER
SHALL, UNDER ANY CIRCUMSTANCES, CREATE ANY IMPLICATION THAT THERE HAS BEEN NO
CHANGE IN THE AFFAIRS OF THE COMPANY SINCE THE DATE HEREOF OR THAT THE
INFORMATION CONTAINED HEREIN IS CORRECT AS OF ANY TIME SUBSEQUENT TO THE DATE
HEREOF.
----------------
UNTIL , 1998 (25 DAYS AFTER THE DATE OF THIS PROSPECTUS), ALL DEALERS
EFFECTING TRANSACTIONS IN THE REGISTERED SECURITIES, WHETHER OR NOT
PARTICIPATING IN THIS DISTRIBUTION, MAY BE REQUIRED TO DELIVER A PROSPECTUS.
THIS DELIVERY REQUIREMENT IS IN ADDITION TO THE OBLIGATIONS OF DEALERS TO
DELIVER A PROSPECTUS WHEN ACTING AS UNDERWRITERS AND WITH RESPECT TO THEIR
UNSOLD ALLOTMENTS OR SUBSCRIPTIONS.
----------------
TABLE OF CONTENTS
Prospectus Summary
The Company
Risk Factors
Use of Proceeds
Dividend Policy
Capitalization
Dilution
Selected Consolidated Financial Data
Management's Discussion and Analysis of Financial Condition and Results of Operations
Business
Management
Certain Transactions
Principal Stockholders
Description of Capital Stock
Shares Eligible for Future Sale
Underwriters
Legal Matters
Experts
Additional Information
Index to Consolidated Financial Statements
----------------
The Company intends to furnish its stockholders with annual reports
containing consolidated financial statements audited by an independent public
accounting firm and quarterly reports containing unaudited consolidated
financial data for the first three quarters of each year.
----------------
VeriSign(TM) is a trademark exclusively licensed to the Company and Channel
Signing Digital ID(SM), Digital ID(SM), Digital ID Center(SM), EDI Server ID(SM),
Financial Server ID(SM), Global Server ID(SM), NetSure(SM), Secure Server ID(SM),
Software Developer Digital ID(SM), Universal Digital ID(SM), VeriSign OnSite(SM),
VeriSign SET(SM), VeriSign V-Commerce(SM) and WorldTrust(SM) are service marks of
the Company. This Prospectus also includes trademarks of companies other than
the Company.
----------------
Unless the context otherwise requires, the terms "VeriSign" and the
"Company" refer to VeriSign, Inc., a Delaware corporation, and its majority-
owned subsidiary, VeriSign Japan K.K. ("VeriSign Japan"). Except as otherwise
noted herein, information in this Prospectus (i) assumes no exercise of the
Underwriters' over-allotment option, (ii) gives effect to the conversion of
all outstanding shares of Preferred Stock of the Company into shares of Common
Stock of the Company, which will occur upon the closing of this offering,
(iii) gives effect to the increase in the authorized shares of Common Stock to
50,000,000 shares to be effected in January 1998 and (iv) gives effect to the
filing, upon the closing of this offering, of a Restated Certificate of
Incorporation, authorizing 5,000,000 shares of undesignated Preferred Stock.
----------------
CERTAIN PERSONS PARTICIPATING IN THIS OFFERING MAY ENGAGE IN TRANSACTIONS
THAT STABILIZE, MAINTAIN OR OTHERWISE AFFECT THE PRICE OF THE COMMON STOCK.
SPECIFICALLY, THE UNDERWRITERS MAY OVERALLOT IN CONNECTION WITH THE OFFERING,
AND MAY BID FOR, AND PURCHASE, SHARES OF COMMON STOCK IN THE OPEN MARKET. FOR
A DESCRIPTION OF THESE ACTIVITIES, SEE "UNDERWRITERS."
[ARTWORK]
DESCRIPTION OF ARTWORK
[VeriSign Logo]
HEADER: The leader in digital certificate solutions and infrastructure for
enabling trusted and secure electronic commerce and communications.
LEFT DIAGRAM: Schematic drawing of the Internet; contains cloud with the word
"Internet" inside, with drawings of various buildings and computer screen
prints. Contains the following text:
--VeriSign issues and manages millions of digital certificates for a wide
variety of market and customer segments through its Digital ID Centers.
--Digital certificates function as electronic credentials in the digital
world--verifying identity, authority, or privileges of the owner during
electronic communications and commerce transactions.
--Employees access corporate information securely.
--Global trading partners will be able to exchange data securely.
--Software developers distribute applications
--Companies exchange secure e-mail
--Individuals shop at virtual store fronts.
--Individuals conduct home banking transactions.
--Web sites provide secure communication channels to customers
--Individuals exchange secure e-mails
--Government agencies communicate securely.
Bottom of left side contains box with the following bullet points:
--Universal Digital IDs for Web site access and secure e-mail
--Server Digital IDs for Web site authentication
--Software Developer Digital IDs for application distribution
--Channel Signal Digital IDs for "push" channel authentication
--VeriSign OnSite for turnkey intranet and extranet solutions
--VeriSign V-Commerce for integrated E-Commerce solutions
--VeriSign SET services for card associations, banks and processors
--Value-added transactional services and consulting
RIGHT DIAGRAM: Cut-away picture of large building representing the VeriSign
Digital ID Center, showing various computer and networking equipment within the
building.
Heading: The VeriSign Digital ID Center.
Contains the following text:
--Distributed WorldTrust software architecture
--Highly reliable and scaleable operations infrastructure
--Comprehensive call center and Web-based support services
--Redundant high-speed servers and high-bandwidth Internet connectivity
--24 hour network monitoring and security
--Stringent hiring and management practices for all "trusted" employees
--Highly specialized construction, power and disaster recovery provisioning
The following text appears beneath the diagram:
--VeriSign's Digital ID Centers are designed to provide the highest levels of
availability, security and scaleability to meet the needs of customers for high
volume digital certificate issuance and management.
PROSPECTUS SUMMARY
The following summary is qualified in its entirety by the more detailed
information and the Consolidated Financial Statements and notes thereto
appearing elsewhere in this Prospectus.
THE COMPANY
VeriSign is the leading provider of digital certificate solutions and
infrastructure needed by companies, government agencies, trading partners and
individuals to conduct trusted and secure communications and commerce over the
Internet and over intranets and extranets using the Internet Protocol
(collectively, "IP networks"). The Company has established strategic
relationships with industry leaders, including AT&T, British Telecommunications
plc, Cisco, Microsoft, Netscape, Network Associates (formerly McAfee
Associates), RSA, Security Dynamics, VeriFone and VISA, to enable widespread
deployment of the Company's digital certificate technology and products and to
assure their interoperability among a wide variety of applications. The
Company's digital certificates, called Digital IDs, are enabled in millions of
copies of Microsoft and Netscape Web browsers, tens of thousands of copies of
popular Web servers and a variety of other software applications. The Company
believes that it has issued more digital certificates than any other company,
having issued over 2.0 million of its Digital IDs for individuals and over
40,000 of its Digital IDs for Web sites. In addition to providing Digital IDs
for individuals and Web sites, the Company provides turn-key and custom
solutions needed by organizations, such as Dow Jones, NationsBank,
NOVUS/Discover and VISA, to conduct trusted and secure communications and
commerce over IP networks. The Company markets its products and services
worldwide through multiple distribution channels, including the Internet,
direct sales, telesales, VARs, systems integrators and OEMs, and intends to
continue to expand these distribution channels.
THE OFFERING
Common Stock offered....................... 3,000,000 shares
Common Stock to be outstanding after the
offering.................................. 20,151,244 shares(1)
Use of proceeds............................ For general corporate purposes,
including capital expenditures
and working capital. See "Use of
Proceeds."
Nasdaq National Market symbol.............. VRSN
SUMMARY CONSOLIDATED FINANCIAL DATA
(IN THOUSANDS, EXCEPT PER SHARE DATA)

                                               PERIOD FROM
                                              APRIL 12, 1995      YEAR ENDED
                                              (INCEPTION) TO     DECEMBER 31,
                                               DECEMBER 31,    -----------------
                                                   1995          1996     1997
                                              --------------   -------- --------
CONSOLIDATED STATEMENT OF OPERATIONS DATA:
 Revenues....................................    $   382       $  1,351 $  9,382
 Total costs and expenses....................      2,524         12,365   31,264
 Operating loss..............................     (2,142)       (11,014) (21,882)
 Net loss....................................     (1,994)       (10,243) (19,195)
 Pro forma basic and diluted net loss per
  share(2)...................................                  $   (.74) $  (1.13)
 Shares used in per share computations(2)....                    13,836   17,018

                                                          DECEMBER 31, 1997
                                                       ----------------------
                                                       ACTUAL  AS ADJUSTED(3)
                                                       ------- --------------
CONSOLIDATED BALANCE SHEET DATA:
 Cash, cash equivalents and short-term investments.... $11,894     $44,374
 Total assets.........................................  24,406      56,886
 Stockholders' equity.................................  12,469      44,949
--------
(1) Based on the number of shares outstanding as of December 31, 1997. Excludes
(i) 2,516,818 shares of Common Stock issuable upon the exercise of options
then outstanding, with a weighted average exercise price of $2.95 per
share, and (ii) a maximum of 3,061,682 shares reserved for issuance under
the Company's stock plans. Also excludes 17,500 shares of Common Stock
subject to a warrant that would be issued in the event that the Company
borrows funds under an equipment loan agreement and 15,000 shares of Common
Stock that would be issued to a service provider if certain milestones are
met. See "Capitalization," "Management--Director Compensation," "--Employee
Benefit Plans" and Note 6 of Notes to Consolidated Financial Statements.
(2) See Note 1 of Notes to Consolidated Financial Statements for an explanation
of the determination of the number of shares used in per share
computations.
(3) As adjusted to reflect the sale of the 3,000,000 shares of Common Stock
offered hereby at an assumed initial public offering price of $12.00 per
share and after deducting estimated underwriting discounts and commissions
and estimated offering expenses payable by the Company. See "Use of
Proceeds" and "Capitalization."
THE COMPANY
VeriSign is the leading provider of digital certificate solutions and
infrastructure needed by companies, government agencies, trading partners and
individuals to conduct trusted and secure communications and commerce over IP
networks. A digital certificate functions as an electronic credential in the
digital world, identifying the certificate owner, authenticating the
certificate owner's membership in a given organization or community or
establishing the certificate owner's authority to engage in a given
transaction, thereby creating a framework for trusted interaction over IP
networks. The Company has established strategic relationships with industry
leaders, including AT&T, British Telecommunications plc ("BT"), Cisco,
Microsoft, Netscape, Network Associates (formerly McAfee Associates, Inc.)
("McAfee Associates"), RSA Data Security Inc. ("RSA"), Security Dynamics
Technologies, Inc. ("Security Dynamics"), VeriFone, Inc. ("VeriFone") and Visa
International Service Association ("VISA"), to enable widespread deployment of
the Company's digital certificate technology and products and to assure their
interoperability among a wide variety of applications. The Company's digital
certificates, called Digital IDs, are enabled in millions of copies of
Microsoft and Netscape Web browsers, tens of thousands of copies of popular
Web servers and a variety of other software applications. The Company believes
that it has issued more digital certificates than any other company, having
issued over 2.0 million of its Digital IDs for individuals and over 40,000 of
its Digital IDs for Web sites. In addition to providing Digital IDs for
individuals and Web sites, the Company also provides turn-key and custom
solutions needed by organizations, such as Dow Jones, NationsBank,
NOVUS/Discover and VISA, to conduct trusted and secure communications and
commerce over IP networks.
IP networks are revolutionizing communications and commerce because of their
global reach, accessibility, use of open standards and ability to enable real-
time interaction. The use of IP networks is beginning to extend beyond
informal messaging, general information browsing and the exchange of non-
sensitive data to a number of more valuable and sensitive activities including
business-to-business transactions and electronic data interchange ("EDI"),
online retail purchases and payments, Web-based access to account and benefits
information and secure messaging for both personal and business use.
International Data Corporation ("IDC") estimates that global Internet commerce
revenues will grow from approximately $10.6 billion in 1997 to approximately
$223.1 billion in 2001. However, despite the convenience and the compelling
economic incentives for the use of IP networks, they cannot reach their full
potential as a platform for global communications and commerce until the
current lack of trust and security associated with the use of these networks
is resolved. Digital certificates are emerging as the leading technology for
establishing a framework for trusted and secure communications and commerce
over IP networks, with many Internet security protocols dictating the use of
digital certificates. Just as an individual may have many forms of credit
cards and IDs, he or she may require multiple digital certificates, each
corresponding to a unique digital relationship between the individual and an
organization. Thus, there is the potential need over time for hundreds of
millions of digital certificates to be issued and managed.
The Company has invested significant resources to develop a highly reliable
and secure operations infrastructure, a modular software architecture and a
comprehensive set of security and trust practices to enable trusted and secure
communications and commerce over IP networks using digital certificates. The
Company's Digital ID Centers in Mountain View, California and Kawasaki, Japan
are designed to provide the high levels of availability, security and
scaleability required to meet the needs of customers for high volume digital
certificate issuance and management. The Company's modular WorldTrust software
architecture, which serves as the foundation for the Company's products and
services, automates many aspects of digital certificate issuance and lifecycle
management and provides the scaleability necessary to deploy millions of
digital certificates for distinct communities ranging from individual
corporations to the entire population of Internet users. The Company also has
been instrumental in defining comprehensive trust practices and procedures,
which the Company believes has been important in establishing its reputation
as the leading provider of digital certificate solutions.
The Company's objective is to enhance its position as the leading provider
of digital certificate solutions and infrastructure needed to conduct trusted
and secure communications and commerce over IP networks. The Company's
strategy to achieve this objective includes leveraging its leadership position
to drive market penetration, leveraging and expanding strategic relationships
with industry leaders, maintaining leadership in technology, infrastructure
and practices and continuing to build the VeriSign brand. The Company markets
its products and services worldwide through multiple distribution channels,
including the Internet, direct sales, telesales, value-added resellers
("VARs"), systems integrators and original equipment manufacturers ("OEMs"),
and intends to continue to expand these distribution channels.
The Company was incorporated in Delaware in April 1995. The Company's
executive offices are located at 1390 Shorebird Way, Mountain View, California
94043, its telephone number at this location is (650) 961-7500 and its Web
site is located at http://www.verisign.com. Information contained in the
Company's Web site is not part of this Prospectus.
RISK FACTORS
In addition to the other information in this Prospectus, the following
factors should be considered carefully in evaluating an investment in the
shares of Common Stock offered hereby. This Prospectus contains forward-
looking statements that involve risks and uncertainties. The Company's actual
results may differ materially from the results discussed in such forward-
looking statements. Factors that may cause such a difference include, but are
not limited to, those discussed below, in the sections entitled "Management's
Discussion and Analysis of Financial Condition and Results of Operations" and
"Business" and elsewhere in this Prospectus.
Limited Operating History; History of Losses and Anticipation of Future
Losses. The Company was incorporated in April 1995 and began introducing its
products and services in June 1995. Accordingly, the Company has only a
limited operating history on which to base an evaluation of its business and
prospects. The Company's prospects must be considered in light of the risks
and uncertainties encountered by companies in the early stages of development,
particularly companies in new and rapidly evolving markets. The Company's
success will depend on many factors, including, but not limited to, the
following: the rate and timing of the growth and use of IP networks for
communications and commerce and the extent to which digital certificates are
used for such communications and commerce; the demand for the Company's
products and services; the levels of competition; the perceived security of
communications and commerce over IP networks, and of the Company's
infrastructure, products and services in particular; and the Company's
continued ability to maintain its current, and enter into additional,
strategic relationships. To address these risks the Company must, among other
things: attract and retain qualified personnel; respond to competitive
developments; successfully introduce new products and services; successfully
introduce enhancements to its existing products and services to address new
technologies and standards; and successfully market its digital certificates
and its enterprise and electronic commerce solutions. There can be no
assurance that the Company will succeed in addressing any or all of these
risks, and the failure to do so would have a material adverse effect on the
Company's business, operating results and financial condition. In addition,
the Company has experienced substantial net losses in each fiscal period since
its inception and, as of December 31, 1997, had an accumulated deficit of
$31.4 million. Such net losses and accumulated deficit resulted from the
Company's lack of substantial revenues and the significant costs incurred in
the development and sale of the Company's products and services and in the
establishment and deployment of the Company's operations infrastructure and
practices. The Company's limited operating history, the emerging nature of its
market and the factors described under "--Adoption of IP Networks" and "--
Potential Fluctuations in Quarterly Operating Results; Unpredictability of
Future Revenues," among other factors, make prediction of the Company's future
operating results difficult. In addition, the Company intends to increase its
expenditures in all areas in order to execute its business plan. As a result,
the Company expects to incur substantial additional losses for the foreseeable
future. Furthermore, to the extent the Company's majority-owned subsidiary,
VeriSign Japan, is unable to continue to fund its operations with investments
from minority shareholders, the Company may be required to fund the operations
of VeriSign Japan, which could have a material adverse effect on the Company's
business, operating results and financial condition. Although the Company has
experienced revenue growth in recent periods, there can be no assurance that
such growth rates are sustainable and, therefore, they should not be
considered indicative of future operating results. There can also be no
assurance that the Company will ever achieve significant revenues or
profitability or, if significant revenues and profitability are achieved, that
they could be sustained. See "Management's Discussion and Analysis of
Financial Condition and Results of Operations" and "Business--Strategy."
Adoption of IP Networks. In order for the Company to be successful, IP
networks must be adopted as a means of trusted and secure communications and
commerce to a sufficient extent and within an adequate time frame. Because
trusted and secure communications and commerce over IP networks is new and
evolving, it is difficult to predict with any assurance the size of this
market and its growth rate, if any. To date, many businesses and consumers
have been deterred from utilizing IP networks for a number of reasons,
including, but not limited to, potentially inadequate development of network
infrastructure, security concerns, inconsistent quality of service, lack of
availability of cost-effective, high-speed service, limited numbers of local
access points for corporate users, inability to integrate business
applications on IP networks, the need to interoperate with multiple
and frequently incompatible products, inadequate protection of the
confidentiality of stored data and information moving across IP networks and a
lack of tools to simplify access to and use of IP networks. The adoption of IP
networks for trusted and secure communications and commerce, particularly by
individuals and entities that historically have relied upon traditional means
of communications and commerce, will require a broad acceptance of new methods
of conducting business and exchanging information. Companies and government
agencies that already have invested substantial resources in other methods of
conducting business may be reluctant to adopt a new strategy that may limit or
compete with their existing efforts. Furthermore, individuals with established
patterns of purchasing goods and services and effecting payments may be
reluctant to alter those patterns.
The use of IP networks for trusted and secure communications and commerce
may not increase or may increase more slowly than expected because the
infrastructure required to support widespread trusted and secure
communications and commerce on such networks may not develop. For example, the
Internet has experienced, and may continue to experience, significant growth
in its number of users and amount of traffic. There can be no assurance that
the Internet infrastructure will continue to support the demands placed on it
by this continued growth or that the performance or reliability of the
Internet will not be adversely affected by this continued growth. In addition,
IP networks could lose their viability due to delays in the development or
adoption of new standards and protocols to handle increased levels of activity
or due to increased governmental regulation. Changes in, or insufficient
availability of, communications services to support IP networks could result
in slower response times and also adversely affect usage of IP networks. If
the market for trusted and secure communications and commerce over IP networks
fails to develop or develops more slowly than expected, or if the Internet
infrastructure does not adequately support any continued growth, the Company's
business, operating results and financial condition would be materially
adversely affected. See "--Industry Regulation" and "Business--Industry
Background" and "--Customers and Markets."
No Assurance of Market Acceptance for Digital Certificates and the Company's
Products and Services. The Company's products and services are targeted at the
market for trusted and secure communications and commerce over IP networks, a
market that is at an early stage of development and is rapidly evolving.
Accordingly, demand for and market acceptance of digital certificate solutions
are subject to a high level of uncertainty. There can be no assurance that
digital certificates will gain market acceptance as a necessary element of
trusted and secure communications and commerce over IP networks. In addition,
there can be no assurance that the market for the Company's products and
services will develop in a timely manner, or at all, or that demand for the
Company's products and services will emerge or be sustainable. The factors
that may affect the level of market acceptance of digital certificates and,
consequently, the Company's products and services, include the following:
market acceptance of products and services based upon authentication
technologies other than those used by the Company; public perception of the
security of digital certificates and of the inherent security levels of IP
networks; the ability of the Internet infrastructure to accommodate increased
levels of usage; and the enactment of government regulations affecting
communications and commerce over IP networks. Even if digital certificates
achieve market acceptance, there can be no assurance that the Company's
products and services will adequately address the market's requirements. If
digital certificates do not achieve market acceptance in a timely manner and
sustain such acceptance, or if the Company's products and services in
particular do not achieve or sustain market acceptance, the Company's
business, operating results and financial condition would be materially
adversely affected. See "Business--Industry Background" and "--Customers and
Markets."
Potential Fluctuations in Quarterly Operating Results; Unpredictability of
Future Revenues. The Company's operating results have varied on a quarterly
basis during its short operating history and may fluctuate significantly in
the future as a result of a variety of factors, many of which are outside the
Company's control. Factors that may affect the Company's quarterly operating
results include the following: market acceptance of digital certificates;
market acceptance of its products and services, particularly VeriSign OnSite,
VeriSign V-Commerce and VeriSign SET; the long sales and implementation cycles
for and potentially large order sizes of certain of the Company's products and
services; the timing and execution of individual contracts; the timing of
releases of new versions of Internet browsers or other third-party software
products in which the Company's public root keys are embedded; customer
renewal rates for the Company's products and services; the Company's
success in marketing other products and services to its existing customer base
and to new customers; development of the Company's direct and indirect
distribution channels; market acceptance of the Company's or competitors' new
products and services; the amount and timing of expenditures relating to
expansion of the Company's operations; price competition or pricing changes;
general economic conditions and economic conditions specific to the Internet,
intranet and extranet industries. Any one of these factors could cause the
Company's revenues and operating results to vary significantly in the future.
In addition, the Company will need to expand its operations and attract,
integrate, retain and motivate a substantial number of sales and marketing and
research and development personnel. The timing of such expansion and the rate
at which new personnel become productive could cause material fluctuations in
the Company's quarterly results of operations. See "Business--Industry
Background" and "--Strategy."
The Company's limited operating history and the emerging nature of its
market make prediction of future revenues difficult. The Company's expense
levels are based, in part, on its expectations regarding future revenues, and
to a large extent such expenses are fixed, particularly in the short term.
There can be no assurance that the Company will be able to predict its future
revenues accurately and the Company may be unable to adjust spending in a
timely manner to compensate for any unexpected revenue shortfall. Accordingly,
any significant shortfall of revenues in relation to the Company's
expectations could cause significant declines in the Company's quarterly
operating results.
Due to all of the foregoing factors, the Company's quarterly revenues and
operating results are difficult to forecast. The Company believes that period-
to-period comparisons of its operating results will not necessarily be
meaningful and should not be relied upon as an indication of future
performance. Also, it is likely that the Company's operating results will fall
below the expectations of the Company, securities analysts or investors in
some future quarter. In such event, the market price of the Company's Common
Stock could be materially and adversely affected. See "Management's Discussion
and Analysis of Financial Condition and Results of Operations."
System Interruption and Security Breaches. The Company's success is largely
dependent on the uninterrupted operation of its Digital ID Centers and its
other computer and communications systems, which is dependent on the Company's
ability to protect such systems from loss, damage or interruption caused by
fire, earthquake, power loss, telecommunications failure or other events
beyond the Company's control. Most of the Company's systems are located at,
and most of its customer information is stored in, its facilities in Mountain
View, California and Kawasaki, Japan, areas susceptible to earthquakes.
Although the Company believes that its existing and planned precautions are
adequate to prevent any significant loss of information or system outage,
there can be no assurance that unanticipated problems will not cause such loss
or failure. Any damage or failure that causes interruptions in the Company's
Digital ID Centers and its other computer and communications systems could
have a material adverse effect on the Company's business, operating results
and financial condition. In addition, the ability of the Company to issue
digital certificates is also dependent on the efficient operation of the
Internet connections from customers to its Digital ID Centers. Such
connections, in turn, are dependent upon efficient operation of Web browsers,
Internet Service Providers ("ISPs") and Internet backbone service providers,
all of which have had periodic operational problems or experienced outages in
the past. Any such problems or outages could adversely affect customer
satisfaction with the Company's products and services, which could have a
material adverse effect on the Company's business, operating results and
financial condition. The Company's success also depends in large part upon the
scalability of its systems, which have not been tested at high volumes. As
such, it is possible that a substantial increase in demand for the Company's
products and services could cause interruptions in the Company's systems that
could adversely affect the Company's ability to deliver its products and
services. Any such interruptions could have a material adverse effect on the
Company's business, operating results and financial condition.
The Company retains confidential customer information in its Digital ID
Centers. It is critical to the Company's business strategy that the Company's
facilities and infrastructure remain secure and that such facilities and
infrastructure are perceived by the marketplace to be secure. Despite the
implementation of security measures, the Company's infrastructure may be
vulnerable to physical break-ins, computer viruses, attacks by
hackers or similar disruptive problems, and it is possible that in the future
the Company may have to expend additional financial and other resources to
further address such problems. Any physical or electronic break-ins or other
security breaches or compromises of the private root keys stored at the
Company's Digital ID Centers may jeopardize the security of information stored
on the Company's premises or stored in and transmitted through the computer
systems and networks of the businesses and individuals utilizing the Company's
products or services, which could result in significant liability to the
Company and could deter existing and potential customers from using the
Company's products and services. Such an occurrence could result in adverse
publicity and therefore adversely affect the market's perception of the
security of communications and commerce over IP networks as well as of the
security or reliability of the Company's products and services, which would
have a material adverse effect on the Company's business, operating results
and financial condition. See "Business--The VeriSign Solution," "--Strategy,"
"--Infrastructure," "--Security and Trust Practices" and "--Facilities."
Competition. The Company's digital certificate solutions are targeted at the
new and rapidly evolving market for trusted and secure communications and
commerce over IP networks. Although the competitive environment in this market
has yet to develop fully, the Company anticipates that it will be intensely
competitive, subject to rapid change and significantly affected by new product
and service introductions and other market activities of industry
participants.
The Company's primary competitors are Entrust Technologies, Inc.
("Entrust"), GTE CyberTrust Solutions Incorporated ("GTE/CyberTrust") and
International Business Machines Corporation ("IBM"). The Company also
experiences competition from a number of smaller companies that provide
digital certificate solutions. The Company expects that competition from
established and emerging companies in the financial and telecommunications
industries will increase in the near term, and that the Company's primary
long-term competitors may not yet have entered the market. Netscape has
introduced software products that enable the issuance and management of
digital certificates, and the Company believes that other companies could
introduce such products. There can be no assurance that additional companies
will not offer digital certificate solutions that are competitive with those
of the Company. Increased competition could result in pricing pressures,
reduced margins or the failure of the Company's products and services to
achieve or maintain market acceptance, any of which could have a material
adverse effect on the Company's business, operating results and financial
condition.
Several of the Company's current and potential competitors have longer
operating histories and significantly greater financial, technical, marketing
and other resources than the Company and therefore may be able to respond more
quickly than the Company to new or changing opportunities, technologies,
standards and customer requirements. Many of these competitors also have
broader and more established distribution channels that may be used to deliver
competing products or services directly to customers through bundling or other
means. If such competitors were to bundle with their products competing
products or services for their customers, the demand for the Company's
products and services might be substantially reduced and the ability of the
Company to distribute its products successfully and the utilization of its
services would be substantially diminished. In addition, browser companies
that embed the Company's root keys or otherwise feature the Company as a
provider of digital certificate solutions in their Web browsers or on their
Web sites could also promote competitors of the Company or charge the Company
substantial fees for such promotions in the future. New technologies and the
expansion of existing technologies may increase the competitive pressures on
the Company. There can be no assurance that competing technologies developed
by others or the emergence of new industry standards will not adversely affect
the Company's competitive position or render its products or technologies
noncompetitive or obsolete. In addition, the market for digital certificates
is nascent and is characterized by announcements of collaborative
relationships involving competitors of the Company. The existence or
announcement of such relationships could adversely affect the Company's
ability to attract and retain customers. As a result of the foregoing and
other factors, there can be no assurance that the Company will compete
effectively with current or future competitors or that competitive pressures
faced by the Company will not have a material adverse effect on the Company's
business, operating results and financial condition.
In connection with the Company's first round of financing, RSA contributed
certain technology to the Company and entered into a noncompetition agreement
with the Company pursuant to which RSA agreed that it
would not compete with the Company's certificate authority business for a
period of five years. This noncompetition agreement will expire in April 2000.
The Company believes that, because RSA (which is now a wholly-owned subsidiary
of Security Dynamics) has already developed expertise in the area of
cryptography, its barriers to entry would be lower than those that would be
encountered by other potential competitors of the Company should it choose to
enter any of the Company's markets. If RSA were to enter into the digital
certificate market, the Company's business, operating results and financial
condition could be materially adversely affected. See "Business--Competition."
Rapid Technological Change; New Product and Services
Introductions. Substantially all of the Company's limited revenues to date
have been derived from the sale of digital certificate products and related
services. These products and services are expected to account for
substantially all of the Company's revenues for the foreseeable future. The
emerging market for digital certificate products and related services is
characterized by rapid technological developments, frequent new product
introductions and evolving industry standards. The emerging nature of this
market and its rapid evolution will require that the Company continually
improve the performance, features and reliability of its products and
services, particularly in response to competitive offerings, and that it
introduce new products and services or enhancements to existing products and
services as quickly as possible and prior to its competitors. The success of
new product introductions is dependent on several factors, including proper
new product definition, timely completion and introduction of new products,
differentiation of new products from those of the Company's competitors and
market acceptance of the Company's new products and services. There can be no
assurance that the Company will be successful in developing and marketing new
products and services that respond to competitive and technological
developments and changing customer needs. The failure of the Company to
develop and introduce new products and services successfully on a timely basis
and to achieve market acceptance for such products and services could have a
material adverse effect on the Company's business, operating results and
financial condition. In addition, the widespread adoption of new Internet,
networking or telecommunication technologies or standards or other
technological changes could require substantial expenditures by the Company to
modify or adapt its products and services. To the extent that a method other
than digital certificates is adopted to enable trusted and secure
communications and commerce over IP networks, sales of the Company's existing
and planned products and services will be adversely affected and the Company's
products and services could be rendered unmarketable or obsolete, which would
have a material adverse effect on the Company's business, operating results
and financial condition. The Company believes there is a time-limited
opportunity to achieve market share, and there can be no assurance that the
Company will be successful in achieving widespread acceptance of its products
and services or in achieving market share before competitors offer products
and services with features similar to the Company's current offerings. Any
such failure by the Company could have a material adverse effect on the
Company's business, operating results and financial condition. See "Business--
Products and Services" and "--Research and Development."
Management of Growth and Expansion. The Company is currently experiencing a
period of significant expansion. The Company's historical growth has placed,
and such growth and any further growth is likely to continue to place, a
significant strain on the Company's managerial, operational, financial and
other resources. The Company has grown from 26 employees at December 31, 1995
to 185 employees at December 31, 1997. In addition, the Company has opened
additional sales offices and has significantly expanded its operations during
this time period. The Company's future success will depend, in part, upon the
ability of its senior management to manage growth effectively, which will
require the Company to implement additional management information systems, to
develop further its operating, administrative, financial and accounting
systems and controls and to maintain close coordination among its engineering,
accounting, finance, marketing, sales and operations organizations. Any
failure to implement or improve systems or controls or to manage any future
growth and expansion effectively could have a material adverse effect on the
Company's business, operating results and financial condition. See
"Management's Discussion and Analysis of Financial Condition and Results of
Operations."
Dependence on Key Personnel. The Company's future success will be highly
dependent on the performance of its senior management team and other key
employees, many of whom have worked together for only a short
period of time. For example, the Company has only recently hired its Vice
President of Worldwide Sales. The Company's success will also depend on its
ability to attract, integrate, motivate and retain additional highly skilled
technical and sales and marketing personnel. There is intense competition for
senior management and technical and sales and marketing personnel in the areas
of the Company's activities. In addition, the Company's stringent hiring
practices for all operations personnel and executive management and for
certain engineering personnel, which consist of background checks into
prospective employees' criminal and financial histories, further limit the
number of qualified persons for such positions. See "Business--Security and
Trust Practices." The Company has no employment agreements with any of its key
executives. In addition, the Company does not maintain key person life
insurance for any of its officers or key employees other than Stratton D.
Sclavos, its President and Chief Executive Officer. The loss of the services
of any of the Company's senior management team or other key employees or the
failure of the Company to attract, integrate, motivate and retain additional
key employees could have a material adverse effect on the Company's business,
operating results and financial condition. See "Business--Employees" and
"Management."
Need to Establish and Maintain Strategic Relationships. A significant
business strategy of the Company is to enter into strategic or other similar
collaborative relationships in order to offer products and services to a
larger customer base than could be reached through direct sales and marketing
efforts. The Company will need to enter into additional strategic
relationships to execute its business plan. There can be no assurance that the
Company will be able to enter into additional, or maintain its existing,
strategic relationships on commercially reasonable terms, if at all. If the
Company were unable to enter into additional strategic relationships or
maintain its existing strategic relationships, it would be required to devote
substantially more resources to the distribution, sale and marketing of its
products and services than it would otherwise plan to do. Furthermore, as a
result of the Company's emphasis on these relationships, the Company's success
will depend both on the ultimate success of the other parties to such
relationships, particularly in the use and promotion of IP networks for
trusted and secure communications and commerce, and on the ability of these
parties to market the Company's products and services successfully. Failure of
one or more of the Company's strategic relationships to result in the
development and maintenance of a market for the Company's products and
services could have a material adverse effect on the Company's business,
operating results and financial condition.
In addition, the Company's existing strategic relationships do not, and any
future strategic relationships may not, afford the Company any exclusive
marketing or distribution rights. There can be no assurance that the other
parties to such relationships view their relationships with the Company as
significant for their own businesses or that they will not reduce their
commitment to the Company at any time in the future. In addition, there can be
no assurance that such parties will not pursue alternative technologies or
develop alternative products and services in addition to or in lieu of the
Company's products and services either on their own or in collaboration with
others, including the Company's competitors. Any future inability of the
Company to maintain its strategic relationships or to enter into additional
strategic relationships could have a material adverse effect on the Company's
business, operating results and financial condition. See "Business--Strategy,"
"--Strategic Relationships" and "--Marketing, Sales and Distribution."
Risk of Defects. Products as complex as those offered or developed by the
Company frequently contain undetected defects or failures that may be detected
at any point in the product's life. There can be no assurance that, despite
testing by the Company and potential customers, defects or errors will not
occur in existing or new products, which could result in loss of or delay in
revenues, loss of market share, failure to achieve market acceptance,
diversion of development resources, injury to the Company's reputation,
increased insurance costs or increased service and warranty costs, any of
which could have a material adverse effect on the Company's business,
operating results and financial condition. Furthermore, the Company often
renders implementation, customization, consulting and other technical services
in connection with the implementation of the Company's enterprise and
electronic commerce solutions and its digital certificate service and product
development agreements. The performance of these services typically involves
working with sophisticated software, computing and networking systems. The
Company's failure or inability to meet customer expectations or project
milestones in a timely manner could also result in loss of or delay in
revenues, loss of market share, failure to achieve market acceptance, injury
to reputation and increased costs. Because customers rely on the Company's
digital certificate solutions for critical security applications, any
significant defects or errors in the Company's
products or services, or in the products of third parties that embed the
Company's products, might discourage such third parties or other customers
from utilizing the Company's products and services or result in tort or
warranty claims, which could have a material adverse effect on the Company's
business, operating results and financial condition. Although the Company
attempts to reduce the risk of losses resulting from such claims through
warranty disclaimers and liability limitation clauses in its sales agreements,
there can be no assurance that such contractual provisions would be
enforceable in every instance or at all. Furthermore, although the Company
maintains errors and omissions insurance, there can be no assurance that such
insurance coverage will adequately cover the Company for such claims or that
such other measures will be effective in limiting the Company's liability. If
a court refused to enforce the liability-limiting provisions of the Company's
contracts for any reason, or if liabilities arose that were not contractually
limited or adequately covered by insurance, the Company's business, operating
results and financial condition could be materially and adversely affected.
See "Business--Products and Services" and "--Research and Development."
Potentially Lengthy Sales and Implementation Cycles for Certain Products and
Services. A key element of the Company's strategy is to market certain of its
products and services directly to large companies and government agencies.
Based on its sales experience to date, the Company expects that the sale and
implementation of its enterprise and electronic commerce solutions to such
entities will typically involve a lengthy education process and a significant
technical evaluation and commitment of capital and other resources. The sale
and implementation of the Company's enterprise and electronic commerce
solutions will be subject to the risk of delays associated with customers'
internal budget and other procedures for approving large capital expenditures,
deploying new technologies within their networks and testing and accepting new
technologies that affect key operations. For these and other reasons, the
sales and implementation cycles associated with certain of the Company's
products and services are expected to be lengthy, potentially lasting from
three to 12 months, and are expected to be subject to a number of significant
risks that are beyond the Company's control. Because of the anticipated
lengthy sales and implementation cycle and the potentially large size of such
orders, if orders forecasted for a specific customer for a particular quarter
are not realized or revenues are not otherwise recognized in that quarter, the
Company's operating results for that quarter could be materially adversely
affected. See "--Potential Fluctuations in Quarterly Operating Results;
Unpredictability of Future Revenues" and "Management's Discussion and Analysis
of Financial Condition and Results of Operations."
Risks Relating to Public Key Cryptography Technology. The Company's digital
certificate products and related services are dependent on the use of public
key cryptography technology. In utilizing public key cryptography technology,
a user is given a public key and a private key, both of which are required to
encrypt and decode messages. The security afforded by this technology is
dependent upon the integrity of a user's private key and that it is not
stolen, misappropriated or otherwise compromised. The integrity of private
keys also depends in part on the application of certain mathematical
principles known as "factoring" which is predicated on the assumption that the
factoring of the composite of large prime numbers is difficult. Should a
substantial number of private keys be misappropriated or an easy factoring
method be developed, then the security afforded by encryption products
utilizing public key cryptography technology would be reduced or eliminated.
Furthermore, any significant advance in techniques for attacking cryptographic
systems could also render some or all of the Company's existing products and
services obsolete or unmarketable. There can be no assurance that such
developments will not occur. Moreover, even if no breakthroughs in factoring
or other methods of attacking cryptographic systems are made, factoring
problems can theoretically be solved by computer systems significantly faster
and more powerful than those presently available. If such improved techniques
for attacking cryptographic systems are ever developed, the Company would
likely have to reissue digital certificates to some or all of its customers,
which could adversely affect market perception of the reliability of the
Company's products and services or otherwise have a material adverse effect on
the Company's business, operating results and financial condition. In the past
there have been public announcements of the successful decoding of certain
cryptographic messages and of the potential misappropriation of private keys.
The publicity around any breaches could adversely affect the public perception
as to the safety of the public key cryptography technology included in the
Company's digital certificates. Such adverse public perception could have a
material adverse effect on the Company's business, operating results and
financial condition. See "Business--Industry Background" and "--Products and
Services."
Risks Associated with International Operations. Revenues of VeriSign Japan
and revenues from other international customers accounted for approximately
13% of the Company's revenues in 1997. A key component of the Company's
strategy is to expand its international operations and its international sales
and marketing activities. Expansion into these markets has required and will
continue to require significant management attention and resources and may
require the Company to localize its products and services for a particular
market and to enter into international distribution and operating
relationships. The Company has limited experience in localizing its products
and in developing international distribution or operating relationships. There
can be no assurance that the Company will be successful in expanding its
product and service offerings into international markets. In addition to the
uncertainty regarding the Company's ability to generate revenues from foreign
operations and expand its international presence, there are certain risks
inherent in doing business on an international basis, including, among others,
regulatory requirements, legal uncertainty regarding liability, export and
import restrictions, tariffs and other trade barriers, difficulties in
staffing and managing foreign operations, longer payment cycles, problems in
collecting accounts receivable, political instability, seasonal reductions in
business activity and potentially adverse tax consequences, any of which could
adversely affect the success of the Company's international operations. All of
the Company's international revenues from sources other than VeriSign Japan
are denominated in U.S. dollars. To the extent the Company expands its
international operations and has additional portions of its international
revenues denominated in foreign currencies, the Company could become subject
to increased risks relating to foreign currency exchange rate fluctuations.
There can be no assurance that one or more of the factors discussed above will
not have a material adverse effect on the Company's future international
operations and, consequently, on the Company's business, operating results and
financial condition. See "--Industry Regulation," "Management's Discussion and
Analysis of Financial Condition and Results of Operations" and "Business--
Strategy" and "--Marketing, Sales and Distribution."
Uncertain Maintenance and Strengthening of the VeriSign Brand. The Company
believes that maintaining and strengthening the VeriSign brand is critical to
achieving widespread acceptance of its digital certificates and related
products and services and that the importance of brand recognition will
increase as competition in the market for digital certificates and related
products and services increases. Promoting and positioning the VeriSign brand
will depend largely on the success of the Company's marketing efforts and the
ability of the Company to provide, on an uninterrupted basis, high quality,
secure, trustworthy and cost effective digital certificate solutions. The
Company will also be dependent on the success of its strategic relationships
in order to promote its brand and increase brand awareness. See "--Need to
Establish and Maintain Strategic Relationships." If current or potential
customers do not perceive the Company's products and services as secure or
trustworthy, the Company will be unsuccessful in maintaining and strengthening
its brand. Furthermore, in order to promote the VeriSign brand in response to
competitive pressures, the Company may find it necessary to increase its
marketing budget or otherwise increase its financial commitment to creating
and maintaining brand loyalty among customers. If the Company fails to promote
and maintain its brand or incurs excessive expenses in an attempt to promote
and maintain its brand, or if the Company's existing or future strategic
relationships fail to promote the Company's brand or increase brand awareness,
the Company's business, operating results and financial condition could be
materially adversely affected. See "Business--Strategy" and "--Marketing,
Sales and Distribution."
Dependence on Authentication Information. The Company relies upon
information provided by third-party sources to authenticate the identity of
customers requesting certain of the Company's digital certificates. This
information is presently only available from a limited number of sources and
the Company currently procures such information from single sources. The
Company's reliance on these single sources involves certain risks and
uncertainties, including the possibility of delayed or discontinued
availability. Any such delay or unavailability, coupled with any inability of
the Company to develop alternative sources quickly and cost-effectively, could
materially impair the Company's ability to deliver certain of its digital
certificates on a timely basis and result in the cancellation of orders,
increased costs and injury to reputation, which could have a material adverse
effect on the Company's business, operating results and financial condition.
The Company's reliance on third-party information sources for authentication
has also limited the distribution of certain of its digital certificates
outside of the United States, where access to such sources has been
unavailable or limited. Additionally, accurate authentication of the identity
of the individuals and entities to which the Company issues its digital
certificates is necessary for such digital certificates to provide security.
Therefore, the inaccuracy of authentication information
on which the Company relies, including information the Company receives from
third parties, could result in material injury to the Company's reputation and
tort or warranty claims from customers relying upon the Company's digital
certificates, which could have a material adverse effect on the Company's
business, operating results and financial condition. See "--Risk of Defects"
and "Business--Products and Services."
Industry Regulation. Exports of software products utilizing encryption
technology are generally restricted by the U.S. and various foreign
governments. All cryptographic products require export licenses from certain
U.S. government agencies. Although the Company has obtained approval to export
its Global Server ID product and none of the Company's other products and
services is currently subject to export controls under U.S. law, there can be
no assurance that the list of products and countries for which export approval
is required, and the regulatory policies with respect thereto, will not be
revised from time to time to include digital certificate products and related
services, or that the Company will be able to obtain necessary regulatory
approvals for the export of future products. The inability of the Company to
obtain required approvals under these regulations could adversely affect the
ability of the Company to make international sales. Furthermore, competitors
of the Company may also seek to obtain approvals to export products that could
increase the amount of competition faced by the Company. There are currently
no federal laws or regulations that specifically control certification
authorities, but a limited number of states have enacted legislation or
regulations with respect to certification authorities. If the market for
digital certificates grows, the United States, state or foreign governments
may choose to enact further regulations governing digital certificate
authorities or other providers of digital certificate products and related
services. Such regulations or the costs of complying with such regulations
could have a material adverse effect on the Company's business, operating
results and financial condition.
Many companies conducting commercial transactions over IP networks do not
collect sales or other similar taxes with respect to shipments of goods into
other states or foreign countries or with respect to other transactions
conducted between parties in different states or countries. It is possible
that states or foreign countries may seek to impose sales taxes on out of
state companies that engage in commerce over IP networks. In the event that
states or foreign countries succeed in imposing sales or other taxes on
Internet commerce, the growth of the use of IP networks for commerce could
slow substantially, which could have a material adverse effect on the
Company's business, operating results and financial condition.
Due to the increasing popularity of the Internet and other IP networks, it
is possible that laws and regulations may be enacted covering issues such as
user privacy, pricing, content and quality of products and services. For
example, the Telecommunications Act of 1996 prohibits the transmission over
the Internet of certain types of information and content. The increased
attention focused upon these issues as a result of the adoption of other laws
or regulations may reduce the rate of growth of the Internet or the use of
other IP networks, which in turn could result in decreased demand for the
Company's products and services or could otherwise have a material adverse
effect on the Company's business, operating results and financial condition.
See "Business--Industry Background."
Intellectual Property; Potential Litigation. The Company relies primarily on
a combination of copyrights, trademarks, trade secret laws, restrictions on
disclosure and other methods to protect its intellectual property and trade
secrets. The Company also enters into confidentiality agreements with its
employees and consultants, and generally controls access to and distribution
of its documentation and other proprietary information. Despite these
precautions, it may be possible for a third party to copy or otherwise obtain
and use the Company's intellectual property or trade secrets without
authorization. In addition, there can be no assurance that others will not
independently develop substantially equivalent intellectual property. There
can be no assurance that the precautions taken by the Company will prevent
misappropriation or infringement of its technology. A failure by the Company
to protect its intellectual property in a meaningful manner could have a
material adverse effect on the Company's business, operating results and
financial condition. In addition, litigation may be necessary in the future to
enforce the Company's intellectual property rights, to protect the Company's
trade secrets or to determine the validity and scope of the proprietary rights
of others. Such litigation could result in substantial costs and diversion of
management and technical resources, either of which could have a material
adverse effect on the Company's business, operating results and financial
condition.
The Company also relies on certain licensed third-party technology, such as
public key cryptography technology licensed from RSA and other technology that
is used in the Company's products to perform key functions. There can be no
assurance that these third-party technology licenses will continue to be
available to the Company on commercially reasonable terms or at all, and the
loss of any of these technologies could have a material adverse effect on the
Company's business, operating results and financial condition. Moreover, in
the Company's current license agreements, the licensor has agreed to defend,
indemnify and hold the Company harmless with respect to any claim by a third
party that the licensed software infringes any patent or other proprietary
right. Although these licenses are fully paid, there can be no assurance that
the outcome of any litigation between the licensor and a third party or
between the Company and a third party will not lead to royalty obligations of
the Company for which the Company is not indemnified or for which such
indemnification is insufficient, or that the Company will be able to obtain
any additional license on commercially reasonable terms or at all. In the
future, the Company may seek to license additional technology to incorporate
in its products and services. There can be no assurance that any third-party
technology licenses that the Company may be required to obtain in the future
will be available to the Company on commercially reasonable terms or at all.
The loss of or inability to obtain or maintain any of these technology
licenses could result in delays in introduction of the Company's products or
services until equivalent technology, if available, is identified, licensed
and integrated, which could have a material adverse effect on the Company's
business, operating results and financial condition.
From time to time, the Company has received, and may receive in the future,
notice of claims of infringement of other parties' proprietary rights. In
September 1995, the Company applied to the United States Patent and Trademark
Office to register the VeriSign name as a trademark. VeriFone, Inc.
("VeriFone") challenged the validity of the Company's application in August
1996 and, in September 1996, commenced a civil action in federal district
court alleging trademark infringement and unfair competition. The parties
settled this litigation on November 21, 1997, entered into a licensing
arrangement and are currently negotiating an OEM agreement. The Company also
issued an aggregate of 250,000 shares of Common Stock to VeriFone in
connection with the foregoing transactions. There can be no assurance that
infringement or other claims will not be asserted or prosecuted against the
Company in the future or that any past or future assertions or prosecutions
will not materially adversely affect the Company's business, operating results
and financial condition. Any such claims, with or without merit, could be
time-consuming, result in costly litigation and diversion of technical and
management personnel, cause product shipment delays or require the Company to
develop non-infringing technology or enter into royalty or licensing
agreements. Such royalty or licensing agreements, if required, may not be
available on terms acceptable to the Company, or at all. In the event of a
successful claim of product infringement against the Company and the failure
or inability of the Company to develop non-infringing technology or license
the infringed or similar technology on a timely basis, the Company's business,
operating results and financial condition could be materially adversely
affected. See "Business--Intellectual Property."
Year 2000 Compliance. Many currently installed computer systems and software
products are coded to accept only two digit entries in the date code field.
These date code fields will need to accept four digit entries to distinguish
21st century dates from 20th century dates. As a result, many companies'
software and computer systems may need to be upgraded or replaced in order to
comply with such "Year 2000" requirements. Although the Company believes that
its products and systems are Year 2000 compliant, the Company utilizes third-
party equipment and software that may not be Year 2000 compliant. Failure of
such third-party equipment or software to operate properly with regard to the
year 2000 and thereafter could require the Company to incur unanticipated
expenses to remedy any problems, which could have a material adverse effect on
the Company's business, operating results and financial condition.
Furthermore, the purchasing patterns of customers or potential customers may
be affected by Year 2000 issues as companies expend significant resources to
correct their current systems for Year 2000 compliance. These expenditures may
result in reduced funds available to implement the infrastructure needed to
conduct trusted and secure communications and commerce over IP networks or to
purchase products and services such as those offered by the Company, which
could have a material adverse effect on the Company's business, operating
results and financial condition. See "Business--Industry Background."
Future Capital Needs; Uncertainty of Additional Funding. The Company may
require additional capital to finance its growth and marketing and research
and development projects beyond the next 12 months. The Company's capital
requirements will depend on many factors including, but not limited to, demand
for the Company's products and services and the extent to which such products
achieve market acceptance and the timing of such market acceptance, the timing
of and extent to which the Company invests in new technology, the expenses of
sales and marketing and new product development, the extent to which
competitors are successful in developing their own products and services and
increasing their own market share and brand awareness, the success of the
Company's strategic relationships, the costs involved in maintaining and
enforcing intellectual property rights, the level and timing of revenues,
available borrowings under line of credit arrangements, the degree and timing
of growth of IP networks for trusted and secure communications and commerce,
and other factors. To the extent that resources are insufficient to fund the
Company's activities, the Company may need to raise additional funds through
public or private financing, strategic relationships or other arrangements.
There can be no assurance that such additional funding, if needed, will be
available on terms attractive to the Company, or at all. Strategic
relationships, if necessary to raise additional funds, may require the Company
to relinquish rights to certain of its technologies or products. The failure
of the Company to raise capital when needed could have a material adverse
effect on the Company's business, operating results and financial condition.
If additional funds are raised through the issuance of equity securities, the
percentage ownership of the Company by its then-current stockholders would be
reduced. Furthermore, such equity securities might have rights, preferences or
privileges senior to those of the Company's Common Stock. See "Management's
Discussion and Analysis of Financial Condition and Results of Operations--
Liquidity and Capital Resources."
Certain Anti-Takeover Provisions. Upon completion of this offering, the
Company's Board of Directors will have the authority to issue up to 5,000,000
shares of Preferred Stock and to determine the price, rights, preferences,
privileges and restrictions, including voting rights, of those shares without
any further vote or action by the stockholders. The rights of the holders of
Common Stock will be subject to, and may be adversely affected by, the rights
of the holders of any Preferred Stock that may be issued in the future. The
issuance of Preferred Stock, while providing flexibility in connection with
possible financings, acquisitions or other corporate purposes, may have the
effect of delaying, deferring or preventing a change in control of the
Company, may discourage bids for the Company's Common Stock at a premium over
the market price of the Common Stock and may adversely affect the market price
of, and the voting and other rights of the holders of, the Common Stock. The
Company has no current plans to issue shares of Preferred Stock. In addition,
certain provisions of the Company's Amended and Restated Bylaws will have the
effect of delaying, deferring or preventing a change of control of the
Company. These provisions will provide, among other things, that the Board of
Directors is divided into three classes to serve staggered three-year terms,
that stockholders may not take actions by written consent and that the ability
of stockholders to call special meetings will be restricted. In addition, the
Company is subject to the anti-takeover provisions of Section 203 of the
Delaware General Corporation Law, which will prohibit the Company from
engaging in a "business combination" with an "interested stockholder" for a
period of three years after the date of the transaction in which the person
became an interested stockholder, unless the business combination is approved
in a prescribed manner. The Company's indemnity agreements provide and the
Company's Amended and Restated Certificate of Incorporation and Amended and
Restated Bylaws will provide that the Company will indemnify officers and
directors against losses that they may incur in investigations and legal
proceedings resulting from their services to the Company, which may be broad
enough to include services in connection with takeover defense measures. Such
provisions may have the effect of preventing changes in the management of the
Company. See "Description of Capital Stock."
Shares Eligible for Future Sale. Sales of a substantial number of shares of
Common Stock in the public market following this offering could adversely
affect the market price of the Company's Common Stock. The number of shares of
Common Stock available for sale in the public market is limited by
restrictions under the Securities Act of 1933, as amended (the "Securities
Act"), and lock-up agreements executed by each of the security holders of the
Company under which such security holders have agreed not to sell or otherwise
dispose of any of their shares for a period of 180 days after the date of this
Prospectus without the prior written consent
of Morgan Stanley & Co. Incorporated. Morgan Stanley & Co. Incorporated may,
however, in its sole discretion and at any time without notice, release all or
any portion of the shares subject to lock-up agreements. In addition to the
3,000,000 shares of Common Stock offered hereby (assuming no exercise of the
Underwriters' over-allotment option), there will be 17,151,244 shares of
Common Stock outstanding as of the date of this Prospectus, all of which are
"restricted" shares under the Securities Act. On the date of this Prospectus,
no shares other than the 3,000,000 shares offered hereby will be eligible for
sale. Upon the expiration of lock-up agreements 180 days after the date of
this Prospectus, an additional 16,801,244 shares will become eligible for sale
in the public market, subject in the case of all but 2,661,052 shares to the
volume limitations and other conditions of Rule 144 adopted under the
Securities Act ("Rule 144"). The remaining 350,000 shares will become eligible
for sale in November 1998, subject to the volume limitations and other
conditions of Rule 144. In addition, the Company intends to file a
registration statement on Form S-8 with the Securities and Exchange Commission
shortly after this offering covering (i) the 2,625,000 shares of Common Stock
reserved for issuance under the Company's Equity Incentive Plan, Purchase Plan
and Directors Plan, (ii) an additional number of shares of Common Stock to be
reserved for issuance under the Equity Incentive Plan equal to the number of
shares reserved for future issuance under the 1995 Stock Option Plan and 1997
Stock Option Plan as of the date of this Prospectus (436,682 as of December
31, 1997), and (iii) the shares subject to outstanding options granted under
the Company's 1995 Stock Option Plan and 1997 Stock Option Plan as of the date
of this Prospectus (2,516,818 as of December 31, 1997). The holders of
approximately 15,069,339 shares of Common Stock are also entitled to certain
rights with respect to registration of such shares of Common Stock for offer
or sale to the public. If such holders, by exercising their registration
rights, cause a large number of shares to be registered and sold in the public
market, such sales could have a material adverse effect on the market price
for the Company's Common Stock. See "Management--Director Compensation," "--
Employee Benefit Plans," "Description of Capital Stock--Registration Rights"
and "Shares Eligible for Future Sale."
Acquisitions. The Company from time to time may acquire or invest in
businesses, technologies and product lines that are complementary to the
Company's business. Although the Company currently has no understandings,
commitments or agreements with respect to any acquisitions, any such
acquisitions would be accompanied by the risks commonly encountered in such
transactions, including, among others, the difficulty of assimilating the
operations and personnel of the acquired businesses, the potential disruption
of the Company's ongoing business, the diversion of the Company's management
from the day-to-day operations of the Company, the inability of the Company to
incorporate acquired technologies successfully into the Company's products and
services, the additional expense associated with amortization of acquired
intangible assets, the potential impairment of the Company's relationships
with its employees, customers and strategic partners, the inability of the
Company to retain key technical and managerial personnel of the acquired
business and the inability of the Company to maintain uniform standards,
controls, procedures and policies. Because of these and other factors, any
such acquisitions, if consummated, could have a material adverse effect on the
Company's business, operating results and financial condition. See "Use of
Proceeds."
No Prior Trading Market; Possible Volatility of Stock Price. Prior to this
offering, there has been no public market for the Common Stock of the Company
and there can be no assurance that an active trading market will develop or be
sustained upon completion of this offering. The initial public offering price,
which will be established by negotiations between the Company and the
representatives of the Underwriters based upon a number of factors, may not be
indicative of prices that will prevail in the trading market. See
"Underwriters" for a discussion of the factors to be considered in determining
the initial public offering price. The stock market from time to time has
experienced significant price and volume fluctuations. In addition, the market
prices of securities of other technology companies, particularly Internet-
related companies, have been highly volatile. Factors such as fluctuations in
the Company's operating results, announcements of technological innovations or
new products or services by the Company or its competitors, analysts' reports
and projections, regulatory actions and general market conditions may have a
significant effect on the market price of the Company's Common Stock. See
"Underwriters."
Control by Existing Stockholders. Upon completion of this offering, the
present executive officers, directors and 5% stockholders of the Company and
their affiliates will beneficially own approximately 49.2% of the Company's
outstanding Common Stock (48.1% if the Underwriters' over-allotment option is
exercised in full). As a result, these stockholders would be able to
significantly influence the management and affairs of the Company and all
matters requiring stockholder approval, including the election of directors
and approval of significant corporate transactions such as a merger,
consolidation or sale of substantially all of the Company's assets. Such
concentration of ownership might have the effect of delaying or preventing a
change in control of the Company and might affect the market price of the
Company's Common Stock and the voting and other rights of the Company's other
stockholders. See "Principal Stockholders."
Immediate and Substantial Dilution. Investors participating in this offering
will incur immediate, substantial dilution in the amount of $9.77 per share
(based on an assumed initial public offering price of $12.00 per share). To
the extent that outstanding options to purchase the Company's Common Stock are
exercised, there will be further dilution. See "Dilution."
Unspecified Use of Proceeds. The Company plans to use substantially all of
the net proceeds from this offering for general corporate purposes, including
working capital and capital expenditures. The Company may also use a portion
of the net proceeds from this offering to acquire or invest in businesses,
technologies and product lines that are complementary to the Company's
business. The Company has no present plans or commitments and is not currently
engaged in any negotiations with respect to such transactions. As a result,
the Company will have significant discretion as to the use of the net proceeds
from this offering. Pending such uses, the Company intends to invest the net
proceeds from this offering in short-term, interest-bearing, investment-grade
securities. See "Use of Proceeds."
USE OF PROCEEDS
The net proceeds to the Company from the sale of the 3,000,000 shares of
Common Stock offered by the Company hereby are estimated to be approximately
$32.5 million (approximately $37.5 million if the Underwriters' over-allotment
option is exercised in full), at an assumed initial public offering price of
$12.00 per share and after deducting estimated underwriting discounts and
commissions and estimated offering expenses payable by the Company. The
primary purposes of this offering are to obtain additional equity capital,
create a public market for the Company's Common Stock and facilitate future
access by the Company to the public equity markets.
The Company intends to use approximately $5.0 million of the net proceeds of
this offering to fund its capital expenditures for 1998 and to utilize the
remainder of the net proceeds of this offering primarily for general corporate
purposes, including working capital. The Company may also use a portion of the
net proceeds from this offering to acquire or invest in businesses,
technologies and product lines that are complementary to the Company's
business. The Company has no present plans or commitments and is not currently
engaged in any negotiations with respect to such transactions. As a result,
the Company will have significant discretion as to the use of the net proceeds
from this offering. Pending such uses, the Company intends to invest the net
proceeds from this offering in short-term, interest-bearing, investment-grade
securities. See "Risk Factors--Acquisitions" and "--Unspecified Use of
Proceeds."
DIVIDEND POLICY
The Company has never declared or paid any cash dividends on its Common
Stock or other securities and does not anticipate paying any cash dividends in
the foreseeable future. In addition, the terms of the Company's equipment line
of credit agreement prohibit the payment of dividends on its capital stock.
CAPITALIZATION
The following table sets forth the capitalization of the Company (i) as of
December 31, 1997, (ii) on a pro forma basis giving effect to the conversion
of all outstanding shares of Preferred Stock into shares of Common Stock upon
the closing of this offering and (iii) on a pro forma as adjusted basis to
reflect the receipt by the Company of the estimated net proceeds from the sale
of the 3,000,000 shares of Common Stock offered by the Company hereby at an
assumed initial public offering price of $12.00 per share and after deducting
estimated underwriting discounts and commissions and estimated offering
expenses payable by the Company.
                                                          DECEMBER 31, 1997
                                                 -------------------------------------
                                                                            PRO FORMA
                                                      ACTUAL    PRO FORMA  AS ADJUSTED
                                                    --------    ---------  -----------
                                                           (IN THOUSANDS)
Stockholders' equity:
  Convertible Preferred Stock, $.001 par value;
    actual--10,282,883 shares authorized,
    10,031,006 shares issued and outstanding; pro
    forma and pro forma as adjusted--5,000,000
    shares authorized, no shares issued and
    outstanding................................     $     10     $     --     $     --
  Common Stock, $.001 par value; actual--
    21,592,117 shares authorized, 7,120,238
    shares issued and outstanding; pro forma--
    50,000,000 shares authorized, 17,151,244
    shares issued and outstanding; pro forma as
    adjusted--20,151,244 shares issued and
    outstanding(1).............................            7           17           20
  Additional paid-in capital...................       44,908       44,908       77,385
  Notes receivable from stockholders...........        (644)        (644)        (644)
  Deferred compensation........................        (380)        (380)        (380)
  Accumulated deficit..........................     (31,432)     (31,432)     (31,432)
                                                    --------     --------     --------
    Total stockholders' equity.................       12,469       12,469       44,949
                                                    --------     --------     --------
      Total capitalization.....................     $ 12,469     $ 12,469     $ 44,949
                                                    ========     ========     ========
--------
(1) Excludes (i) 2,102,518 shares of Common Stock issuable upon the exercise
of options outstanding as of December 31, 1997 under the Company's 1995
Stock Option Plan (the "1995 Stock Option Plan"), with a weighted average
exercise price of $2.17 per share, and 50,982 shares of Common Stock
reserved for issuance thereunder, (ii) 414,300 shares of Common Stock
issuable upon the exercise of options outstanding as of December 31, 1997
under the Company's 1997 Stock Option Plan (the "1997 Stock Option Plan"),
with a weighted average exercise price of $6.91, and 385,700 shares of
Common Stock reserved for issuance thereunder, (iii) 2,000,000 additional
shares of Common Stock reserved for issuance under the Company's 1998
Equity Incentive Plan (the "Equity Incentive Plan"), (iv) 500,000 shares
of Common Stock reserved for issuance under the Company's 1998 Employee
Stock Purchase Plan (the "Purchase Plan"), (v) 125,000 shares of Common
Stock reserved for issuance under the Company's 1998 Directors Stock
Option Plan (the "Directors Plan"), (vi) 15,000 shares of Common Stock
that would be issued to a service provider if certain milestones are met
and (vii) 17,500 shares of Common Stock subject to a warrant that would be
issued in the event that the Company borrows funds under an equipment loan
agreement. See "Management--Director Compensation," "--Employee Benefit
Plans," "Description of Capital Stock" and Note 6 of Notes to Consolidated
Financial Statements.
DILUTION
The pro forma net tangible book value of the Company's Common Stock as of
December 31, 1997 was $12.4 million, or $0.72 per share. Pro forma net
tangible book value per share is equal to the Company's total tangible assets
less its total liabilities, divided by the pro forma shares of Common Stock
outstanding as of December 31, 1997. After giving effect to the issuance and
sale of the 3,000,000 shares of Common Stock offered by the Company hereby (at
an assumed initial public offering price of $12.00 per share and after
deducting estimated underwriting discounts and commissions and estimated
offering expenses payable by the Company), the Company's as adjusted net
tangible book value as of December 31, 1997 would have been $44.9 million, or
$2.23 per share. This represents an immediate increase in pro forma net
tangible book value of $1.51 per share to existing stockholders and an
immediate dilution of $9.77 per share to new public investors. The following
table illustrates the per share dilution:
Assumed initial public offering price per share...............          $12.00
  Pro forma net tangible book value per share at December 31,
    1997.......................................................  $0.72
  Increase in pro forma net tangible book value per share
    attributable to new public investors.......................   1.51
                                                                 -----
As adjusted net tangible book value per share after offering..            2.23
                                                                        ------
Dilution per share to new public investors....................          $ 9.77
                                                                        ======
The following table summarizes on a pro forma basis, as of December 31,
1997, the difference between the existing stockholders and the purchasers of
shares of Common Stock in this offering (at an assumed initial public offering
price of $12.00 per share and before deducting estimated underwriting
discounts and commissions and estimated offering expenses payable by the
Company) with respect to the number of shares of Common Stock purchased from
the Company, the total cash consideration paid and the average price paid per
share.
                                 SHARES PURCHASED    TOTAL CONSIDERATION    AVERAGE
                                ------------------   -------------------     PRICE
                                  NUMBER   PERCENT     AMOUNT    PERCENT   PER SHARE
                                ---------- -------   ----------- -------   ---------
Existing stockholders(1)......  17,151,244   85.1%   $38,885,000   51.9%    $ 2.27
New public investors..........   3,000,000   14.9     36,000,000   48.1      12.00
                                ----------  -----    -----------  -----
  Total.......................  20,151,244  100.0%   $74,885,000  100.0%
                                ==========  =====    ===========  =====
--------
(1) Reflects the conversion of the Preferred Stock upon the closing of this
offering.
The foregoing discussion and tables assume no exercise of any stock options
outstanding as of December 31, 1997, no exercise of a warrant to purchase
17,500 shares of Common Stock that would be issued in the event that the
Company borrows funds under an equipment loan agreement, and no issuance of
15,000 shares of Common Stock that would be issued to a service provider if
certain milestones are met. As of December 31, 1997, there were options
outstanding to purchase a total of 2,516,818 shares of Common Stock with a
weighted average exercise price of $2.95 per share. To the extent that any of
these options or the warrant are exercised, there will be further dilution to
new public investors. See "Capitalization," "Management--Director
Compensation," "--Employee Benefit Plans" and Note 6 of Notes to Consolidated
Financial Statements.
SELECTED CONSOLIDATED FINANCIAL DATA
The following selected consolidated financial data should be read in
conjunction with the Company's Consolidated Financial Statements and the notes
thereto and "Management's Discussion and Analysis of Financial Condition and
Results of Operations" appearing elsewhere in this Prospectus. The selected
consolidated statement of operations data presented below for the period from
April 12, 1995 (inception) to December 31, 1995 and for each of the years in
the two-year period ended December 31, 1997, and the selected consolidated
balance sheet data as of December 31, 1996 and 1997, are derived from
consolidated financial statements of the Company that have been audited by
KPMG Peat Marwick LLP, independent auditors, and are included elsewhere in
this Prospectus. The selected consolidated balance sheet data as of December
31, 1995 are derived from consolidated financial statements of the Company
that have been audited by KPMG Peat Marwick LLP, independent auditors, but
that are not included elsewhere in this Prospectus.
                                              PERIOD FROM
                                             APRIL 12, 1995      YEAR ENDED
                                             (INCEPTION) TO     DECEMBER 31,
                                              DECEMBER 31,   ------------------
                                                  1995         1996      1997
                                             --------------  --------  --------
                                             (IN THOUSANDS, EXCEPT PER SHARE DATA)
CONSOLIDATED STATEMENT OF OPERATIONS DATA:
Revenues...................................     $   382      $  1,351  $  9,382
Costs and expenses:
  Cost of revenues.........................         412         2,791     7,833
  Sales and marketing......................         790         4,876    10,839
  Research and development.................         642         2,058     5,188
  General and administrative...............         680         2,640     4,604
  Nonrecurring charges.....................          --            --     2,800
                                                -------      --------  --------
    Total costs and expenses...............       2,524        12,365    31,264
                                                -------      --------  --------
    Operating loss.........................      (2,142)      (11,014)  (21,882)
Other income (expense).....................         148           (67)    1,149
                                                -------      --------  --------
    Loss before minority interest..........      (1,994)      (11,081)  (20,733)
Minority interest in net loss of
  subsidiary...............................          --          (838)   (1,538)
                                                -------      --------  --------
    Net loss...............................     $(1,994)     $(10,243) $(19,195)
                                                =======      ========  ========
Pro forma basic and diluted net loss per
  share(1).................................                  $   (.74) $  (1.13)
                                                             ========  ========
Shares used in per share computations(1)...                    13,836    17,018
                                                              DECEMBER 31,
                                                        -----------------------
                                                         1995    1996    1997
                                                        ------- ------- -------
                                                            (IN THOUSANDS)
CONSOLIDATED BALANCE SHEET DATA:
Cash, cash equivalents and short-term investments...... $ 2,687 $29,983 $11,894
Working capital........................................   2,284  24,823   5,227
Total assets...........................................   4,052  36,503  24,406
Long-term obligations..................................      --      --      --
Stockholders' equity...................................   3,376  28,555  12,469
--------
(1) See Note 1 of Notes to Consolidated Financial Statements for an
explanation of the determination of the number of shares used in per share
computations.
MANAGEMENT'S DISCUSSION AND ANALYSIS
OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS
The following discussion should be read in conjunction with the Consolidated
Financial Statements and notes thereto appearing elsewhere in this Prospectus.
The following discussion contains forward-looking statements. The Company's
actual results may differ significantly from those projected in the
forward-looking statements. Factors that might cause future results to differ
materially from those projected in the forward-looking statements include, but
are not limited to, those discussed in "Risk Factors" and elsewhere in this
Prospectus.
OVERVIEW
VeriSign is the leading provider of digital certificate solutions and
infrastructure needed by companies, government agencies, trading partners and
individuals to conduct trusted and secure communications and commerce over IP
networks. The Company's Digital IDs are enabled in millions of copies of
Microsoft and Netscape Web browsers, tens of thousands of copies of popular
Web servers and a variety of other software applications. The Company believes
that it has issued more digital certificates than any other company, having
issued over 2.0 million of its Digital IDs for individuals and over 40,000 of
its Digital IDs to organizations, primarily businesses, for their Web sites.
Because the Company has issued most of its Digital IDs for individuals on a
trial or promotional basis, a significant majority of the Company's revenues
to date have been derived from businesses.
The Company was incorporated in April 1995 and introduced its first product,
the Secure Server ID for Netscape Commerce Servers, in June 1995. In October
1995, the Company introduced additional Server Digital IDs for the Web server
products of Microsoft, IBM, Open Market and other vendors. In May 1996, the
Company began providing online enrollment and issuance of client Digital IDs
for Netscape Navigator through its Digital ID Center and began shipping
another form of Digital ID known as a Software Developer Digital ID for
Microsoft's Authenticode program. The Company began issuing Digital IDs for
Microsoft's Internet Explorer through the Company's Digital ID Center in
August 1996. During 1997, the Company introduced its Universal Digital IDs and
three new types of server digital certificate products--its Global Server ID,
Financial Server ID and EDI Server ID.
In April 1996, the Company entered the enterprise and electronic commerce
markets by introducing custom SET digital certificate solutions targeted at
certified banks, payment processors and major card brands. During 1997, the
Company introduced VeriSign OnSite and VeriSign V-Commerce, which are
enterprise and electronic commerce digital certificate solutions that are
targeted at mid-sized to large companies, managed intranets and extranets,
payment card industry service providers and Web sites with large customer or
user bases. During 1997, the Company began providing technology and products
for digital certificate management to OEMs.
Historically, the Company has derived substantially all of its revenues from
the sale of Digital IDs and from fees for services rendered in connection with
the Company's digital certificate solutions and digital certificate service
and product development agreements. Sales of Digital IDs and fees for services
each resulted in approximately one-half of the Company's revenues in 1997. The
purchase of a Digital ID allows the customer to use the Digital ID for a
limited period of time, generally 12 months. After this period, the Digital ID
must be renewed for continued usage by the customer. Renewal fees are
typically lower than the fees charged for the initial Digital ID. Revenues
from the sale or renewal of Digital IDs are deferred and recognized ratably
over the life of the digital certificate. Revenues from the Company's
enterprise and electronic commerce solutions consist of fees for the issuance
of digital certificates, which are recognized ratably over the term of the
particular license agreement relating to the enterprise or electronic commerce
solution, and fees for set-up services, which are recognized upon completion
of the service. Revenues from other services are recognized using the
percentage-of-completion method for fixed-fee development arrangements, on a
time-and-materials basis for consulting and training services or ratably over
the term of the agreement for support and maintenance services. Deferred
revenues increased from $46,000 at December 31, 1995 to $1.9 million at
December 31, 1996 and to $4.8 million at December 31, 1997. In the future, the
Company anticipates that it may receive additional revenues from sales
of software products and value-added services, licensing and royalty fees from
licenses of digital certificates and related technology and maintenance, and
fees for customer support services.
The Company markets its products and services worldwide through multiple
distribution channels, including the Internet, direct sales, telesales, VARs,
systems integrators and OEMs. Although a significant portion of its revenues
to date has been generated through sales from the Company's Web site, the
Company intends to increase its direct sales force, both domestically and
internationally, and intends to continue to expand its other distribution
channels.
In February 1996, the Company formed VeriSign Japan to provide digital
certificate solutions to the Japanese market. In connection with the formation
of this subsidiary, the Company licensed certain technology and contributed
other assets to VeriSign Japan. Subsequent to its formation, additional
investors purchased minority interests in VeriSign Japan, and, as of December
31, 1997, the Company owned 50.5% of the outstanding capital stock of VeriSign
Japan. Accordingly, the Company's consolidated financial statements include
the accounts of the Company and this subsidiary and the Company's consolidated
statements of operations reflect the elimination of the minority shareholders'
share of the net losses of the subsidiary. Historically, VeriSign Japan has
funded its net losses with investments from its shareholders. However, to the
extent VeriSign Japan is unable to continue to fund its operations principally
from investments by shareholders, the Company may be required to fund the
operations of this subsidiary, which could have a material adverse effect on
the Company's business, operating results and financial condition. See
"Business--VeriSign Japan."
The Company has experienced substantial net losses in each fiscal period
since its inception and, as of December 31, 1997, had an accumulated deficit
of $31.4 million. Such net losses and accumulated deficit resulted from the
Company's lack of substantial revenues and the significant costs incurred in
the development and sale of the Company's products and services and in the
establishment and deployment of the Company's operations infrastructure and
practices. The Company intends to increase its expenditures in all areas in
order to execute its business plan. As a result, the Company expects to incur
substantial additional losses for the foreseeable future. Although the Company
has experienced revenue growth in recent periods, there can be no assurance
that such growth rates are sustainable and, therefore, they should not be
considered indicative of future operating results. There can be no assurance
that the Company will ever achieve significant revenues or profitability or,
if significant revenues and profitability are achieved, that they could be
sustained. See "Risk Factors--Limited Operating History; History of Losses and
Anticipation of Future Losses."
RESULTS OF OPERATIONS
REVENUES
The Company's revenues increased from $382,000 for the period from April 12,
1995 (inception) to December 31, 1995 (the "Inception Period") to $1.4 million
for 1996 and to $9.4 million for 1997. Revenues from inception through
December 31, 1996 were primarily derived from sales of the Company's Server
Digital ID products. The increase in revenues from the Inception Period to
1996 was due primarily to increased market acceptance of Server Digital IDs
and, to a lesser extent, SET digital certificate solutions. The increase in
revenues from 1996 to 1997 was due primarily to increased sales of Server
Digital IDs and to increased services revenues, which included revenues from
digital certificate service and product development agreements. Revenues from
the sale of Universal Digital IDs have been nominal because substantially all
of the Company's Universal Digital IDs have been issued free of charge on a
promotional basis.
Revenues attributable to VISA accounted for approximately 21% and 14% of
revenues for 1996 and 1997, respectively. No other customer accounted for more
than 10% of the Company's revenues during the Inception Period, 1996 or 1997.
Revenues of VeriSign Japan and revenues from other international customers
accounted for less than 10% of revenues for the Inception Period and 1996 and
approximately 13% of revenues for 1997.
COSTS AND EXPENSES
The Company's costs and expenses have increased in absolute dollars since
inception, primarily due to the overall growth of the Company. The total
number of the Company's employees increased from 26 at December 31, 1995 to
185 at December 31, 1997. In addition, the Company opened several new offices,
increased its sales and marketing and research and development efforts, and
expanded its headquarters and Digital ID Centers during this period. The
Company believes that it will need to continue to expand its operations in
order to execute its business strategy. Accordingly, the Company intends to
continue to increase its costs and expenses in all areas for the foreseeable
future.
Cost of Revenues. Cost of revenues consists primarily of costs related to
personnel providing digital certificate enrollment and issuance services,
customer support and training, consulting and development services, and
facilities and computer equipment used in such activities. Cost of revenues
also includes fees paid to third parties to verify certificate applicants'
identities and insurance premiums for the Company's NetSure warranty plan and
errors and omission insurance. Cost of revenues increased from $412,000 for
the Inception Period to $2.8 million for 1996 and to $7.8 million for 1997.
Cost of revenues was not material during the Inception Period as a result of
the Company's minimal revenues. The increases in 1996 and 1997 were due
primarily to increased facilities costs and related overhead that resulted
from building the Company's operations infrastructure, hiring full-time and
temporary personnel to support the additional volume of issuances of Server
Digital IDs, introduction of additional Server Digital ID products,
introduction of the Company's NetSure warranty program, increased costs of
errors and omission insurance, increased expenses for access to third-party
databases and, during 1997, implementation of the Company's disaster recovery
plan. Given the Company's limited operating history, limited history of
issuing Digital IDs and evolving industry and business model, the Company
believes that analysis of cost of revenues as a percentage of revenues is not
yet meaningful.
Sales and Marketing. Sales and marketing expenses consist primarily of costs
related to sales, marketing and practices and external affairs personnel,
including salaries, sales commissions and other personnel-related expenses,
computer equipment and support services used in such activities, facilities
costs, consulting fees and costs of marketing programs. Sales and marketing
expenses increased from $790,000 for the Inception Period to $4.9 million for
1996 and to $10.8 million for 1997. These increases were due primarily to
increased headcount and, to a lesser extent, increased expenditures for
marketing programs. The Company anticipates that sales and marketing expenses
will continue to increase in absolute dollars as it expands its direct sales
force, hires additional marketing personnel and increases its marketing and
promotional activities during 1998.
Research and Development. Research and development expenses consist
primarily of costs related to research and development personnel, including
salaries and other personnel-related expenses, consulting fees, facilities,
and computer equipment and support services used in product and technology
development. Research and development expenses increased from $642,000 for the
Inception Period to $2.1 million for 1996 and to $5.2 million for 1997. These
increases were due primarily to increased personnel to support the design,
testing and deployment of, and technical support for, the Company's expanded
product offerings and technology. The Company believes that timely development
of new and enhanced products and technology is necessary to remain
competitive in the marketplace. Accordingly, the Company intends to continue
recruiting and hiring experienced research and development personnel and to
make other investments in research and development. Therefore, the Company expects
that research and development expenditures will continue to increase in
absolute dollars. To date, all research and development expenses have been
expensed as incurred.
General and Administrative. General and administrative expenses consist
primarily of salaries and other personnel-related expenses for the Company's
administrative, finance and human resources personnel, facilities and computer
equipment, support services and professional services fees. General and
administrative expenses increased from $680,000 for the Inception Period to
$2.6 million for 1996 and $4.6 million for 1997. These increases were due
primarily to increased staffing levels to manage and support the Company's
expanding operations. The Company anticipates hiring additional personnel and
incurring additional costs related to being a
public company, including directors' and officers' liability insurance,
investor relations programs and professional services fees. Accordingly, the
Company anticipates that general and administrative expenses will continue to
increase in absolute dollars.
Nonrecurring Charges. In September 1996, VeriFone, which subsequently became
a wholly-owned subsidiary of Hewlett-Packard Company ("Hewlett-Packard"),
filed a lawsuit against the Company alleging, among other things, trademark
infringement. In November 1997, the parties executed a definitive agreement
under which, among other things, the Company issued an aggregate of 250,000
shares of Common Stock, which were transferred to Hewlett-Packard, and the
Company and VeriFone settled such claims. The settlement amount was recorded
during 1997 as a $2.0 million charge to operations. In November 1997, the
Company entered into a preferred provider agreement with Microsoft whereby the
companies will develop, promote and distribute a variety of client-based and
server-based digital certificate solutions and the Company will be designated
as the premier provider of digital certificates for Microsoft customers. In
connection with the agreement, the Company issued 100,000 shares of Common
Stock to Microsoft resulting in an $800,000 charge to operations.
OTHER INCOME (EXPENSE)
Other income (expense) consists primarily of interest earned on the
Company's cash, cash equivalents and short-term investments, less interest
expense on bank borrowings of VeriSign Japan and the effect of foreign
currency transaction gains and losses. The Company had other income of
$148,000 for the Inception Period, other expense of $67,000 for 1996 and other
income of $1.1 million for 1997. The increase for 1997 was due to interest
earned on the cash proceeds from the Company's November 1996 Series C
Preferred Stock financing.
INCOME TAXES
No provision for federal and California income taxes has been recorded
because the Company has experienced net losses since inception. As of December
31, 1997, the Company had federal and California net operating loss
carryforwards of approximately $26.9 million and $27.1 million, respectively.
These federal and California net operating loss carryforwards will expire, if
not utilized, in years 2010 through 2014 and in 2003, respectively. The Tax
Reform Act of 1986 imposes substantial restrictions on the utilization of net
operating losses and tax credits in the event of an "ownership change" of a
corporation. The Company's ability to utilize net operating loss carryforwards
may be limited as a result of an "ownership change" as defined in the Internal
Revenue Code. The Company does not anticipate that a material limitation on
its ability to use such carryforwards and credits will result from this
offering. The Company has provided a full valuation allowance on the deferred
tax asset because of the uncertainty regarding its realization. The Company's
accounting for deferred taxes under Statement of Financial Accounting
Standards No. 109 involves the evaluation of a number of factors concerning
the realizability of the Company's deferred tax assets. In concluding that a
full valuation allowance was required, management primarily considered such
factors as the Company's history of operating losses and expected future
losses and the nature of the Company's deferred tax assets. Although
management's operating plans assume taxable and operating income in future
periods, management's evaluation of all the available evidence in assessing
the realizability of the deferred tax assets indicates that such plans were
not considered sufficient to overcome the available negative evidence. See
Note 7 of Notes to Consolidated Financial Statements.
MINORITY INTEREST IN NET LOSS OF SUBSIDIARY
Minority interest in the net losses of VeriSign Japan was $838,000 for 1996
and $1.5 million for 1997. This increase was due to the increased expenses
incurred in establishing and expanding the operations of VeriSign Japan prior
to recognizing significant revenues and to an increasing percentage of
VeriSign Japan's capital stock being held by minority shareholders. VeriSign
Japan is still in an early stage of operations and, therefore, the Company
expects that the minority interest in net loss of subsidiary will continue to
fluctuate in future periods.
SELECTED QUARTERLY OPERATING RESULTS
The following table sets forth certain consolidated statement of operations
data for each quarter of 1996 and 1997. This information has been derived from
the Company's unaudited consolidated financial statements,
which, in management's opinion, have been prepared on the same basis as the
annual consolidated financial statements and include all adjustments,
consisting only of normal recurring adjustments, necessary for a fair
presentation of the information for the quarters presented. This information
should be read in conjunction with the Consolidated Financial Statements and
notes thereto included elsewhere in this Prospectus. The operating results for
any quarter are not necessarily indicative of the results for any future
period.
                                                 THREE MONTHS ENDED
                        --------------------------------------------------------------------------------
                         MAR. 31,  JUNE 30,  SEPT. 30, DEC. 31,  MAR. 31,  JUNE 30,  SEPT. 30, DEC. 31,
                           1996      1996      1996      1996      1997      1997      1997      1997
                         --------  --------  --------  --------  --------  --------  --------  --------
                                                   (IN THOUSANDS)
Revenues................  $   153   $   246   $   375   $   577   $ 1,267   $ 2,249   $ 2,599   $ 3,267
Costs and expenses:
  Cost of revenues......      304       552       737     1,198     1,419     1,733     2,014     2,667
  Sales and marketing...      540     1,015     1,213     2,108     2,254     2,686     2,324     3,575
  Research and
    development.........      350       417       523       768     1,029     1,222     1,309     1,628
  General and
    administrative......      396       408       713     1,123       953       864     1,084     1,703
  Nonrecurring charges..       --        --        --        --        --        --     2,000       800
                          -------   -------   -------   -------   -------   -------   -------   -------
    Total costs and
      expenses..........    1,590     2,392     3,186     5,197     5,655     6,505     8,731    10,373
                          -------   -------   -------   -------   -------   -------   -------   -------
    Operating loss......   (1,437)   (2,146)   (2,811)   (4,620)   (4,388)   (4,256)   (6,132)   (7,106)
Other income (expense)..       35        35        14      (151)      469       166       225       289
                          -------   -------   -------   -------   -------   -------   -------   -------
    Loss before minority
      interest..........   (1,402)   (2,111)   (2,797)   (4,771)   (3,919)   (4,090)   (5,907)   (6,817)
Minority interest in net
  loss of subsidiary....       (2)     (128)     (228)     (480)     (305)     (482)     (407)     (344)
                          -------   -------   -------   -------   -------   -------   -------   -------
    Net loss............  $(1,400)  $(1,983)  $(2,569)  $(4,291)  $(3,614)  $(3,608)  $(5,500)  $(6,473)
                          =======   =======   =======   =======   =======   =======   =======   =======
REVENUES
The Company has experienced quarter-to-quarter sequential growth in revenues
since its inception. These quarterly increases were due primarily to the
increased number of Server Digital IDs sold during these periods. In addition,
during the first quarter of 1997, the Company completed certain work required
under various certificate service and product development agreements and,
therefore, recognized the related portion of revenues during that quarter. The
Company realized additional services fees during the second quarter of 1997 as
a result of entering into new certificate service and product development
agreements and completing work under existing certificate service and product
development agreements. During the third and fourth quarters of 1997, revenues
attributable to digital certificates grew as a result of the increased number
of digital certificates sold and an approximately 15% per unit price increase.
Revenues also increased in the third and fourth quarters of 1997 as a result
of the completion of work under other certificate service and product
development agreements.
COSTS AND EXPENSES
Cost of Revenues. Throughout 1996, the Company was developing a secure
operations and customer support infrastructure as well as related systems.
During the fourth quarter of 1996, the Company began building its new Digital
ID Center to manage enrollment and issuance of large volumes of Digital IDs
and moved its customer support and information systems teams into the new
Digital ID Center. Accordingly, facilities costs and related overhead
increased significantly in the first quarter of 1997. During the second and
third quarters of 1997, the Company added full-time and temporary personnel,
particularly for customer support and information systems, in order to support
the additional volume of issuances of Server Digital IDs. The Company also
devoted additional personnel resources to support work under the Company's
product development agreements during this time period. During the second
quarter of 1997, the Company introduced its NetSure warranty program,
resulting in higher insurance premiums. During the third quarter of 1997, the
Company also incurred increased
expenses for access to third-party databases to verify certificate applicants'
identities and expenses relating to the implementation of the Company's
disaster recovery plan. During the fourth quarter of 1997, expenses for access
to third-party databases continued to increase as the Secure Server ID volume
increased. In addition, the Company accelerated the amortization of certain
software that the Company plans to replace during 1998.
Sales and Marketing. The quarterly increases in sales and marketing expenses
resulted primarily from the building of the Company's sales and marketing
organization, which began in 1996. During the third and fourth quarters of
1996, the Company began expanding its marketing organization to include
corporate, channel and product marketing programs. In each of the first three
quarters of 1997, the Company added sales and marketing personnel to support
its expanding product lines, which resulted in higher recruiting, benefits,
travel and facilities costs. Sales and marketing expenses were higher in the
second quarter of 1997 than the preceding two quarters and the following
quarter due to increased expenses incurred pursuing international and domestic
strategic relationships, increased public relations activities, Web site
management costs and channel development activities. Sales and marketing
expenses increased in the fourth quarter of 1997 as the Company continued to
develop a direct sales force and increased spending for new marketing
programs.
Research and Development. The sequential quarterly increases in research and
development expenses were due primarily to increased personnel and related
costs to support the design, testing and deployment of, and technical support
for, the Company's expanded product offerings and technology.
General and Administrative. The sequential quarterly increases in general
and administrative expenses over the four quarters of 1996 were primarily
related to the addition of personnel and related costs to support expansion of
the Company's operations. During the fourth quarter of 1996, the Company
incurred additional expenses for consulting services, increased legal fees
relating to a large number of contract negotiations and increased expenses
resulting from a growth in headcount. During the fourth quarter of 1996 and
into 1997, the Company incurred increased expenses for a larger facility and
for the implementation of additional systems and procedures. In addition to
building administrative infrastructure during the fourth quarter of 1997, the
Company increased its allowance for doubtful accounts commensurately with the
growth in accounts receivable.
Nonrecurring Charges. Nonrecurring charges in the third and fourth quarters
of 1997 are discussed above under "--Results of Operations--Costs and
Expenses--Nonrecurring Charges."
FACTORS AFFECTING OPERATING RESULTS
The Company's operating results have varied on a quarterly basis during its
short operating history and may fluctuate significantly in the future as a
result of a variety of factors, many of which are outside the Company's
control. Factors that may affect the Company's quarterly operating results
include the following: market acceptance of digital certificates; market
acceptance of its products and services, particularly VeriSign OnSite,
VeriSign V-Commerce and VeriSign SET; the long sales and implementation cycles
for and potentially large order sizes of certain of the Company's products and
services; the timing and execution of individual contracts; the timing of
releases of new versions of Internet browsers or other third-party software
products in which the Company's public root keys are embedded; customer
renewal rates for the Company's products and services; the Company's success
in marketing other products and services to its existing customer base and to
new customers; development of the Company's direct and indirect distribution
channels; market acceptance of the Company's or competitors' new products and
services; the amount and timing of expenditures relating to expansion of the
Company's operations; price competition or pricing changes; general economic
conditions and economic conditions specific to the Internet, intranet and
extranet industries. Any one of these factors could cause the Company's
revenues and operating results to vary significantly in the future. In
addition, the Company will need to expand its operations and attract,
integrate, retain and motivate a substantial number of sales and marketing and
research and development personnel. The timing of such expansion and the rate
at which new personnel become productive could cause material fluctuations in
the Company's quarterly operating results.
The Company's limited operating history and the emerging nature of its
market make prediction of future revenues difficult. The Company's expense
levels are based, in part, on its expectations regarding future revenues, and
to a large extent such expenses are fixed, particularly in the short term.
There can be no assurance that the Company will be able to predict its future
revenues accurately and the Company may be unable to adjust
spending in a timely manner to compensate for any unexpected revenue
shortfall. Accordingly, any significant shortfall of revenue in relation to
the Company's expectations could cause significant declines in the Company's
quarterly operating results.
Due to all of the foregoing factors, the Company's quarterly revenues and
operating results are difficult to forecast. The Company believes that period-
to-period comparisons of its operating results will not necessarily be
meaningful and should not be relied upon as an indication of future
performance. Also, it is likely that the Company's operating results will fall
below the expectations of the Company, securities analysts or investors in
some future quarter. In such event, the market price of the Company's Common
Stock could be materially and adversely affected.
LIQUIDITY AND CAPITAL RESOURCES
Since inception, the Company and its Japanese subsidiary financed their
operations primarily through private sales of equity securities raising
approximately $45.6 million. At December 31, 1997, the principal source of
liquidity for the Company was $11.9 million of cash, cash equivalents and
short-term investments. The Company also has an equipment loan agreement under
which it may borrow up to $3.0 million for purchases of equipment. This
equipment loan agreement expires on March 31, 1999. Any amounts borrowed under
this equipment loan agreement would bear interest at the rate of 7.5% per
annum and would be secured by the equipment purchased with the loan proceeds.
In the event that the Company borrows under this equipment loan agreement, it
will be obligated to issue to the lender a warrant to purchase 17,500 shares
of Common Stock. The Company currently has no plans to borrow any amounts
under this equipment loan agreement. VeriSign Japan has available a revolving
line of credit of up to $500,000 with a bank that bears interest at 1.625% per
annum and expires in May 1998. The line of credit is secured by a letter of
credit from the Company in the same amount. There were no borrowings
outstanding under this line of credit as of December 31, 1997.
The Company has had significant negative cash flows from operating
activities in each fiscal period to date. Net cash used in operating
activities for the Inception Period, 1996 and 1997 was $1.5 million, $6.0
million and $13.6 million, respectively. Net cash used in operating activities
in each of these periods was primarily the result of net losses, offset in
part by increases in accounts payable and accrued liabilities for the
Inception Period and 1996 and deferred revenues in all three fiscal periods.
Net cash used in investing activities for the Inception Period, 1996 and
1997 was $1.0 million, $4.4 million and $15.0 million, respectively. Net cash
used in investing activities in these periods was primarily the result of
capital expenditures for computer equipment, purchased software, office
equipment, furniture, fixtures and leasehold improvements. In addition, for
1997, cash used in investing activities included $8.0 million of net purchases
of short-term investments. Capital expenditures for property and equipment for
the Inception Period, 1996 and 1997 aggregated $1.0 million, $4.2 million and
$6.6 million, respectively. The Company's planned capital expenditures for
1998 are approximately $5.0 million, primarily for computer equipment and
other leasehold improvements. As of December 31, 1997, the Company also had
commitments under noncancelable operating leases of $6.3 million through 2002.
Net cash provided by financing activities for the Inception Period, 1996 and
1997 was $5.3 million, $37.8 million and $2.6 million, respectively, resulting
primarily from net proceeds from the sale of Preferred Stock by the Company.
In addition, for 1996 and 1997, net cash provided by financing activities of
VeriSign Japan was $4.2 million and $2.5 million, respectively, resulting from
the sale of its capital stock to minority investors and from the proceeds of
its bank borrowings.
The Company believes that the net proceeds from this offering, together with
existing cash, cash equivalents and short-term investments, will be sufficient
to meet its working capital and capital expenditure requirements for at least
the next 12 months. The Company may need to raise additional funds through
public or private financing, strategic relationships or other arrangements.
There can be no assurance that such additional funding,
if needed, will be available on terms attractive to the Company, or at all.
Strategic relationships, if necessary to raise additional funds, may require
the Company to relinquish rights to certain of its technologies or products.
The failure of the Company to raise capital when needed could have a material
adverse effect on the Company's business, operating results and financial
condition. If additional funds are raised through the issuance of equity
securities, the percentage ownership of the Company of its then-current
stockholders would be reduced. Furthermore, such equity securities might have
rights, preferences or privileges senior to those of the Company's Common
Stock. See "Risk Factors--Future Capital Needs; Uncertainty of Additional
Financing."
RECENT ACCOUNTING PRONOUNCEMENT
In October 1997, the American Institute of Certified Public Accountants
issued Statement of Position ("SOP") No. 97-2, Software Revenue Recognition,
which supersedes SOP No. 91-1. The Company will be required to adopt SOP No.
97-2 prospectively for software transactions entered into beginning January 1,
1998. SOP No. 97-2 generally requires revenue earned on software arrangements
involving multiple elements to be allocated to each element based on the
relative fair values of the elements. The fair value of an element must be
based on evidence that is specific to the vendor. If a vendor does not have
evidence of the fair value for all elements in a multiple-element arrangement,
all revenue from the arrangement is deferred until such evidence exists or
until all elements are delivered. The Company's management anticipates that
the adoption of SOP No. 97-2 will not have a material effect on the Company's
operating results.
BUSINESS
VeriSign is the leading provider of digital certificate solutions and
infrastructure needed by companies, government agencies, trading partners and
individuals to conduct trusted and secure communications and commerce over IP
networks. The Company has established strategic relationships with industry
leaders, including AT&T, BT, Cisco, McAfee Associates, Microsoft, Netscape,
RSA, Security Dynamics, VeriFone and VISA, to enable widespread deployment of
the Company's digital certificate technology and products and to assure their
interoperability among a wide variety of applications over IP networks. The
Company's Digital IDs are enabled in millions of copies of Microsoft and
Netscape Web browsers, tens of thousands of copies of popular Web servers and
a variety of other software applications. The Company believes that it has
issued more digital certificates than any other company, having issued over
2.0 million of its Digital IDs for individuals and over 40,000 of its Digital
IDs for Web sites. In addition to providing Digital IDs for individuals and
Web sites, the Company provides turn-key and custom solutions needed by
organizations such as Dow Jones, NationsBank, NOVUS/Discover and VISA, to
conduct trusted and secure communications and commerce over IP networks. The
Company markets its products and services worldwide through multiple
distribution channels, including the Internet, direct sales, telesales, VARs,
systems integrators and OEMs, and intends to continue to expand these
distribution channels.
INDUSTRY BACKGROUND
GROWTH OF INTERNET COMMERCE AND COMMUNICATIONS
IP networks are revolutionizing the ways in which companies, government
agencies, trading partners and individuals communicate and conduct business.
IP networks provide an attractive medium for communications and commerce
because of their global reach, accessibility, use of open standards and
ability to enable real-time interaction. Organizations are seeking to leverage
the capabilities of IP networks to attract new customers, access new markets,
improve customer service and satisfaction and lower support and distribution
costs. Until recently, IP networks have been used primarily for informal
messaging, general information browsing and the exchange of non-sensitive
data. The use of IP networks is now beginning to extend beyond these initial
uses to a number of more valuable and sensitive activities, including
business-to-business transactions and Internet-based EDI, online retail
purchases and payments, Web-based access to account and benefits information
and secure messaging for both personal and business use. IDC estimates that
global Internet commerce revenues will grow from approximately $10.6 billion
in 1997 to approximately $223.1 billion in 2001.
REQUIREMENT FOR TRUSTED INTERACTION OVER IP NETWORKS
Although openness represents a fundamental strength of IP networks, their
accessibility and the anonymity of users resulting from the lack of "face-to-
face" interaction create threats to the privacy and integrity of information
that is transmitted across or stored on these networks. Despite the
convenience and the compelling economic incentives for the use of IP networks,
they cannot reach their full potential as a platform for global communications
and commerce until the current lack of security and trust associated with
these networks is resolved. According to a study conducted in 1997 by Zona
Research, Inc., 70% of the businesses and consumers surveyed listed concerns
about trust and security as the main impediment to broader use of the Internet
for commercial applications. Business concerns include the potential for theft
of corporate or customer information, impersonation of employees, loss of
reputation and economic loss through fraud. Consumer concerns include the
possibility of merchant impersonation and fraud and the risk that third
parties may be able to intercept and use personal information such as credit
card numbers. Traditional security mechanisms such as passwords and personal
identification numbers do not adequately address these issues, as they can be
easily lost, forgotten or misappropriated. Some security concerns are being
addressed through technologies such as encryption and firewalls, but these
technologies do not address the need to establish and maintain a common
framework of trust between parties conducting transactions or exchanging
sensitive information in the digital world.
In the physical world, trust in communications and commerce is established
through a combination of social, business and legal practices that, in some
cases, have been developed over hundreds of years. These practices often
include the use of physical credentials, such as credit cards, business
licenses or employee badges, and the associated legal protections to avoid
loss from theft or fraud. The diligence, practices, policies and reputations
of the organizations standing behind the issuance, delivery, revocation and
renewal of physical credentials provide a readily understood and accepted
framework of trust for a given communication or transaction. The physical
credentials that embody these proven practices and frameworks of trust and the
social interactions that accompany their use cannot be utilized in the digital
world. As a result, there is a need for a trusted and convenient way to verify
the identity, authority and privilege of the parties involved in
communications and commerce over IP networks and to assure their proper and
trusted association with a specific organization or community.
EMERGENCE OF DIGITAL CERTIFICATE TECHNOLOGY
Digital certificates are emerging as the leading technology for establishing
a framework for trusted and secure communications and commerce over IP
networks, with many Internet security protocols dictating the use of digital
certificates. A digital certificate is a specially prepared software file that
functions as an electronic credential in the digital world, identifying the
certificate owner, authenticating the certificate owner's membership in a
given organization or community (credit card holder, employee, supply chain
participant or citizen) and establishing the certificate owner's authority to
engage in a given transaction. Utilizing the principles of public key
cryptography, a digital certificate binds a pair of unique mathematical keys,
one designated as "private" and securely maintained by its owner, and the
other designated as "public" and embedded in the digital certificate. What the
owner's private key digitally signs, only the corresponding public key can
verify. When properly prepared, issued and administered, digital certificates
create a framework for trusted interaction over IP networks, making it
possible, for example, to verify with certainty the identity of an account
holder or a Web-based business, the source of an electronic message or the
integrity of electronically distributed software or content.
Significant efforts are underway to utilize digital certificates as
"vehicles of trust" for securely transmitting e-mail, accessing information on
public and private Web sites, purchasing retail goods and services and
conducting other financial transactions such as electronic securities trading.
The leading vendors of Web browser, Web server, electronic mail, electronic
payment and content distribution applications have incorporated digital
certificate technology as the framework for establishing trusted and secure
communications and commerce over IP networks and are embedding support for
digital certificates in their products. A number of standard protocols that
are being widely adopted for communications and commerce require the use of
digital certificates. These protocols include the Secure Sockets Layer
protocol ("SSL") for browser/server authentication and secure data
transmission, the Secure Multipurpose Internet Mail Extensions protocol
("S/MIME") for secure e-mail and EDI, the Secure Electronic Transactions
protocol ("SET") for secure electronic payments, and the Internet Protocol
Security standard ("IP/SEC") for authentication of networking devices. Just as
an individual may have many forms of credit cards and IDs, he or she may
require multiple digital certificates, each corresponding to a unique digital
relationship between the individual and an organization. Thus, there is the
potential need over time for hundreds of millions of digital certificates to
be issued and managed.
CERTIFICATION AUTHORITIES AND THE NEED FOR TRUSTED INFRASTRUCTURE
Digital certificates are prepared and managed by trusted parties known as
Certification Authorities ("CAs"). To prepare a digital certificate for
issuance, a CA embeds an individual's or an organization's public key along
with specific personal information (name or e-mail address) or organizational
information (domain name or affiliation) in the digital certificate, which is
then cryptographically "signed" by the CA. The CA's digital signature acts as
a tamper-proof electronic seal that verifies the integrity of the information
within the digital certificate and validates its use within a specific
organization or community. This digital signature is linked to the CA's public
"root key," which is embedded in the browser, server or other application used
by the
organization or community. Through the embedded public root key, a community
member can automatically confirm the authenticity of a digital certificate--
and hence the certificate owner's identity, authority and privilege--to verify
the source and integrity of any accompanying message or transaction request.
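The issuance and verification flow described above can be traced in code. The following is an added illustration, not part of the original filing and not VeriSign's software. It uses textbook RSA over publicly known Mersenne primes purely to show the data flow, and every name in it (the CA name, host names, function names) is an assumption made for the example.

```python
import hashlib
import json

# Toy RSA keys built from publicly known Mersenne primes (constructed for this
# example). Anyone can factor these moduli and no padding is used: this shows
# the data flow only and must never be used to protect anything.
E = 65537


def make_keypair(p_bits, q_bits):
    """Return (public, private) for the modulus (2^p_bits - 1) * (2^q_bits - 1)."""
    p, q = (1 << p_bits) - 1, (1 << q_bits) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest(data: bytes) -> int:
    # SHA-256 as an integer; always smaller than the >1000-bit moduli used here.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    return pow(_digest(data), private["d"], private["n"])


def verify(public, data: bytes, signature: int) -> bool:
    return pow(signature, public["e"], public["n"]) == _digest(data)


def _signed_fields(cert) -> bytes:
    """Canonical bytes of everything in the certificate except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, subject, subject_public):
    """CA side: bind the subject's identity to its public key and sign the result."""
    cert = {"issuer": ca_name, "subject": subject, "public_key": subject_public}
    cert["signature"] = sign(ca_private, _signed_fields(cert))
    return cert


def validate_certificate(cert, root_store):
    """Relying-party side: check the CA signature with the embedded root key."""
    root_public = root_store.get(cert["issuer"])
    if root_public is None:
        return False, "issuer not in embedded root store"
    if not verify(root_public, _signed_fields(cert), cert["signature"]):
        return False, "CA signature does not cover these contents"
    return True, "ok"


def verify_signed_message(cert, root_store, message: bytes, signature: int):
    """Accept a message only if the certificate validates and the message
    signature verifies under the certified public key."""
    ok, reason = validate_certificate(cert, root_store)
    if not ok:
        return False, reason
    if not verify(cert["public_key"], message, signature):
        return False, "message signature invalid"
    return True, "ok"


# --- constructed sample data (hypothetical CA and hosts) ---
CA_NAME = "Example Root CA"
ca_public, ca_private = make_keypair(521, 607)
site_public, site_private = make_keypair(607, 1279)
rogue_public, rogue_private = make_keypair(521, 1279)

# The "embedded public root key": what a browser or server ships with.
ROOT_STORE = {CA_NAME: ca_public}

site_cert = issue_certificate(CA_NAME, ca_private, "www.shop.example", site_public)
order = b"order-confirmation #1001"
order_sig = sign(site_private, order)

# A certificate altered after issuance, and one signed by a key that only
# claims the trusted CA's name. Both must be rejected.
tampered_cert = dict(site_cert, subject="www.other.example")
rogue_cert = issue_certificate(CA_NAME, rogue_private, "www.shop.example", rogue_public)

if __name__ == "__main__":
    for label, cert in [("genuine", site_cert), ("tampered", tampered_cert),
                        ("rogue-signed", rogue_cert)]:
        print(label, validate_certificate(cert, ROOT_STORE))
    print("message", verify_signed_message(site_cert, ROOT_STORE, order, order_sig))
```

The relying party never contacts the CA in this flow: the decision rests entirely on the root key already embedded in its software, which is why the distribution of that key matters as much as the signature itself.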
A CA may digitally sign certificates for multiple organizations or
communities, each having different rules, qualifications or procedures
governing the admission of members. The CA may sign and issue certificates
directly to the members of a given community or sign certificates on behalf of
other entities (credit card issuers, corporations or government agencies) that
wish to control the admission of members into their organizations and grant to
them certain authority and privileges.
The successful implementation and management of digital certificates as a
mechanism for trusted and secure commerce and communications present a number
of issues and challenges for a CA. The CA must establish and maintain rigorous
practices, policies and procedures to manage the technical complexities of
cryptographic key management and provide for the secure creation and
distribution of digital certificates. The CA must carefully manage the entire
lifecycle of all digital certificates issued, including identifying and
conducting initial due diligence on the owners, tracking digital certificates,
providing customer support for digital certificate owners, confirming in real-
time the continued validity of each digital certificate and revoking or
renewing the digital certificates. To be effective for large public and
private communities needing digital certificates, a CA must also have a highly
scaleable and flexible infrastructure, be able to provide a full range of
digital certificate services in high volume on a 24 hour x 7 day basis and
have its public root key embedded in and supported by a wide variety of
applications utilized across IP networks.
THE VERISIGN SOLUTION
VeriSign is the leading provider of digital certificate solutions and
infrastructure needed by companies, government agencies, trading partners and
individuals to conduct trusted and secure communications and commerce over IP
networks. The Company has established strategic relationships with industry
leaders, including AT&T, BT, Cisco, McAfee Associates, Microsoft, Netscape,
RSA, Security Dynamics, VeriFone and VISA to enable widespread deployment of
the Company's digital certificate technology and products and to assure their
interoperability among a wide variety of applications. The Company believes
that it has issued more digital certificates than any other company, having
issued over 2.0 million of its Digital IDs for individuals and over 40,000 of
its Digital IDs for Web sites. The Company's digital certificates are enabled
in millions of copies of Microsoft and Netscape browsers, tens of thousands of
copies of popular Web servers and a variety of software applications. In
addition, Microsoft and Netscape have integrated enrollment for the Company's
digital certificates into the registration process for their Web browsers,
prominently feature the Company and its digital certificate solutions in
certain of their products and on their Web sites, have integrated the
Company's public root key into their browsers and engage in a variety of joint
marketing activities with the Company. In addition to providing Digital IDs
for individuals and Web sites, the Company also provides turn-key and custom
solutions needed by organizations, such as Dow Jones, NationsBank,
NOVUS/Discover and VISA, to conduct trusted and secure communications and
commerce over IP networks.
The Company issues and manages digital certificates directly from its
Digital ID Centers for consumers, businesses and organizations that use IP
networks for trusted and secure communications and commerce. The Company also
offers a comprehensive range of digital certificate solutions tailored to meet
the specific needs of customers, such as financial institutions and
governmental agencies, that wish to issue their own, or have VeriSign issue on
their behalf, digital certificates for use within their private intranets and
extranets. These solutions vary based on the nature and complexity of the
applications, the degree of control customers desire to maintain and the
degree of operational responsibility customers wish to delegate. Each of the
Company's solutions leverages its infrastructure for managing digital
certificates to relieve customers from the burdensome responsibilities and
costs of designing, establishing, maintaining and staffing their own digital
certificate operations.
The key components of the Company's solution are its scaleable, modular
software architecture, highly reliable and secure operations and comprehensive
security and trusted practices, which together provide a
platform designed for the timely, rapid deployment of large volumes of digital
certificates and the ongoing management of such digital certificates
throughout their lifecycles.
- Scaleable, Modular Software Architecture. The Company has designed its
software to provide the scaleability necessary to support the issuance and
management of millions of certificates for distinct communities ranging
from individual corporations to the entire population of Internet users.
The Company's WorldTrust software automates many of the processes for
digital certificate issuance and lifecycle management, including subscriber
enrollment, authentication and administration services. The Company's
modular software is also distributable over one or many computer systems to
enhance scaleability and allow for certain functions of the digital
certificate issuance and lifecycle management process to be deployed at
customer or affiliate locations while maintaining a secure and reliable
link to the Company's Digital ID Centers for back-end processing.
- Highly Reliable and Secure Operations. The Company's Digital ID Centers,
which are located in Mountain View, California and Kawasaki, Japan and
operate on a 24 hour x 7 day basis, support all aspects of issuance and
management of digital certificates as well as the delivery of its related
digital certificate services. Through the use of state-of-the-art computer,
telecommunications, network and monitoring systems, the Company's Digital
ID Centers are designed to provide the high levels of availability,
security and scaleability necessary to meet the needs of customers for high
volume digital certificate issuance and management.
- Comprehensive Security and Trusted Practices. The Company has been
instrumental in defining comprehensive, industry-endorsed practices and
procedures for the legal and business frameworks in which digital
certificate relationships are established as well as the physical security
and controls that are essential to operate secure, large-scale digital
certificate management operations. The Company believes that these
practices and procedures are a critical component to the creation of a
digital certificate infrastructure required for trusted and secure
communications and commerce over IP networks.
STRATEGY
The Company's objective is to enhance its position as the leading provider
of digital certificate solutions and infrastructure needed by companies,
government agencies, trading partners and individuals to conduct trusted and
secure communications and commerce over IP networks. The Company's strategy to
achieve this objective includes the following key elements:
Leverage Leadership Position to Drive Market Penetration. The Company
believes that it has developed a leading position in the market for digital
certificate solutions and underlying trust infrastructure by being the first
to market with a variety of digital certificate products and services,
building strategic relationships with industry leaders, issuing more digital
certificates than any other company, embedding its public root key in a
variety of communications, commerce and other software applications and
investing significant resources in developing its comprehensive trust
infrastructure. The Company intends to leverage this leadership position to
drive further adoption and deployment of its digital certificate solutions and
associated trust services. In addition, the Company intends to maintain its
first-to-market position by applying its knowledge and experience to new
products and services that the Company believes will have significant market
potential.
Leverage and Expand Strategic Relationships with Industry Leaders. The
Company has established strategic relationships with industry leaders,
including AT&T, BT, Cisco, McAfee Associates, Microsoft, Netscape, RSA,
Security Dynamics, VeriFone and VISA. The Company believes that these
relationships, as well as others that it intends to pursue, will enable the
widespread deployment of the Company's Digital IDs by allowing it to
capitalize on the brand recognition and broad customer bases of such strategic
partners. For example, both Microsoft and Netscape have incorporated the
Company's public root key in their Web browsers and feature the Company and
its digital certificate solutions in their products and on their Web sites.
The Company believes that this support from Microsoft and Netscape enhances
market awareness of the Company and provides a powerful endorsement of the
Company's digital certificate solutions and infrastructure. Certain of
the Company's strategic relationships also involve joint marketing activities,
which enhance the Company's ability to target large customers and expand
overall brand awareness. The Company intends to pursue additional strategic
relationships that the Company believes will enhance the marketing and
distribution of its products and services.
Maintain Leadership in Technology, Infrastructure and Practices. The Company
has developed technical, operational and procedural expertise for the
widespread implementation of secure digital certificate solutions. The Company
intends to continue to enhance its technology, infrastructure and distributed
product architecture to enable further operational scaleability in order to
provide digital certificate solutions for a variety of industries with high
volume certificate issuance requirements. In order to ensure the alignment of
its technology with emerging trends, the Company actively participates in
industry consortia, standards setting organizations and other trade groups. In
addition, the Company is continually enhancing its internal "best practices"
and controls to ensure the physical security of its facilities, maintain
quality in the execution of its operations, verify the quality and consistency
of its services and promote the global acceptance of its digital certificate
solutions.
Continue to Build the VeriSign Brand. The Company will continue to promote
the VeriSign brand as synonymous with trusted and secure communications and
commerce over IP networks. In order to accelerate the acceptance and
penetration of its digital certificate solutions, the Company has developed
joint marketing relationships with brand leaders such as BT, Microsoft,
Netscape, VeriFone and VISA and intends to pursue additional relationships
with entities whose brands are well known and widely respected. The Company
also utilizes a variety of marketing programs to promote market awareness of
the Company and promote the VeriSign brand.
Expand Global Marketing and Distribution. The Company will continue to
expand its global marketing and distribution efforts to address the range of
markets and applications for digital certificate solutions. The Company
intends to add direct sales personnel and expand indirect channels, both
domestically and internationally. The Company also plans to leverage its
technology infrastructure to establish Digital ID Centers in appropriate
international markets. The Company believes that this strategy affords the
opportunity to create an international network of digital certificate
providers operating under common technology, operations and legal practices to
provide a standard for global interoperability.
PRODUCTS AND SERVICES
The Company provides a comprehensive line of digital certificate solutions
that are designed to enable trusted and secure communications and commerce
over IP networks. All of these solutions and services are based upon the
Company's WorldTrust software architecture, scaleable operations
infrastructure and comprehensive security and trust practices. See "--
Technology and Architecture," "--Infrastructure" and "--Security and Trust
Practices."
The following table illustrates the range of the Company's products:
                        VERISIGN                                                END-USER
MARKET/CATEGORY         PRODUCT/SERVICE       DESCRIPTION                       LIST PRICE*
------------------------------------------------------------------------------------------------
Internet IDs
Client Digital          Universal Digital     Digital certificates for          $9.95-$29.95
Certificates            IDs                   individuals for secure e-mail,    per year
                                              access control and password
                                              replacement
Server Digital          Server Digital IDs    Digital certificates for          $249-$1,195
Certificates                                  organizations' Web sites for      per year
                                              encrypted server operations
Content Signing         Software Developer    Digital certificates for          $20-$400
Digital Certificates    Digital IDs           software developers, content      per year
                                              publishers and distributors
                        Channel Signing       for authenticated software and
                        Digital IDs           content distribution
------------------------------------------------------------------------------------------------
Enterprise and Electronic Commerce
Enterprise Solutions    VeriSign OnSite       Turn-key digital certificate      $5,000-$50,000
                                              solutions for managed IP          per year
                                              network applications for a
                                              wide range of mid-sized to
                                              large enterprises
Integrated Electronic   VeriSign V-Commerce   Customized solutions for          $50,000-$500,000
Commerce Solutions                            Fortune 1000 companies and Web    per year
                                              sites with very large customer
                                              or user bases
SET Certificate         VeriSign SET          Managed solutions for card        $50,000-$500,000
Solutions                                     brands, banks and payment         per year
                                              processors
------------------------------------------------------------------------------------------------
* The Company typically receives a percentage of the end-user list price for
Internet IDs that are sold through the Company's distribution channels. The
terms and conditions for the Company's enterprise, integrated electronic
commerce and SET certificate solutions, including sales prices and
discounts from list prices, may be negotiated in individual transactions
based on certificate volumes, associated services and required
customization and thus may vary from customer to customer.
The Company derived approximately one-half of its revenues in 1997 from
Internet IDs, principally Server Digital IDs for businesses, and approximately
one-third of its revenues in 1997 from enterprise and electronic commerce
products. There can be no assurance that the Company will be able to continue
to increase its revenues from these sources or that these products and
services will achieve widespread market acceptance. See "Risk Factors--Limited
Operating History; History of Losses and Anticipation of Future Losses" and
"--No Assurance of Market Acceptance for Digital Certificates and the
Company's Products and Services."
INTERNET IDS
The Company issues Internet IDs directly to individuals and organizations
engaged in communications and commerce over the Internet. These Internet IDs
allow individuals, organizations and software developers to protect the
privacy and integrity of their communications by establishing the identity,
authority or privilege of the parties involved to avoid impersonations or
identity "spoofing" and malicious security breaches. Since its inception, the
Company has issued over 2.0 million of its Digital IDs for individuals and
over 40,000 of its Digital IDs for Web sites. The purchase of a Digital ID
allows the customer to use the Digital ID for a limited period of time,
generally 12 months. After this period, the Digital ID must be renewed for
continued usage by the customer. The Company has also established a warranty
protection program, the NetSure Protection Plan, that provides warranty
coverage to its customers at varying levels up to $250,000 in the event of
economic loss due to the theft, impersonation, corruption or loss of an
Internet ID. VeriSign has insured itself against losses under such coverage
with United States Fidelity and Guaranty Company.
Client Digital Certificates. VeriSign's Universal Digital IDs are issued
directly to individuals to enable users to exchange digitally signed and
encrypted e-mail using the S/MIME protocol. Universal Digital IDs can also be
used to replace passwords for more convenient access to and enhanced security
of Web sites.
The Company currently offers two versions of Universal Digital IDs and plans
to offer a third version in the second half of 1998. These versions are
differentiated principally by the subscriber identity authentication
procedures and due diligence performed by the Company prior to issuance and
the amount of NetSure warranty protection provided:
Universal Digital ID-Class 1. Class 1 Universal Digital IDs are the class
of Universal Digital ID most commonly issued by the Company. The Company
issues a Class 1 Universal Digital ID after authenticating a user's e-mail
address by providing an activation code, via e-mail, that can be used to
download the digital certificate from VeriSign's Web site. Class 1
Universal Digital IDs have NetSure warranty protection of $1,000. The
Company offers a Class 1 Universal Digital ID for free on a 60-day trial
basis, but the trial version does not include replacement, revocation,
NetSure warranty protection or other related digital certificate services.
To date, substantially all of the Class 1 Universal Digital IDs have been
issued without charge on a trial or promotional basis.
Universal Digital ID-Class 2. The Company issues a Class 2 Universal
Digital ID after authenticating a user's personal identity by matching
personal information provided by the user with information contained in
established third-party consumer credit databases. To date, the Company has
issued Class 2 Universal Digital IDs primarily to North American residents.
Class 2 Universal Digital IDs have NetSure warranty protection of up to
$25,000.
Universal Digital ID-Class 3. VeriSign expects to introduce a Class 3
Universal Digital ID in the second half of 1998. A Class 3 Universal
Digital ID will be issued after authentication of a user's identity through
personal presence verification by VeriSign or one of its certified agents
or affiliates. The Company anticipates that Class 3 Universal Digital IDs
will have NetSure warranty protection of up to $50,000.
Server Digital Certificates. The VeriSign Server Digital ID product line
enables organizations to implement and operate secure Web sites using the SSL
or S/MIME protocols in order to establish authenticated and private
communications and commerce on IP networks. Prior to issuing a Server Digital
ID, VeriSign establishes the authenticity of a Web site through a series of
background checks that corroborate an organization's authority to do business
under a given business name, as well as its right to operate a server with a
specific domain name or URL. These procedures protect an organization against
another server "spoofing" its site and also allow site visitors to establish
the site's authenticity. VeriSign's Server Digital IDs enable an individual's
Web browser to verify a Web site's identity automatically by checking the
site's Server Digital ID. Once this authentication has occurred, an encrypted
session based on SSL or the S/MIME messaging protocol can commence. These
private communications sessions are virtually impenetrable by external
parties, thereby protecting sensitive information from unauthorized access.
The Company currently offers four versions of its Server Digital IDs,
differentiated by the target application of the server that hosts the Server
Digital ID. The Company provides NetSure warranty protection of up to $100,000
on each Secure Server ID, Global Server ID and Financial Server ID and up to
$250,000 on each EDI Server ID.
Secure Server ID. VeriSign Secure Server IDs enable Web sites to
implement SSL security features for transactions and communications
conducted between their Web servers and individual end users. A Secure
Server ID can also be used in conjunction with a Universal Digital ID to
restrict access to account information and content on a server hosted on an
IP network. The Company's public root key is embedded in more than 40
server software applications.
Global Server ID. VeriSign Global Server IDs enable organizations to
establish worldwide 128-bit encrypted SSL sessions using Netscape
Communicator or appropriately configured Microsoft Internet Explorer
software. Global Server IDs are available for use by U.S. corporations and
U.S. and foreign banks approved by the United States Department of Commerce
Bureau of Export Administration. VeriSign Global Server IDs are currently
the only commercially available server digital certificates for Netscape
and Microsoft products that utilize 128-bit encryption and can be used by
approved organizations on a global basis.
Financial Server ID. VeriSign Financial Server IDs are intended for use
with financial applications using the Open Financial Exchange specification
developed by Microsoft, Intuit Inc. ("Intuit") and CheckFree Corporation.
Financial Server IDs are used by financial institutions for authentication
of their Web servers and to enable the secure exchange of data between
these organizations and customers engaged in home banking, brokerage and
insurance services on the Internet. The Company's financial server public
root key is embedded in Intuit's Quicken product and will be embedded in
the next version of Microsoft Money.
EDI Server ID. VeriSign EDI Server IDs are intended for organizations or
individuals who participate in large online trading networks and who wish
to engage in secure communications. EDI Server IDs ensure the integrity of
messages, allow encrypted messages to be sent using a variety of EDI
standards and enable messages to be digitally signed to ensure
nonrepudiation. The Company's public root key is embedded in the Actra
ECXpert product and other EDI applications.
Content Signing Digital Certificates. The VeriSign content signing digital
certificate product line enables content providers, publishers and vendors to
digitally sign their content or distribution channels in order to ensure the
authenticity and integrity of content delivered to end users. All of the
Company's content signing digital certificates have NetSure warranty
protection of between $25,000 and $50,000.
The Company currently offers three versions of its content signing digital
certificates, differentiated principally by the subscriber identity
authentication procedures and due diligence performed by the Company prior to
issuance and the amount of NetSure warranty protection provided:
Individual Software Developer Digital ID. Individual Software Developer
Digital IDs are issued after VeriSign authenticates the identity of an
individual software publisher through the use of established third-party
consumer credit and other databases.
Commercial Software Developer Digital ID. Commercial Software Developer
Digital IDs are issued after VeriSign authenticates the identity of a
commercial software publisher by using registered credentials and online
commercial databases to verify the company's identity.
Both the Individual Software Developer Digital IDs and the Commercial
Software Developer Digital IDs are designed for use by software developers
that wish to digitally sign and distribute code electronically via the
Internet, including ActiveX controls under the Microsoft Authenticode
program or Java code in conjunction with the Netscape object signing
technology.
Channel Signing Digital ID. Channel Signing Digital IDs authenticate a
distribution channel for software and content that is automatically
distributed or "pushed" via IP networks using an application such as
Marimba's Castanet, by authenticating that the software or content is from
the indicated source and establishing that the software or content has not
been tampered with or modified while en route over IP networks.
ENTERPRISE AND ELECTRONIC COMMERCE
The Company offers a broad range of turn-key and custom solutions tailored
to meet the specific needs of companies, government agencies and other
organizations that wish to issue digital certificates to customers, employees,
trading partners or citizens. The Company's enterprise and electronic commerce
solutions can be used for a variety of applications, including: controlling
access to sensitive data and account information; facilitating and protecting
online payment card transactions; enabling digitally signed e-mail; or
creating an electronic trading community. These solutions give customers the
option of issuing private label digital certificates, which have limited use
within their intranets and extranets, or VeriSign Digital IDs, which are
interoperable with IP network applications enabled with the Company's public
root key and can be customized to include customer-specified data.
Enterprise and electronic commerce solutions vary based on the nature and
complexity of the application, the degree of control customers desire to
maintain, and the degree of operational responsibility customers wish to
delegate. The modularity of the Company's WorldTrust architecture allows
certain functions of the certification process, such as registration,
authentication, issuance, revocation, renewal or replacement, to be deployed
at customer sites while maintaining a link to VeriSign's Digital ID Centers
for back-end processing. As a result, customers enjoy significant time-to-
market and cost reduction benefits by leveraging the Company's trusted,
scaleable infrastructure with complete certificate lifecycle management, high-
speed servers, redundant telecommunications, data storage and daily back-up,
full disaster recovery, availability of 24 hour x 7 day customer service and
rigorous network and physical security.
VeriSign OnSite. VeriSign OnSite combines the ease of use and low entry cost
of a turn-key software product with the flexibility and scaleability of a
fully managed service. VeriSign OnSite targets mid- to large-scale companies
and government agencies that wish to set up and administer their own digital
certificate solutions using VeriSign's trusted infrastructure. VeriSign OnSite
provides browser-based software for front-end processing complete with
configuration wizards, enrollment templates, authentication and administration
tools, directory files and a secure link to the Company's Digital ID Centers
for back-end processing. VeriSign OnSite provides several key benefits,
including complete control over configuration, quick deployment, low cost and
flexibility. VeriSign OnSite can be downloaded from one of the Company's
Digital ID Centers or sold through one of the Company's direct or indirect
sales channels and is priced on an annual subscription basis for a fixed
quantity of digital certificates.
VeriSign V-Commerce. VeriSign V-Commerce is a comprehensive, custom solution
that enables large-scale electronic commerce activities on IP networks, such
as virtual storefronts, electronic subscription services, content delivery and
information access and broadcast. VeriSign V-Commerce targets Fortune 1000
companies, financial institutions and large government agencies with high-
volume digital certificate issuance and management requirements. VeriSign V-
Commerce solutions involve special set-up and consulting services to support
the development and installation of custom digital certificate formats,
subscriber services, authentication interfaces, administration tools and root
keys. VeriSign V-Commerce solutions also support the deployment of certain of
the digital certificate service functions at the customer's site or remote
offices to allow for maximum control and flexibility. VeriSign V-Commerce
enables companies and government agencies to realize the full potential of IP
networks as a medium for trusted and secure communications and commerce by
relying on the Company to develop, deploy and administer a large scale digital
certificate implementation. VeriSign V-Commerce terms are negotiated based on
the annual volume of digital certificates, associated services and
customization required.
VeriSign SET. VeriSign SET is an electronic commerce solution targeted at
certified banks, payment processors or major credit card brands to enable
cardholders, merchants and payment gateways to enroll for and obtain digital
certificates for use with the SET specification without the expense of
developing and hosting a custom digital certificate solution. The SET
specification was developed by an industry consortium, including MasterCard
and VISA, to enable secure payments and purchases over IP networks. SET
digital certificates are used to establish the identity of participants in a
SET transaction. The Company delivers SET services directly to certified banks
or payment processors and to banks on behalf of major credit card brands,
including Air Travel Card, Diners Club, MasterCard, NOVUS/Discover and VISA.
There are currently approximately 100 VISA member banks that are using
VeriSign SET solutions in pilot programs.
SERVICES
In addition to its broad set of digital certificate solutions, the Company
also provides, or intends to provide, a range of services that augment its
solutions with added value or trust functionality. These services include:
Professional Consulting Services. The Company employs experts in
cryptography and digital certificate management who offer consulting and
training services to organizations implementing digital certificate solutions.
VeriSign's professional services group provides a variety of design,
development and implementation services, including interfacing with existing
applications and databases, consulting on policies and procedures related to
the management and deployment of digital certificates and the selection of
related software and hardware (e.g., smart cards and readers) to complement a
digital certificate solution. These consulting and training services are
billed on a time and materials basis.
Key Generation Ceremonies. For larger organizations wishing to establish
customized storage of their digital certificate root keys as well as an
auditable record of the root key generation process, the Company provides a
custom "key generation ceremony" as part of its setup services, complete with
videography, dedicated hardware and secret key sharing among trusted parties.
These key generation services provide an added measure of security and an
audit trail for the issuance and management of digital certificates.
Status Services. The Company has developed services that will
support real-time confirmation of the status of a particular digital
certificate used in specific applications by providing a digitally signed
receipt acknowledging "good," "revoked" or "unknown" status of a digital
certificate to the requesting party. The Company currently uses a real-time
status service to support Microsoft's Authenticode program. The Company
expects to broaden the use of status services to other digital certificate
markets during the first half of 1998.
Time Stamping Services. The Company offers a time stamping service that
allows software developers to add a verifiable time and date stamp to software
content that they digitally sign with their Software Developer Digital IDs.
The Company is currently developing time stamping services for a variety of
other applications.
Warranty and Insurance Plans. To extend its NetSure Protection Plan
offerings, the Company is developing programs to make insurance products
available to its enterprise and electronic commerce customers so that these
customers can purchase insurance from third-party insurers to cover losses
resulting from the use of digital certificates on both a per certificate and
per transaction basis.
CUSTOMERS AND MARKETS
VeriSign's target customers for its enterprise and electronic commerce
digital certificate solutions include consumers, government agencies,
financial institutions, content providers and other organizations requiring
trusted and secure communications and commerce over IP networks. The following
examples illustrate how certain organizations use VeriSign's digital
certificate solutions:
Credit Cards. VISA wants to promote the use of its cards as the preferred
payment method for purchases over the Internet. To accomplish this goal, it
must give consumers the confidence to use their account numbers
safely over the Internet while reducing the potential for losses due to fraud.
VISA has adopted the SET protocol, which dictates the use of digital
certificates for all parties involved in transactions, including cardholders,
merchants, issuing banks, acquiring banks and payment gateways. VISA chose
VeriSign to provide SET digital certificate solutions to, and on behalf of,
its member banks. The benefits that VISA and its member banks expect to
receive include increased use of the card for purchases over the Internet,
increased customer loyalty and a reduction in losses due to credit card fraud.
VISA currently is conducting a pilot program with a number of member banks
using VeriSign SET solutions and anticipates full scale deployment of the
program in 1998.
Banking. NationsBank wants to provide secure services such as home banking,
commercial banking and credit card purchases to its business and consumer
clients over the Internet. VeriSign will provide 128-bit Server Digital IDs
and bank-branded client digital certificates for home and commercial banking
as well as VeriSign SET digital certificates for NationsBank's credit card
holders. The benefits that NationsBank expects to receive include improved
customer service, reduced service costs and broader geographic reach.
NationsBank is currently utilizing VeriSign's 128-bit Server Digital IDs for
home banking and commercial banking and anticipates offering bank-branded
client digital certificates and VeriSign SET digital certificates in mid-1998.
VISA accounted for approximately 21% and 14% of the Company's revenues for
1996 and 1997, respectively. VISA also accounted for 13% and 11% of the
Company's accounts receivable as of December 31, 1996 and 1997, respectively.
In addition, two other customers, a South African systems integrator and a
financial services provider, accounted for approximately 28% and 13%,
respectively, of accounts receivable as of December 31, 1996 and one other
customer, a network equipment provider, accounted for approximately 13% of
accounts receivable as of December 31, 1997.
TECHNOLOGY AND ARCHITECTURE
The Company employs a modular set of software applications and toolkits,
which collectively make up its proprietary WorldTrust architecture, as the
core platform for all of its digital certificate solutions. The modular design
of the WorldTrust architecture enables the Company's digital certificate
services to be distributed over one or many co-located or dispersed computer
systems, allowing certain functions of the certification process, such as
registration, authentication, issuance, revocation, renewal or replacement, to
be deployed at customer or affiliate locations while maintaining a secure and
reliable link to one of the Company's Digital ID Centers for back-end
processing. These modules can also be replicated in order to handle increased
volumes of digital certificates. Digital certificate service modules
incorporated in the WorldTrust architecture include:
Subscriber Services Module. The subscriber services module supports requests
for digital certificate issuance, revocation, renewal and replacement.
Software toolkits are provided to permit rapid customization and integration
of digital certificate services with a customer's business-specific Web-based
solutions.
Authentication Services Module. The authentication services module supports
manual, automated and delegated authentication of subscribers by designated
sources prior to certificate issuance. Software toolkits and APIs are provided
to allow for integration with various process models and database systems.
Administration and Support Modules. The administration and support modules
provide lifecycle services such as digital certificate revocation, renewal and
reissuance, as well as a customer support knowledge base to facilitate general
reporting of CA activity and Web-based and e-mail-based support of customers
and end users.
Directory Services Module. The directory services module utilizes database
applications typically hosted at one of the Company's Digital ID Centers to
support the storage of and access to digital certificates and associated
information for a particular customer. Enterprise and electronic commerce
customers can also download updated copies of their directory information to
their systems.
Service Control Module. The service control module is hosted at one of the
Company's Digital ID Centers and acts as a gatekeeper, decoding and routing
all certificate service requests based on customer type, application
type, security protocol, authentication policies, certificate content and
billing rules. This module utilizes a proprietary, data-driven programming
model to define each service and dispatch the appropriate control and error
commands to other modules.
Certificate Processing Module. The certificate processing module is hosted at
one of the Company's Digital ID Centers and creates digital certificates with
digital signatures on each certificate, delivers certificates to subscribers
and stores a copy of each digital certificate for archive, audit and directory
purposes.
INFRASTRUCTURE
The Company believes that its highly reliable and scaleable operations
infrastructure represents a strategic advantage in providing digital
certificate solutions. The Company's Digital ID Centers are located in Mountain
View, California and Kawasaki, Japan. These centers operate on a 24 hour x 7
day basis, and support all aspects of issuance and management of digital
certificates as well as delivery of related digital certificate services. By
leveraging the Company's WorldTrust architecture, certain functionality of the
Company's Digital ID Centers can be distributed in optimum configurations based
on customer requirements for availability and capacity. Key features of the
Company's infrastructure include:
Distributed Servers. The Company deploys a large number of high-speed servers
to support capacity and availability demands. Additional servers can be added
to support increases in certificate volumes, new service introductions, new
customers and higher levels of redundancy without service interruptions or
response time degradation. The WorldTrust architecture provides automatic fail-
over, load balancing and threshold monitoring on critical servers.
Advanced Telecommunications. The Company deploys redundant telecommunications
and routing hardware and maintains high-speed connections to multiple ISPs and
throughout its internal network to ensure that its mission critical services
are readily accessible to customers at all times.
Network Security. The Company incorporates advanced architectural concepts
such as protected domains, restricted nodes and distributed access control in
its system architecture. The Company has also developed proprietary
communications protocols within and between the WorldTrust architecture modules
that it believes can prevent most known forms of electronic attacks. In
addition, the Company employs the latest network security technologies,
including firewalls and intrusion detection software, and contracts with
security consultants who perform periodic attacks and security risk
assessments. The Company will continue to evaluate and deploy new technological
defenses as they become available. See "Risk Factors--System Interruption and
Security Breaches."
Call Center and Help Desk. The Company provides a wide range of customer
support services through a phone-based call center, e-mail help desk and Web-
based self-help system. The Company's call center is staffed from 8 a.m. to 5
p.m. PST and employs an Automated Call Director system. The Web-based support
services are available on a 24 hour x 7 day basis. E-mail support utilizes
customized auto response systems to provide self-help recommendations and a
staff of trained customer support agents.
Disaster Recovery Plans. Although the Company believes its operations
facilities are highly resistant to systems failure and sabotage, it has
developed, and is in the process of implementing, a disaster recovery and
contingency operations plan and has an agreement with Comdisco Corporation to
provide replication of customer data, facilities and systems at another site so
that its main services can be re-instated within 24 hours of a failure. In
addition, all of the Company's digital certificate services are linked to
advanced storage systems that provide data protection through techniques such
as mirroring and replication. See "Risk Factors--System Interruption and
Security Breaches."
SECURITY AND TRUST PRACTICES
The Company believes that its perceived level of trustworthiness as a CA will
continue to be a significant determining factor in the acceptance of the
Company's digital certificate solutions. The Company believes that its
reputation as a trusted party will be based, to a large extent, on both the
security of its physical infrastructure and the special practices used in its
operations. The Company's Digital ID Centers include state-of-the-art physical
and network security. The Company also seeks to take a leading role in defining
and adhering to industry-endorsed trust practices and procedures, which the
Company believes are also critical to establishing its perceived
trustworthiness as a CA. The Company has invested significant capital and human
resources in its security and practices including:
Employees. The Company uses stringent hiring and personnel management
practices for all operations and certain engineering personnel as well as all
executive management. The Company utilizes a licensed private investigation
firm to conduct background checks into potential employees' criminal and
financial histories and conducts periodic investigations of such personnel on
an ongoing basis.
Security Monitoring Systems. The Company has sophisticated access control and
monitoring systems that help prevent unauthorized access to secure areas and
provide 24 hour x 7 day monitoring and logging of activities within its
facilities. These systems include electronic key and biometric access control
devices, video monitoring and recording devices, deployment and automatic
arming of motion detectors, glass breakage detectors and remote alarm system
monitoring.
Site Construction. The Company's Digital ID Centers have been built using
construction techniques modeled after U.S. Army specifications for facilities
accredited to handle classified information and contain a robust set of
physical and environmental defenses. These defenses include double layer, slab-
to-slab wall design, self-closing and locking metal doors at all secure
entrances, man traps, tamper proof enclosures for cryptographic materials and
fire prevention systems.
Back-up Power Systems. The Company has invested in back-up power systems that
automatically activate in the event of a failure in its primary power sources.
These include uninterruptible power supply systems and a diesel generator and
fuel supply. To ensure reliability, these systems are tested on a periodic
basis.
Audits. The Company's Practices and External Affairs Department periodically
performs, and retains accredited third parties to perform, audits of its
operational procedures under both internally-developed procedures and
externally-recognized standards.
Practices. The Company's Practices and External Affairs Department is
responsible for the development of the Company's practices for issuing and
managing digital certificates. These practices are set forth in the Company's
Certification Practice Statement, which the Company provides in order to assure
potential customers and strategic partners as to the trustworthiness of the
Company's digital certificate solutions. The Practices and External Affairs
Department is also responsible for the Company's accountability and security
controls and regularly monitors all aspects of the Company's Digital ID
Centers.
Policy Making Activities. The Practices and External Affairs Department also
takes a leading role in a variety of organizations that are defining standards
for trusted and secure communications and commerce over IP networks. For
example, the Company actively participates in the United Nations Commission on
International Trade Law, which created the United Nations Model Law on
Electronic Commerce, the American Bar Association's Information Security
Committee, Section of Science and Technology, which has drafted digital
signature guidelines, the International Chamber of Commerce ETERM Working
Party, which is chaired by the Company's Vice President of Practices and
External Affairs, and the U.S. State Department Advisory Committee on
Electronic Commerce.
VERISIGN JAPAN
In February 1996, the Company formed VeriSign Japan in order to market and
deliver its digital certificate solutions in Japan. VeriSign Japan has built
and operates a secure Digital ID Center in Kawasaki, Japan, maintains sales and
marketing, engineering and administrative staffs and offers customer support
services, thus enabling it to provide the Company's digital certificate
solutions to the Japanese market. As of December 31, 1997, VeriSign Japan had
23 employees. In 1996 and 1997, additional strategic investors acquired 49.5%
of the outstanding capital stock of VeriSign Japan. These investors included
the following: The Long Term Credit Bank of Japan, Ltd.; Matsushita Graphic
Communication Systems Co., Ltd.; Mitsubishi Corporation; NEC Corporation;
Nippon Investment & Finance Co., Ltd.; Nippon Steel Corporation; NISSHO IWAI
Corporation; NTT Data Corporation; NTT Electronics Corporation; NTT PC
Communications, Inc.; The Sakura Bank, Limited; The Sanwa Bank, Limited; Sharp
Corporation; SOFTBANK Corporation; Sony Corporation; The Sumitomo Credit
Service Co., Ltd.; The Sumitomo Trust and Banking Company, Limited; and Toshiba
Corporation.
STRATEGIC RELATIONSHIPS
The Company has established strategic relationships with leading companies
across a number of industry segments, including AT&T, BT, Cisco, Microsoft,
Netscape, SecureOne (a consortium of McAfee Associates, RSA and Security
Dynamics), Security Dynamics, VeriFone and VISA.
AT&T. The Company has entered into an agreement with AT&T that will enable
AT&T to offer VeriSign's digital certificates in conjunction with AT&T's
Internet services. AT&T plans to act as a certificate authority and issue
digital certificates under the AT&T brand beginning in 1998.
British Telecommunications plc. BT plans to issue digital certificates and to
provide a range of digital certificate services for secure Internet access and
electronic commerce under a license from VeriSign. Certain of these services
will be available in the Spring of 1998. With support from VeriSign, BT plans
to establish a certificate authority in the United Kingdom, and both companies
plan to collaborate to develop legal practices and policies to gain and
maintain compliance with United Kingdom and European-based regulations and
standards as they emerge.
Cisco. The Company has developed a custom software product to provide digital
certificate functionality in Cisco-based intranet environments. As a result,
intranets utilizing Cisco products will support applications that rely on
VeriSign digital certificates for authentication and network management. The
Company and Cisco also engage in a variety of joint marketing efforts. Cisco is
a stockholder of the Company.
Microsoft. The Company works with Microsoft to develop, promote and
distribute a variety of client-based and server-based digital certificate
solutions and has been designated as the preferred provider of digital
certificates for Microsoft customers. The Company's public root key has been
embedded in Microsoft's Internet Explorer since version 3.0, and users can
easily enroll for VeriSign's Universal Digital IDs through this product. The
Company also provides Server Digital IDs for Microsoft's Internet Information
Server product. The Company and Microsoft also jointly promote a set of
technologies and security policies for the secure authentication and
distribution of software over the Internet and engage in other joint marketing
activities. Microsoft is a 5% stockholder of the Company.
Netscape. The Company works with Netscape on a variety of technology projects
and joint marketing activities. The Company's public root key has been embedded
in Netscape's Navigator since version 2.0 and in Netscape's Communicator since
version 4.0. The Company also has an agreement with Netscape through February
1998 which provides that Netscape will exclusively feature the Company as the
premier provider of
digital certificates on the Netscape Web site and also provides for the Company
to have a first right of participation for any new Netscape products
incorporating digital certificate technology. Enrollment for free, limited-use
versions of the Company's Universal Digital IDs is integrated into the
registration process of Netscape's Netcenter online service and users of
Netscape browsers can easily enroll for standard VeriSign Universal Digital IDs
through these products. Netscape SuiteSpot and SuiteSpot with 128-bit
encryption capabilities can also utilize the Company's Server Digital IDs. The
Company also supports Netscape's object signing technology, enabling software
developers to digitally sign Java and JavaScript objects in order to
authenticate the developer's identity and assure end users that the downloaded
objects have not been tampered with or modified.
SecureOne. The Company, McAfee Associates, RSA and Security Dynamics are
jointly developing the SecureOne framework, which is designed to provide
enterprises with a platform for developing and maintaining secure networks that
link anti-virus, authentication, encryption and digital certificate
technologies. The SecureOne framework will integrate the programming interfaces
of McAfee Associates' Virus Interface for Protective Early Response, Security
Dynamics' Enterprise Security Services ("ESS") architecture, RSA's digital
signature, cryptographic, messaging and transaction security engines and a
VeriSign software developer toolkit to enable digital certificate functionality
in secure applications. The companies have also agreed to integrate their
security technologies through a series of cross-licensing agreements, and, as a
result, the Company's Class 1 Universal Digital IDs are being issued on a trial
basis to users of McAfee Associates' VirusScan Security Suite. Security
Dynamics, together with its wholly-owned subsidiaries, is the largest
stockholder of the Company.
Security Dynamics. The Company has entered into an agreement with Security
Dynamics under which Security Dynamics will incorporate custom digital
certificate technology developed by VeriSign into Security Dynamics' ESS
architecture, which is used in certain of Security Dynamics' security
solutions. Security Dynamics has also agreed to be a reseller of the Company's
VeriSign OnSite product. The Company believes that Security Dynamics is a
market leader in enterprise security and that, by including VeriSign technology
and products in Security Dynamics' products, the Company will have a broader
potential market for its digital certificate solutions. Security Dynamics,
through a controlled entity, is the largest stockholder of the Company. See
"Certain Transactions" and "Principal Stockholders."
VeriFone. The Company and VeriFone have executed a term sheet which provides
that VeriFone will become a reseller of the Company's SET services and Server
Digital ID products in connection with VeriFone's Internet payment solutions.
In addition, VeriFone has agreed to promote VeriSign as the preferred provider
of SET digital certificate services to its current and prospective customers
and to use its best efforts to position the Company as a premier provider of
SET and non-SET digital certificate services for use by Hewlett-Packard and its
affiliated entities. VeriFone has also agreed to engage in a variety of joint
marketing activities with the Company. Hewlett-Packard, VeriFone's parent
company, is a stockholder of the Company.
VISA. The Company has an agreement with VISA under which the Company provides
SET digital certificate solutions to VISA on behalf of its member banks
enabling them to offer branded SET-compliant digital certificates to their
cardholders and merchants. To date, approximately 100 member banks worldwide
are using VeriSign SET solutions in pilot programs. VISA is a 6% stockholder of
the Company. See "Certain Transactions" and "Principal Stockholders."
MARKETING, SALES AND DISTRIBUTION
MARKETING
The Company utilizes a variety of marketing programs to increase brand
awareness. In addition to joint marketing arrangements, the Company also
engages in a variety of direct marketing programs that are focused on owners of
Web servers, home and business PC users and enterprise professionals in mid-
sized and large organizations. The Company addresses these customers through
outbound e-mail, telemarketing and printed mail campaigns to stimulate product
trial, purchase and usage. The Company also uses banner ads that link to the
Company's Web site, participates in industry-specific events, trade shows,
executive seminars, industry association activities and various national and
international standards bodies.
SALES AND DISTRIBUTION
The Company markets its digital certificate solutions worldwide through
multiple distribution channels. To date, direct sales and Internet sales have
accounted for a substantial majority of the Company's revenues. The Company has
recently begun to market its digital certificate solutions through other
distribution channels, including telesales, VARs, systems integrators and OEMs.
Internet Sales. The Company distributes many of its products through its Web
sites. The Company believes that Internet distribution is particularly well-
suited for sales of certain of its enterprise solutions and Internet IDs and
can be used to serve a large number of Internet users from multiple countries.
The Company also utilizes its Web site to assist in disseminating product
information and in generating product leads and trials for a number of its
products and services.
Direct Sales. The Company's direct sales force targets mid-sized and large
corporations, financial institutions, commercial Web sites and federal and
state government agencies. The Company believes that these organizations have a
substantial installed base of PCs, Web servers, IP networks and high-speed
access to the Internet and are most likely to be able to benefit quickly from
the use of digital certificates. The direct sales force also targets
international organizations that the Company believes are the most suitable to
act as VeriSign affiliates. In certain instances, the Company's direct sales
force works with complementary VARs, hardware OEMs and systems integrators to
deliver complete solutions for major customers. As of December 31, 1997, the
Company had 26 direct sales and sales support personnel. The Company maintains
sales offices and personnel in California, Illinois, Maryland, Massachusetts,
New York and Japan.
Telesales. The Company currently outsources its telemarketing operations to a
third party for use in customer prospecting, lead generation and lead follow-
up. This marketing activity qualifies leads for further follow up by the direct
sales force or resellers or leads the prospect to VeriSign's Web site so that
the prospect can access information or enroll for enterprise or electronic
commerce solutions. The Company anticipates taking its telemarketing operations
in-house in the first half of 1998.
VARs and Systems Integrators. The Company works with VARs and systems
integrators to package and sell its enterprise and electronic commerce
solutions and Internet IDs. The Company also has a VeriSign Business Partner
Program that allows leading ISPs to offer VeriSign Server Digital IDs as an
integral part of their secure Web site hosting services. Current members of
this program include AOL Primehost, Epoch Internet, Hiway Technologies,
Internet Servers, Inc., pcbank.net and PSINET, Inc.
OEMs. The Company provides technology and products for certificate management
to OEMs, which integrate the technology and products with value-added software
or service offerings and sell the bundled solution to end user customers. Cisco
and Security Dynamics have OEM relationships with the Company. See "--Strategic
Relationships."
International. The Company intends to market its products and services to
international markets directly over the Internet and through resellers and
affiliate relationships. The Company markets its products and services in Japan
through VeriSign Japan, which maintains a secure Digital ID Center in Kawasaki,
Japan, and employed 23 persons as of December 31, 1997. Revenues of VeriSign
Japan and from other international customers accounted for less than 10% of
revenues through 1996 and for approximately 13% of revenues for 1997. See "--
VeriSign Japan."
RESEARCH AND DEVELOPMENT
The Company believes that its future success will depend in large part on its
ability to continue to maintain and enhance its current technologies, products
and services. To this end, the Company leverages the modular nature of its
WorldTrust software architecture to enable it to rapidly develop enhancements
to its WorldTrust software and to deliver complementary new products and
services. In the past, the Company has developed products and services both
independently and through efforts with leading application developers and major
customers. The Company has also, in certain circumstances, acquired or licensed
technology from third parties,
including public key cryptography technology from RSA. Although the Company
will continue to work closely with developers and major customers in its
product development efforts, it expects that most of its future enhancements to
existing products and new products will be developed internally.
The Company has several significant projects currently in development. These
include the continued enhancement of the WorldTrust architecture and associated
software toolkits to broaden functionality and provide additional packaging and
integration options and the development of new services such as real-time
status checking, secure timestamping and smart card personalization.
As of December 31, 1997, VeriSign had 46 employees dedicated to research and
development. The Company also employs independent contractors for
documentation, usability, artistic design and editorial review. Research and
development expenses were $642,000, $2.1 million and $5.2 million for the
period from April 12, 1995 (inception) to December 31, 1995, 1996 and 1997,
respectively. To date, all development costs have been expensed as incurred.
The Company believes that timely development of new and enhanced products and
technology is necessary to remain competitive in the marketplace. Accordingly,
the Company intends to continue recruiting and hiring experienced research and
development personnel and to make other investments in research and
development.
The market for digital certificate products and related services is an
emerging market characterized by rapid technological developments, frequent new
product introductions and evolving industry standards. The emerging nature of
this market and its rapid evolution will require that the Company continually
improve the performance, features and reliability of its products and services,
particularly in response to competitive offerings and that it introduce new
products and services or enhancements to existing products and services as
quickly as possible and prior to its competitors. The success of new product
introductions is dependent on several factors, including proper new product
definition, timely completion and introduction of new products, differentiation
of new products from those of the Company's competitors and market acceptance
of the Company's new products and services. There can be no assurance that the
Company will be successful in developing and marketing new products and
services that respond to competitive and technological developments and
changing customer needs. The failure of the Company to develop and introduce
new products and services successfully on a timely basis and to achieve market
acceptance for such products and services could have a material adverse effect
on the Company's business, operating results and financial condition. In
addition, the widespread adoption of new Internet, networking or
telecommunication technologies or standards or other technological changes
could require substantial expenditures by the Company to modify or adapt its
products and services. To the extent that a specific method other than digital
certificates is adopted to enable trusted and secure commerce and
communications over IP networks, sales of the Company's existing and planned
products and services will be adversely affected and the Company's products and
services could be rendered unmarketable or obsolete, which would have a
material adverse effect on the Company's business, operating results and
financial condition. The Company believes there is a time-limited opportunity
to achieve market share, and there can be no assurance that the Company will be
successful in achieving widespread acceptance of its products and services or
in achieving market share before competitors offer products and services with
features similar to the Company's current offerings. Any such failure by the
Company could have a material adverse effect on the Company's business,
operating results and financial condition. See "Risk Factors--Rapid
Technological Change; New Product and Services Introductions."
CUSTOMER SUPPORT
The Company believes that a high level of customer support for commerce and
enterprise customers as well as end users of digital certificates is necessary
to achieve acceptance of its digital certificates and related products and
services. The Company provides a wide range of customer support services
through a staff of customer service personnel, call center, e-mail help desk
and a Web-based self-help system. Since it introduced its first products over
two years ago, the Company has developed a substantial knowledge base of
customer support information based on its customer interactions and believes
that this offers the Company a competitive advantage. The Company's call center
is staffed from 8 a.m. to 5 p.m. PST and employs an Automated Call Director
system
to provide self-help services and, if necessary, to route support calls to
available support personnel. The Company also offers Web-based support services
that are available on a 24 hour x 7 day basis and that are frequently updated
to improve existing information and to support new services. The Company's e-
mail customer support service utilizes customized auto response systems to
provide self-help recommendations and also utilizes a staff of trained customer
support agents who typically respond to customer inquiries within 24 hours. As
of December 31, 1997, the Company had 57 employees in its customer support
organization.
The Company also employs technical support personnel who work directly with
its direct sales force, distributors and customers of its electronic commerce
and enterprise solutions. The Company's annual maintenance agreements for its
electronic commerce and enterprise solutions include technical support and
upgrades. The Company also provides training programs for customers of its
enterprise and electronic commerce solutions.
COMPETITION
The Company's digital certificate solutions are targeted at the new and
rapidly evolving market for trusted and secure communications and commerce over
IP networks. Although the competitive environment in this market has yet to
develop fully, the Company anticipates that it will be intensely competitive,
subject to rapid change and significantly affected by new product and service
introductions and other market activities of industry participants.
The Company's primary competitors are Entrust, GTE CyberTrust and IBM. The
Company also experiences competition from a number of smaller companies that
provide digital certificate solutions. The Company expects that competition
from established and emerging companies in the financial and telecommunications
industries will increase in the near term, and that the Company's primary long-
term competitors may not yet have entered the market. Netscape has introduced
software products that enable the issuance and management of digital
certificates, and the Company believes that other companies could introduce
such products. There can be no assurance that additional companies will not
offer digital certificate solutions that are competitive with those of the
Company. Increased competition could result in pricing pressures, reduced
margins or the failure of the Company's products and services to achieve or
maintain market acceptance, any of which could have a material adverse effect
on the Company's business, operating results and financial condition.
Several of the Company's current and potential competitors have longer
operating histories and significantly greater financial, technical, marketing
and other resources than the Company and therefore may be able to respond more
quickly than the Company to new or changing opportunities, technologies,
standards and customer requirements. Many of these competitors also have
broader and more established distribution channels that may be used to deliver
competing products or services directly to customers through bundling or other
means. If such competitors were to bundle competing products or services for
their customers, the demand for the Company's products and services might be
substantially reduced and the ability of the Company to distribute its products
successfully and the utilization of its services would be substantially
diminished. In addition, browser companies that embed the Company's root keys
or otherwise feature the Company as a provider of digital certificate solutions
in their Web browsers or on their Web sites could also promote competitors of
the Company or charge the Company substantial fees for such promotions in the
future. New technologies and the expansion of existing technologies may
increase the competitive pressures on the Company. There can be no assurance
that competing technologies developed by others or the emergence of new
industry standards will not adversely affect the Company's competitive position
or render its products or technologies noncompetitive or obsolete. In addition,
the market for digital certificates is nascent and is characterized by
announcements of collaborative relationships involving competitors of the
Company. The existence or announcement of such relationships could adversely
affect the Company's ability to attract and retain customers. As a result of
the foregoing and other factors, there can be no assurance that the Company
will compete effectively with current or future competitors or that competitive
pressures faced by the Company will not have a material adverse effect on the
Company's business, operating results and financial condition. See "Risk
Factors--Competition."
INTELLECTUAL PROPERTY
The Company relies primarily on a combination of copyrights, trademarks,
trade secret laws, restrictions on disclosure and other methods to protect its
intellectual property and trade secrets. The Company also enters into
confidentiality agreements with its employees and consultants, and generally
controls access to and distribution of its documentation and other proprietary
information. Despite these precautions, it may be possible for a third party to
copy or otherwise obtain and use the Company's intellectual property or trade
secrets without authorization. In addition, there can be no assurance that
others will not independently develop substantially equivalent intellectual
property. There can be no assurance that the precautions taken by the Company
will prevent misappropriation or infringement of its technology. A failure by
the Company to protect its intellectual property in a meaningful manner could
have a material adverse effect on the Company's business, operating results and
financial condition. In addition, litigation may be necessary in the future to
enforce the Company's intellectual property rights, to protect the Company's
trade secrets or to determine the validity and scope of the proprietary rights
of others. Such litigation could result in substantial costs and diversion of
management and technical resources, either of which could have a material
adverse effect on the Company's business, operating results and financial
condition.
The Company also relies on certain licensed third-party technology, such as
public key cryptography technology licensed from RSA and other technology that
is used in the Company's products to perform key functions. In particular, the
Company has been granted a perpetual, royalty free, nonexclusive, worldwide
license to distribute products it develops that contain or incorporate the RSA
BSAFE and TIPEM products and that relate to digital certificate issuing
software, software for the management of private keys and for digitally signing
computer files on behalf of others, software for customers to preview and
forward digital certificate requests to the Company, or such other products
that, in RSA's reasonable discretion, are reasonably necessary for the
implementation of a digital certificate business. RSA is also required to
provide maintenance and technical support for these products to the Company.
RSA's BSAFE product is a software tool kit that allows for the integration of
encryption and authentication features into software applications and TIPEM is
a secure e-mail development tool kit that allows for secure e-mail messages to
be sent using one vendor's e-mail product and read by another vendor's e-mail
product. There can be no assurance that these third-party technology licenses
will continue to be available to the Company on commercially reasonable terms
or at all, and the loss of any of these technologies could have a material
adverse effect on the Company's business, operating results and financial
condition. Moreover, in the Company's current license agreements, the licensor
has agreed to defend, indemnify and hold the Company harmless with respect to
any claim by a third party that the licensed software infringes any patent or
other proprietary right. Although these licenses are fully paid, there can be
no assurance that the outcome of any litigation between the licensor and a
third party or between the Company and a third party will not lead to royalty
obligations of the Company for which the Company is not indemnified or for
which such indemnification is insufficient, or that the Company will be able to
obtain any additional license on commercially reasonable terms or at all. In
the future, the Company may seek to license additional technology to
incorporate in its products and services. There can be no assurance that any
third party technology licenses that the Company may be required to obtain in
the future will be available to the Company on commercially reasonable terms or
at all. The loss of or inability to obtain or maintain any of these technology
licenses could result in delays in introduction of the Company's products or
services until equivalent technology, if available, is identified, licensed and
integrated, which could have a material adverse effect on the Company's
business, operating results and financial condition.
From time to time, the Company has received, and may receive in the future,
notice of claims of infringement of other parties' proprietary rights. There
can be no assurance that infringement or other claims will not be asserted or
prosecuted against the Company in the future or that any past or future
assertions or prosecutions will not materially adversely affect the Company's
business, operating results and financial condition. Any such claims, with or
without merit, could be time-consuming, result in costly litigation and
diversion of technical and management personnel, cause product shipment delays
or require the Company to develop non-infringing technology or enter into
royalty or licensing agreements. Such royalty or licensing agreements, if
required, may not be available on terms acceptable to the Company, or at all.
In the event of a
successful claim of product infringement against the Company and the failure or
inability of the Company to develop non-infringing technology or license the
infringed or similar technology on a timely basis, the Company's business,
operating results and financial condition could be materially adversely
affected. See "Risk Factors--Intellectual Property; Potential Litigation."
EMPLOYEES
As of December 31, 1997, the Company had 185 full-time employees. Of the
total, 55 were employed in sales and marketing, 46 in research and development,
57 in customer support, four in practices and external affairs, three in
federal markets, and 20 in finance and administration. The Company has never
had a work stoppage, and no employees are represented under collective
bargaining agreements. The Company considers its relations with its employees
to be good. The Company's ability to achieve its financial and operational
objectives depends in large part upon its continuing ability to attract,
integrate, retain and motivate highly qualified sales, technical and managerial
personnel, and upon the continued service of its senior management and key
sales and technical personnel, none of whom is bound by an employment
agreement. Competition for such qualified personnel in the Company's industry
and geographical location in the San Francisco Bay Area is intense,
particularly in software development and product management personnel. See
"Risk Factors--Dependence on Key Personnel."
FACILITIES
The Company's principal administrative, sales, marketing, research and
development and operations facilities are located in two adjacent buildings in
Mountain View, California, where they occupy approximately 44,000 square feet
under leases expiring in 2001. The Company intends to obtain additional office
space in 1998 contiguous to its headquarters. The Company believes that this
additional space will be available and that its current facilities, together
with this additional space, will be adequate to meet its needs for the
foreseeable future.
The Company also leases space for sales and support offices in Rosemont,
Illinois; Linthicum, Maryland; Cambridge, Massachusetts; and Uniondale, New
York. In addition, VeriSign Japan leases space in Kawasaki, Japan for its
offices and Digital ID Center. The Company's success is largely dependent on
the uninterrupted operation of its Digital ID Centers and computer and
communications systems. See "Risk Factors--System Interruption and Security
Breaches."
MANAGEMENT
EXECUTIVE OFFICERS AND DIRECTORS
The following table sets forth certain information regarding the executive
officers and directors of the Company as of December 31, 1997.
NAME                         AGE   POSITION
----                         ---   --------
D. James Bidzos (1)          42    Chairman of the Board
Stratton D. Sclavos          36    President, Chief Executive Officer and Director
Michael S. Baum              45    Vice President of Practices and External Affairs
Ethel E. Daly                53    Vice President of Worldwide Operations
Dana L. Evan                 38    Vice President of Finance and Administration and Chief Financial Officer
Quentin P. Gallivan          40    Vice President of Worldwide Sales
Nicholas F. Piazzola         51    Vice President of Federal Markets
Arnold Schaeffer             34    Vice President of Engineering
Richard A. Yanowitch         41    Vice President of Marketing
Timothy Tomlinson (2)        47    Secretary and Director
William Chenevich (1)(2)     54    Director
Kevin R. Compton (2)         39    Director
David J. Cowan (1)           31    Director
--------
(1) Member of the Compensation Committee
(2) Member of the Audit Committee
D. JAMES BIDZOS has served as Chairman of the Board of the Company since its
founding in April 1995 and served as Chief Executive Officer of the Company
from April 1995 to July 1995. He has also served as President and Chief
Executive Officer of RSA since 1986. RSA was acquired by Security Dynamics in
July 1996 and has been a wholly-owned subsidiary of Security Dynamics since
that time. Mr. Bidzos has been an Executive Vice President and a director of
Security Dynamics since its acquisition of RSA.
STRATTON D. SCLAVOS has served as President and Chief Executive Officer and
as a director of the Company since he joined the Company in July 1995. From
October 1993 to June 1995, he was Vice President, Worldwide Marketing and
Sales of Taligent, Inc. ("Taligent"), a software development company that was
a joint venture among Apple Computer, Inc. ("Apple"), IBM and Hewlett-Packard.
From May 1992 to September 1993, Mr. Sclavos was Vice President of Worldwide
Sales and Business Development of GO Corporation, a pen-based computer
company. Prior to that time, he served in various sales and marketing
capacities for MIPS Computer Systems, Inc. and Megatest Corporation. Mr.
Sclavos is also a director and a member of the compensation committee of
Network Solutions, Inc. Mr. Sclavos holds a B.S. degree in Electrical and
Computer Engineering from the University of California at Davis.
MICHAEL S. BAUM has served as Vice President of Practices and External
Affairs of the Company since he joined the Company in November 1995. From 1987
to October 1995, he was the founder and a principal of Independent Monitoring,
a consulting firm specializing in digital commerce and information security
law. Prior to that time, Mr. Baum was employed by BBN Corporation in various
capacities. Mr. Baum holds a B.A. degree in History from Carnegie Mellon
University, an M.B.A. degree in Management of Technology from the Wharton
School of the University of Pennsylvania and a J.D. degree from Western New
England School of Law.
ETHEL E. DALY has served as Vice President of Worldwide Operations of the
Company since she joined the Company in June 1996. From January 1995 to June
1996, she was Senior Vice President, Product Management and Marketing of
Knight-Ridder Information, Inc., an online information services company. Prior
to that time, from 1986 to January 1995, Ms. Daly worked for Charles Schwab
and Company, a stock brokerage firm, most
recently as Managing Director, International Division. Prior to that time, she
held the positions of Vice President of Marketing for Attalla Corporation and
Vice President Electronic Banking of Crocker National Bank. Ms. Daly holds a
B.A. degree in Psychology from San Francisco State University and a Masters of
Business Management degree from Stanford University.
DANA L. EVAN has served as Vice President of Finance and Administration and
Chief Financial Officer of the Company since she joined the Company in June
1996. From 1988 to June 1996, she worked as a financial consultant in the
capacity of chief financial officer, vice president of finance or corporate
controller for various public and private companies and partnerships,
including the Company from November 1995 to June 1996, Delphi Bioventures, a
venture capital firm, from 1988 to June 1995, and Identix Incorporated, a
manufacturer of biometric identity verification and imaging products, from
1991 to August 1993. Prior to 1988, she was employed by KPMG Peat Marwick LLP,
most recently as a senior manager. Ms. Evan is a certified public accountant
and holds a B.S. degree in Commerce with a concentration in Accounting and
Finance from the University of Santa Clara.
QUENTIN P. GALLIVAN has served as Vice President of Worldwide Sales of the
Company since he joined the Company in October 1997. From April 1996 to
October 1997, he was Vice President for Asia Pacific and Latin America of
Netscape, a software company. Prior to that time, Mr. Gallivan was with
General Electric Information Services, an electronic commerce services
company, most recently as Vice President, Sales and Services for the Americas.
NICHOLAS F. PIAZZOLA has served as Vice President of Federal Markets of the
Company since he joined the Company in December 1996. From 1969 to November
1996, he was employed by the United States National Security Agency (the
"NSA"), most recently as Chief, Network Security Group from May 1994 to
November 1996 and Chief, Infosec Research & Technology Group until April 1994.
Mr. Piazzola holds a B.S. degree in Electrical Engineering from Villanova
University and an M.S. degree in Electrical Engineering from the University of
Maryland.
ARNOLD SCHAEFFER has served as Vice President of Engineering of the Company
since he joined the Company in January 1996. From March 1992 to December 1995,
he was employed by Taligent, most recently as Vice President of Engineering,
CommonPoint Products. Prior to working at Taligent, he served as a software
engineer for Apple, Intellicorp and Hewlett-Packard. Mr. Schaeffer holds a
B.S. degree in Information and Computer Science from the Georgia Institute of
Technology and an M.B.A. degree from the University of California at Berkeley.
RICHARD A. YANOWITCH has served as Vice President of Marketing of the
Company since he joined the Company in May 1996. From July 1995 to May 1996,
he was a management consultant to private software companies. From 1989 to
June 1995, he held a series of marketing positions with Sybase, Inc., a
software company, most recently as Vice President of Corporate Marketing.
Prior to that time, he held various sales, marketing and operating positions
with The Santa Cruz Operation, Inc., Digital Equipment Corporation, Lanier
Harris Corporation and Brooks International Corporation. Mr. Yanowitch holds a
B.A. degree in History from Swarthmore College and an M.B.A. degree in
Entrepreneurial Management and Marketing from Harvard Business School.
TIMOTHY TOMLINSON has been Secretary and a director of the Company since its
founding in April 1995. He has been a partner of Tomlinson Zisko Morosoli &
Maser LLP, a law firm, since 1983. Mr. Tomlinson is also a director of Portola
Packaging, Inc. and Oak Technology, Inc. Mr. Tomlinson holds a B.A. degree in
Economics, an M.B.A. degree and a J.D. degree from Stanford University.
WILLIAM CHENEVICH has been a director of the Company since its founding in
April 1995. He has been the Group Executive Vice President, Data Processing
Systems of VISA, a financial services company, since October 1993. From May
1992 to October 1993, he was Executive Vice President and Chief Information
Officer of Ahmanson Corporation, a financial services company. Mr. Chenevich
holds a B.B.A. degree in Business and an M.B.A. degree in Management from the
City College of New York.
KEVIN R. COMPTON has been a director of the Company since February 1996. He
has been a general partner of Kleiner Perkins Caufield & Byers, a venture
capital firm, since January 1990. Mr. Compton is also a director of Citrix
Systems, Inc., Corsair Communications, Inc., Digital Generation Systems, Inc.
and Global Village Communication Inc. Mr. Compton holds a B.S. degree in
Business Management from the University of Missouri.
DAVID J. COWAN has been a director of the Company since its founding in
April 1995. He has been a general partner of Bessemer Venture Partners, a
venture capital investment firm, since August 1996. Mr. Cowan has also been a
manager of Deer IV & Co. LLC, a venture capital investment firm, since August
1996. Previously he was an associate with Bessemer Venture Partners from
August 1992 to August 1996. Mr. Cowan also served as President and Chief
Executive Officer of Visto Corporation, a computer software and service firm,
from August 1996 to April 1997, and as Chief Financial Officer of the Company
from April 1995 to June 1996. Mr. Cowan is also a director of Worldtalk
Communications Corporation. Mr. Cowan holds an A.B. degree in Mathematics and
Computer Science and an M.B.A. degree from Harvard University.
The Company's Bylaws currently authorize no fewer than five and no more than
seven directors. The Company's Board of Directors (the "Board") is currently
comprised of six directors. Directors are elected by the stockholders at each
annual meeting of stockholders to serve until the next annual meeting of
stockholders or until their successors are duly elected and qualified. The
existing directors were elected pursuant to the provisions of the
Stockholders' Agreement described in "Certain Transactions," which agreement
terminates upon the closing of this offering. Executive officers are elected
by, and serve at the discretion of, the Board. The Company's Amended and
Restated Bylaws, which will become effective upon the completion of this
offering, provide that the Board will be divided into three classes, Class I,
Class II and Class III, with each class serving staggered three-year terms.
The Class I directors, initially Messrs. Sclavos and Tomlinson, will stand for
reelection or election at the 1999 annual meeting of stockholders. The Class
II directors, initially Messrs. Compton and Cowan, will stand for reelection or
election at the 2000 annual meeting of stockholders and the Class III
directors, initially Messrs. Bidzos and Chenevich, will stand for reelection or
election at the 2001 annual meeting of stockholders.
BOARD COMMITTEES
The Board has established an Audit Committee to meet with and consider
suggestions from members of management, as well as the Company's independent
accountants, concerning the financial operations of the Company. The Audit
Committee also has the responsibility to review audited financial statements
of the Company and consider and recommend the employment of, and approve the
fee arrangements with, independent accountants for both audit functions and
for advisory and other consulting services. The Audit Committee is currently
comprised of Messrs. Chenevich, Compton and Tomlinson. The Board has also
established a Compensation Committee to review and approve the compensation
and benefits for the Company's key executive officers, administer the
Company's stock purchase, equity incentive and stock option plans and make
recommendations to the Board regarding such matters. The Compensation
Committee is currently comprised of Messrs. Bidzos, Chenevich and Cowan.
DIRECTOR COMPENSATION
Directors do not receive any cash fees for their service on the Board or any
Board committee, but they are entitled to reimbursement of all reasonable out-
of-pocket expenses incurred in connection with their attendance at Board and
Board committee meetings. At the Company's founding in April 1995, the Company
granted an option to purchase 25,000 shares of its Common Stock under the
Company's 1995 Stock Option Plan to D. James Bidzos with an exercise price of
$.12 per share. All Board members are eligible to receive stock options under
the Company's stock option plans, and outside directors receive stock options
pursuant to automatic grants of stock options under the 1995 Stock Option
Plan. In July 1996, the Company granted to each of Messrs. Bidzos, Chenevich,
Compton, Cowan and Tomlinson an option to purchase 10,000 shares of its Common
Stock under the Company's 1995 Stock Option Plan with an exercise price of
$8.00 per share. In June 1997, the Company granted to each of Messrs. Bidzos,
Compton, Cowan and Tomlinson an option to purchase 3,500 shares of its Common
Stock under the Company's 1995 Stock Option Plan with an exercise price of
$8.00 per share.
In October 1997, the Board adopted, and in January 1998 the stockholders
approved, the 1998 Directors Stock Option Plan (the "Directors Plan") and
reserved a total of 125,000 shares of the Company's Common Stock for issuance
thereunder. Members of the Board who are not employees of the Company, or any
parent, subsidiary or affiliate of the Company, are eligible to participate in
the Directors Plan. The option grants under the Directors Plan are automatic
and nondiscretionary, and the exercise price of the options is 100% of the
fair market value of the Common Stock on the date of grant. Each eligible
director who first becomes a member of the Board on or after the effective
date of the Registration Statement of which this Prospectus forms a part (the
"Effective Date") will initially be granted an option to purchase 15,000
shares (an "Initial Grant") on the date such director first becomes a
director. On each anniversary of a director's Initial Grant (or most recent
grant if such director was ineligible to receive an Initial Grant), each
eligible director will automatically be granted an additional option to
purchase 7,500 shares if such director has served continuously as a member of
the Board since the date of such director's Initial Grant (or most recent
grant if such director did not receive an Initial Grant). The term of such
options is ten years, provided that they will terminate seven months following
the date the director ceases to be a director or, if the Company so specifies
in the grant, a consultant of the Company (twelve months if the termination is
due to death or disability). All options granted under the Directors Plan will
vest as to 6.25% of the shares each quarter after the date of grant, provided
the optionee continues as a director or, if the Company so specifies in the
grant, as a consultant of the Company. Additionally, immediately prior to the
dissolution or liquidation of the Company or a "change in control"
transaction, all options granted pursuant to the Directors Plan will
accelerate and will be exercisable for a period of up to six months following
the transaction, after which period any unexercised options will expire.
COMPENSATION COMMITTEE INTERLOCKS AND INSIDER PARTICIPATION
Mr. Bidzos, a member of the Compensation Committee, is an Executive Vice
President and a director of Security Dynamics, which, with its wholly-owned
subsidiaries, beneficially owns approximately 26.2% of the Company's Common
Stock, and also served as the Company's Chief Executive Officer from April to
July 1995. See "Certain Transactions." No interlocking relationship exists
between the Board or Compensation Committee and the board of directors or
compensation committee of any other company, nor has any such interlocking
relationship existed in the past.
EXECUTIVE COMPENSATION
The following table sets forth certain summary information concerning the
compensation awarded to, earned by, or paid for services rendered to the
Company in all capacities during 1997 by the Company's Chief Executive Officer
and the four most highly compensated executive officers, other than the Chief
Executive Officer, who were serving as executive officers at the end of 1997
(collectively, the "Named Executive Officers").
SUMMARY COMPENSATION TABLE
                                                                         LONG-TERM
                                                                        COMPENSATION
                                            ANNUAL COMPENSATION            AWARDS
                                      --------------------------------  ------------
                                                                         SECURITIES
                                                          OTHER ANNUAL   UNDERLYING
NAME AND PRINCIPAL POSITION            SALARY     BONUS   COMPENSATION   OPTIONS(#)
------------------------------------  --------  --------  ------------  ------------
Stratton D. Sclavos                   $200,000  $183,022            --       100,000
  President and Chief Executive
  Officer
Dana L. Evan                           145,000    46,349            --        45,000
  Vice President of Finance and
  Administration and Chief Financial
  Officer
Michael S. Baum                        145,000    35,788    $15,000(1)        25,000
  Vice President of Practices and
  External Affairs
Arnold Schaeffer                       145,000    30,226            --        58,000
  Vice President of Engineering
Richard A. Yanowitch                   140,000    59,084            --            --
  Vice President of Marketing
--------
(1) Represents compensation that the Company paid Mr. Baum in exchange for his
agreement to forego certain consulting projects.
OPTION GRANTS IN FISCAL 1997
The following table sets forth certain information regarding stock options
granted to each of the Named Executive Officers during the year ended December
31, 1997.
                        INDIVIDUAL GRANTS(1)
                        -------------------------------------------------------
                                                                                 POTENTIAL REALIZABLE
                                                                                 VALUE AT ASSUMED
                                                                                 ANNUAL RATES OF
                        NUMBER OF   PERCENT OF                                   STOCK PRICE
                        SECURITIES  TOTAL OPTIONS                                APPRECIATION
                        UNDERLYING  GRANTED TO         EXERCISE                  FOR OPTION TERMS(2)
                        OPTIONS     EMPLOYEES IN       PRICE         EXPIRATION  ----------------------
NAME                    GRANTED     FISCAL YEAR(%)(3)  PER SHARE(4)  DATE                5%         10%
----------------------  ----------  -----------------  ------------  ----------  ----------  ----------
Stratton D. Sclavos        100,000        7.1             $7.00       11/4/04     $ 284,970   $ 664,102
Dana L. Evan                45,000        3.2              6.00       10/6/04       109,917     256,154
Michael S. Baum             25,000        1.8              6.00       10/6/04        61,065     142,308
Arnold Schaeffer            58,000        4.1              6.00       10/6/04       141,671     330,154
Richard A. Yanowitch            --        --                 --         --               --          --
--------
(1) Options granted in 1997 were granted under the Company's 1995 Stock Option
Plan or, in the case of Mr. Sclavos, the Company's 1997 Stock Option Plan.
These options become exercisable with respect to 25% of the shares covered
by the option on the first anniversary of the date of grant and with
respect to an additional 6.25% of these shares each quarter thereafter.
These options have a term of seven years. Upon certain changes in control
of the Company, this vesting schedule will accelerate as to 50% of any
shares that are then unvested. See "--Employee Benefit Plans" and "--
Compensation Arrangements" for a description of the material terms of
these options.
(2) Potential realizable values are net of exercise price but before taxes,
and are based on the assumption that the Common Stock of the Company
appreciates at the annual rate shown (compounded annually) from the date
of grant until the expiration of the seven-year term. These numbers are
calculated based on Securities and Exchange Commission requirements and do
not reflect the Company's projection or estimate of future stock price
growth.
(3) The Company granted options to purchase 1,407,650 shares of Common Stock
to employees during 1997.
(4) Options were granted at an exercise price equal to the fair market value
of the Company's Common Stock, as determined by the Board of Directors.
AGGREGATE OPTION EXERCISES IN FISCAL 1997 AND FISCAL YEAR-END OPTION VALUES
The following table sets forth for each of the Named Executive Officers the
shares acquired and the value realized on each exercise of stock options
during the year ended December 31, 1997 and the year-end number and value of
exercisable and unexercisable options:
                                            NUMBER OF SECURITIES        VALUE OF UNEXERCISED
                        SHARES              UNDERLYING UNEXERCISED      IN-THE-MONEY OPTIONS
                        ACQUIRED            OPTIONS AT 12/31/97(1)      AT 12/31/97(2)
                        ON        VALUE     --------------------------  --------------------------
NAME                    EXERCISE  REALIZED  EXERCISABLE  UNEXERCISABLE  EXERCISABLE  UNEXERCISABLE
----------------------  --------  --------  -----------  -------------  -----------  -------------
Stratton D. Sclavos           --        --           --        100,000           --       $500,000
Dana L. Evan                  --        --           --         45,000           --        270,000
Michael S. Baum               --        --           --         25,000           --        150,000
Arnold Schaeffer              --        --           --         58,000           --        348,000
Richard A. Yanowitch          --        --           --             --           --             --
--------
(1) Options shown were granted under the Company's 1995 Stock Option Plan or,
in the case of Mr. Sclavos, under the Company's 1997 Stock Option Plan,
and are subject to vesting as described in footnote (1) to the option
grant table above. See "--Employee Benefit Plans" and "--Compensation
Arrangements" for a description of the material terms of these options.
(2) Based on an assumed initial public offering price of $12.00 per share and
net of the option exercise price.
No options were exercised during 1997 by the Named Executive Officers. No
compensation intended to serve as incentive for performance to occur over a
period longer than one year was paid pursuant to a long-term incentive plan
during 1997 to any Named Executive Officer. The Company does not have any
defined benefit or actuarial plan under which benefits are determined
primarily by final compensation and years of service with any of the Named
Executive Officers.
EMPLOYEE BENEFIT PLANS
1995 Stock Option Plan. In April 1995, the Board adopted and the
stockholders approved the 1995 Stock Option Plan. At that time, 2,145,000
shares of Common Stock were reserved for issuance under the 1995 Stock Option
Plan, which number was increased to 4,145,000 shares in May 1996. As of
December 31, 1997, options to purchase 1,991,500 shares had been exercised
(net of repurchases), options to purchase an additional 2,102,518 shares of
Common Stock were outstanding under the 1995 Stock Option Plan with a weighted
average exercise price of $2.17 and 50,982 shares remained available for
future grants. Following the closing of this offering, no additional options
will be granted under the 1995 Stock Option Plan. Options granted under the
1995 Stock Option Plan are subject to terms substantially similar to those
described below with respect to options to be granted under the Equity
Incentive Plan. The 1995 Stock Option Plan does not provide for issuance of
restricted stock or stock bonus awards.
1997 Stock Option Plan. In October 1997, the Board adopted and the Company's
stockholders approved the 1997 Stock Option Plan. At that time, 800,000 shares
of Common Stock were reserved for issuance under the 1997 Stock Option Plan.
At December 31, 1997, options to purchase 414,300 shares of Common Stock were
outstanding under the 1997 Stock Option Plan with a weighted average exercise
price of $6.91 and 385,700 shares remained available for future grants.
Following the closing of this offering, no options will be granted under the
1997 Stock Option Plan. Options granted under the 1997 Stock Option Plan are
subject to terms substantially similar to those described below with respect
to options granted under the Equity Incentive Plan. The 1997 Stock Option Plan
does not provide for issuance of restricted stock or stock bonus awards.
1998 Equity Incentive Plan. In October 1997, the Board adopted, and in
January 1998 the stockholders approved, the Equity Incentive Plan. The total
number of shares of Common Stock reserved for issuance thereunder is 2,000,000
plus an additional number of shares described in (a) - (d) below. The Equity
Incentive Plan will become effective on the Effective Date and will serve as
the successor to the 1995 Stock Option Plan and the 1997 Stock Option Plan
(the "Prior Plans"). Options granted under the Prior Plans before their
termination will remain outstanding according to their terms, but no further
options will be granted under the Prior Plans after the Effective Date. Shares
that: (a) are subject to issuance upon exercise of an option granted under the
Prior Plans, or the Equity Incentive Plan that cease to be subject to such
option for any reason other than exercise of such option; (b) have been issued
pursuant to the exercise of an option granted under the Prior Plans or the
Equity Incentive Plan with respect to which the Company's right of repurchase
has not lapsed and are subsequently repurchased by the Company; (c) are
subject to an award granted pursuant to restricted stock purchase agreements
under the Equity Incentive Plan that are forfeited or are repurchased by the
Company at the original issue price; or (d) are subject to stock bonuses
granted under the Equity Incentive Plan that otherwise terminate without
shares being issued, will again be available for grant and issuance under the
Equity Incentive Plan. Any authorized shares not issued or subject to
outstanding grants under the Prior Plans on the Effective Date will no longer
be available for grant and issuance under the Prior Plans but will be
available for grant and issuance under the Equity Incentive Plan. The Equity
Incentive Plan will terminate in October 2007, unless sooner terminated in
accordance with the terms of the Equity Incentive Plan. The Equity Incentive
Plan authorizes the award of options, restricted stock awards and stock
bonuses (each an "Award"). No person will be eligible to receive more than
400,000 shares in any calendar year pursuant to Awards under the Equity
Incentive Plan other than a new employee of the Company who will be eligible
to receive no more than 1,000,000 shares in the calendar year in which such
employee commences employment. The Equity Incentive Plan will be administered
by the Compensation Committee. The Compensation Committee has the authority to
construe and interpret the Equity Incentive Plan and any agreement made
thereunder, grant Awards and make all other determinations necessary or
advisable for the administration of the Equity Incentive Plan.
The Equity Incentive Plan provides for the grant of both incentive stock
options ("ISOs") that qualify under Section 422 of the Internal Revenue Code
of 1986, as amended (the "Code"), and nonqualified stock options ("NQSOs").
ISOs may be granted only to employees of the Company or of a parent or
subsidiary of the Company. NQSOs (and all other Awards other than ISOs) may be
granted to employees, officers, directors, consultants, independent
contractors and advisors of the Company or any parent or subsidiary of the
Company, provided such consultants, independent contractors and advisors
render bona fide services not in connection with the offer and sale of
securities in a capital-raising transaction ("Eligible Service Providers").
The exercise price of ISOs must be at least equal to the fair market value of
the Company's Common Stock on the date of grant. The exercise price of NQSOs
must be at least equal to 85% of the fair market value of the Company's Common
Stock on the date of grant. The maximum term of options granted under the
Equity Incentive Plan is ten years. Awards granted under the Equity Incentive
Plan may not be transferred in any manner other than by will or by the laws of
descent and distribution and may be exercised during the lifetime of the
optionee only by the optionee (unless otherwise determined by the Compensation
Committee and set forth in the Award agreement with respect to Awards that are
not ISOs). Options granted under the Equity Incentive Plan generally expire
three months after the termination of the optionee's service to the Company or
a parent or subsidiary of the Company, except in the case of death or
disability, in which case the options generally may be exercised up to 12
months following the date of death or termination of service. Options will
generally terminate immediately upon termination for cause. In the event of
the Company's dissolution or liquidation or a "change in control" transaction,
outstanding Awards may be assumed or substituted by the successor corporation
(if any). If a successor corporation (if any) does not assume or substitute
the Awards, they will expire upon the effectiveness of the transaction. The
Committee, in its discretion, may provide that the vesting of any or all
Awards will accelerate prior to the effectiveness of the transaction.
1998 Employee Stock Purchase Plan. In December 1997, the Board adopted, and
in January 1998 the stockholders approved, the Purchase Plan and reserved
500,000 shares of the Company's Common Stock for issuance thereunder. The
Purchase Plan will be administered by the Compensation Committee of the Board.
The Compensation Committee will have the authority to construe and interpret
the Purchase Plan and its decisions in such capacity will be final and
binding. The Purchase Plan will become effective on the first business day on
which price quotations for the Company's Common Stock are available on the
Nasdaq National Market. Employees generally will be eligible to participate in
the Purchase Plan if they are customarily employed by the Company (or its
parent or any subsidiaries that the Company designates) for more than 20 hours
per week and more than five months in a calendar year and are not (and would
not become as a result of being granted an option under the Purchase Plan) 5%
stockholders of the Company (or its designated parent or subsidiaries).
Eligible employees may select a rate of payroll deduction between 2% and 10%
of their compensation and are subject to certain maximum purchase limitations
that will be described in the Purchase Plan. A participant may change the rate
of payroll deductions or withdraw from an Offering Period by notifying the
Company in writing. Participation in the Purchase Plan will end automatically
upon termination of employment for any reason. Except for the first offering,
each offering under the Purchase Plan will be for a period of 24 months (the
"Offering Period") and will consist of six-month purchase periods (each a
"Purchase Period"). The first Offering Period is expected to begin on the
first business day on which price quotations for the Company's Common Stock
are available on the Nasdaq National Market and, depending on the effective
date of this Registration Statement, may be greater or less than 24 months
long. Offering Periods thereafter will begin on February 1 and August 1. Each
participant will be granted an option on the first day of the Offering Period
and such option will be automatically exercised on the last day of each
Purchase Period during the Offering Period. The purchase price for the
Company's Common Stock purchased under the Purchase Plan is 85% of the lesser
of the fair market value of the Company's Common Stock on the first day of the
applicable Offering Period and the last day of the applicable Purchase Period.
The Committee will have the power to change the duration of Offering Periods
and Purchase Periods without stockholder approval, if such change is announced
at least 15 days prior to the
beginning of the Offering or Purchase Period to be affected. The Purchase Plan
will be intended to qualify as an "employee stock purchase plan" under Section
423 of the Code. Rights granted under the Purchase Plan will not be
transferable by a participant other than by will or the laws of descent and
distribution. The Purchase Plan will provide that, in the event of the
proposed dissolution or liquidation of the Company, the Offering Period will
terminate immediately prior to the consummation of such proposed action,
provided that the Compensation Committee may fix a different date for
termination of the Purchase Plan and may give each participant the opportunity
to purchase shares under the Purchase Plan prior to such termination. The
Purchase Plan will provide that, in the event of certain "change of control"
transactions, the Plan will continue for all Offering Periods that began prior
to the transaction and shares will be purchased based on the fair market value
of the surviving corporation's stock on each Purchase Date. The Purchase Plan
will terminate in December 2007, unless earlier terminated pursuant to the
terms of the Purchase Plan. The Board will have the authority to amend,
terminate or extend the term of the Purchase Plan, except that no such action
may adversely affect any outstanding options previously granted under the
Purchase Plan and stockholder approval is required to increase the number of
shares that may be issued or change the terms of eligibility under the
Purchase Plan.
401(k) Plan. The Board maintains the VeriSign, Inc. 401(k) Plan (the "401(k)
Plan"), a defined contribution plan intended to qualify under Section 401 of
the Code. All eligible employees who are at least 18 years old and have been
employed by the Company for one month may participate in the 401(k) Plan. An
eligible employee of the Company may begin to participate in the 401(k) Plan
on the first day of January, April, July or October of the plan year
coinciding with or following the date on which such employee meets the
eligibility requirements. A participating employee may make pre-tax
contributions of a whole percentage (not more than 15%) of his or her eligible
compensation and up to 100% of any cash bonus, subject to limitations under
the federal tax laws. Employee contributions and the investment earnings
thereon are fully vested at all times. The 401(k) Plan permits, but does not
require, additional matching and profit-sharing contributions by the Company
on behalf of the participants. The Company has not made matching or profit-
sharing contributions. Contributions by employees or the Company to the 401(k)
Plan, and income earned on plan contributions, are generally not taxable to
employees until withdrawn, and contributions by the Company, if any, should be
deductible by the Company when made. The trustee under the 401(k) Plan, at the
direction of each participant, invests the assets of the 401(k) Plan in
selected investment options.
Executive Loan Program of 1996. In November 1996, the Compensation Committee
adopted the Company's Executive Loan Program of 1996 (the "Executive Loan
Program"). Pursuant to the Executive Loan Program, the Company's Chief
Executive Officer and each Vice President of the Company (each a "Qualified
Borrower") are each entitled to borrow an aggregate of up to $250,000 from the
Company. Each loan made under the Executive Loan Program is a full recourse
loan and bears interest at the then-minimum interest rate to avoid imputation
of income under federal, state and local tax laws. Interest on any loan made
under the Executive Loan Program is due and payable on December 31 of each
year in which such loan is outstanding. Principal and accrued interest are
payable in full on any such loan upon the earlier of December 31, 2005 or 90
days after the termination of the Qualified Borrower's employment with the
Company, unless extended by a separate written agreement approved by the
Board. Each loan made under the Executive Loan Program must be secured by
collateral represented by Common Stock of the Company or other marketable
securities acceptable to the Board having a fair market value equaling or
exceeding the principal amount of the loan.
COMPENSATION ARRANGEMENTS
Mr. Sclavos's employment offer letter of June 1995, as amended in October
1995, provided for an initial annual salary of $175,000 and an initial annual
bonus of up to $50,000 per year. In addition, it provided for a loan to Mr.
Sclavos of $48,000 which was to be forgiven after the first anniversary of Mr.
Sclavos's employment with the Company. This loan was forgiven by the Board in
October 1996. Mr. Sclavos was also granted an option to purchase 616,000
shares of Common Stock with an exercise price of $.12 per share. In October
1996, this
option was amended such that it became immediately exercisable. Mr. Sclavos
exercised this option in full in November 1996. In connection with this
exercise, the Company loaned Mr. Sclavos $73,920 pursuant to the terms of the
Executive Loan Program, representing the full exercise price of such option.
As of December 31, 1997, 269,500 of the shares Mr. Sclavos received upon
exercise of the option were subject to a right of repurchase on behalf of the
Company. This right lapses as to 38,500 shares per quarter. Mr. Sclavos's
employment is "at will" and thus can be terminated at any time, with or
without cause.
Michael S. Baum, Dana L. Evan, Arnold Schaeffer and Richard A. Yanowitch
were granted options to purchase 150,000, 170,000, 200,000 and 290,000 shares,
respectively, of Common Stock under the 1995 Stock Option Plan, at exercise
prices ranging from $.12 to $6.00. Each of these options is subject to the
standard four-year vesting schedule under the 1995 Stock Option Plan or, in
certain circumstances, is immediately exercisable, subject to the Company's
right to repurchase shares subject to such options, which repurchase right
lapses on a schedule similar to the vesting schedule for options granted under
the 1995 Stock Option Plan. However, upon the occurrence of certain change-in-
control transactions, 50% of each such Named Executive Officer's then-unvested
options will become vested or, if applicable, the right of repurchase will
lapse as to 50% of the shares covered by such right of repurchase.
INDEMNIFICATION OF DIRECTORS AND EXECUTIVE OFFICERS AND LIMITATION OF
LIABILITY
As permitted by the Delaware General Corporation Law (the "DGCL"), the
Company's Third Amended and Restated Certificate of Incorporation, which will
become effective upon the closing of this offering, includes a provision that
eliminates the personal liability of its directors for monetary damages for
breach of fiduciary duty as a director, except for liability (i) for any
breach of the director's duty of loyalty to the Company or its stockholders,
(ii) for acts or omissions not in good faith or that involve intentional
misconduct or a knowing violation of law, (iii) under section 174 of the DGCL
(regarding unlawful dividends and stock purchases) or (iv) for any transaction
from which the director derived an improper personal benefit.
As permitted by the DGCL, the Company's Amended and Restated Bylaws, which
will become effective upon the completion of this offering, provide that (i)
the Company is required to indemnify its directors and officers to the fullest
extent permitted by the DGCL, subject to certain very limited exceptions, (ii)
the Company may indemnify its other employees and agents to the extent that it
indemnifies its officers and directors, unless otherwise required by law, its
Certificate of Incorporation, its Amended and Restated Bylaws, or agreement,
(iii) the Company is required to advance expenses, as incurred, to its
directors and executive officers in connection with a legal proceeding to the
fullest extent permitted by the DGCL, subject to certain very limited
exceptions and (iv) the rights conferred in the Amended and Restated Bylaws
are not exclusive.
The Company has entered into Indemnification Agreements with each of its
current directors and certain of its executive officers and intends to enter
into such Indemnification Agreements with each of its other executive officers
to give such directors and executive officers additional contractual
assurances regarding the scope of the indemnification set forth in the
Company's Certificate of Incorporation and Amended and Restated Bylaws and to
provide additional procedural protections. At present, there is no pending
litigation or proceeding involving a director, officer or employee of the
Company regarding which indemnification is sought, nor is the Company aware of
any threatened litigation that may result in claims for indemnification.
CERTAIN TRANSACTIONS
Since April 12, 1995, the Company's inception date, there has not been nor
is there currently proposed, any transaction or series of similar transactions
to which the Company or any of its subsidiaries was or is to be a party in
which the amount involved exceeded or will exceed $60,000 and in which any
director, executive officer, holder of more than 5% of the Common Stock of the
Company or any member of the immediate family of any of the foregoing persons
had or will have a direct or indirect material interest other than (i)
compensation agreements and other arrangements, which are described where
required in "Management," and (ii) the transactions described below.
TRANSACTIONS WITH DIRECTORS, EXECUTIVE OFFICERS AND 5% STOCKHOLDERS
The Company has financed its operations to date through a series of private
Common Stock and Preferred Stock financings. Upon the closing of this
offering, all shares of Preferred Stock will be converted into shares of
Common Stock at a conversion rate of one share of Common Stock for each share
of Preferred Stock. See "Description of Capital Stock."
Common Stock at Formation. In April 1995, the Company sold an aggregate of
4,688,333 shares of its Common Stock at a purchase price of $.12 per share to
certain individuals and entities. Among the purchasers were the following 5%
stockholders, directors and entities affiliated with directors of the Company,
who purchased the number of shares set forth opposite their respective names:
RSA--4,000,000 shares; Bessemer Venture Partners DCI--258,333 shares; D. James
Bidzos--125,000 shares; Kairdos L.L.C.--100,000 shares; and TZM Investment
Fund--80,000 shares. Mr. Bidzos is the Chairman of the Board of the Company,
the President and Chief Executive Officer of RSA and the General Manager and a
member of Kairdos L.L.C. Mr. Tomlinson, a director of the Company, is a
general partner of TZM Investment Fund and TZM Investment Fund is a member of
Kairdos L.L.C. Mr. Cowan, a director of the Company, is a general partner of
the general partner of Bessemer Venture Partners DCI. All purchasers paid cash
except RSA, which assigned and transferred to the Company equipment, assets
and technology, which assets and technology included certain specified
software developed or under development by RSA relating to digital certificate
issuance and management, certain tangible personal property, consisting mostly
of computer equipment, and all of RSA's right, title and interest in certain
specified agreements to provide digital certificate services. In connection
with the contribution of these assets to the Company, RSA entered into a
BSAFE/TIPEM OEM Master License Agreement with the Company pursuant to which
the Company was granted a perpetual, royalty free, nonexclusive, worldwide
license to distribute products it develops that contain or incorporate the RSA
BSAFE and TIPEM products and that relate to digital certificate issuing
software, software for the management of private keys and for digitally
signing computer files on behalf of others, software for customers to preview
and forward digital certificate requests to the Company, or such other
products that, in RSA's reasonable discretion, are reasonably necessary for
the implementation of a digital certificate business. RSA is also required to
provide maintenance and technical support for these products to the Company.
RSA's BSAFE product is a software tool kit that allows for the integration of
encryption and authentication features into software applications and TIPEM is
a secure e-mail development tool kit that allows for secure e-mail messages to
be sent using one vendor's e-mail product and read by another vendor's e-mail
product. Also in connection with this contribution of assets, RSA entered into
a Non-Compete and Non-Solicitation Agreement pursuant to which RSA agreed, for
a five-year period, not to compete with the Company's certificate authority
business.
Series A Preferred Stock. In April 1995, the Company also sold an aggregate
of 4,306,883 shares of its Series A Preferred Stock at a cash purchase price
of $1.20 per share to nine entities. Among the purchasers were the following
5% stockholders and entities affiliated with directors of the Company, who
purchased the number of shares set forth opposite their respective names:
Bessemer Venture Partners DCI--850,000 shares; VISA--850,000 shares; Intel
Corporation--850,000 shares; Security Dynamics--425,000 shares and First TZMM
Investment Partnership--23,550 shares. Mr. Bidzos is an Executive Vice
President and a director of Security Dynamics. Mr. Tomlinson, a director of
the Company, is a general partner of First TZMM Investment Partnership.
Series B Preferred Stock. In February 1996, the Company sold an aggregate of
2,099,123 shares of its Series B Preferred Stock at a cash purchase price of
$2.45 per share to 12 entities. Among the purchasers were the following 5%
stockholders and entities affiliated with directors of the Company, who
purchased the number of shares set forth opposite their respective names:
Kleiner Perkins Caufield & Byers VII--1,153,207 shares; Bessemer Venture
Partners DCI--187,819 shares; Intel Corporation--144,052 shares; VISA--
144,052 shares; KPCB VII Founders Fund--125,947 shares; Security Dynamics--
72,026 shares; KPCB Information Science Zaibatsu Fund II--32,799 shares; and
First TZMM Investment Partnership--17,554 shares. Mr. Compton, a director of
the Company, is a general partner of the general partner of Kleiner Perkins
Caufield & Byers VII, KPCB VII Founders Fund and KPCB Information Science
Zaibatsu Fund II.
Series C Preferred Stock. In November and December 1996, the Company sold an
aggregate of 3,625,000 shares of its Series C Preferred Stock at a cash
purchase price of $8.00 per share to 13 entities. Among the purchasers was
Microsoft, a 5% stockholder, which purchased 812,500 shares. No other 5%
stockholder, officer, director or entity affiliated with a director of the
Company purchased Series C Preferred Stock.
Stockholders' Agreement. In April 1995, the Company and each of the persons
who were then stockholders (the "Parties") entered into a Stockholders'
Agreement, which was amended at the time of the Series B Preferred Stock
financing and again in November 1996, when the Series C Preferred Stock
financing was closed, to include as parties to the agreement the new holders
of Preferred Stock. The Stockholders' Agreement, as amended, prohibits the
Parties from transferring any of their shares of capital stock of the Company,
without the prior consent of the Board and a majority in interest of the other
Parties, to certain specified corporations and entities affiliated with such
corporations. The Stockholders' Agreement also provides that no Party can vote
shares of capital stock of the Company with voting rights in excess of 45% of
the voting rights of the total voting capital stock of the Company entitled to
vote on any matter, thereby prohibiting a Party with more than 45% of the
voting rights of the total voting capital stock of the Company from
controlling the voting on any given matter. Finally, the Stockholders'
Agreement provides that, so long as any of Kleiner Perkins Caufield & Byers
VII, Bessemer Venture Partners DCI, VISA and Intel Corporation retained at
least 50% of the shares issued to them in the Series A or Series B Preferred
Stock financing, or so long as RSA retains not less than the lesser of 10% of
the issued and outstanding voting shares of the Company or 75% of the shares
of Common Stock held by it immediately following the Series A Preferred Stock
financing, the Company and the stockholders would cause and maintain the
election to the Board of a representative of each of those five entities that
satisfied their respective requirement. The Stockholders' Agreement terminates
upon the closing of this offering.
Co-Sale Agreement. In February 1996, the Company, each of the purchasers of
Series B Preferred Stock and RSA entered into a Co-Sale Agreement, pursuant to
which the holders of Series B Preferred Stock were granted rights to
participate in certain sales of capital stock of the Company owned by RSA.
Such co-sale rights will terminate upon the closing of this offering.
Investors' Rights Agreement. In November 1996, the Company, all of the
current holders of Preferred Stock and the purchasers of Common Stock in April
1995 entered into an Amended and Restated Investors' Rights Agreement (the
"Investors' Rights Agreement") pursuant to which the holders of all such
Preferred or Common Stock (the "Investors") have certain registration rights
with respect to their shares of Common Stock following this offering. See
"Description of Capital Stock--Registration Rights." Pursuant to the terms of
the Investors' Rights Agreement, each of the Investors and Stratton Sclavos,
the Company's President and Chief Executive Officer and a director of the
Company, were granted a right of first offer with respect to certain future
sales of securities by the Company.
Officer Loans. In November 1996, in connection with the exercise of stock
options granted under the 1995 Stock Option Plan, the Company permitted four
executive officers, Richard A. Yanowitch, Ethel E. Daly, Dana L. Evan and
Stratton D. Sclavos to purchase shares of Common Stock in exchange for
promissory notes issued under its Executive Loan Program in the amounts of
$217,500, $105,000, $93,750 and $73,920, respectively. See "Management--
Employee Benefit Plans--Executive Loan Program of 1996." In June 1997, in
connection
with the exercise of a stock option granted under the 1995 Stock Option Plan,
the Company permitted Nicholas F. Piazzola, an executive officer, to purchase
shares of Common Stock in exchange for a promissory note issued under the
Executive Loan Program in the amount of $115,425. Each note is a recourse note
that is secured by the shares purchased with that note. The notes bear
interest at the rate of 6.95% per annum (6.87% in the case of Mr. Piazzola),
payable quarterly, and are due and payable on the earlier of December 31, 2005
or the date the borrowers' employment relationship with the Company is
terminated, unless otherwise extended by a separate written agreement approved
by the Board. During 1997, the Company paid a bonus in the amount of the
interest accrued under each such executive officer's promissory note --
$23,603, $11,395, $10,174 and $8,022 for Mr. Yanowitch, Ms. Daly, Ms. Evan
and Mr. Sclavos, respectively.
Development Agreement. In September 1997, the Company and Security Dynamics,
the parent company of RSA, entered into a Master Development and License
Agreement (the "Development Agreement"). Mr. Bidzos, the Chairman of the Board
of the Company, is also a director of Security Dynamics. Pursuant to the
Development Agreement, the Company will develop a customized certificate
authority product based upon the Company's WorldTrust software application in
order to enable Security Dynamics to offer a product with encryption and
digital certificate authority functionality. The Company has retained the
ownership rights to the technology developed under this agreement, except to
the extent such technology constitutes derivatives of Security Dynamics's pre-
existing technology or such technology is solely created by Security Dynamics.
However, the Company has granted Security Dynamics a non-exclusive, royalty-
free, perpetual, worldwide license under the Company's intellectual property
rights in its technology to the extent that its technology is incorporated in
the customized product being developed for Security Dynamics, for the purpose
of facilitating Security Dynamics' derivative works or distributing the
customized product to end users. The Development Agreement provides that
Security Dynamics will pay the Company an aggregate of $2.7 million as an
initial license fee, $900,000 of which was paid in October 1997 and the
remainder of which will be payable upon the achievement of certain technical
milestones, which include a software code completion milestone of February 6,
1998, the release of a beta version of this product by February 27, 1998 and
the release of the final version of the product by April 1, 1998. Commencing
in March 1998, Security Dynamics will also be required to pay the Company a
monthly product support fee for a three-year period, and thereafter for
successive annual terms, unless either of the parties elects to terminate such
product support within 60 days prior to the end of the term or Security
Dynamics terminates support services at any time on 60 days prior written
notice to the Company. For a yearly fee, Security Dynamics can purchase
product maintenance services. If Security Dynamics pays both support and
maintenance fees, such fees would aggregate approximately $200,000 for a one-
year period. For so long as Security Dynamics is paying such maintenance fees,
the Company will be obligated, at no additional cost, to provide Security
Dynamics with updates and enhancements that it develops to the customized
product and with non-exclusive first-to-market access to new technologies
developed by the Company that are relevant to the business of providing
enterprise security solutions or solutions for secure business communications.
The Company is also obligated, upon the request of Security Dynamics, to make
its other technology available to Security Dynamics and to offer maintenance
after the term of the agreement on certain "most favored pricing" terms. The
Company believes that the terms of the Development Agreement, taken as a
whole, were no less favorable to the Company than the Company could have
obtained from unaffiliated third parties.
Microsoft Agreement. In November 1997, the Company entered into a
Certificate Authority Preferred Provider Agreement (the "Microsoft Agreement")
under which the Company will be featured as the preferred provider of digital
certificates for Microsoft customers. Upon the execution of this agreement,
the Company issued Microsoft 100,000 shares of Common Stock valued at
$800,000. The Company believes that the terms of the Microsoft Agreement,
taken as a whole, were no less favorable to the Company than the Company could
have obtained from unaffiliated third parties.
VISA Agreements. In April 1996, the Company entered into a Private Label
Agreement with VISA under which the Company developed and operates a digital
certificate system for VISA's member banks, based on a private VISA root key.
The Company provides certificate registration and issuing and management
functions through its Digital ID Center and retains the ownership rights to
this digital certificate system developed for
VISA. The Company provides, at no additional charge, all maintenance and
support for the VISA digital certificate system. If the Company does not meet
certain minimum service standards, or if the VISA system experiences a
degradation in the quality of service, the Company would be required to pay
monetary penalties in the event that the system is unavailable. VISA could
terminate this agreement in the event the service, once fully available in
final form, is unavailable for a significant amount of time. This agreement
expires two and one-half years from the earlier of the commencement of the
pilot program or April 8, 1997. The Company received aggregate payments from
VISA of $455,000 during 1996 and $1.1 million during 1997, in the form of
development fees, set-up fees and certificate volume-based subscriber fees.
VISA is obligated to continue to pay subscriber fees for the remainder of the
term of this agreement. VISA prepays these fees on a quarterly basis ($250,000
per quarter in 1998 and the first three quarters of 1999), and these fees are
subject to offset against per certificate fees for all certificates issued
until such time as the total prepayment for a given period is exhausted. VISA
is not entitled to any refunds in the event that sufficient certificates are
not issued to offset any remaining prepaid subscriber fees. The Company is
also obligated to provide VISA with certain "most favored pricing" rights.
VISA has the right to terminate this agreement after April 1, 1998 by entering
into a license agreement with the Company and paying licensing fees as well as
a royalty for future certificates issued. Otherwise, the agreement is
terminable upon the completion of its term (or earlier in the event of a
material breach of the agreement by the other party), upon bankruptcy or
insolvency of the other party or upon the Company's failure to provide
support.
In October 1996, the Company entered into a Private Label Agreement with
VISA under which the Company developed a pilot digital certificate system,
based on a private VISA root key, which provides certificate registration and
issuing and management functions through VeriSign's operations and Digital ID
Center in connection with the VISA Cash stored value card and the Chip Card
Payment Service. During 1998, the Company is entitled to receive an additional
$20,000 of operations fees under the agreement, as well as subscriber fees
based on the number of certificates issued. This agreement expired in October
1997. The Company received aggregate payments of $40,000 during 1996 and
$221,600 during 1997, in the form of development fees, operation fees and
subscriber fees. The Company believes that the terms of the agreements with
VISA, taken as a whole, were no less favorable to the Company than the Company
could have obtained from unaffiliated third parties.
Sublease with Security Dynamics. Since September 1996, the Company has
sublet approximately 12,700 square feet of space for its offices in Cambridge,
Massachusetts. This space is subleased from Security Dynamics pursuant to a
sublease that expires in March 1998. The Company made lease payments to
Security Dynamics of $17,646 during 1996 and $179,000 during 1997. The Company
is obligated to pay monthly rent of approximately $20,000 from January 1998
through the expiration date. The Company is also obligated to pay all
electricity, heating, ventilation and air conditioning costs for the subleased
premises.
CERTAIN BUSINESS RELATIONSHIPS
Legal Fees. During 1996 and 1997, the law firm of Tomlinson Zisko Morosoli &
Maser LLP, of which Mr. Tomlinson is a partner, provided legal services to the
Company on a variety of matters. During 1996 and 1997, the Company paid to or
accrued for Tomlinson Zisko Morosoli & Maser LLP an aggregate of $344,120 and
$239,051, respectively.
The Company believes that the terms of each of the transactions described
above, taken as a whole, were no less favorable to the Company than the
Company could have obtained from unaffiliated third parties.
PRINCIPAL STOCKHOLDERS
The following table sets forth certain information with respect to the
beneficial ownership of the Company's Common Stock as of December 31, 1997 and
as adjusted to reflect the sale of the shares of Common Stock offered hereby
by: (i) each person who is known by the Company to own beneficially more than
5% of the Company's Common Stock, (ii) each director of the Company, (iii)
each of the Named Executive Officers and (iv) all directors and executive
officers of the Company as a group.
                                                           PERCENTAGE OF COMMON
                                                            STOCK BENEFICIALLY
                                                NUMBER OF        OWNED(1)
                                                 SHARES     --------------------
                                              BENEFICIALLY   BEFORE      AFTER
NAME OF BENEFICIAL OWNER                         OWNED      OFFERING  OFFERING(2)
------------------------                      ------------  --------  -----------
D. James Bidzos
  Security Dynamics Technologies, Inc. (3)       4,742,442     27.6%       23.5%
Kevin R. Compton
  Kleiner Perkins Caufield & Byers (4)           1,315,703      7.7         6.5
David J. Cowan
  Bessemer Venture Partners DCI (5)              1,299,902      7.6         6.4
William Chenevich
  Visa International Service Association (6)       997,802      5.8         5.0
Intel Corporation (7)                              994,052      5.8         4.9
Microsoft Corporation (8)                          912,500      5.3         4.5
Stratton D. Sclavos (9)                            616,000      3.6         3.1
Richard A. Yanowitch (10)                          290,000      1.7         1.4
Arnold Schaeffer (11)                              142,000        *           *
Dana L. Evan (12)                                  135,000        *           *
Michael S. Baum (13)                               125,000        *           *
Timothy Tomlinson (14)                              39,403        *           *
All officers and directors as a group (13
  persons) (15)                                  9,933,252     57.8        49.2
- --------
* Less than 1% of the Company's outstanding Common Stock
(1) Percentage ownership is based on 17,151,244 shares outstanding as of
December 31, 1997, including shares issuable upon conversion of all
outstanding Preferred Stock into Common Stock in connection with this
offering, and 20,151,244 shares outstanding after the offering. Shares of
Common Stock subject to options currently exercisable or exercisable
within 60 days of December 31, 1997 are deemed outstanding for the
purpose of computing the percentage ownership of the person holding such
options but are not deemed outstanding for computing the percentage
ownership of any other person. Unless otherwise indicated below, the
persons and entities named in the table have sole voting and sole
investment power with respect to all shares beneficially owned, subject
to community property laws where applicable.
(2) Assumes the Underwriters' over-allotment option is not exercised.
(3) Represents 4,497,026 shares held of record by Security Dynamics or by
wholly-owned subsidiaries thereof, 113,000 shares held of record by D.
James Bidzos, 103,125 shares held of record by Kairdos L.L.C., 12,000
shares held of record by relatives and other associates of Mr. Bidzos,
16,666 shares subject to options held of record by D. James Bidzos that
are exercisable within 60 days of December 31, 1997 and 625 shares
subject to options that are held of record by Kairdos L.L.C. that are
exercisable within 60 days of December 31, 1997. Mr. Bidzos, the Chairman
of the Board of the Company, is the President of RSA, an Executive Vice
President and a director of Security Dynamics and the General Manager and
a member of Kairdos L.L.C. Mr. Bidzos disclaims beneficial ownership of
the shares held by Kairdos L.L.C. except for his proportional interest
therein, and disclaims beneficial ownership of the shares held by
Security Dynamics or its wholly-owned subsidiaries. The address for Mr.
Bidzos and Security Dynamics is 20 Crosby Drive, Bedford, Massachusetts
01730.
(4) Represents 1,279,154 shares held of record by Kleiner Perkins Caufield &
Byers VII L.P., 32,799 shares held of record by KPCB Information Science
Zaibatsu Fund II and 3,750 shares subject to options held of record by
Kevin Compton that are exercisable within 60 days of December 31, 1997.
Mr. Compton, a director of the Company, is a general partner of the
general partner of each of these entities. Mr. Compton disclaims
beneficial ownership of shares held by such entities except for his
proportional interest therein. The address for Mr. Compton and these
entities is c/o Kleiner Perkins Caufield & Byers, 2750 Sand Hill Road,
Menlo Park, California 94025.
(5) Represents 1,296,152 shares held of record by Bessemer Venture Partners
DCI and 3,750 shares subject to options held of record by Deer III & Co.
LLC that are exercisable within 60 days of December 31, 1997. Mr. Cowan,
a director of the Company, is a general partner of the general partner of
Bessemer Venture Partners DCI and is a manager of Deer III & Co. LLC. Mr.
Cowan disclaims beneficial ownership of shares held by Bessemer Venture
Partners DCI except for his proportional interest therein. The address
for Mr. Cowan and Bessemer Venture Partners DCI is 535 Middlefield Road,
Menlo Park, California 94025.
(6) Represents 994,052 shares held by VISA and 3,750 shares subject to
options held of record by VISA that are exercisable within 60 days of
December 31, 1997. Mr. Chenevich, a director of the Company, is the Group
Executive Vice President, Data Processing Systems of VISA. Mr. Chenevich
disclaims beneficial ownership of shares held by VISA. The address for
Mr. Chenevich and VISA is 900 Metro Center, Foster City, California
94404.
(7) Represents shares held by Intel Corporation. The address for Intel
Corporation is 2200 Mission College Blvd., Building SC-4, Santa Clara,
California 95050.
(8) Represents shares held by Microsoft Corporation. The address of Microsoft
Corporation is One Microsoft Way, Redmond, Washington 98052.
(9) Includes 2,500 shares held of record by Stratton or Jody Sclavos as
Custodians under UTMA for Nicholas L. Sclavos and 2,500 shares held of
record by Stratton or Jody Sclavos as Custodians under UTMA for Alexandra
C. Sclavos. Mr. Sclavos is President, Chief Executive Officer and a
director of the Company. Of the shares shown in the table, as of December
31, 1997, 269,500 were subject to a repurchase right that lapses as to
38,500 of the shares each quarter.
(10) Mr. Yanowitch is Vice President of Marketing of the Company. Of the
shares shown in the table, as of December 31, 1997, 181,250 were subject
to a repurchase right that lapses as to 18,125 of the shares each
quarter.
(11) Mr. Schaeffer is Vice President of Engineering of the Company. Of the
shares shown in the table, as of December 31, 1997, 80,500 were subject
to a repurchase right that lapses as to 8,875 of the shares each quarter.
(12) Includes 2,500 shares held of record by Ms. Evan as Custodian under UTMA
for Christopher Thomas Evan and 2,500 shares held of record by Ms. Evan
as Custodian under UTMA for Ryan Joseph Evan. Ms. Evan is Vice President
of Finance and Administration and Chief Financial Officer of the Company.
Of the shares shown in the table, as of December 31, 1997, 78,125 were
subject to a repurchase right that lapses as to 7,812 of the shares each
quarter.
(13) Mr. Baum is Vice President of Practices and External Affairs of the
Company. Of the shares shown in the table, as of December 31, 1997,
58,594 were subject to a repurchase right that lapses as to 7,324 of the
shares each quarter.
(14) Includes 5,000 shares held of record by the Joy E. Tomlinson 1996 Trust,
5,000 shares held of record by the Tucker Tomlinson 1996 Trust and 625
shares subject to options held of record by TZM Investment Fund that are
exercisable within 60 days of December 31, 1997. Mr. Tomlinson is a
general partner of TZM Investment Fund and a trustee of each trust.
(15) Includes the shares described in footnotes (3)-(6) and (9)-(14) and an
additional 230,000 shares held by other executive officers, of which
155,000 were subject to repurchase rights as of December 31, 1997 that
lapse as to an aggregate of 14,375 of the shares each quarter.
DESCRIPTION OF CAPITAL STOCK
As of December 31, 1997, assuming the conversion of all outstanding shares
of Preferred Stock into shares of Common Stock, there were outstanding
17,151,244 shares of Common Stock, each with a par value of $.001, held of
record by approximately 144 stockholders, and outstanding options to purchase
2,516,818 shares of Common Stock.
The following summary of certain provisions of the Common Stock and
Preferred Stock does not purport to be complete and is subject to, and
qualified in its entirety by, the provisions of the Company's Certificate of
Incorporation, which is included as an exhibit to the Registration Statement,
of which this Prospectus forms a part, and by the provisions of applicable
law.
COMMON STOCK
Upon the closing of this offering, the Company will be authorized to issue
50,000,000 shares of Common Stock. Subject to preferences that may be
applicable to any Preferred Stock outstanding at the time, the holders of
outstanding shares of Common Stock are entitled to receive dividends out of
assets legally available therefor at such times and in such amounts as the
Board from time to time may determine. Holders of Common Stock are entitled to
one vote for each share held on all matters submitted to a vote of
stockholders. Cumulative voting for the election of directors will not be
authorized by the Company's Amended and Restated Certificate of Incorporation,
which means that the holders of a majority of the shares voted can elect all
of the directors then standing for election. The Common Stock is not entitled
to preemptive rights and is not subject to conversion or redemption. Upon
liquidation, dissolution or winding-up of the Company, the assets legally
available for distribution to stockholders are distributable ratably among the
holders of the Common Stock and any participating Preferred Stock outstanding
at that time after payment of liquidation preferences, if any, on any
outstanding Preferred Stock and payment of other claims of creditors. Each
outstanding share of Common Stock is, and all shares of Common Stock to be
outstanding upon completion of this offering will be upon payment therefor,
duly and validly issued, fully paid and nonassessable.
PREFERRED STOCK
Upon the closing of this offering, each outstanding share of Preferred Stock
(the "Convertible Preferred") will be converted into shares of Common Stock.
See Note 6 of Notes to Consolidated Financial Statements for a description of
the Convertible Preferred. Following the offering, the Company will be
authorized to issue up to 5,000,000 shares of "blank check" Preferred Stock.
The Board is authorized, subject to any limitations prescribed by Delaware
law, to provide for the issuance of Preferred Stock in one or more series, to
establish from time to time the number of shares to be included in each such
series, to fix the rights, preferences and privileges of the shares of each
wholly unissued series and any qualifications, limitations or restrictions
thereon, and to increase or decrease the number of shares of any such series
(but not below the number of shares of such series then outstanding), without
any further vote or action by the stockholders. The Board may authorize the
issuance of Preferred Stock with voting or conversion rights that could
adversely affect the voting power or other rights of the holders of Common
Stock. The issuance of Preferred Stock may have the effect of delaying,
deferring or preventing a change in control of the Company and may adversely
affect the market price of the Common Stock, and the voting and other rights
of the holders of Common Stock. The Company has no current plan to issue any
shares of Preferred Stock.
REGISTRATION RIGHTS
Following this offering, the holders of approximately 15,069,339 shares of
Common Stock (representing the purchasers of Common Stock at the founding of
the Company in April 1995, all of the purchasers of Preferred Stock, and
certain purchasers of Common Stock in November 1997) (the "Holders") will have
certain rights to cause the Company to register those shares (the "Registrable
Securities") under the Securities Act pursuant to the Investors' Rights
Agreement. The holders of at least a majority of the Registrable Securities
may require, after 180 days from the effective date of this offering, that the
Company use its best efforts to effect up
to two registrations. Holders not part of the initial registration demand are
entitled to notice of such registration and are entitled to include shares of
Registrable Securities therein. These registration rights are subject to
certain conditions and limitations, including (i) the right, under certain
circumstances, of the underwriters of an offering to limit the number of
shares included in such registration and (ii) the right of the Company to
delay the filing of a registration statement for not more than 120 days after
receiving the registration demand. The Company is obligated to pay all
registration expenses incurred in connection with such registration (other
than underwriters' discounts and commissions) and the reasonable fees and
expenses of a single counsel to the selling Holders.
In addition, if the Company proposes to register any of its securities under
the Securities Act (other than a registration relating solely to the sale of
securities to participants in a Company stock plan, a registration on a form
that does not include substantially the same information as would be required
in a registration statement covering the sale of the Registrable Securities or
a registration in which the only Common Stock being registered is Common Stock
issuable upon conversion of debt securities that are also being registered) in
connection with the sale of such securities solely for cash, whether or not
for sale for its own account, the Holders are entitled to notice of such
registration and are entitled to include Registrable Securities therein. These
rights are subject to certain conditions and limitations, including the right
of the underwriters of an offering to limit the number of shares included in
such registration under certain circumstances. The Company is obligated to pay
all registration expenses incurred in connection with such registration other
than underwriters' discounts and commissions. If the Company were to initiate
a registration and include shares pursuant to this "piggyback" right, such
sales might have an adverse effect on the Company's ability to raise capital.
The Holders may also require the Company, on no more than two occasions in
any twelve-month period, to register all or a portion of their Registrable
Securities on Form S-3 under the Securities Act when such form becomes
available for use by the Company, if the securities to be so registered
represent an aggregate selling price to the public of not less than $1.0
million. The Holders who are not part of the initial registration demand are
entitled to notice of such registration and are entitled to include shares of
Registrable Securities therein. These registration rights are subject to
certain conditions and limitations, including the right of the Company to
delay the filing of a registration statement on Form S-3 for a period of not
more than 60 days after receiving the registration demand. The Company is
obligated to pay all registration expenses incurred in connection with such
registration (other than underwriters' discounts and commissions) and the
reasonable fees and expenses of a single counsel to the selling Holders.
Each stockholder's registration rights will expire upon the earlier of the
fifth anniversary of the closing of this offering or at such time as the
stockholder can sell all of its securities under Rule 144(k).
DELAWARE ANTI-TAKEOVER LAW AND CERTAIN CHARTER AND BYLAW PROVISIONS
Upon the closing of this offering, the Company will be subject to the
provisions of Section 203 of the Delaware General Corporation Law (the "Anti-
Takeover Law") regulating corporate takeovers. The Anti-Takeover Law prevents
certain Delaware corporations, including those whose securities are listed on
the Nasdaq National Market, from engaging, under certain circumstances, in a
"business combination" (which includes a merger or sale of more than 10% of
the corporation's assets) with any "interested stockholder" (a stockholder who
owns 15% or more of the corporation's outstanding voting stock, as well as
affiliates and associates of any such persons) for three years following the
date that such stockholder became an "interested stockholder" unless (i) the
transaction is approved by the Board of Directors prior to the date the
"interested stockholder" attained such status, (ii) upon consummation of the
transaction that resulted in the stockholder's becoming an "interested
stockholder," the "interested stockholder" owned at least 85% of the voting
stock of the corporation outstanding at the time the transaction commenced
(excluding those shares owned by (a) persons who are directors and also
officers and (b) employee stock plans in which employee participants do not
have the right to determine confidentially whether shares held subject to the
plan will be tendered in a tender or exchange offer), or (iii) on or
subsequent to such date the "business combination" is approved by the Board of
Directors and authorized at an annual or special meeting of stockholders by
the affirmative vote of at least two-thirds of the outstanding
voting stock that is not owned by the "interested stockholder." A Delaware
corporation may "opt out" of the Anti-Takeover Law with an express provision
in its original certificate of incorporation or an express provision in its
certificate of incorporation or bylaws resulting from a stockholders'
amendment approved by at least a majority of the outstanding voting shares.
The Company has not "opted out" of the provisions of the Anti-Takeover Law.
The statute could prohibit or delay mergers or other takeover or change-in-
control attempts with respect to the Company and, accordingly, may discourage
attempts to acquire the Company.
The Company's Amended and Restated Bylaws, which will be in effect upon the
completion of this offering, will provide for the division of the Board into
three classes as nearly equal in size as possible with staggered three-year
terms. The classification of the Board could have the effect of making it more
difficult for a third party to acquire, or of discouraging a third party from
acquiring, control of the Company. In addition, the Amended and Restated
Bylaws will provide that any action required or permitted to be taken by the
stockholders of the Company at an annual meeting or special meeting of
stockholders may only be taken if it is properly brought before such meeting
and may not be taken by written action in lieu of a meeting. The Amended and
Restated Bylaws will provide that special meetings of the stockholders may
only be called by the Chairman of the Board, the Chief Executive Officer or,
if none, the President of the Company or by the Board.
The Company's Amended and Restated Certificate of Incorporation and Amended
and Restated Bylaws will provide that the Company will indemnify officers and
directors against losses that they may incur in investigations and legal
proceedings resulting from their services to the Company, which may include
services in connection with takeover defense measures. Such provisions may
have the effect of preventing changes in the management of the Company.
TRANSFER AGENT AND REGISTRAR
The Transfer Agent and Registrar for the Company's Common Stock is
ChaseMellon Shareholder Services, L.L.C.
LISTING
The shares of Common Stock offered hereby have been approved for quotation
on the Nasdaq National Market under the symbol "VRSN" subject to official
notice of issuance.
SHARES ELIGIBLE FOR FUTURE SALE
Prior to this offering, there has been no public market for the Common Stock
of the Company. Future sales of substantial amounts of Common Stock in the
public market could adversely affect prevailing market prices from time to
time. Furthermore, since no shares will be available for sale shortly after
this offering because of certain contractual and legal restrictions on resale
(as described below), sales of substantial amounts of Common Stock of the
Company in the public market after these restrictions lapse could adversely
affect the prevailing market price and the ability of the Company to raise
equity capital in the future.
Upon completion of this offering, the Company will have outstanding an
aggregate of 20,151,244 shares of Common Stock, assuming no exercise of the
Underwriters' over-allotment option and no exercise of outstanding options. Of
these shares, all of the shares sold in this offering will be freely tradable
without restriction or further registration under the Securities Act, unless
such shares are purchased by "affiliates" of the Company as that term is
defined in Rule 144 under the Securities Act (the "Affiliates"). The remaining
17,151,244 shares of Common Stock held by existing stockholders are
"restricted securities" as that term is defined in Rule 144 under the
Securities Act ("Restricted Shares"). Restricted Shares may be sold in the
public market only if registered or if they qualify for an exemption from
registration under Rule 144 or 701 promulgated under the Securities Act, which
rules are summarized below. All officers, directors, stockholders and option
holders of the Company have agreed not to offer, pledge, sell, contract to
sell, sell any option or contract to purchase, purchase any option or contract
to sell, grant any option, right or warrant to purchase, or otherwise transfer
or dispose of, directly or indirectly (or enter into any swap or other
arrangement that transfers to another, in whole or in part, any of the
economic consequences of ownership of), any shares of Common Stock or any
securities convertible into or exercisable or exchangeable for shares of
Common Stock, for a period of 180 days after the date of this Prospectus,
without the prior written consent of Morgan Stanley & Co. Incorporated. Morgan
Stanley & Co. Incorporated may in its sole discretion choose to release a
certain number of these shares from such restrictions prior to the expiration
of such 180 day period. As a result of such contractual restrictions and the
provisions of Rule 144 and 701, the Restricted Shares will be available for
sale in the public market as follows: (i) no shares will be eligible for
immediate sale on the date of this Prospectus; (ii) 16,801,244 shares will be
eligible for sale upon expiration of the lock-up agreements 180 days after the
date of this Prospectus, subject in the case of all but 2,661,052 shares to
the volume limitations and other conditions of Rule 144 described below; and
(iii) the remaining 350,000 shares will become eligible for sale in November
1998, subject to the volume limitations and other conditions of Rule 144.
In general, under Rule 144 as currently in effect, beginning 90 days after
the date of this Prospectus, a person (or persons whose shares are aggregated)
who has beneficially owned Restricted Shares for at least one year (including
the holding period of any prior owner except an Affiliate) would be entitled
to sell within any three-month period a number of shares that does not exceed
the greater of: (i) 1% of the number of shares of Common Stock then
outstanding (which will equal approximately 201,500 shares immediately after
this offering); or (ii) the average weekly trading volume of the Common Stock
on the Nasdaq National Market during the four calendar weeks preceding the
filing of a notice on Form 144 with respect to such sale. Sales under Rule 144
are also subject to certain manner of sale provisions and notice requirements
and to the availability of current public information about the Company. Under
Rule 144(k), a person who is not deemed to have been an Affiliate of the
Company at any time during the 90 days preceding a sale, and who has
beneficially owned the shares proposed to be sold for at least two years
(including the holding period of any prior owner except an Affiliate), is
entitled to sell such shares without complying with the manner of sale, public
information, volume limitation or notice provisions of Rule 144; therefore,
unless otherwise restricted, shares will qualify as "144(k) shares" on the
date of this Prospectus and may be sold immediately upon the completion of
this offering. Subject to certain limitations on the aggregate offering price
of a transaction and other conditions, employees, directors, officers,
consultants or advisors may rely on Rule 701 with respect to the resale of
securities originally purchased from the Company prior to the date the issuer
becomes subject to the reporting requirements of the Securities Exchange Act
of 1934, as amended (the "Exchange Act"), pursuant to written compensatory
benefit plans or written contracts relating to the compensation of such
persons. In addition, the Securities and Exchange Commission has indicated
that Rule 701 will apply to typical stock options granted by an issuer before
it
becomes subject to the reporting requirements of the Exchange Act, along with
the shares acquired upon exercise of such options (including exercises after
the date of this Prospectus). Securities issued in reliance on Rule 701 are
restricted securities and, subject to the contractual restrictions described
above, beginning 90 days after the date of this Prospectus, may be sold by
persons other than Affiliates subject only to the manner of sale provisions of
Rule 144, and by Affiliates under Rule 144 without compliance with its holding
period requirements.
Upon completion of this offering, the holders of approximately 15,069,339
shares of Common Stock currently outstanding or issuable upon conversion of
Preferred Stock, or their transferees, will be entitled to certain rights with
respect to the registration of such shares under the Securities Act. See
"Description of Capital Stock--Registration Rights." Registration of such
shares under the Securities Act would result in such shares becoming freely
tradable without restriction under the Securities Act (except for share
purchases by affiliates) immediately upon the effectiveness of such
registration.
The Company intends to file a registration statement under the Securities
Act covering (i) 2,625,000 shares of Common Stock reserved or to be reserved
for issuance under the Equity Incentive Plan, the Purchase Plan and the
Directors Plan, (ii) an additional number of shares of Common Stock to be
reserved for issuance under the Equity Incentive Plan equal to the number of
shares reserved for future issuance under the Prior Plans as of the date of
this Prospectus (436,682 as of December 31, 1997), and (iii) shares subject to
outstanding options under the Prior Plans as of the date of this Prospectus
(2,516,818 as of December 31, 1997). See "Management--Employee Benefit Plans."
Such registration statement is expected to be filed and become effective as
soon as practicable after the effective date of this offering. Accordingly,
shares registered under such registration statement will, subject to Rule 144
volume limitations applicable to Affiliates, be available for sale in the open
market, beginning 180 days after the date of the Prospectus, unless such
shares are subject to vesting restrictions with the Company.
UNDERWRITERS
Under the terms and subject to the conditions contained in an Underwriting
Agreement dated the date hereof (the "Underwriting Agreement"), the
Underwriters named below (the "Underwriters"), for whom Morgan Stanley & Co.
Incorporated, Hambrecht & Quist LLC and Wessels, Arnold & Henderson, L.L.C.
are acting as Representatives (the "Representatives"), have severally agreed
to purchase, and the Company has agreed to sell to them, severally, the
respective number of shares of Common Stock set forth opposite their
respective names below:
                                                                    NUMBER OF
NAME                                                                 SHARES
----                                                                ---------
Morgan Stanley & Co. Incorporated.....................................
Hambrecht & Quist LLC.................................................
Wessels, Arnold & Henderson, L.L.C. ..................................
                                                                    ---------
  Total............................................................. 3,000,000
                                                                    =========
The Underwriting Agreement provides that the obligations of the several
Underwriters to pay for and accept delivery of the shares of Common Stock
offered hereby are subject to the approval of certain legal matters by their
counsel and to certain other conditions. The Underwriters are obligated to
take and pay for all of the shares of Common Stock offered hereby (other than
those covered by the over-allotment option described below) if any such shares
are taken.
The Underwriters initially propose to offer part of the shares of Common
Stock directly to the public at the initial public offering price set forth on
the cover page hereof and part to certain dealers at a price that represents a
concession not in excess of $ a share under the public offering price. Any
Underwriter may allow, and such dealers may reallow, a concession not in
excess of $ a share to other Underwriters or to certain dealers. After the
initial offering of the shares of Common Stock, the offering price and other
selling terms may from time to time be varied by the Representatives.
The Company has granted to the Underwriters an option, exercisable for 30
days from the date of this Prospectus, to purchase up to an aggregate of
450,000 additional shares of Common Stock at the initial public offering price
set forth on the cover page hereof, less underwriting discounts and
commissions. The Underwriters may exercise such option to purchase solely for
the purpose of covering over-allotments, if any, made in connection with the
offering of the shares of Common Stock offered hereby. To the extent such
option is exercised, each Underwriter will become obligated, subject to
certain conditions, to purchase approximately the same percentage of such
additional shares of Common Stock as the number set forth next to such
Underwriter's name in the preceding table bears to the total number of shares
of Common Stock set forth next to the names of all Underwriters in the
preceding table.
The Underwriters have informed the Company that they do not intend sales to
discretionary accounts to exceed five percent of the total number of shares of
Common Stock offered by them.
Each of the Company and the directors, executive officers, certain other
stockholders and option holders of the Company has agreed that, without the
prior written consent of Morgan Stanley & Co. Incorporated on behalf of the
Underwriters, it will not during the period ending 180 days after the date of
this Prospectus (i) offer, pledge, sell, contract to sell, sell any option or
contract to purchase, purchase any option or contract to sell, grant any
option, right or warrant to purchase or otherwise transfer, lend or dispose
of, directly or indirectly, any shares
of Common Stock or any securities convertible into or exercisable or
exchangeable for Common Stock or (ii) enter into any swap or other arrangement
that transfers to another, in whole or in part, any of the economic
consequences of ownership of the Common Stock, whether any such transaction
described in clause (i) or (ii) above is to be settled by delivery of Common
Stock or such other securities, in cash or otherwise, except under certain
limited circumstances. The restrictions described in this paragraph do not
apply to (a) the sale of Shares to the Underwriters, (b) the issuance by the
Company of shares of Common Stock upon exercise of an option or a warrant
outstanding on the date of this Prospectus and described as such in the
Prospectus, (c) the issuance by the Company of shares of Common Stock under
the Equity Incentive Plan, the Directors Plan and the Purchase Plan or (d)
transactions by any person other than the Company relating to shares of Common
Stock or other securities acquired in open market transactions after the
completion of the offering of the Shares.
In order to facilitate the offering of the Common Stock, the Underwriters
may engage in transactions that stabilize, maintain or otherwise affect the
price of the Common Stock. Specifically, the Underwriters may over-allot in
connection with the offering, creating a short position in the Common Stock
for their own account. In addition, to cover over-allotments or to stabilize
the price of the Common Stock, the Underwriters may bid for, and purchase,
shares of Common Stock in the open market. Finally, the underwriting syndicate
may reclaim selling concessions allowed to an Underwriter or a dealer for
distributing the Common Stock in the offering, if the syndicate repurchases
previously distributed Common Stock in transactions to cover syndicate short
positions, in stabilization transactions or otherwise. Any of these activities
may stabilize or maintain the market price of the Common Stock above
independent market levels. The Underwriters are not required to engage in
these activities, and may end any of these activities at any time.
In November and December 1996, the Company issued an aggregate of 3,625,000
shares of Series C Preferred Stock for an aggregate consideration of $29.0
million. In connection with such financing, Morgan Stanley & Co. Incorporated
received an aggregate of $730,000 as a financial advisory fee.
The Company and the Underwriters have agreed to indemnify each other against
certain liabilities, including liabilities under the Securities Act.
PRICING OF THE OFFERING
Prior to this offering, there has been no public market for the Common Stock
or any other securities of the Company. The initial public offering price for
the Common Stock will be determined by negotiations between the Company and
the Representatives. Among the factors to be considered in determining the
initial public offering price will be the future prospects of the Company and
its industry in general, sales, earnings and certain other financial and
operating information of the Company in recent periods, and the price-earnings
ratios, price-sales ratios, market prices of securities and certain financial
and operating information of companies engaged in activities similar to those
of the Company. The estimated initial public offering price range set forth on
the cover page of this Preliminary Prospectus is subject to change as a result
of market conditions and other factors.
LEGAL MATTERS
The validity of the shares of Common Stock offered hereby will be passed
upon for the Company by Fenwick & West LLP, Palo Alto, California. Certain
legal matters in connection with this offering will be passed upon for the
Underwriters by Wilson Sonsini Goodrich & Rosati, Professional Corporation,
Palo Alto, California.
EXPERTS
The consolidated financial statements and schedule of VeriSign, Inc. and
subsidiary as of December 31, 1996 and 1997 and for the period from April 12,
1995 (inception) to December 31, 1995 and for each of the years in the two-
year period ended December 31, 1997 have been included herein and in the
Registration Statement in reliance upon the reports of KPMG Peat Marwick LLP,
independent auditors, appearing elsewhere herein, and upon the authority of
said firm as experts in accounting and auditing.
ADDITIONAL INFORMATION
The Company has filed with the Securities and Exchange Commission (the
"Commission"), Washington, D.C. 20549, a Registration Statement on Form S-1
under the Securities Act with respect to the shares of Common Stock offered
hereby. This Prospectus, which constitutes a part of the Registration
Statement, does not contain all of the information set forth in the
Registration Statement and the exhibits and schedule thereto. Certain items
are omitted in accordance with the rules and regulations of the Commission.
For further information with respect to the Company and the Common Stock
offered hereby, reference is made to the Registration Statement and the
exhibits and schedule thereto. Statements contained in this Prospectus
regarding the contents of any contract or any other document to which
reference is made are not necessarily complete, and, in each instance,
reference is made to the copy of such contract or other document filed as an
exhibit to the Registration Statement, each such statement being qualified in
all respects by such reference. A copy of the Registration Statement, and the
exhibits and schedule thereto, may be inspected without charge at the public
reference facilities maintained by the Commission in Room 1024, 450 Fifth
Street, N.W., Washington, D.C. 20549, and at the Commission's regional offices
located at the Northwestern Atrium Center, 500 West Madison Street, Suite
1400, Chicago, Illinois 60661 and Seven World Trade Center, 13th Floor, New
York, New York 10048, and copies of all or any part of the Registration
Statement may be obtained from such offices upon the payment of the fees
prescribed by the Commission. The Commission maintains a World Wide Web site
that contains reports, proxy and information statements and other information
regarding registrants that file electronically with the Commission. The
address of the site is http://www.sec.gov.
VERISIGN, INC.
INDEX TO CONSOLIDATED FINANCIAL STATEMENTS
PAGE
----
Report of KPMG Peat Marwick LLP, Independent Auditors...................... F-2
Consolidated Balance Sheets................................................ F-3
Consolidated Statements of Operations...................................... F-4
Consolidated Statements of Stockholders' Equity............................ F-5
Consolidated Statements of Cash Flows...................................... F-6
Notes to Consolidated Financial Statements................................. F-7
F-1
INDEPENDENT AUDITORS' REPORT
The Board of Directors and Stockholders
VeriSign, Inc.:
We have audited the accompanying consolidated balance sheets of VeriSign,
Inc. and subsidiary as of December 31, 1996 and 1997, and the related
consolidated statements of operations, stockholders' equity, and cash flows
for the period from April 12, 1995 (inception) to December 31, 1995, and for
each of the years in the two-year period ended December 31, 1997. These
consolidated financial statements are the responsibility of the Company's
management. Our responsibility is to express an opinion on these consolidated
financial statements based on our audits.
We conducted our audits in accordance with generally accepted auditing
standards. Those standards require that we plan and perform the audit to
obtain reasonable assurance about whether the financial statements are free of
material misstatement. An audit includes examining, on a test basis, evidence
supporting the amounts and disclosures in the financial statements. An audit
also includes assessing the accounting principles used and significant
estimates made by management, as well as evaluating the overall financial
statement presentation. We believe that our audits provide a reasonable basis
for our opinion.
In our opinion, the consolidated financial statements referred to above
present fairly, in all material respects, the financial position of VeriSign,
Inc. and subsidiary as of December 31, 1996 and 1997, and the results of their
operations and their cash flows for the period from April 12, 1995 (inception)
to December 31, 1995, and for each of the years in the two-year period ended
December 31, 1997, in conformity with generally accepted accounting
principles.
KPMG Peat Marwick LLP
San Francisco, California
January 8, 1998
F-2
VERISIGN, INC. AND SUBSIDIARY
CONSOLIDATED BALANCE SHEETS
(IN THOUSANDS, EXCEPT SHARE DATA)
                                                         DECEMBER 31,
                                                  ---------------------------
                                                                    PRO FORMA
                                                     1996      1997      1997
                                                  -------   ------- ---------
ASSETS                                                             (UNAUDITED)
Current assets:
  Cash and cash equivalents.....................  $29,983   $ 3,943   $ 3,943
  Short-term investments........................       --     7,951     7,951
  Accounts receivable, net of allowance for
   doubtful accounts of $35 and $214,
   respectively.................................      751     2,274     2,274
  Prepaid expenses and other current assets.....      786       750       750
                                                  -------   -------   -------
    Total current assets........................   31,520    14,918    14,918
Property and equipment, net.....................    4,617     8,622     8,622
Other assets....................................      366       866       866
                                                  -------   -------   -------
                                                  $36,503   $24,406   $24,406
                                                  =======   =======   =======
LIABILITIES AND STOCKHOLDERS' EQUITY
Current liabilities:
  Notes payable.................................  $   258   $    --   $    --
  Accounts payable..............................    2,461     2,526     2,526
  Accrued liabilities...........................    2,034     2,346     2,346
  Deferred revenue..............................    1,944     4,819     4,819
                                                  -------   -------   -------
    Total current liabilities...................    6,697     9,691     9,691
                                                  -------   -------   -------
Minority interest in subsidiary.................    1,251     2,246     2,246
                                                  -------   -------   -------
Commitments
Stockholders' equity:
  Convertible preferred stock, $.001 par value;
   actual--10,282,883 shares authorized;
   10,031,006 shares issued and outstanding in
   1996 and 1997; aggregate liquidation
   preference of $39,206 in 1996 and 1997; pro
   forma--5,000,000 shares authorized; no shares
   issued and outstanding.......................       10        10        --
  Common stock, $.001 par value; actual--
   21,592,117 shares authorized; 6,376,708 and
   7,120,238 shares issued and outstanding in
   1996 and 1997, respectively; pro forma--
   50,000,000 shares authorized; 17,151,244
   shares issued and outstanding................        6         7        17
  Additional paid-in capital....................   41,319    44,908    44,908
  Notes receivable from stockholders............     (543)     (644)     (644)
  Deferred compensation.........................       --      (380)     (380)
  Accumulated deficit...........................  (12,237)  (31,432)  (31,432)
                                                  -------   -------   -------
    Total stockholders' equity..................   28,555    12,469    12,469
                                                  -------   -------   -------
                                                  $36,503   $24,406   $24,406
                                                  =======   =======   =======
See accompanying notes to consolidated financial statements.
VERISIGN, INC. AND SUBSIDIARY
CONSOLIDATED STATEMENTS OF OPERATIONS
(IN THOUSANDS, EXCEPT PER SHARE DATA)
PERIOD FROM
APRIL 12, 1995 YEAR ENDED
(INCEPTION) TO DECEMBER 31,
DECEMBER 31, ------------------
1995 1996 1997
-------------- -------- --------
Revenues................................... $ 382 $ 1,351 $ 9,382
Costs and expenses:
Cost of revenues......................... 412 2,791 7,833
Sales and marketing...................... 790 4,876 10,839
Research and development................. 642 2,058 5,188
General and administrative............... 680 2,640 4,604
Nonrecurring charges..................... -- -- 2,800
------- -------- --------
Total costs and expenses............... 2,524 12,365 31,264
------- -------- --------
Operating loss......................... (2,142) (11,014) (21,882)
Other income (expense)..................... 148 (67) 1,149
------- -------- --------
Loss before minority interest.......... (1,994) (11,081) (20,733)
Minority interest in net loss of subsidiary.. -- (838) (1,538)
------- -------- --------
Net loss............................... $(1,994) $(10,243) $(19,195)
======= ======== ========
Pro forma basic and diluted net loss per
share..................................... $ (.74) $ (1.13)
======== ========
Shares used in per share computations...... 13,836 17,018
See accompanying notes to consolidated financial statements.
VERISIGN, INC. AND SUBSIDIARY
CONSOLIDATED STATEMENTS OF STOCKHOLDERS' EQUITY
PERIOD FROM APRIL 12, 1995 (INCEPTION) TO DECEMBER 31, 1997
(IN THOUSANDS, EXCEPT SHARE DATA)
CONVERTIBLE NOTES
PREFERRED STOCK COMMON STOCK ADDITIONAL RECEIVABLE TOTAL
----------------- ----------------- PAID-IN FROM DEFERRED ACCUMULATED STOCKHOLDERS'
SHARES AMOUNT SHARES AMOUNT CAPITAL STOCKHOLDERS COMPENSATION DEFICIT EQUITY
---------- ------ --------- ------ ---------- ------------ ------------ ----------- -------------
Issuance of common
stock to founders... -- $ -- 688,333 $ 1 $ 82 $ -- $ -- $ -- $ 83
Issuance of common
stock to a founder
in exchange for
equipment, other
assets, and
technology.......... -- -- 4,000,000 4 115 -- -- -- 119
Issuance of common
stock............... -- -- 4,500 -- -- -- -- -- --
Issuance of Series A
convertible
preferred stock..... 4,306,883 4 -- -- 5,164 -- -- -- 5,168
Net loss............. -- -- -- -- -- -- -- (1,994) (1,994)
---------- ---- --------- --- -------- ------ ------ --------- --------
Balances, December
31, 1995............ 4,306,883 4 4,692,833 5 5,361 -- -- (1,994) 3,376
Issuance of Series B
convertible
preferred stock..... 2,099,123 2 -- -- 5,141 -- -- -- 5,143
Issuance of Series C
convertible
preferred stock..... 3,625,000 4 -- -- 28,192 -- -- -- 28,196
Exercise of common
stock options....... -- -- 1,637,375 1 559 (543) -- -- 17
Issuance of common
stock............... -- -- 46,500 -- 3 -- -- -- 3
Issuance of capital
stock by subsidiary
to minority
interest............ -- -- -- -- 2,063 -- -- -- 2,063
Net loss............. -- -- -- -- -- -- -- (10,243) (10,243)
---------- ---- --------- --- -------- ------ ------ --------- --------
Balances, December
31, 1996............ 10,031,006 10 6,376,708 6 41,319 (543) -- (12,237) 28,555
Deferred compensation
related to common
stock options, net
of amortization of
$34................. -- -- -- -- 414 -- (380) -- 34
Exercise of common
stock options and
advance to
stockholder......... -- -- 432,250 1 244 (116) -- -- 129
Issuance of common
stock............... -- -- 39,405 -- 141 -- -- -- 141
Issuance of common
stock for litigation
settlement.......... -- -- 250,000 -- 2,000 -- -- -- 2,000
Issuance of common
stock for preferred
provider agreement.. -- -- 100,000 -- 800 -- -- -- 800
Repurchase of common
stock............... -- -- (78,125) -- (10) 10 -- -- --
Payments on notes
receivable from
stockholders........ -- -- -- -- -- 5 -- -- 5
Net loss............. -- -- -- -- -- -- -- (19,195) (19,195)
---------- ---- --------- --- -------- ------ ------ --------- --------
Balances, December
31, 1997............ 10,031,006 $ 10 7,120,238 $ 7 $ 44,908 $ (644) $ (380) $ (31,432) $ 12,469
========== ==== ========= === ======== ====== ====== ========= ========
See accompanying notes to consolidated financial statements.
VERISIGN, INC. AND SUBSIDIARY
CONSOLIDATED STATEMENTS OF CASH FLOWS
(IN THOUSANDS)
PERIOD FROM
APRIL 12, 1995 YEAR ENDED
(INCEPTION) TO DECEMBER 31,
DECEMBER 31, ------------------
1995 1996 1997
-------------- -------- --------
Cash flows from operating activities:
Net loss.................................... $(1,994) $(10,243) $(19,195)
Adjustments to reconcile net loss to net
cash used in
operating activities:
Nonrecurring charges...................... -- -- 2,800
Depreciation and amortization............. 52 559 2,611
Minority interest in net loss of
subsidiary............................... -- (838) (1,538)
Changes in operating assets and
liabilities:
Accounts receivable..................... (195) (556) (1,523)
Prepaid expenses and other current
assets................................. (79) (708) 36
Accounts payable........................ 437 2,047 65
Accrued liabilities..................... 216 1,818 312
Deferred revenue........................ 42 1,898 2,875
------- -------- --------
Net cash used in operating activities... (1,521) (6,023) (13,557)
------- -------- --------
Cash flows from investing activities:
Purchases of short-term investments....... -- -- (14,918)
Maturities and sales of short-term
investments.............................. -- -- 6,967
Purchases of property and equipment....... (1,008) (4,168) (6,582)
Other assets.............................. (35) (281) (500)
------- -------- --------
Net cash used in investing activities... (1,043) (4,449) (15,033)
------- -------- --------
Cash flows from financing activities:
Proceeds from bank borrowings............. -- 258 2,481
Repayment of bank borrowings.............. -- -- (2,739)
Proceeds from issuance of convertible
preferred stock.......................... 5,168 33,339 --
Proceeds from issuance of common stock.... 83 20 275
Issuance of capital stock by subsidiary to
minority interest........................ -- 4,151 2,533
------- -------- --------
Net cash provided by financing
activities............................. 5,251 37,768 2,550
------- -------- --------
Net change in cash and cash equivalents..... 2,687 27,296 (26,040)
Cash and cash equivalents at beginning of
period..................................... -- 2,687 29,983
------- -------- --------
Cash and cash equivalents at end of year.... $ 2,687 $ 29,983 $ 3,943
======= ======== ========
Noncash financing and investing activities:
Issuance of common stock to a founder for
equipment, other assets, and technology.. $ 119 $ -- $ --
======= ======== ========
Issuance of notes receivable
collateralized by common stock........... $ -- $ 543 $ 116
======= ======== ========
See accompanying notes to consolidated financial statements.
VERISIGN, INC. AND SUBSIDIARY
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
DECEMBER 31, 1995, 1996 AND 1997
(1) DESCRIPTION OF BUSINESS AND SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES
VeriSign, Inc. (the "Company") was incorporated in Delaware in April 1995
when RSA Data Security, Inc. ("RSA") contributed equipment, other assets, and
technology for common stock. This transfer of nonmonetary assets was recorded
at the founder's historical cost basis. The Company provides digital
certificate solutions and infrastructure needed by companies, government
agencies, trading partners and individuals to conduct trusted and secure
communications and commerce over the Internet and over intranets and extranets
using the Internet Protocol.
Consolidation
In February 1996, the Company established a subsidiary in Japan. As of
December 31, 1997, the Company owned approximately 50.5% of the subsidiary's
outstanding shares of capital stock. The subsidiary provides the Company's
digital certificate solutions throughout Japan. The accompanying consolidated
financial statements include the accounts of the Company and its subsidiary.
All significant intercompany balances and transactions have been eliminated in
consolidation. The Company accounts for changes in its proportionate share of
the net assets of the subsidiary resulting from sales of capital stock by the
subsidiary as equity transactions.
Foreign Currency Translation
The functional currency for the Company's subsidiary is the U.S. dollar;
however, its books of record are maintained in Japanese yen. As a result, its
financial statements are remeasured into U.S. dollars using a combination of
current and historical exchange rates and any remeasurement adjustments are
included in net loss, along with all transaction gains and losses for the
period.
Cash, Cash Equivalents, and Short-Term Investments
The Company considers all highly liquid investments with maturities of three
months or less at the date of acquisition to be cash equivalents. Cash and
cash equivalents include money market funds, commercial paper, and various
deposit accounts.
Investments held by the Company are classified as "available-for-sale" and
are carried at fair value based on quoted market prices. Such investments
consist of U.S. government or agency securities and corporate bonds with
original maturities beyond 3 months and less than 12 months. Unrealized gains
and losses as of December 31, 1996 and 1997, and realized gains and losses for
the periods presented were not material.
Property and Equipment
Property and equipment are stated at cost less accumulated depreciation.
Depreciation is calculated using the straight-line method over the estimated
useful lives of the assets, generally three to five years.
Revenue Recognition
Revenues from the sale or renewal of digital certificates are deferred and
recognized ratably over the life of the digital certificate, generally 12
months. Revenues from services are recognized using the percentage-of-
completion method, based on the ratio of costs incurred to total estimated
costs for fixed-fee development arrangements, on a time-and-materials basis
for consulting and training services or ratably over the term of the agreement
for support and maintenance services. To the extent costs incurred and
anticipated costs to complete
fixed-fee contracts in progress exceed anticipated billings, a loss is accrued
for the excess. To date, the Company has not experienced such losses. Deferred
revenue principally consists of payments for unexpired digital certificates.
In October 1997, the American Institute of Certified Public Accountants
issued Statement of Position ("SOP") No. 97-2, Software Revenue Recognition,
which supersedes SOP No. 91-1. The Company will be required to adopt SOP No.
97-2 prospectively for software transactions entered into beginning January 1,
1998. SOP No. 97-2 generally requires revenue earned on software arrangements
involving multiple elements to be allocated to each element based on the
relative fair values of the elements. The fair value of an element must be
based on evidence that is specific to the vendor. If a vendor does not have
evidence of the fair value for all elements in a multiple-element arrangement,
all revenue from the arrangement is deferred until such evidence exists or
until all elements are delivered. The Company's management anticipates that
the adoption of SOP No. 97-2 will not have a material effect on the Company's
operating results.
Research and Development Costs
Research and development costs are expensed as incurred. Costs incurred
subsequent to establishing technological feasibility, in the form of a working
model, are capitalized and amortized over their estimated useful lives. To
date, software development costs incurred after technological feasibility has
been established have not been material.
Income Taxes
The Company uses the asset and liability method to account for income taxes.
Deferred tax assets and liabilities are recognized for the future tax
consequences attributable to differences between the financial statement
carrying amounts of existing assets and liabilities and their respective tax
bases. Deferred tax assets and liabilities are measured using enacted tax
rates expected to apply to taxable income in the years in which those
temporary differences are expected to be recovered or settled. The effect on
deferred tax assets and liabilities of a change in tax rates is recognized in
income in the period that includes the enactment date. A valuation allowance
is recorded for deferred tax assets whose realization is not sufficiently
likely.
Stock-Based Compensation
The Company accounts for its equity-based compensation plan using the
intrinsic value method.
Pro Forma Net Loss Per Share
Pro forma basic net loss per share is computed using the weighted average
number of shares of common stock and convertible preferred stock outstanding
on an as-if converted basis. Pro forma diluted net loss per share is computed
using the weighted average number of shares of common stock and convertible
preferred stock outstanding on an as-if converted basis and, when dilutive,
common equivalent shares from options to purchase common stock using the
treasury stock method. In accordance with certain Securities and Exchange
Commission Staff Accounting Bulletins, such computations included all common
and common equivalent shares issued within the 12 months preceding the initial
public offering ("IPO") date as if they were outstanding for all prior periods
presented using the treasury stock method and the estimated IPO price.
Concentration of Credit Risk, Related Party Transactions and Significant
Customers
Financial instruments that potentially subject the Company to significant
concentrations of credit risk consist principally of cash, cash equivalents,
short-term investments, and accounts receivable. The Company maintains
its cash, cash equivalents, and short-term investments with high quality
financial institutions and, as part of its cash management process, performs
periodic evaluations of the relative credit standing of these financial
institutions. The Company also performs ongoing credit evaluations of its
customers and, generally, requires no collateral from its customers. The
Company maintains an allowance for potential credit losses, but to date has
not experienced significant write-offs.
The Company provided services to VISA International Services Association
("VISA"), a 6% stockholder of the Company on a fully-diluted basis, under an
agreement that included development and ongoing operations of a digital
certificate system for VISA's member banks. VISA accounted for approximately
21% and 14% of the Company's revenues for the years ended December 31, 1996 and
1997, respectively, and 13% and 11% of accounts receivable as of December 31,
1996 and 1997, respectively.
The Company entered into a development agreement in September 1997 with
Security Dynamics Technologies, Inc. ("Security Dynamics"), the parent company
of RSA, a 26% stockholder of the Company on a fully-diluted basis, to develop
a customized certificate authority product in order to enable Security
Dynamics to offer a product with encryption and digital certificate authority
functionality. The development agreement provides that Security Dynamics will
pay the Company an aggregate of $2.7 million as an initial license fee,
$900,000 of which was paid in October 1997 and the remainder of which will be
payable upon the achievement of certain milestones. The Company records
revenue related to the development agreement using the percentage-of-
completion method. Revenue from the development agreement accounted for
approximately 4% of the Company's revenues for the nine months ended
September 30, 1997.
The Company had one customer, a South African systems integrator, and
another customer, a financial services provider, which accounted for
approximately 28% and 13%, respectively, of accounts receivable as of December
31, 1996. One other customer, a network equipment provider, accounted for
approximately 13% of accounts receivable as of December 31, 1997.
Use of Estimates
The preparation of consolidated financial statements in conformity with
generally accepted accounting principles requires management to make estimates
and assumptions that affect the reported amounts of assets and liabilities and
disclosure of contingent assets and liabilities at the date of the
consolidated financial statements and reported amounts of revenues and
expenses during the reporting period. Actual results could differ from those
estimates.
Unaudited Pro Forma Consolidated Balance Sheet
Upon closing of the Company's proposed initial public offering, all
outstanding shares of preferred stock will be converted into 10,031,006 shares
of common stock. The unaudited pro forma consolidated balance sheet as of
December 31, 1997, reflects this conversion.
(2) CASH, CASH EQUIVALENTS, AND SHORT-TERM INVESTMENTS
Available-for-sale securities included in cash, cash equivalents, and short-
term investments are as follows (in thousands):
DECEMBER 31,
--------------
1996 1997
------ -------
Corporate bonds.............................................. $ -- $ 3,244
Money market funds........................................... 521 3,311
U.S. government and agency securities........................ 84 1,000
Commercial paper............................................. -- 1,060
------ -------
$ 605 $ 8,615
====== =======
Included in cash and cash equivalents........................ $ 605 $ 664
====== =======
Included in short-term investments........................... $ -- $ 7,951
====== =======
(3) PROPERTY AND EQUIPMENT
Property and equipment are summarized as follows (in thousands):
DECEMBER 31,
--------------
1996 1997
------ -------
Computer equipment and purchased software.................... $3,501 $ 7,927
Office equipment, furniture and fixtures..................... 792 1,442
Leasehold improvements....................................... 934 2,425
------ -------
5,227 11,794
Less accumulated depreciation and amortization............... 610 3,172
------ -------
$4,617 $ 8,622
====== =======
(4) ACCRUED LIABILITIES
A summary of accrued liabilities follows (in thousands):
DECEMBER 31,
--------------
1996 1997
------ -------
Employee compensation........................................ $ 566 $ 1,443
Professional fees............................................ 354 95
Financing charges............................................ 732 --
Other........................................................ 382 808
------ -------
$2,034 $ 2,346
====== =======
(5) NOTES PAYABLE
The Company's Japanese subsidiary had an available credit facility of
250,000,000 yen with a bank, which bore interest at a rate of 1.625% per annum
and expired in December 1997. Borrowings were secured by certain assets of the
subsidiary. As of December 31, 1996, borrowings under this facility aggregated
$258,000.
The Company's Japanese subsidiary has available a revolving line of credit
with a bank that provides up to $500,000, bears interest at 1.625% per annum
and expires in May 1998. The line of credit is secured by a letter of credit
in the same amount from the Company. There were no borrowings under this
arrangement as of December 31, 1996 or 1997.
In January 1997, the Company entered into an agreement for a non-revolving
equipment line of credit with a financing company that provides up to
$3,000,000, bears interest at 7.50% per annum and expires in March 1999. The
line of credit is secured by the Company's fixed assets. The Company is
obligated to grant a warrant to purchase up to 17,500 shares of common stock
at $8.00 per share in the event the Company borrows funds under the equipment
line of credit. There were no borrowings under this arrangement as of December
31, 1997.
(6) STOCKHOLDERS' EQUITY
Convertible Preferred Stock
In April 1995, the Company issued 4,306,883 shares of Series A convertible
preferred stock to previously unrelated third parties, except for 425,000
shares issued to Security Dynamics. In February 1996, the Company issued
2,099,123 shares of Series B convertible preferred stock. A majority of the
shares were issued to a previously unrelated third party venture capitalist
and the remainder were issued to existing investors, including Security
Dynamics and VISA. In November and December 1996, the Company issued 3,625,000
shares of Series C convertible preferred stock to previously unrelated third
parties.
As of December 31, 1997, convertible preferred stock consisted of the
following:
SHARES
SHARES ISSUED AND
SERIES AUTHORIZED OUTSTANDING
------ ---------- -----------
A.................................................... 4,306,883 4,306,883
B.................................................... 2,101,000 2,099,123
C.................................................... 3,875,000 3,625,000
---------- ----------
10,282,883 10,031,006
========== ==========
The rights, preferences, and privileges of the holders of convertible
preferred stock are as follows:
. The holders of Series A, B, and C preferred stock are entitled to
noncumulative dividends, if and when declared by the Board of Directors,
of $0.10, $0.20, and $0.64 per share, respectively.
. Shares of preferred stock are convertible to common stock at any time at
the rate of one share of common stock for each share of convertible
preferred stock. The convertible preferred stock automatically converts
to common stock upon the closing of an underwritten public offering of
the Company's common stock in which the aggregate proceeds for such
shares are at least $15,000,000 and the per share price is at least $9.00
per share.
. The holders of convertible preferred stock are protected by certain
antidilutive provisions.
. Shares of Series A, B, and C convertible preferred stock have a
liquidation preference of $1.20, $2.40, and $8.00 per share,
respectively, plus any declared and unpaid dividends.
. The convertible preferred stock generally votes equally with shares of
common stock on an "as if converted" basis.
No dividends have been declared or paid on the convertible preferred stock
or common stock since inception of the Company.
Common Stock
As of December 31, 1997, a total of 7,070,000 shares of common stock were
authorized for issuance under the Company's equity incentive plans (the
"Plans"), including 4,145,000 shares authorized under the 1995 Stock Option
Plan, 800,000 shares authorized under the 1997 Stock Option Plan, an
additional 2,000,000 shares authorized under the 1998 Equity Incentive Plan,
and 125,000 shares authorized under the 1998 Directors Plan.
Options may be granted at an exercise price not less than 100% of the fair
market value of the Company's common stock on the date of grant, as determined
by the Board of Directors, for incentive stock options and 85% of such fair
market value for nonqualified stock options. All options are granted at the
discretion of the Company's Board of Directors and have a term not greater
than 7 years from the date of grant. Options issued generally vest 25% on the
first anniversary date and ratably over the following 12 quarters.
A summary of stock option activity under the Plans follows:
PERIOD FROM
APRIL 12, 1995 YEAR ENDED DECEMBER 31,
(INCEPTION) TO ------------------------------------------
DECEMBER 31, 1995 1996 1997
-------------------- --------------------- --------------------
WEIGHTED- WEIGHTED- WEIGHTED-
AVERAGE AVERAGE AVERAGE
EXERCISE EXERCISE EXERCISE
SHARES PRICE SHARES PRICE SHARES PRICE
--------- --------- ---------- --------- --------- ---------
Outstanding at beginning
of period.............. -- $ -- 1,274,750 $.12 1,608,075 $ .80
Granted................. 1,398,750 .12 2,022,700 .83 1,425,150 4.53
Exercised............... -- -- (1,637,375) .34 (432,250) .58
Canceled................ (124,000) .12 (52,000) .13 (84,157) .91
--------- ---------- ---------
Outstanding at end of
period................. 1,274,750 .12 1,608,075 .80 2,516,818 2.95
========= ========== =========
Exercisable at end of
period................. 86,457 152,163 249,963
========= ========== =========
Weighted average fair
value of options
granted during the
period................. .03 .22 1.33
==== ==== =====
The following table summarizes information about stock options outstanding
as of December 31, 1997:
WEIGHTED-
RANGE AVERAGE WEIGHTED-
OF REMAINING AVERAGE
EXERCISE NUMBER CONTRACTUAL EXERCISE NUMBER
PRICES OUTSTANDING LIFE PRICE EXERCISABLE
-------- ----------- ----------- --------- -----------
$.12-.25...................... 377,212 4.8 years $ .15 113,672
$.75-1.50..................... 709,206 5.7 years $ .86 126,791
$2.25......................... 569,050 6.3 years $2.25 125
$4.00-8.00.................... 861,350 6.7 years $6.35 9,375
The Company applies the intrinsic value method in accounting for its equity-
based compensation plan. Had compensation cost for the Company's equity-based
compensation plans been determined consistent with the fair value approach set
forth in SFAS No. 123, Accounting for Stock-Based Compensation, the Company's
net loss for the period from April 12, 1995 (inception) to December 31, 1995,
and for each of the years in the two-year period ended December 31, 1997,
would have been as follows (in thousands, except per share data):
1995 1996 1997
------- -------- --------
Net loss as reported.......................... $(1,994) $(10,243) $(19,195)
Pro forma net loss under SFAS No. 123......... (1,999) (10,294) (19,472)
Pro forma basic and diluted net loss per share
as reported.................................. (.74) (1.13)
Pro forma basic and diluted net loss per share
under SFAS No. 123........................... (.74) (1.14)
The fair value of options granted during the period from April 12, 1995
(inception) to December 31, 1995 and the years ended December 31, 1996 and
1997, is estimated on the date of grant using the minimum value method with
the following weighted-average assumptions: no dividend yield; risk-free
interest rates of 6.11%, 6.21%, and 6.14%, respectively; and an expected life
of 5 years.
Notes Receivable From Stockholders
In November 1996, the Company loaned several officers an aggregate of
$543,000, due December 31, 2005, bearing interest at a rate per annum of
6.95%, payable quarterly. In August 1997, the Company loaned an officer an
aggregate of $116,000, due December 31, 2006, bearing interest at a rate per
annum of 6.87%, payable quarterly. The loans are full recourse, are
collateralized by pledges of shares of common stock of the Company that were
purchased and may be prepaid in part or in full without notice or penalty.
1998 Employee Stock Purchase Plan
In December 1997, the Board of Directors adopted, and in January 1998, the
stockholders approved, the 1998 Employee Stock Purchase Plan ("Purchase
Plan"), for which 500,000 shares of the Company's common stock have been
authorized. Eligible employees may select a rate of payroll deduction between
2% and 10% of their compensation and each participant will be granted an
option on the first day of each 24 month offering period and such option will
be automatically exercised on the last day of each six month purchase period
during the offering period. The purchase price for the Company's common stock
purchased under the Purchase Plan is 85% of the lesser of the fair market value
of the Company's common stock on the first day of the applicable offering
period and the last day of the applicable purchase period. The first offering
period is expected to begin on the first business day on which price
quotations for the Company's common stock are available on the Nasdaq National
Market and, depending on the effective date of the registration statement for
the Company's proposed initial public offering, may be greater or less than 24
months. Offering periods thereafter will begin at February 1 and August 1.
(7) INCOME TAXES
The tax effects of temporary differences that give rise to significant
portions of the Company's deferred tax assets are as follows (in thousands):
DECEMBER 31,
-----------------
1996 1997
------- --------
Deferred tax assets:
Net operating loss carryforwards and deferred start-up
costs................................................ $ 4,016 $ 11,579
Tax credit carryforwards.............................. 177 839
Other................................................. 162 507
------- --------
4,355 12,925
Valuation allowance..................................... (4,355) (12,925)
------- --------
Net deferred tax assets............................. $ -- $ --
======= ========
As of December 31, 1997, the Company has available net operating loss
carryforwards for federal and California income tax purposes of approximately
$26,900,000 and $27,100,000, respectively. The federal net operating loss
carryforwards will expire, if not utilized, in years 2010 through 2014. The
California net operating loss carryforwards will expire, if not utilized, in
the year 2003.
As of December 31, 1997, the Company has available for carryover research
and experimental tax credits for federal and California income tax purposes of
approximately $411,000 and $248,000, respectively. The federal research and
experimental tax credits will expire, if not utilized, in years 2010 through
2014. California research and experimental tax credits carry forward
indefinitely until utilized. The Company also has federal foreign tax credits
of approximately $180,000, which expire, if not utilized, in the year 2003.
The Tax Reform Act of 1986 imposed substantial restrictions on the
utilization of net operating losses and tax credits in the event of an
"ownership change" of a corporation. Accordingly, the Company's ability to
utilize net operating loss and credit carryforwards may be limited as a result
of such an "ownership change" as defined in the Internal Revenue Code.
(8) COMMITMENTS
Leases
The Company leases its facilities under operating leases that extend through
2002. Future minimum lease payments under the Company's noncancelable
operating leases as of December 31, 1997, are as follows (in thousands):
1998................................................................. $1,645
1999................................................................. 1,667
2000................................................................. 1,679
2001................................................................. 1,293
2002................................................................. 9
------
Total minimum lease payments......................................... $6,293
======
Net rental expense under operating leases for the period from April 12, 1995
(inception) to December 31, 1995 and for the years ended December 31, 1996 and
1997, was $141,000, $621,000, and $1,700,000, respectively.
(9) NONRECURRING CHARGES
VeriFone
In September 1996, VeriFone, Inc., which subsequently became a wholly-owned
subsidiary of Hewlett-Packard Company, filed a lawsuit against the Company
alleging, among other things, trademark infringement. In November 1997, both
parties executed a definitive agreement under which, among other things, the
Company issued an aggregate of 250,000 shares of common stock, which were
transferred to Hewlett-Packard, and the Company and VeriFone settled such
claims. The settlement amount was recorded during the year ended December 31,
1997 as a $2.0 million charge to operations.
Microsoft
In November 1997, the Company entered into a preferred provider agreement
with Microsoft Corporation ("Microsoft") whereby the companies will develop,
promote and distribute a variety of client-based and server-based digital
certificate solutions and the Company will be designated as the premier
provider of digital certificates for Microsoft customers. In connection with
the agreement, the Company issued 100,000 shares of common stock to Microsoft
resulting in an $800,000 charge to operations.
(10) GEOGRAPHIC INFORMATION
Financial information by geographic area is as follows (in thousands):
                                             UNITED
DECEMBER 31, 1996                            STATES    JAPAN   CONSOLIDATED
-----------------                           --------  -------  ------------
Revenues................................... $  1,296  $    55    $  1,351
Operating loss............................. $ (9,281) $(1,733)   $(11,014)
Total assets, excluding cash and cash
 equivalents............................... $  5,922  $   598    $  6,520
DECEMBER 31, 1997
Revenues................................... $  9,009  $   373    $  9,382
Operating loss............................. $(18,747) $(3,135)   $(21,882)
Total assets, excluding cash and cash
 equivalents............................... $ 16,703  $ 3,760    $ 20,463
Intergeographic transactions have not been significant to date. Other
revenues derived from international customers aggregated $861,000 for the year
ended December 31, 1997.
PART II
INFORMATION NOT REQUIRED IN PROSPECTUS
ITEM 13. OTHER EXPENSES OF ISSUANCE AND DISTRIBUTION.
The expenses to be paid by the Registrant in connection with this offering
are as follows. All amounts other than the SEC registration fee, NASD filing
fee and Nasdaq National Market application fee are estimates.
SEC Registration Fee............................................. $ 12,122
NASD Filing Fee.................................................. 4,500
Nasdaq National Market Application Fee........................... 50,000
Printing......................................................... 200,000
Legal Fees and Expenses.......................................... 425,000
Accounting Fees and Expenses..................................... 225,000
Road Show Expenses............................................... 50,000
Blue Sky Fees and Expenses....................................... 5,000
Transfer Agent and Registrar Fees................................ 5,000
Miscellaneous.................................................... 23,378
----------
Total.......................................................... $1,000,000
==========
ITEM 14. INDEMNIFICATION OF DIRECTORS AND OFFICERS.
Section 145 of the Delaware General Corporation Law authorizes a court to
award, or a corporation's Board of Directors to grant, indemnity to directors
and officers in terms sufficiently broad to permit such indemnification under
certain circumstances for liabilities (including reimbursement for expenses
incurred) arising under the Securities Act of 1933, as amended (the
"Securities Act").
As permitted by the Delaware General Corporation Law, the Registrant's Third
Amended and Restated Certificate of Incorporation, which will become effective
upon the completion of this offering, includes a provision that eliminates the
personal liability of its directors for monetary damages for breach of
fiduciary duty as a director, except for liability (i) for any breach of the
director's duty of loyalty to the Registrant or its stockholders, (ii) for
acts or omissions not in good faith or that involve intentional misconduct or
a knowing violation of law, (iii) under section 174 of the Delaware General
Corporation Law (regarding unlawful dividends and stock purchases) or (iv) for
any transaction from which the director derived an improper personal benefit.
As permitted by the Delaware General Corporation Law, the Registrant's
Amended and Restated Bylaws, which will become effective upon the completion
of this offering, provide that (i) the Registrant is required to indemnify its
directors and officers to the fullest extent permitted by the Delaware General
Corporation Law, subject to certain very limited exceptions, (ii) the
Registrant may indemnify its other employees and agents to the extent that it
indemnifies its officers and directors, unless otherwise required by law, its
Certificate of Incorporation, its Amended and Restated Bylaws, or agreement,
(iii) the Registrant is required to advance expenses, as incurred, to its
directors and executive officers in connection with a legal proceeding to the
fullest extent permitted by the Delaware General Corporation Law, subject to
certain very limited exceptions and (iv) the rights conferred in the Amended
and Restated Bylaws are not exclusive.
The Registrant has entered into Indemnification Agreements with each of its
current directors and certain of its executive officers and intends to enter
into such Indemnification Agreements with each of its other executive officers
to give such directors and executive officers additional contractual
assurances regarding the scope of the indemnification set forth in the
Registrant's Certificate of Incorporation and to provide additional procedural
protections. At present, there is no pending litigation or proceeding
involving a director, officer or employee of the Registrant regarding which
indemnification is sought, nor is the Registrant aware of any threatened
litigation that may result in claims for indemnification.
Reference is also made to Article VIII of the Underwriting Agreement, which
provides for the indemnification of officers, directors and controlling
persons of the Registrant against certain liabilities. The indemnification
provisions in the Registrant's Certificate of Incorporation, Amended and
Restated Bylaws and the Indemnification Agreements entered into between the
Registrant and each of its directors and executive officers may be
sufficiently broad to permit indemnification of the Registrant's directors and
executive officers for liabilities arising under the Securities Act.
The Registrant, with approval by the Registrant's Board of Directors, has
applied for, and expects to obtain, directors' and officers' liability
insurance.
Reference is made to the following documents filed as exhibits to this
Registration Statement regarding relevant indemnification provisions described
above and elsewhere herein:
                                                                     EXHIBIT
DOCUMENT                                                             NUMBER
--------                                                             -------
Underwriting Agreement (draft dated November 20, 1997)............. 1.01
Form of Third Amended and Restated Certificate of Incorporation of
Registrant........................................................ 3.03
Form of Amended and Restated Bylaws of Registrant.................. 3.05
Form of Indemnification Agreement.................................. 10.05
ITEM 15. RECENT SALES OF UNREGISTERED SECURITIES.
The following table sets forth information regarding all securities sold by
the Registrant since April 12, 1995, the Company's inception date.
AGGREGATE
NAME OR DATE TITLE OF NUMBER PURCHASE FORM OF
CLASS OF PURCHASER OF SALE SECURITIES OF SHARES PRICE CONSIDERATION
------------------ ------- ------------------ --------- --------- -------------
RSA Data Security, 4/18/95 Common Stock 4,000,000 $ 119,000 Property(1)
Inc....................
Bessemer Venture 4/18/95 Common Stock 258,333 31,000 Cash
Partners DCI...........
D. James Bidzos......... 4/18/95 Common Stock 125,000 15,000 Cash
Ronald Rivest........... 4/18/95 Common Stock 125,000 15,000 Cash
Kairdos L.L.C........... 4/18/95 Common Stock 100,000 12,000 Cash
TZM Investment Fund..... 4/18/95 Common Stock 80,000 9,600 Cash
Bessemer Venture 4/18/95 Series A Preferred 850,000 1,020,000 Cash
Partners DCI........... Stock(2)
Visa International 4/18/95 Series A Preferred 850,000 1,020,000 Cash
Service Association.... Stock(2)
Intel Corporation....... 4/18/95 Series A Preferred 850,000 1,020,000 Cash
Stock(2)
Fischer Security 4/18/95 Series A Preferred 425,000 510,000 Cash
Corporation L.L.C...... Stock(2)
Ameritech Development 4/18/95 Series A Preferred 425,000 510,000 Cash
Corporation............ Stock(2)
Mitsubishi Corporation.. 4/18/95 Series A Preferred 425,000 510,000 Cash
Stock(2)
Security Dynamics 4/18/95 Series A Preferred 425,000 510,000 Cash
Technologies, Inc...... Stock(2)
GC&H Investments........ 4/18/95 Series A Preferred 33,333 40,000 Cash
Stock(2)
First TZMM Investment 4/18/95 Series A Preferred 23,550 28,260 Cash
Partnership............ Stock(2)
Kleiner Perkins Caufield 2/20/96 Series B Preferred 1,153,207 2,825,357 Cash
& Byers VII............ Stock (2)
KPCB VII Founders Fund.. 2/20/96 Series B Preferred 125,947 308,570 Cash
Stock (2)
KPCB Information 2/20/96 Series B Preferred 32,799 80,358 Cash
Sciences Zaibatsu Fund Stock (2)
II.....................
Bessemer Venture 2/20/96 Series B Preferred 187,819 460,157 Cash
Partners DCI........... Stock (2)
Mitsubishi Corporation.. 2/20/96 Series B Preferred 72,026 176,464 Cash
Stock (2)
Security Dynamics 2/20/96 Series B Preferred 72,026 176,464 Cash
Technologies, Inc. .... Stock (2)
Intel Corporation....... 2/20/96 Series B Preferred 144,052 352,927 Cash
Stock (2)
Ameritech Development 2/20/96 Series B Preferred 72,026 176,464 Cash
Corporation............ Stock (2)
GC&H Investments........ 2/20/96 Series B Preferred 5,589 13,693 Cash
Stock (2)
Visa International 2/20/96 Series B Preferred 144,052 352,927 Cash
Service Association.... Stock (2)
Fischer Security 2/20/96 Series B Preferred 72,026 176,464 Cash
Corporation L.L.C. .... Stock (2)
First TZMM Investment 2/20/96 Series B Preferred 17,554 43,007 Cash
Partnership............ Stock (2)
Cisco Systems, Inc. .... 11/18/96 Series C Preferred 812,500 6,500,000 Cash
Stock (2)
Microsoft Corporation... 11/18/96 Series C Preferred 812,500 6,500,000 Cash
Stock (2)
Venture Fund I, L.P. ... 11/18/96 Series C Preferred 250,000 2,000,000 Cash
Stock (2)
COMCAST Investment 11/18/96 Series C Preferred 250,000 2,000,000 Cash
Holdings, Inc. ........ Stock (2)
First Data Corporation.. 11/18/96 Series C Preferred 250,000 2,000,000 Cash
Stock (2)
Intuit Inc. ............ 11/18/96 Series C Preferred 250,000 2,000,000 Cash
Stock (2)
Reuters New Media 11/18/96 Series C Preferred 250,000 2,000,000 Cash
Inc. .................. Stock (2)
SOFTBANK Ventures, 11/18/96 Series C Preferred 250,000 2,000,000 Cash
Inc. .................. Stock (2)
Merrill Lynch & Co., 11/18/96 Series C Preferred 250,000 2,000,000 Cash
Incorporated........... Stock (2)
Amerindo Technology 11/18/96 Series C Preferred 62,500 500,000 Cash
Growth Fund II......... Stock (2)
Attractor L.P. ......... 11/18/96 Series C Preferred 62,500 500,000 Cash
Stock (2)
Chancellor LGT Asset 11/18/96 Series C Preferred 62,500 500,000 Cash
Management............. Stock (2)
Gemplus................. 12/17/96 Series C Preferred 62,500 500,000 Cash
Stock (2)
26 consultants.......... 3/28/96-12/19/97 Common Stock 90,405 172,150 Services
63 employee or director 2/27/96-12/18/97 Common Stock 2,069,625(3) 796,543 Cash
optionees.............. (option exercises)
Microsoft Corporation... 11/20/97 Common Stock 100,000 800,000 (4)
VeriFone, Inc./Hewlett-
Packard Company........ 11/20/97 Common Stock 250,000 2,000,000 (5)
--------
(1) All founding stockholders paid cash except RSA Data Security, Inc., which
contributed its equipment, other assets and technology, as described in
Exhibit A to its Founder's Subscription Agreement.
(2) Each share of Preferred Stock will convert automatically into one share of
Common Stock.
(3) Of these shares, 78,125 were repurchased by cancellation of a promissory
note in the amount of $9,375, and 822,969 were subject to repurchase at
December 31, 1997. The repurchase right lapses ratably over four years.
(4) The shares of Common Stock were issued in connection with a preferred
provider agreement with the Registrant.
(5) The shares of Common Stock were issued in connection with the execution of
certain agreements, including a settlement of claims, with VeriFone, Inc.,
which is owned by Hewlett-Packard Company.
All sales of Common Stock to employees made pursuant to the exercise of
stock options granted under the Registrant's stock option plans or pursuant to
restricted stock purchase agreements, and all sales to consultants for
services, were made pursuant to the exemption from the registration
requirements of the Securities Act afforded by Rule 701 promulgated under the
Securities Act.
All other sales were made in reliance on Section 4(2) of the Securities Act
and/or Regulation D promulgated under the Securities Act. These sales were
made without general solicitation or advertising. Each purchaser was a
sophisticated investor with access to all relevant information necessary to
evaluate the investment who represented to the Registrant that the shares were
being acquired for investment.
ITEM 16. EXHIBITS AND FINANCIAL STATEMENT SCHEDULES.
(a) The following exhibits are filed herewith:
EXHIBIT
NUMBER EXHIBIT TITLE
------- -------------
1.01 Underwriting Agreement (draft dated November 20, 1997).+
3.01 Second Amended and Restated Certificate of Incorporation of the
Registrant, as amended.+
3.02 Form of Amendment to Second Amended and Restated Certificate of
Incorporation of the Registrant.+
3.03 Form of Third Amended and Restated Certificate of Incorporation of the
Registrant to be effective upon the closing of this offering.+
3.04 Bylaws of Registrant.+
3.05 Form of Amended and Restated Bylaws of Registrant, to be adopted prior
to the closing of this offering.+
4.01 Investors' Rights Agreement, dated November 15, 1996, among the
Registrant and the parties indicated therein.+
4.02 Stockholders' Agreement, dated April 18, 1995, among the Registrant
and the parties indicated therein, and amendments dated February 20,
1996 and November 15, 1996.+
4.03 Co-Sale Agreement, dated February 20, 1996, among the Registrant and
the parties indicated therein.+
4.04 Form of Specimen Common Stock Certificate.+
5.01 Opinion of Fenwick & West LLP regarding legality of the securities
being registered.+
10.01 Series A Preferred Stock Purchase Agreement, dated April 18, 1995,
among the Registrant and the parties indicated therein.+
10.02 Series B Preferred Stock Purchase Agreement, dated February 20, 1996,
among the Registrant and the parties indicated therein.+
10.03 Series C Preferred Stock Purchase Agreement, dated November 15, 1996,
among the Registrant and the parties indicated therein.+
10.04 Termination and Release Agreement, dated February 20, 1996, among the
Registrant and the parties indicated therein.+
10.05 Form of Indemnification Agreement entered into by the Registrant with
each of its directors and executive officers.+
10.06 Registrant's 1995 Stock Option Plan and related documents.+
10.07 Registrant's 1997 Stock Option Plan.+
10.08 Registrant's 1998 Directors' Stock Option Plan and related documents.+
10.09 Registrant's 1998 Equity Incentive Plan and related documents.+
10.10 Registrant's 1998 Employee Stock Purchase Plan and related documents.+
10.11 Registrant's Executive Loan Program of 1996.+
10.12 Founder's Subscription Agreement, dated April 18, 1995, between the
Registrant and RSA Data Security, Inc. for purchase of Common Stock.+
10.13 Form of Subscription Agreement, dated April 18, 1995, between the
Registrant and certain founding Common Stock holders for purchase of
Common Stock.+
10.14 Form of Full Recourse Secured Promissory Note and Form of Pledge and
Security Agreement entered into between the Registrant and certain
executive officers.+
10.15 Assignment Agreement, dated April 18, 1995, between the Registrant and
RSA Data Security, Inc.+
10.16 BSAFE/TIPEM OEM Master License Agreement, dated April 18, 1995,
between the Registrant and RSA Data Security, Inc., as amended.+
10.17 Non-Compete and Non-Solicitation Agreement, dated April 18, 1995,
between the Registrant and RSA Data Security, Inc.+
10.18 Microsoft/VeriSign Certificate Technology Preferred Provider
Agreement, effective as of May 1, 1997, between the Registrant and
Microsoft Corporation.*+
10.19 Master Development and License Agreement, dated September 30, 1997,
between the Registrant and Security Dynamics Technologies, Inc.*
10.20 License Agreement, dated December 16, 1996, between the Registrant and
VeriSign Japan K.K.+
10.21 Loan Agreement, dated January 30, 1997, between the Registrant and
Venture Lending & Leasing, Inc.+
10.22 Security Agreement, dated January 30, 1997, between the Registrant and
Venture Lending & Leasing, Inc.+
10.23 VeriSign Private Label Agreement, dated April 2, 1996, between the
Registrant and VISA International Service Association.*
10.24 VeriSign Private Label Agreement, dated October 3, 1996, between the
Registrant and VISA International Service Association.*
10.25 Lease Agreement, dated August 15, 1996, between the Registrant and
Shoreline Investments VII.+
10.26 Lease Agreement, dated September 18, 1996, between the Registrant and
Shoreline Investments VII.+
10.27 Sublease Agreement, dated September 5, 1996, between the Registrant
and Security Dynamics Technologies, Inc.+
10.28 Employment Offer Letter Agreement, between the Registrant and Stratton
Sclavos, dated June 12, 1995, as amended October 4, 1995.+
11.01 Statement regarding computation of pro forma basic and diluted net
loss per share.+
21.01 Subsidiary of the Registrant.+
23.01 Consent of Fenwick & West LLP (included in Exhibit 5.01).+
23.02 Consent of KPMG Peat Marwick LLP (see Page S-1 of the Registration
Statement).
24.01 Power of Attorney.+
27.01 Financial Data Schedule (available in EDGAR format only).+
--------
+ Previously filed.
* Confidential treatment is being sought with respect to certain portions of
this agreement. Such portions have been omitted from this filing and have
been filed separately with the Securities and Exchange Commission.
(b) The following financial statement schedule is filed herewith:
Schedule II -- Valuation and Qualifying Accounts--Page S-2
Other financial statement schedules are omitted because the information
called for is not required or is shown either in the financial statements or
the notes thereto.
ITEM 17. UNDERTAKINGS.
The undersigned Registrant hereby undertakes to provide to the Underwriters
at the closing specified in the Underwriting Agreement certificates in such
denominations and registered in such names as required by the Underwriters to
permit prompt delivery to each purchaser.
Insofar as indemnification for liabilities arising under the Securities Act
may be permitted to directors, officers and controlling persons of the
Registrant pursuant to the provisions described under Item 14 above, or
otherwise, the Registrant has been advised that in the opinion of the
Securities and Exchange Commission such indemnification is against public
policy as expressed in the Securities Act and is, therefore, unenforceable. In
the event that a claim for indemnification against such liabilities (other
than the payment by the Registrant of expenses incurred or paid by a director,
officer or controlling person of the Registrant in the successful defense of
any action, suit or proceeding) is asserted by such director, officer or
controlling person in connection with the securities being registered, the
Registrant will, unless in the opinion of its counsel the matter has been
settled by controlling precedent, submit to a court of appropriate
jurisdiction the question whether such indemnification by it is against public
policy as expressed in the Securities Act and will be governed by the final
adjudication of such issue.
The undersigned Registrant hereby undertakes that:
(1) For purposes of determining any liability under the Securities Act, the
information omitted from the form of prospectus filed as part of this
Registration Statement in reliance upon Rule 430A and contained in a form of
prospectus filed by the Registrant pursuant to Rule 424(b)(1) or (4) or 497(h)
under the Securities Act shall be deemed to be part of this Registration
Statement as of the time it was declared effective.
(2) For the purpose of determining any liability under the Securities Act,
each post-effective amendment that contains a form of prospectus shall be
deemed to be a new registration statement relating to the securities offered
therein, and the offering of such securities at that time shall be deemed to
be the initial bona fide offering thereof.
SIGNATURES
Pursuant to the requirements of the Securities Act, the Registrant has duly
caused this Amendment to be signed on its behalf by the undersigned, thereunto
duly authorized, in the City of Mountain View, State of California, on the
29th day of January, 1998.
VERISIGN, INC.
/s/ Stratton D. Sclavos
By: _________________________________
Stratton D. Sclavos
President and Chief Executive
Officer
In accordance with the requirements of the Securities Act, this Amendment
was signed by the following persons in the capacities and on the date
indicated.
SIGNATURE TITLE DATE
--------- ----- ----
PRINCIPAL EXECUTIVE OFFICER:
/s/ Stratton D. Sclavos President, Chief Executive January 29, 1998
____________________________________ Officer and Director
Stratton D. Sclavos
PRINCIPAL FINANCIAL AND PRINCIPAL ACCOUNTING OFFICER:
/s/ Dana L. Evan Vice President of Finance January 29, 1998
____________________________________ and Administration and
Dana L. Evan Chief Financial Officer
DIRECTORS:
* Chairman of the Board January 29, 1998
____________________________________
D. James Bidzos
* Director January 29, 1998
____________________________________
William Chenevich
* Director January 29, 1998
____________________________________
Kevin R. Compton
* Director January 29, 1998
____________________________________
David J. Cowan
* Director and Secretary January 29, 1998
____________________________________
Timothy Tomlinson
/s/ Dana L. Evan Attorney-in-Fact
* By _______________________________
Dana L. Evan
REPORT ON SCHEDULE AND CONSENT OF KPMG PEAT MARWICK LLP
The Board of Directors
VeriSign, Inc.:
The audits referred to in our report dated January 8, 1998 included the
related financial statement schedule for the period from April 12, 1995
(inception) to December 31, 1995 and for each of the years in the two-year
period ended December 31, 1997, included in the registration statement. This
financial statement schedule is the responsibility of the Company's
management. Our responsibility is to express an opinion on the financial
statement schedule based on our audits. In our opinion, such financial
statement schedule, when considered in relation to the basic consolidated
financial statements taken as a whole, presents fairly in all material respects
the information set forth therein.
We consent to the use of our reports included herein and to the reference to
our firm under the headings "Selected Consolidated Financial Data" and
"Experts" in the prospectus.
KPMG Peat Marwick LLP
San Francisco, California
January 28, 1998
S-1
VERISIGN, INC.
SCHEDULE II--VALUATION AND QUALIFYING ACCOUNTS
                                 BALANCE AT THE  CHARGED TO              BALANCE AT THE
                                  BEGINNING OF   COSTS AND                 END OF THE
DESCRIPTION                        THE PERIOD     EXPENSES   WRITE-OFFS       YEAR
-----------                      --------------  ----------  ----------  --------------
                                                    (IN THOUSANDS)
Allowance for doubtful accounts:
  Period from April 12, 1995
   (inception) to
   December 31, 1995............      $ --          $ 30        $ --          $ 30
  Year ended December 31, 1996..      $ 30          $ 22        $ 17          $ 35
  Year ended December 31, 1997..      $ 35          $315        $136          $214
S-2
EXHIBIT INDEX
EXHIBIT
NUMBER EXHIBIT TITLE
------- -------------
10.19 Master Development and License Agreement, dated September 30, 1997,
between the Registrant and Security Dynamics Technologies, Inc.*
10.23 VeriSign Private Label Agreement, dated April 2, 1996, between the
Registrant and VISA International Service Association.*
10.24 VeriSign Private Label Agreement, dated October 3, 1996, between the
Registrant and VISA International Service Association.*
23.02 Consent of KPMG Peat Marwick LLP (see Page S-1 of the Registration
Statement).
--------
* Confidential treatment is being sought with respect to certain portions of
this agreement. Such portions have been omitted from this filing and have
been filed separately with the Securities and Exchange Commission.
EXHIBIT 10.19
[CONFIDENTIAL TREATMENT REQUESTED]
MASTER DEVELOPMENT AND LICENSE AGREEMENT
This MASTER DEVELOPMENT AND LICENSE AGREEMENT (the "AGREEMENT"), is made by and
between Security Dynamics Technologies, Inc., a Delaware corporation having its
principal place of business at 20 Crosby Drive, Bedford, Massachusetts 01730
("SDTI"), and VeriSign, Inc., a Delaware corporation having its principal place
of business at 1390 Shorebird Avenue, Mountain View, California 94043
("VERISIGN"), and is effective as of September 30, 1997 (the "EFFECTIVE DATE").
RECITALS
WHEREAS, VeriSign has developed and owns certain computer software relating
to digital certificate authentication and local registration authority; and
WHEREAS, SDTI desires to engage VeriSign to customize such software to
SDTI's specifications and to obtain from VeriSign a license to distribute the
software in conjunction with other SDTI products, and VeriSign desires to accept
such engagement and grant such licenses on the terms set forth herein.
NOW, THEREFORE, in consideration of the foregoing and the mutual covenants,
promises and undertakings set forth herein, and for other good and valuable
consideration, SDTI and VeriSign agree as follows:
1. DEFINITIONS
1.1 "ACCEPTANCE CRITERIA" means the criteria for the acceptance of the
Developed Technology set forth in the Specifications.
1.2 "DELIVERABLE" means any of the deliverable items set forth on the
Statement of Work.
1.3 "DEVELOPED TECHNOLOGY" means the work product, including the
Technology and Documentation, to be developed by either party
hereunder, as more fully set forth in the Specifications.
1.4 "DEVELOPMENT EQUIPMENT" means the development hardware, software and
other equipment and supplies provided to VeriSign by SDTI hereunder,
if any, as more particularly described in Exhibit A attached hereto
and incorporated herein by this reference.
1.5 "DEVELOPMENT PERIOD" means the period commencing on the Effective
Date and ending on the date of acceptance by SDTI of the last
Deliverable under a Statement of Work.
1.6 "DOCUMENTATION" means the documentation necessary to use and support
the Developed Technology, together, in each case, with any
modifications or enhancements thereto.
1.7 "END-USER" means the ultimate user of the Developed Technology who
purchases or licenses the Product for use in the regular course of
such customer's business and not for resale or further sublicensing
by such customer.
1.8 "ERROR CORRECTION" means a modification to VeriSign's Pre-Existing
Technology, the Developed Technology or a Deliverable that
establishes material conformity to the current Specifications and
Documentation or eliminates the adverse effect of a Non-Conformance
in the operation of the Developed Technology or Deliverable,
including but not limited to bug fixes and work-arounds.
1.9 "INTELLECTUAL PROPERTY RIGHTS" means all worldwide: (a) patents,
patent applications and other patent rights; (b) rights associated
with works of authorship, including copyrights, copyright
applications, copyright restrictions, Trademarks, registrations and
applications for registration of Trademarks, mask work rights, mask
work applications and mask work registrations; (c) rights relating to
the protection of trade secrets and confidential information; (d)
rights analogous to those set forth herein and any other proprietary
rights relating to intangible property; and (e) divisions,
continuations, renewals, reissues and extensions of the foregoing (as
applicable) now existing or hereafter filed, issued, or acquired.
1.10 "NON-CONFORMANCE" means a failure of the Developed Technology to
conform materially to the Specifications or to materially perform
correctly when measured against the Specifications.
1.11 "OBJECT CODE FORM" means a form of software code resulting from the
translation or processing of Source Code by a computer into machine
language or intermediate code, which thus is in a form which would
not be convenient for human understanding of the program logic, but
which is appropriate for execution or interpretation by a computer.
1.12 "PRE-EXISTING TECHNOLOGY" means Technology owned by either party
prior to the Development Period, as identified in the applicable
Statement of Work. Any and all Pre-Existing Technology that may be
incorporated into the Developed Technology will still be "Pre-Existing
Technology."
1.13 "PRODUCT" means any product developed, manufactured, marketed, sold
or distributed by SDTI which consists of or incorporates any
Developed Technology.
1.14 "SOURCE CODE FORM" means a form in which a computer program's logic
is easily deduced by a human being with skill in the art, such as a
printed listing of the program or a form from which a printed listing
can be generated.
1.15 "SPECIFICATIONS" means the document or documents that characterize
and define the logical, functional, performance and operational
aspects of the Developed Technology, as initially set forth on
Exhibit B attached hereto and incorporated herein by this reference.
1.16 "STATEMENT OF WORK" or "SOW" means a written instrument that meets
the following requirements:
(a) Includes substantially the following statement: "This is a
Statement of Work under the Master Development and License
Agreement between SDTI Systems, Inc. and VeriSign, Inc., dated
effective ____ , 1997;"
(b) Is signed on behalf of both parties by their authorized
representatives;
(c) Contains the following five mandatory items:
(i) Description and/or Specifications of the services to
be performed and the Deliverables to be delivered to
SDTI;
(ii) The name and address of a Project Manager for each of
SDTI and VeriSign;
(iii) The amount, schedule, and method of payment to be
made to VeriSign, including NRE fees, license fees,
and royalties, if any;
(iv) The time schedule, framework or dates for performance
and for delivery of the Deliverables (the
"MILESTONES"); and
(v) Completion and Acceptance Criteria for the
Deliverables; and
(d) When applicable, includes:
(i) Provisions for written and/or oral progress reports
by VeriSign;
(ii) Detailed functional and technical specifications and
standards for all services and Deliverables,
including quality standards, overall systems
architecture, project plan, identified dependencies
or contingencies and critical path issues;
(iii) Documentation standards;
(iv) Lists of any special equipment, including Development
Equipment, to be procured by VeriSign or provided by
SDTI for use in performance of the work;
(v) Identification of Pre-Existing Technology; and
(vi) Such other terms and conditions as may be mutually
agreeable between the parties.
1.17 "TECHNOLOGY" means technical information, knowledge, ideas, concepts,
processes, procedures, designs, schematics, works of authorship,
inventions and discoveries owned by or licensed to a party hereto and
subject to intellectual property protection and any and all
Intellectual Property Rights pertaining thereto.
1.18 "THIRD PARTY TECHNOLOGY" means software or other Technology owned by
a third party and used in connection with the Developed Technology as
set forth in Exhibit D attached hereto and incorporated herein by
this reference.
1.19 "DERIVATIVE" means, as applicable: (a) any computer software (whether
in source or object code form) port, work, product, service,
improvement, modification, alteration, enhancement, new version,
translation, adaptation, design, concept, materials and
documentation, in any medium, format or form whatsoever, that is
derived in any manner, directly or indirectly, from a pre-existing
work or any part or aspect thereof or that utilizes or incorporates
such a pre-existing work or any part or aspect thereof; (b) all
"derivative works," as defined in the copyright law of the United
States and (c) all materials and documentation related to each of the
foregoing.
1.20 "TRADEMARKS" means trademarks, service marks, trade names, trade
dress and logos.
1.21 "UPDATE" means a new revision of the Developed Technology that
includes bug fixes, corrections and minor modifications.
1.22 "ENHANCEMENT" means a new revision of the Developed Technology that
includes enhancements and new functionalities.
2. DEVELOPMENT WORK
2.1 ISSUANCE OF STATEMENTS OF WORK. The initial Statement(s) of Work
agreed to by both parties is attached to this Agreement. Additional
Statements of Work, regardless of whether they relate to the same
subject matter as the initial Statement of Work, shall become
effective upon execution by authorized representatives of both
parties and shall then also be attached to this Agreement.
2.2 CHANGES TO STATEMENTS OF WORK. Changes in any Statement of Work or in
any of the Specifications or Deliverables under any Statement of Work
shall become effective only when a written change request is executed
by authorized representatives of both parties. All change requests
with respect to this Agreement, any Statement of Work, or any
Specifications or Deliverables must be accepted by both parties.
2.3 DEVELOPMENT EFFORT. Each party agrees to use commercially reasonable
efforts to undertake and complete development of the Deliverables in
accordance with the Milestone Schedule and to timely deliver all the
Deliverables. Certain tasks to be undertaken by a party may require
information from the other party or completion of certain tasks by
the other party prior to a party undertaking its tasks. Each party
agrees that any delay in a party meeting the Milestones that is
caused by the failure of the other party to timely provide such
required information or complete performance shall not constitute a
default under this Agreement.
3. OWNERSHIP
3.1 PRE-EXISTING TECHNOLOGY. Each party acknowledges and agrees that, as
between the parties, each party is and shall remain the sole and
exclusive owner of all right, title, and interest in and to its Pre-
Existing Technology, and all associated Intellectual Property Rights,
and that this Agreement does not affect such ownership. Each party
acknowledges that it acquires no rights under this Agreement to the
other party's Pre-Existing Technology other than the limited rights
specifically granted in this Agreement.
3.2 MODIFICATIONS/DERIVATIVE WORKS TO PRE-EXISTING TECHNOLOGY. Each party
acknowledges and agrees that, as between the parties, each party is
and shall remain the sole and exclusive owner of all right, title,
and interest in and to any Derivatives to its Pre-Existing Technology
regardless of who created such Derivatives, and all associated
Intellectual Property Rights therein and thereto. Each party
acknowledges that it acquires no rights under this Agreement to the
Derivatives of the other party's Pre-Existing Technology other than
the limited rights specifically granted in this Agreement.
3.3 DEVELOPED TECHNOLOGY. Subject to the ownership rights specified in
Sections 3.1 and 3.2 above, each party shall own that portion of the
Developed Technology that it solely created. Except in the event that
portions of the Developed Technology (a) constitute Derivatives of
SDTI Pre-Existing Technology, or (b) are solely created by SDTI, then
VeriSign shall be the sole and exclusive owner of the Developed
Technology. To the extent that the items in (a) and (b) above are
incorporated into the Developed Technology, SDTI shall grant, and
hereby does grant, to VeriSign a royalty-free, perpetual and
irrevocable, worldwide, non-exclusive license to use, reproduce and
distribute such code as part of the Developed Technology.
Notwithstanding anything else in this Section 3.3, SDTI acknowledges
and agrees that all Developed Technology created by the SDTI
personnel on site at VeriSign, as set forth in the initial Statement
of Work, and all Intellectual Property Rights therein, shall be owned
solely and exclusively by VeriSign.
3.4 PORTS. In the event that SDTI creates ports of the Developed
Technology to new platforms pursuant to SDTI's license rights under
Section 4.2(a) ("PORTS") and VeriSign agrees to support the Port,
then SDTI will promptly provide the Ports to VeriSign in Source Code
and Object Code form, and SDTI hereby assigns all Intellectual
Property Rights in the Ports to VeriSign.
3.5 ASSIGNMENT AND FURTHER ASSURANCES. Each party agrees to cooperate
with the other party and take all reasonable actions required to vest
and secure in such party all ownership rights, including all
Intellectual Property Rights, as specified in this Section 3.
4. LICENSE GRANTS; ACCESS TO TECHNOLOGY
4.1 SDTI PRE-EXISTING TECHNOLOGY. On the terms and subject to the
conditions set forth herein, for the period necessary for VeriSign to
have access to SDTI's Pre-Existing Technology in order to accomplish
its obligations under this Agreement, SDTI grants to VeriSign a
nonexclusive, nontransferable, royalty-free, limited license under
SDTI's Intellectual Property Rights in the SDTI Pre-Existing
Technology to:
(a) use, copy and modify SDTI Pre-Existing Technology for internal
purposes only and solely to the extent necessary to develop the
Developed Technology; and
(b) incorporate SDTI Pre-Existing Technology to the extent necessary
into the Developed Technology for use and distribution by SDTI.
4.2 DEVELOPED TECHNOLOGY. On the terms and subject to the conditions set
forth herein, VeriSign grants to SDTI a non-exclusive, royalty-free,
perpetual, worldwide license, under VeriSign's Intellectual Property
Rights in its Pre-Existing Technology to the extent that it is
incorporated in the Developed Technology and the Developed Technology
to: (a) use, copy, modify, and prepare derivative works of the
Developed Technology in Source Code form and Object Code; and (b)
copy and distribute the Developed Technology solely in Object Code
Form to End-Users in combination with substantial added value in the
form of the Products. Except as expressly permitted herein, SDTI may
not (i) disassemble, decompile or reverse engineer the Developed
Technology, (ii) use the Developed Technology in any manner to
perform service bureau, time sharing, certification authority, or
other computer services to third parties or permit End Users to do
the same, or (iv) perform or permit any sublicensing or other
distribution of the Developed Technology in Source Code form. SDTI's
rights in the Developed Technology licensed hereunder shall be
limited to those expressly granted in this Agreement.
4.3 ACCESS TO TECHNOLOGY. VeriSign will provide SDTI first-to-market
access to new technologies which it develops that, in VeriSign's
reasonable discretion, have relevant impact to SDTI's business.
Similarly, SDTI will provide VeriSign with advanced notification of
security products and services it intends to launch and will make
reasonable efforts to utilize VeriSign technology, products and
services where appropriate. SDTI understands that VeriSign has a
similar arrangement with the following companies listed: Microsoft,
Netscape and Cisco Systems. VeriSign will notify and provide access
to these new technologies to SDTI and the above companies at the same
time. Any such disclosure by VeriSign to SDTI shall be subject to the
provisions of Section 10 of this Agreement.
4.4 TRADEMARKS.
(a) TRADEMARK LICENSE. During the term of this Agreement, VeriSign
hereby grants to SDTI a nonexclusive, nontransferable license to
advertise the Product and Developed Technology under the
VeriSign trademarks, trade names, logos and/or slogans listed on
Exhibit G ("TRADEMARKS") as updated by VeriSign and agreed to in
writing by SDTI from time to time. Such use must reference the
Trademarks as being owned by VeriSign. The rights granted to
SDTI in this license will terminate upon any termination or
expiration of this Agreement. Upon such termination or
expiration, SDTI will no longer make any use of any Trademarks.
(b) TRADEMARK OWNERSHIP. SDTI recognizes that VeriSign is the owner
of all right, title and interest in the Trademarks. SDTI's use
of the Trademarks shall inure to the benefit of VeriSign. SDTI
shall not at any time acquire any rights in the Trademarks by
virtue of any use it may make of the Trademarks. SDTI shall not
during the term of this Agreement, or thereafter, attack the
title or any rights of VeriSign in and to the Trademarks or
attack the validity of the Trademarks. SDTI shall not register
in any country any name or mark resembling or confusingly
similar to any of the Trademarks.
(c) QUALITY STANDARDS. SDTI shall use the Trademarks in accordance
with VeriSign's trademark usage guidelines specified in Exhibit
G, as amended by VeriSign from time to time and agreed to by
SDTI in writing. Upon VeriSign's request, SDTI shall furnish to
VeriSign free of cost a reasonable number of each printed item
of advertising, packaging, or other promotional material bearing
the Trademarks so that VeriSign may monitor SDTI's compliance
with the trademark usage guidelines set forth in Exhibit G, as
amended by VeriSign from time to time. If any of VeriSign's
Trademarks are to be used in conjunction with SDTI's or another
party's trademarks, on or in relation to the Product or
Developed Technology, then VeriSign's Trademarks shall be
presented legibly, but nevertheless separated from the other, so
that each appears to be a trademark in its own right, distinct
from the other mark.
4.5 OTHER AGREEMENTS BY SDTI. SDTI may not distribute the Developed
Technology to any End User unless such End User is subject to an end
user license agreement with SDTI that: (i) protects VeriSign's
proprietary rights in the Developed Technology to at least the same
degree as the terms and conditions of this Agreement; (ii) requires
that such End User not reverse engineer, reverse compile or
disassemble the object code for the Developed Technology; (iii)
requires such End User to comply fully with all applicable laws and
regulations in any of its dealings with respect to the Developed
Technology; (iv) makes no representations or warranties on behalf of
VeriSign; and (v) does not grant any rights to such End User beyond
the scope of this Agreement. SDTI will promptly provide VeriSign with
reasonable access to such agreements following VeriSign's request.
4.6 U.S. GOVERNMENT AGENCIES. If SDTI distributes the Developed
Technology to any agency of the United States government, SDTI shall
require the government to agree that the Developed Technology is
"commercial computer software" or "commercial computer software
documentation" and that, absent written agreement to the contrary,
the government's rights with respect to the Developed Technology are
limited by the term of the End User license agreement, pursuant to
FAR Section 12.212(a) and/or DFARS Section 27.702-1(a) as applicable.
5. PROJECT MANAGEMENT AND DELIVERY
5.1 PROJECT MANAGERS. Each party will appoint a single project manager
("PROJECT MANAGER") and will promptly provide written notification to
the other party of the name and contact information for its Project
Manager. Each Project Manager will act as the principal liaison
between the parties with respect to his or her party's respective
performance under this Agreement and will identify to the other
party, and provide contact information for, the other individuals
responsible for specific tasks hereunder.
5.2 DELIVERY OF DELIVERABLES ON TARGET DATES. VeriSign shall use its
commercially reasonable efforts to deliver to SDTI the Deliverables
in accordance with the Milestones set forth on the Statement of Work.
5.3 DELIVERY OF ERROR CORRECTIONS. During the term of this Agreement and
for the period of VeriSign's warranty set forth in Section 13.1
below, VeriSign shall deliver to SDTI any Error Corrections for the
Developed Technology promptly upon their development.
5.4 DELIVERY OF DEVELOPED TECHNOLOGY. Upon completion of the Developed
Technology, VeriSign shall deliver it to SDTI for final evaluation
and testing pursuant to Section 8.
6. VERISIGN'S OBLIGATIONS AND DEVELOPMENT UNDERTAKINGS
6.1 USE OF DEVELOPMENT EQUIPMENT. VeriSign shall not use or permit use of
the Development Equipment for any purpose other than development of
the Developed Technology. The Development Equipment shall: (i) remain
the personal property of SDTI; (ii) be subject to inspection by SDTI
upon reasonable notice and during VeriSign's normal business hours;
and (iii) be kept free and clear of liens and encumbrances. VeriSign
shall use and maintain the Development Equipment in a careful and
proper manner and shall be responsible for all loss or damage which
occurs while the Development Equipment is in its possession. Upon the
termination of the Development Period, VeriSign shall return the
Development Equipment to SDTI in good condition, reasonable wear and
tear excepted, as may be directed by SDTI (and SDTI shall bear the
corresponding freight costs).
6.2 THIRD PARTY TECHNOLOGY. VeriSign shall obtain and secure the
worldwide rights to use and distribute any Third Party Technology
that is necessary for the Developed Technology to operate
without Non-Conformance and to be used, manufactured and distributed
by SDTI pursuant to the terms of this Agreement.
6.3 TESTING. For so long as VeriSign provides maintenance services
pursuant to Section 12.2, VeriSign shall perform and be responsible
for the testing and debugging of all releases of the Developed
Technology and shall provide to SDTI at no charge all Error
Corrections to the Developed Technology. VeriSign shall provide all
assistance necessary for SDTI fully to test and evaluate the
Developed Technology and each Deliverable to determine whether it
substantially conforms to the Specifications, including the
Acceptance Criteria.
6.4 SCHEDULE CHANGES. In the event VeriSign determines that a particular
Milestone will likely be missed, it promptly shall give notice to
SDTI setting forth in reasonable detail the reason for the
anticipated delay, any corrective measures VeriSign intends to
undertake and the estimated revised Milestone.
7. SDTI'S OBLIGATIONS AND RIGHT TO MODIFY SPECIFICATIONS.
7.1 SUPPORT AND INFORMATION. SDTI will provide any engineering support,
technical training and other resources, including SDTI Pre-Existing
Technology, reasonably requested by VeriSign to assist VeriSign with
a Statement of Work ("RESOURCES"). SDTI shall not be obligated to
provide specific Resources or specific levels of any Resource unless
agreed in writing by SDTI.
7.2 DEVELOPMENT EQUIPMENT. SDTI shall provide to VeriSign the Development
Equipment listed in Exhibit A. The Development Equipment shall be
shipped to VeriSign freight prepaid.
7.3 SDTI UPDATES. SDTI may, in its sole discretion, update the SDTI Pre-
Existing Technology, if any, provided to VeriSign if a new release
becomes available during the Development Period, subject to
VeriSign's written agreement to any modification to the
Specifications necessitated by such new release.
7.4 CHANGES. If, at any time, SDTI desires to modify the Specifications
or the Statement of Work, SDTI shall present a written request to
VeriSign describing such modifications using VeriSign's standard
Project Change Request Form (each such request is a "CHANGE ORDER"),
which VeriSign may approve in its sole discretion. VeriSign will
promptly review each such Change Order and determine, in VeriSign's
reasonable discretion, whether such Change Order can be accomplished
by VeriSign, and whether the performance of such Change Order will
increase the costs and/or delay the original schedule for creating
the Deliverables. If the parties agree to the Change Order (including
without limitation any such increased costs and/or delays estimated
by VeriSign), the Change Order will be deemed to amend and become
part of the Statement of Work and VeriSign will perform the
Consulting Services in accordance with such amended Statement of
Work.
7.5 SDTI'S INTERNAL USE OF CERTIFICATE AUTHORITY ("CA") SERVICES. If and
for so long as VeriSign's CA services and products are superior or
competitive (at a minimum, in terms of pricing, performance and
features) with similar products available in the market, as
determined by SDTI in its sole discretion, SDTI will purchase and use
VeriSign's CA products and services for its internal use only.
7.6 To the extent SDTI personnel are provided or take action at
VeriSign's site pursuant to this Agreement, such personnel shall be
provided solely at SDTI's cost, and upon VeriSign's reasonable
request, SDTI shall provide evidence of satisfaction of all state and
federal employment laws and worker compensation requirements in
connection with such personnel. Such personnel shall, at VeriSign's
reasonable request, execute confidentiality agreements containing
terms and conditions substantially similar to those in Section 10,
and shall agree to
abide by all reasonable VeriSign visitor regulations. SDTI
understands that VeriSign operates a secure facility and that there
are portions of such facility that SDTI's personnel will not be
permitted to enter unless entry to such facility is necessary in
order to allow SDTI to exercise its rights hereunder. In the event
that VeriSign determines that any SDTI personnel has breached a
VeriSign visitor regulation, SDTI shall, upon receipt of notice from
VeriSign, immediately cause such person to be removed from VeriSign's
facility and provide a replacement.
8. EVALUATION AND ACCEPTANCE/REJECTION OF DEVELOPED TECHNOLOGY
Unless otherwise stated in the Statement of Work, SDTI shall advise
VeriSign in writing within forty five (45) days of receipt of the
completed Developed Technology for testing or evaluation whether SDTI
accepts or rejects such Developed Technology in accordance with the
Acceptance Criteria. In the event that SDTI does not respond in
writing within such forty five (45) day period, then the Developed
Technology shall be deemed accepted. If SDTI rejects the Developed
Technology, then SDTI shall provide to VeriSign a written statement
of the reasons for such rejection. Upon rejection, VeriSign shall
prepare an Error Correction within twenty (20) business days and
resubmit such Developed Technology to SDTI for evaluation pursuant to
this Section. In the event the Developed Technology still fails to
conform to the Acceptance Criteria after two (2) attempts to correct
and resubmit the Developed Technology, the matter shall be escalated
to the respective management of the parties for resolution. If the
parties cannot reach an agreement in good faith after such executive
escalation, either party may pursue whatever remedies it may have
under this Agreement, at law or in equity.
9. LICENSE FEES; ROYALTY PAYMENTS
9.1 LICENSE FEE. SDTI shall make the nonrefundable license payments to
VeriSign in accordance with Exhibit E attached hereto. Additional
license fees for subsequent projects shall be as set forth in the
applicable Statement of Work.
9.2 MAINTENANCE AND SUPPORT. In exchange for the receipt of maintenance and
support services and Updates and Enhancements for the Products from
VeriSign under Section 12, SDTI will pay VeriSign the nonrefundable
amounts specified in Exhibit E for such services.
9.3 PAYMENT TERMS. SDTI will make all initial payments to VeriSign when
specified in Exhibit E. SDTI will make all ongoing payments to
VeriSign due under Exhibit E within thirty (30) days after receipt of
VeriSign's invoice, unless otherwise set forth in a SOW. Payments
made under this Agreement after their due date will incur interest at
a rate equal to 1.5% per month or the highest rate permitted by
applicable law, whichever is lower.
9.4 TAXES. All amounts payable under this Agreement are exclusive of all
sales, use, value-added, withholding, and other taxes and duties.
SDTI will pay all taxes and duties assessed in connection with this
Agreement and its performance by any authority within or outside of
the U.S., except for taxes payable on VeriSign's net income. VeriSign
will be promptly reimbursed by SDTI for any and all taxes or duties
that VeriSign may be required to pay in connection with this
Agreement or its performance.
9.5 RECORDS AND AUDITS. SDTI shall keep all proper records and books of
account and all proper entries therein relating to its distribution
of Products under this Agreement. To the extent that SDTI is to pay
ongoing royalties under the terms of the initial or a subsequent SOW,
on no less than 30 days' prior written notice and no more than once
annually, VeriSign may request that an independent certified public
accountant audit the applicable records during regular business hours
at SDTI's offices to verify statements rendered hereunder. VeriSign
shall bear the expenses of any such audit; provided that if such
audit reveals that royalties paid by SDTI for any period are less
than 95% of what should have been paid by SDTI, on VeriSign's
request, SDTI shall pay the costs of such audit in addition to
royalties then due and owing to VeriSign.
10. CONFIDENTIAL INFORMATION
10.1 CONFIDENTIAL INFORMATION. VeriSign and SDTI agree and acknowledge
that in order to further the performance of this Agreement, they will
be required to disclose to each other certain confidential
information which will be identified as such in writing or, if
disclosed orally, will be reduced to writing within thirty (30) days
thereafter ("Confidential Information"). The Developed Technology
will be regarded as Confidential Information whether or not it is
identified in writing as "Confidential."
10.2 PROTECTION OF CONFIDENTIAL INFORMATION. The receiving party agrees to
protect the confidentiality of the disclosing party's Confidential
Information with at least the same degree of care that it utilizes
with respect to its own similar proprietary information, including
without limitation agreeing:
(a) Not to disclose or otherwise permit any other person or entity
access to, in any manner, the Confidential Information or any part
thereof in any form whatsoever, except that such disclosure or access
shall be permitted to an employee, agent or contractor of the
receiving party requiring access to the Confidential Information in
the course of his or her engagement in connection with this Agreement
and who has signed an agreement obligating the employee, agent or
contractor to maintain the confidentiality of the confidential
information of third parties in the receiving party's possession;
(b) To notify the disclosing party promptly and in writing of the
circumstances surrounding any suspected possession, use or knowledge
of the Confidential Information or any part thereof at any location
or by any person or entity other than those authorized by this
Agreement; and
(c) Not to use the Confidential Information for any purpose other
than as explicitly set forth herein.
10.3 EXCEPTIONS. Nothing in this Section 10 shall restrict the receiving
party with respect to information or data, whether or not identical
or similar to that contained in the Confidential Information, if such
information or data: (a) was rightfully possessed by the receiving
party before it was received from the disclosing party; (b) is
independently developed by the receiving party without reference to
the disclosing party's information or data; (c) is subsequently
furnished to the receiving party by a third party not under any
obligation of confidentiality with respect to such information or
data, and without restrictions on use or disclosure; (d) is or
becomes available to the general public otherwise than through any
act or default of the receiving party; or (e) is required to be
disclosed by the receiving party by law or government regulation.
10.4 INJUNCTIVE RELIEF. Because the unauthorized use, transfer or
dissemination of any Confidential Information provided hereunder may
diminish substantially the value of such materials and may
irreparably harm the disclosing party, if a receiving party breaches
the provisions of this Section 10, the disclosing party shall,
without limiting its other rights or remedies, be entitled to
equitable relief, including but not limited to injunctive relief.
11. USE OF CONTRACTORS
Each party may retain third parties ("Contractors") to furnish
services to it in connection with the performance of its obligations
hereunder and permit such Contractors to have access to the
Confidential Information of the other but only to the extent and
insofar as reasonably required in connection with the performance of
such party's obligations under this Agreement; provided that
all such Contractors shall be required by the applicable party to
execute a written agreement: (a) sufficient to secure compliance by
the Contractors with such party's obligations of confidentiality
concerning Confidential Information set forth in Section 10; and (b)
acknowledging the Contractor's obligation to assign all work product
to such party in connection with performance hereunder.
12. SUPPORT
12.1 SUPPORT. Upon payment of the support fees set forth in Exhibit E,
VeriSign shall provide the documentation and support to SDTI as set
forth on Exhibit F for the Term of this Agreement. Additional or
different support and documentation and the corresponding support fee
may be required for subsequent projects and shall be as set forth in the
applicable Statement of Work. Support services hereunder shall
commence on the Effective Date, shall extend for a period of three
(3) years, and shall continue for successive annual terms, which may
be terminated by either party upon (60) days notice prior to the end
of the then current term. Further, SDTI may terminate the support
services set forth herein at any time upon sixty (60) days written
notice to VeriSign.
12.2 MAINTENANCE. For a period of three (3) years from the Effective Date,
upon payment of the maintenance fees set forth in Exhibit E, VeriSign
shall provide to SDTI all Enhancements and Updates to the Developed
Technology that VeriSign may, in its sole discretion, choose to
develop. VeriSign shall deliver all Updates to SDTI promptly upon
their creation. SDTI shall receive such Enhancements simultaneous
with their release to VeriSign's similarly situated customers, and in
any event shall deliver such available Enhancements at least once per
year. VeriSign agrees to use its reasonable efforts to synchronize
its release of Enhancements and Updates to SDTI with SDTI's release
cycles of its Products. Upon delivery, Updates and Enhancements shall
be deemed part of and incorporated into the Developed Technology.
After the three (3) year maintenance period, the parties agree to
negotiate in good faith for the terms of extended maintenance
services as set forth in this Section. VeriSign agrees that it shall
offer maintenance rates to SDTI that are no less favorable than the
fees offered to any other third party purchasing similar products at
similar volumes under similar commercial terms and conditions.
13. REPRESENTATIONS AND WARRANTIES.
13.1 WARRANTY RE DEVELOPED TECHNOLOGY. VeriSign represents and warrants to
SDTI that (i) each Deliverable hereunder developed by VeriSign will
substantially conform to and perform in accordance with the
applicable Specifications and Documentation when delivered and (ii)
the Developed Technology, when delivered by VeriSign to SDTI, will
substantially conform to and perform in accordance with the
Specifications and Documentation, be free of material defects in
design, both for a period of ninety (90) days following acceptance by
SDTI of the applicable Deliverable (the "Warranty Period"). During
the Warranty Period, as SDTI's exclusive remedy for breach of the
above warranties, VeriSign shall promptly correct all Errors and
shall otherwise provide to SDTI, free of charge, the maintenance and
support services described in Section 12 above.
13.2 AUTHORIZATION AND ORIGINALITY. VeriSign represents and warrants that
it has the right to enter into this Agreement, and that there exist
no prior commitments or other obligations which prevent VeriSign from
making all of the grants and undertakings provided for in this
Agreement. VeriSign warrants that VeriSign has the right to make the
assignments and grant the licenses granted herein. SDTI represents
and warrants that it has the right to enter into this Agreement, and
that there exist no prior commitments or other obligations which
prevent SDTI from making all of the grants and undertakings provided
for in this Agreement. SDTI warrants that SDTI has the right to make
the assignments and grant the licenses granted herein.
13.3 DISCLAIMER. EXCEPT AS PROVIDED IN THIS AGREEMENT, VERISIGN MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE DEVELOPED
TECHNOLOGY OR OTHERWISE AND EXPRESSLY DISCLAIMS THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT. No oral or written information or advice given
by VeriSign's employees or representatives which is not contained in
this Agreement shall create a warranty or in any way increase the
scope of VeriSign's obligations.
13.4 NO WARRANTY AS TO SDTI PRE-EXISTING TECHNOLOGY. SDTI makes no
representation or warranty concerning any SDTI Pre-Existing
Technology licensed to VeriSign hereunder. The SDTI Pre-Existing
Technology is licensed on an "AS IS" basis and solely for the
convenience of VeriSign in performing its obligations hereunder.
14. LIMITATION OF LIABILITY
EXCEPT AS SET FORTH IN SECTION 15, VIOLATION OF THE PARTIES'
RESPECTIVE INTELLECTUAL PROPERTY RIGHTS, BREACH BY PARTIES OF THEIR
RESPECTIVE CONFIDENTIALITY OBLIGATIONS, AND BREACH OF THE SCOPE OF
THE LICENSES GRANTED IN SECTION 4.2, (A) IN NO EVENT SHALL EITHER
PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE PERFORMANCE OF OR
ALLEGED FAILURE TO PERFORM THIS AGREEMENT (INCLUDING LOSS OF REVENUE,
PROFITS, USE, DATA, OR OTHER ECONOMIC ADVANTAGE), REGARDLESS OF THE
THEORY OF LIABILITY, EVEN IF SUCH PARTY HAS BEEN PREVIOUSLY ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE OCCURRING, AND (B) IN NO EVENT
SHALL VERISIGN'S LIABILITY TO SDTI EXCEED THE TOTAL AMOUNTS PAID BY
SDTI TO VERISIGN UNDER THIS AGREEMENT.
15. INTELLECTUAL PROPERTY INDEMNIFICATION
15.1 SCOPE OF VERISIGN INDEMNIFICATION.
(a) VeriSign will indemnify, defend and hold SDTI harmless from and
against any and all losses, damages, liabilities and expenses
(including but not limited to reasonable legal fees, settlement
costs, judgments and awards) to the extent resulting from or
incurred in connection with any claim or legal proceeding
brought against SDTI and based on a claim that a Deliverable,
the Developed Technology, or any part thereof, or SDTI's use,
manufacture or distribution thereof, infringes any issued United
States patent or copyright or misappropriates any trade secret
of a third party except to the extent that such claim arises out
of (a) any SDTI Pre-Existing Technology or any modification to
the Deliverable or Developed Technology made by SDTI or not made
by VeriSign; or (b) any combination of the foregoing with
Technology not provided or recommended in writing by VeriSign.
The remedies set forth in this Section 15.1 shall be SDTI's sole
and exclusive remedy, and VeriSign's sole and exclusive
obligations with regard to third party claims of intellectual
property infringement.
(b) VERISIGN'S EFFORTS. Should SDTI's use and/or distribution of the
Developed Technology be enjoined or become the subject of a
claim of infringement, VeriSign shall use all reasonable
commercial efforts to either (a) procure for SDTI the right to
continue to use and distribute the Developed Technology, as the
case may be, or (b) replace or modify the Developed Technology,
as the case may be, to make it non-infringing without materially
changing the form, fit, operation and function of the Developed
Technology. If none of such alternatives is reasonably possible,
then the use and distribution of the particular Developed
Technology may be terminated at the option of VeriSign without
further obligation or liability except as otherwise provided
herein. In the event of such termination, VeriSign shall refund
to SDTI any and all monies paid by SDTI with respect to such
Developed Technology less depreciation for use on a straight
line basis amortized over _____ years.
(c) CONDITIONS TO INDEMNIFICATION. The foregoing indemnity is
conditioned on (i) prompt written notice by SDTI of any claim or
proceeding subject to indemnity; (ii) VeriSign's sole control of
the defense and settlement of any claim under this Section and
(iii) all reasonable cooperation and assistance by SDTI party in
the defense and settlement of such claim at VeriSign's expense.
15.2 SCOPE OF SDTI INDEMNIFICATION. Subject to Section 15.1, SDTI shall
defend, indemnify and hold VeriSign harmless from any and all
damages, liabilities, costs and expenses (including but not limited
to attorney's fees) incurred by VeriSign arising out of (i) claims
described in items (a) and (b) of Section 15.1(a), or (ii) any acts or
omissions of SDTI in connection with their activities under this
Agreement. As a condition to such defense and indemnification,
VeriSign will provide SDTI with prompt written notice of the claim,
the opportunity to assume the defense of the claim at SDTI's expense,
and information and assistance, at SDTI's expense, in connection
therewith.
16. TERM AND TERMINATION
16.1 TERM OF AGREEMENT. This Agreement shall commence on the Effective
Date and continue in perpetuity unless terminated as set forth below
(the "Term").
16.2 TERMINATION FOR CAUSE. If either party commits a material breach of
the terms and conditions of this Agreement, the other party may
terminate this Agreement upon forty-five (45) days' prior written
notice to the defaulting party describing in reasonable detail such
breach unless, within such forty-five (45) day period after receipt of
such Notice, all breaches specified therein shall have been remedied.
16.3 TERMINATION FOR INSOLVENCY EVENT. To the fullest extent permitted by
law, this Agreement may be terminated at the option of the
terminating party upon written notice to the other party upon the
occurrence of any of the following events with respect to the other
party: (i) a receiver is appointed for such party or its property;
(ii) such party makes a general assignment for the benefit of its
creditors; (iii) such party commences, or has commenced against it,
proceedings under any bankruptcy, insolvency or debtor's relief law,
which proceedings are not dismissed within sixty (60) days; or (iv)
such party is liquidated or dissolved.
16.4 SURVIVAL OF RIGHTS AND OBLIGATIONS UPON TERMINATION. The provisions
of Sections 3, 4.2, 4.3, 10, 12, 13, 14, 15, 16, and 17 shall survive
any expiration or termination of this Agreement.
16.5 RETURN OF MATERIALS UPON TERMINATION. Upon termination or expiration
of this Agreement, all materials containing the SDTI Pre-Existing
Technology or Confidential Information of SDTI shall be returned
promptly to SDTI or destroyed and certified as same by an officer of
VeriSign. Unless otherwise provided in this Agreement, upon
termination of this Agreement, all materials containing the VeriSign
Pre-Existing Technology, Developed Technology, and VeriSign
Proprietary Information of VeriSign shall be returned promptly to
VeriSign or destroyed and certified as same by an authorized
representative of SDTI.
17. MISCELLANEOUS
17.1 FORCE MAJEURE. Neither party shall be liable to the other (except for
failure to pay) for delays or failures in performance resulting from
causes beyond the reasonable control of that party, including but not
limited to acts of God, labor disputes or disturbances, material
shortages or
rationing, riots, acts of war, governmental regulations,
communication or utility failures or casualties.
17.2 ASSIGNMENT. SDTI may not assign or otherwise transfer this Agreement,
or any of its rights or obligations under this Agreement to a third
party without the prior written consent of VeriSign.
17.3 RELATIONSHIP OF PARTIES. The parties are independent contractors
under this Agreement and no other relationship is intended, including
a partnership, franchise, joint venture, agency, employer/employee,
fiduciary, master/servant relationship, or other special
relationship. Neither party shall act in a manner which expresses or
implies a relationship other than that of independent contractor or
binds the other party.
17.4 WAIVER OR DELAY. Waiver of any term, condition or provision of this
Agreement, or a delay in the enforcement of any right hereunder,
shall not be construed as a waiver of any other term, condition, or
provision, nor shall such waiver be deemed a waiver of any subsequent
breach thereof.
17.5 SEVERABILITY. If any term or provision of this Agreement is found to
be invalid under any applicable statute or rule of law then, that
provision notwithstanding, this Agreement shall remain in full force
and effect and such provision shall be deemed omitted.
17.6 BENEFICIARIES. This Agreement is made for the benefit of the parties
hereto and not for the benefit of any third parties.
17.7 GOVERNING LAW AND JURISDICTION. Any action related to this Agreement
will be governed by California law and controlling U.S. federal law.
No choice of law rules of any jurisdiction will apply. Any action
brought hereunder shall be brought exclusively in the United States
District Court for the Northern District of California, San Jose
Branch, or the California Superior Court for the County of Santa
Clara, as applicable.
17.8 ATTORNEYS' FEES. In addition to any other relief, the prevailing
party in any action arising out of this Agreement shall be entitled
to attorneys' fees and costs.
17.9 NOTICES. Any notices required or permitted to be given pursuant to
this Agreement shall be in writing, and may be personally delivered,
telecopied (with confirmation by recognized overnight courier), or
sent by recognized overnight courier to the addresses set forth on
the first page of this Agreement or to such other address as may be
specified from time to time by notice in writing. Any such notice
shall be deemed to have been given when received.
17.10 HEADINGS. Headings used in this Agreement are for ease of reference
only and shall not be used to interpret any aspect of this Agreement.
17.11 ENTIRE AGREEMENT. This Agreement, together with its Exhibits, is the
parties' entire understanding and agreement with respect to its
subject matter and supersedes (a) all prior or contemporaneous oral
or written communications, proposals, understandings, and
representations with respect to its subject matter; and (b) any
conflicting terms of any quote, order, acknowledgment, or similar
communication between the parties. This Agreement may not be modified
or amended, in whole or in part, except in a writing executed by duly
authorized representatives of each party.
17.12 COMPLIANCE WITH EXPORT LAWS. SDTI shall not export, directly or
indirectly, the Developed Technology or other materials or
information provided by VeriSign hereunder, to any country for which
the United States or any other relevant jurisdiction requires any
export license or other governmental approval at the time of export
without first obtaining such license or approval.
17.13 COUNTERPARTS. This Agreement may be executed in two counterparts,
each of which shall be an original and together which shall
constitute one and the same instrument.
IN WITNESS WHEREOF, the parties have caused this Agreement to be executed by
their duly authorized representatives.
SECURITY DYNAMICS VERISIGN, INC.
TECHNOLOGIES, INC. ("SDTI") ("VeriSign")
By: /s/ Marian O'Leary By: /s/ Dana L. Evan
---------------------------- ---------------------------
Name: Marian O'Leary Name: Dana L. Evan
-------------------------- -------------------------
Title: Chief Financial Officer Title: Chief Financial Officer
------------------------- ------------------------
EXHIBIT A
DEVELOPMENT EQUIPMENT
[TO BE COMPLETED]
- --------------------------------------------------------------------------------
EXHIBIT B
SPECIFICATIONS
[TO BE COMPLETED]
- --------------------------------------------------------------------------------
EXHIBIT C
STATEMENT OF WORK
[TO BE COMPLETED]
- --------------------------------------------------------------------------------
EXHIBIT D
THIRD PARTY TECHNOLOGY
[TO BE COMPLETED]
- --------------------------------------------------------------------------------
EXHIBIT E
LICENSE AND ROYALTY PAYMENTS
1. LICENSE FEE. SDTI shall pay to VeriSign an initial license fee of U.S.
[*] for the Developed Technology as more particularly described in the
Statement of Work dated ______ , 1997. Such license fee shall be payable as
follows:
DELIVERABLE DATE PAYMENT
Execution of Agreement $ 900,000
Per Achievement of Milestones set forth in the Statement of Work $1,800,000
TOTAL $2,700,000
2. SUPPORT FEE: Support for the Developed Technology as set forth in Section
12.1 of the Agreement shall be provided by VeriSign without charge for a period
of six (6) months from the Effective Date. Thereafter, SDTI shall pay VeriSign
a support fee of [*] per month.
3. MAINTENANCE FEE: Maintenance services as set forth in Section 12.2 of the
Agreement shall be provided by VeriSign without charge for a period of twelve
(12) months from the Effective Date. Thereafter, SDTI shall pay VeriSign an
annual support fee of [*] payable upon the anniversary of the Effective
Date.
________________________
[*] Confidential treatment has been requested with respect to certain portions
of this exhibit. Confidential portions have been omitted from the public filing
and have been separately filed with the Securities and Exchange Commission.
EXHIBIT F
SUPPORT
[TO BE COMPLETED]
EXHIBIT G
LOGO AND TRADEMARK USAGE GUIDE
VeriSign encourages its customers and partners to use VeriSign logos and
trademarks on customer and partner product data sheets, packaging, Web pages and
advertising - but it is important to use them properly.
When using VeriSign trademarks and service marks in ads, product packaging,
documentation or collateral materials, be sure to use the correct trademark
designator: (SM) for claimed or pending servicemarks, (TM) for claimed or pending
trademarks, and (R) for registered trademarks. VeriSign trademarks and their
correct designators are depicted below. To ensure proper usage, please allow
VeriSign's Corporate Marketing department to review any materials using or
mentioning VeriSign trademarks prior to general release.
Using these VeriSign logos does not require prior written permission; in fact,
we encourage you to use them on your product packaging, Web pages and marketing
collateral. However, text of written materials which mention VeriSign services
and/or products should be reviewed by VeriSign's Corporate Marketing department
at the draft stage.
VeriSign updates its Logo and Trademarks Usage Guide--available at
http://www.VeriSign.com/about/logosmtm.html on a regular basis and will
distribute the information to its customers and partners. This information will
also be located on the VeriSign Web site and updated often.
Logos/Marks (see the website for actual logos):
VeriSign(TM)
Digital ID(SM)
Digital ID Partner(SM)
Digital ID Center(SM)
Authentic Site(TM)
EXHIBIT 10.23
[CONFIDENTIAL TREATMENT REQUESTED]
PLA Number:____________________
Date of Agreement: ____________
VERISIGN PRIVATE LABEL AGREEMENT
(Customer Root Key)
Customer: VISA International Service Association, a Delaware
------------------------------------------------------------
corporation
------------------------------------------------------------
Customer Address: 900 Metro Center Boulevard, Foster City California 94404 or
------------------------------------------------------------
P.O. Box 8999, San Francisco, California 94128-8999
------------------------------------------------------------
Customer Contact: Peter R. Hill
------------------------------------------------------------
Effective Date: April 2, 1996
------------------------------------------------------------
Term of Agreement: Two and one half (2.5) years from the earlier of the
----------------------------------------------------
Commencement of Pilot Program or April 1, 1997.
----------------------------------------------
Exhibits Attached: Exhibit "A": Definitions
Exhibit "B": Fees
Exhibit "C": Logo Usage Guide
Exhibit "D": Project Plan Elements
Exhibit "E": System Design Specifications
Exhibit "F": Customer Requirements for ECS
Exhibit "G": Acceptance Test Procedures
Exhibit "H": VeriSign Marketing Rights and Royalty
Obligations
Exhibit "I": Escrow Agreement
Exhibit "J": License Agreement
Exhibit "K": Service Level Specification
Exhibit "L": Support Levels
Exhibit "M": Timetable for Resolution of Outstanding
Issues
THIS VERISIGN PRIVATE LABEL AGREEMENT ("AGREEMENT"), effective as of the
---------
Effective Date set forth above, is entered into by and between VeriSign, Inc., a
Delaware corporation, having its principal place of business at 2593 Coast
Avenue, Mountain View, California 94043 ("VERISIGN"), and the party identified
--------
above ("CUSTOMER"), having a principal address as set forth above.
--------
RECITAL
VeriSign provides Certificate-issuing and certain other services to members of
both public and private hierarchies. Customer wishes VeriSign to design, build
and operate a Private Label Certificate System based on Customer's Root Key for
the use by Customer to provide certificate registration, issuing and management
functions to its member banks, all on the terms and subject to the conditions
set forth in this Agreement.
NOW, THEREFORE, the parties hereto agree as follows:
VeriSign Private Label Agreement
Page 2
AGREEMENT
1. DEFINITIONS
-----------
Capitalized terms shall have the meanings shown in Exhibit "A" hereto.
2. VERISIGN SERVICES TO CUSTOMER
-----------------------------
2.1 DEVELOPMENT OF PRIVATE LABEL CERTIFICATE SYSTEM. VeriSign will design
and develop a Private Label Certificate System based on Customer's Root Keys, a
Protocol specified by Customer and specifications agreed upon by VeriSign and
Customer in accordance with Section 4.1 below. The Private Label Certificate
System will include Certificate servers, custom enrollment and verification
processes for each Certificate type specified for use by Subscribers, management
of the Certificate repository and renewal process, and procedures for operation
of the system.
2.2 OWNERSHIP AND LICENSE OF PRIVATE LABEL CERTIFICATE SYSTEM. VeriSign
will acquire and assemble the components of the Private Label Certificate
System, consisting of hardware, software and telecommunications equipment. All
right, title and interest to the Private Label Certificate System shall belong
solely and exclusively to VeriSign, and Customer shall have no right, title or
ownership interest therein. VeriSign shall have the right to obtain and hold in
its name copyrights, registrations, patents and any similar protection which may
be available for the Private Label Certificate System or components thereof and
any derivative works thereof. In the event that any technology included in the
VSE as delivered to Customer by VeriSign (the "VSE Technology") is hereafter
covered by a claim of a patent issued to or assigned to VeriSign, VeriSign shall
grant to Customer a nonexclusive, worldwide, perpetual, irrevocable, royalty-
free license under the relevant claim(s) to make, use, have made and sell any
product incorporating technology included in the VSE as delivered by VeriSign,
provided that such license shall extend only to the VSE Technology and not to
any other technology incorporated in any such product. In the event that any
technology included in the Private Label Certificate System as delivered to
Customer by VeriSign is hereafter covered by a claim of a patent issued to or
assigned to VeriSign, VeriSign shall grant to Customer a nonexclusive,
worldwide, royalty-free license under the relevant claim(s) to the extent
necessary for Customer to use the Private Label Certificate System as provided
in this Agreement.
Commencing April 1, 1998, Customer on ninety (90) days' prior written
notice shall have the right to license the Private Label Certificate System
pursuant to a license agreement substantially in the form of Exhibit "J". To
the extent portions of the Private Label Certificate System are not owned by
VeriSign, VeriSign will arrange to obtain the right to use such items by
Customer or arrange for Customer to obtain the right to purchase or otherwise
license such items.
2.3 ASSISTANCE IN DEFINING PROTOCOL. VeriSign will assist Customer in
defining a workable Protocol for secure management and handling of Certificates
in Customer's Private Hierarchy. VeriSign will provide Customer with a copy of
VeriSign's Certification Practice Statement which governs Certificate operations
in the VeriSign Public Hierarchies and a copy of the VeriSign Public Key
Infrastructure (PKI) specification, which details management and
handling of Certificates under a policy-based delegation of operating authority.
VeriSign will also recommend a set of operating and security practices and
procedures to mitigate risks associated with Private Key compromise and Root Key
distribution and to protect Customer's confidential authorization information.
2.4 MAINTENANCE OF PRIVATE LABEL CERTIFICATE SYSTEM AT VERISIGN SITE.
VeriSign will provide a high-security facility on VeriSign's premises in
Mountain View, California for operation of the Certificate server(s) and for
storage of Certificate Signing Units containing Customer's Private Keys when not
in use in a secure vault. VeriSign shall be responsible for maintaining the
security on its premises and shall be liable for any damages that arise out of a
breach of its security. VeriSign may move the Private Label Certificate System
to another location under VeriSign's control which provides a comparable level
of security, and VeriSign shall provide notice to Customer in advance of such
relocation. VeriSign shall establish a secure backup site at a mutually
agreeable location that ensures continued operation in the event of a technical
failure, natural disaster or any other event that disables the Mountain View (or
relocated) facility.
2.5 CERTIFICATE MANAGEMENT SERVICES. VeriSign will provide to Customer
the following services for Certificate management and operations:
2.5.1 SCOPE OF SERVICES. In accordance with Customer's specified
Protocol, VeriSign will provide the following services with respect to the
Certificate server(s): maintain adequate Certificate-issuing capacity to meet
Customer's reasonable forecast requirements, provide firewall security for all
appropriate portions of the Private Label Certificate System, maintain such
firewall security for the portion of the Private Label Certificate System
located on VeriSign premises, maintain a Certificate repository, renew, revoke
and suspend Certificates, and provide Certificate status services.
2.5.2 ENROLLMENT AND RENEWAL SERVICES. Using an enrollment process
based on security-enhanced HTML or e-mail with interfaces to Certificate
Signing Units and authorization systems, VeriSign will issue Certificates under
Customer's name and containing Customer's Root Keys to Subscribers in Customer's
Private Hierarchy in accordance with the Protocol. VeriSign will process
renewals of Certificates in accordance with the Protocol. Within ten (10) days
after the end of each month, VeriSign will provide Customer with a monthly
report on the number of Certificates issued and renewed.
2.5.3 CERTIFICATE REPOSITORY, REVOCATION AND STATUS SERVICES.
VeriSign will maintain a repository of Certificates issued in Customer's
Private Hierarchy. VeriSign will revoke and suspend Certificates in accordance
with the Protocol.
2.6 CUSTOMER SUPPORT. During the term of this Agreement, VeriSign will
supply maintenance for the Private Label Certificate System as described in this
Section 2.6 without additional charge to Customer.
2.6.1 TELEPHONE SUPPORT. VeriSign will provide telephone support as
is reasonably necessary for Customer to meet the performance criteria for the
Private Label
Certificate System as provided in Exhibit "K". VeriSign will also provide
telephone support for a reasonable volume of calls to Customer-related entities
as provided in Exhibit "L". VeriSign shall provide the support specified in this
Section 2.6.1 to Customer's employees responsible for developing and maintaining
Customer Products. VeriSign will provide the names of employees who will serve
as primary points of contact for technical support for Customer. VeriSign may
change the names of designated employees at any time by providing written notice
to Customer. On VeriSign's request, Customer will provide a list with the names
of the employees designated to receive support from VeriSign. Customer may
change the names on the list at any time by providing written notice to
VeriSign.
2.6.2 ESCALATION PROCEDURES. Customer and VeriSign shall agree upon
a procedure for resolution of operating problems in the Private Label
Certificate System which provides for escalation of effort based on the problem
severity.
2.6.3 REIMBURSEMENT FOR CORRECTION OF CUSTOMER ERRORS. In the event
VeriSign is required to take actions to correct an error which is caused by
Customer errors, modifications, enhancements, software or hardware, then
VeriSign may charge Customer for the correction or repair on a time-and-
materials basis at VeriSign's rates then in effect, plus reimbursement for
reasonable travel to and from Customer's sites and out-of-pocket expenses, as
may be necessary in connection with duties performed under this Section 2.6 by
VeriSign.
2.6.4 SYSTEM RELEASES. In the event operating problems in the
Private Label Certificate System are not resolved by the escalation procedures,
Customer and VeriSign agree to evaluate the desirability of changing to a later
available release version of ECS, ECAS, and other applications employed by
VeriSign in provision of the Private Label Certificate System. A change to
release level in the Private Label Certificate System will also be evaluated at
the time new releases are tested.
2.7 ESCROW AGREEMENT. VeriSign will place in escrow pursuant to the
Escrow Agreement set forth at Exhibit "I" all information necessary to build,
support, maintain and operate the Private Label Certificate System. This
information will be released to Customer upon occurrence of the events specified
in such Escrow Agreement.
2.8 CUSTOMER MARKETING RIGHTS. VeriSign acknowledges and understands that
Customer will be marketing Certificates and Certificate services using the
Private Label Certificate Service being produced by VeriSign to Customer
hereunder. VeriSign will be entitled to market Customer to Members as a
Certification Authority and to sell Certificates issued in Customer's Private
Hierarchy at royalty rates specified on Exhibit "H". All pricing of
Certificates to Customer Members under the Certificate Authority Service
marketed by Customer shall be determined by Customer, independent of any
obligation to support and operate the Private Label Certificate Service by
VeriSign hereunder. Customer shall charge its Members directly for use of the
Private Label Certificate System.
2.9 CUSTOMER PERSONNEL. Customer may, at its own cost, upon reasonable
notice and for the purpose of problem resolution, provide personnel to monitor
or participate in the
operation of the Private Label Certificate Service and provision of Customer
service pursuant to Section 2.6. VeriSign agrees to cooperate with Customer
personnel to permit them to assist in establishing appropriate levels of
Customer service, participate in problem verification and determination, and
prepare to transfer operation of the Private Label Certificate Service to
Customer pursuant to the license set forth in Exhibit "J".
2.10 FINANCIAL DATA. In the event Customer ceases to have access to
financial information concerning VeriSign pursuant to its rights under that
certain Investors' Rights Agreement dated February 20, 1996, or pursuant to
filings made in accordance with the Securities Exchange Act of 1934, VeriSign
shall make available to Customer on a quarterly basis, an unaudited balance
sheet and statement of operations. Such information shall be kept confidential
by Customer in accordance with Section 6.
3. CUSTOMER OBLIGATIONS TO VERISIGN
--------------------------------
3.1 PROTOCOL. In addition to specifying SET-based functionality as
incorporated in the Customer Requirements for ECS and the System Design
Specifications, Customer will specify a Protocol, consisting of policies,
procedures and resources to control the entire Certificate process for its
Private Hierarchy and the transactional use of Certificates within the Private
Hierarchy. The Protocol is not required to be consistent with the requirements
of VeriSign's Certification Practice Statement for operation of VeriSign Public
Hierarchies.
3.2 VERIFICATION OF SUBSCRIBER INFORMATION. Customer will provide
VeriSign with verification of enrollment information submitted by a Subscriber
who wishes to become a member of Customer's Private Hierarchy prior to
VeriSign's issuance of a Certificate to such Subscriber. Customer will provide
VeriSign with verification of a Subscriber's identity to the extent required by
the Protocol.
3.3 FORECAST. Customer agrees to provide VeriSign on a confidential basis
at the end of each calendar quarter with an updated forecast of the volume of
Certificates it expects to be required for Customer's Private Hierarchy for the
next six (6) months. The forecasts shall be by product line and based upon good
faith estimates and assumptions believed by Customer to be reasonable at the
time made.
3.4 CUSTOMER PERSONNEL. To the extent Customer personnel are provided or
take action pursuant to Sections 2.9, 4.1.5, or 4.2, such personnel shall be
provided solely at Customer's cost, and, upon request, Customer shall provide
evidence of satisfaction of all state and federal employment laws and worker
compensation requirements in connection with such personnel. Such personnel
shall execute confidentiality agreements as VeriSign shall reasonably request,
and shall agree to abide by all reasonable VeriSign visitor regulations.
Customer understands that VeriSign operates a secure facility and that there are
portions of such facility that Customer's personnel will not be permitted to
enter. In the event that VeriSign determines that any of Customer's personnel
has breached a VeriSign visitor regulation, Customer shall immediately cause
such person to be removed from VeriSign's facility, and may provide a
replacement.
4. DEVELOPMENT
-----------
4.1 DEVELOPMENT OF PROJECT PLAN. Attached as Exhibit D is the Project
Plan that specifies the major phases of the development of the Customer's
Private Label Certificate System, the major tasks to be completed, the
deliverables to be produced and their scheduled completion dates.
4.1.1 DEVELOPMENT OF INTERFACE SPECIFICATIONS. In accordance with
the Project Plan, Customer will create Interface Specifications for software
interface of the Private Label Certificate System to Customer's Subscriber
enrollment and authorization information and deliver the Interface
Specifications to VeriSign for review and approval. VeriSign shall deliver
written acceptance or rejection of the Interface Specifications within fourteen
(14) days. VeriSign shall promptly notify Customer of any deficiencies in the
Interface Specifications. Such notification shall be in writing and shall
contain sufficient detail to allow Customer to resolve such deficiencies. If
VeriSign fails to respond within the fourteen (14) days, Customer may submit
written notice of such failure. If VeriSign does not respond with written
notice of deficiencies as described above within two (2) days of receipt of such
notice then such failure to respond shall be deemed an acceptance by VeriSign.
Customer shall respond to deficiencies identified by VeriSign by either making
modifications or refuting VeriSign's arguments regarding the deficiency. Any
modification to the Interface Specifications shall be resubmitted to VeriSign
for review and approval in accordance with the procedures outlined in this
Section 4.1.1.
4.1.2 DEVELOPMENT OF PROTOCOL. In accordance with the Project Plan,
Customer will create the Protocol and deliver it to VeriSign for review and
approval. VeriSign shall deliver written acceptance or rejection of the
Protocol within fourteen (14) days. VeriSign shall promptly notify Customer of
any deficiencies in the Protocol. Such notification shall be in writing and
shall contain sufficient detail to allow Customer to resolve such deficiencies.
If VeriSign fails to respond within the fourteen (14) days, Customer may submit
written notice of such failure. If VeriSign does not respond with written
notice of deficiencies as described above within two (2) days of receipt of such
notice then such failure to respond shall be deemed an acceptance by VeriSign.
Customer shall respond to deficiencies identified by VeriSign by either making
modifications or refuting VeriSign's arguments regarding the deficiency. Any
modification to the Protocol shall be resubmitted to VeriSign for review and
approval in accordance with the procedures outlined in this Section 4.1.2.
4.1.3 DEVELOPMENT OF SYSTEM DESIGN SPECIFICATIONS. In accordance
with the Project Plan, VeriSign will create System Design Specifications for the
Private Label Certificate System and deliver the System Design Specifications to
Customer to determine material conformity to Exhibit "F" and the Protocol and
for Customer acceptance. Customer shall deliver written acceptance or rejection
of the System Design Specifications within fourteen (14) days. Customer shall
promptly notify VeriSign of any deficiencies in the System Design
Specifications. Such notification shall be in writing and shall contain
sufficient detail to allow VeriSign to resolve such deficiencies. If Customer
fails to respond within the fourteen (14) days, VeriSign may submit written
notice of such failure. If Customer does not respond with written
notice of deficiencies as described above within two (2) days of receipt of such
notice then such failure to respond shall be deemed an acceptance by Customer.
VeriSign shall respond to deficiencies identified by Customer by either making
modifications or refuting Customer's arguments regarding the deficiency. Any
modification to the System Design Specifications shall be resubmitted to
Customer for review and approval in accordance with the procedures outlined in
this Section 4.1.3.
4.1.4 DEVELOPMENT OF ACCEPTANCE TEST PROCEDURES. In accordance with
the Project Plan, Customer shall create the Acceptance Test Procedures and
deliver them to VeriSign for review and approval. VeriSign shall deliver
written acceptance or rejection of the Acceptance Test Procedures within
fourteen (14) days. VeriSign shall promptly notify Customer of any deficiencies
in the Acceptance Test Procedures. Such notification shall be in writing and
shall contain sufficient detail to allow Customer to resolve such deficiencies.
If VeriSign fails to respond within the fourteen (14) days, Customer may submit
written notice of such failure. If VeriSign does not respond with written
notice of deficiencies as described above within two (2) days of receipt of such
notice then such failure to respond shall be deemed an acceptance by VeriSign.
Customer shall respond to deficiencies identified by VeriSign by either making
modifications or refuting VeriSign's arguments regarding the deficiency. Any
modification to the Acceptance Test Procedures shall be resubmitted to VeriSign
for review and approval in accordance with the procedures outlined in this
Section 4.1.4.
4.1.5 DEVELOPMENT OF PRIVATE LABEL CERTIFICATE SYSTEM. In accordance
with the Project Plan, VeriSign will develop the Private Label Certificate
System in material conformity to the Interface Specifications and the System
Design Specifications. Development of the Private Label Certificate System will
take place at VeriSign's facility located in Mountain View, California or such
other place as VeriSign shall reasonably select. VeriSign will deliver notice
to Customer that the Private Label Certificate System is in material conformity
to the Interface Specifications and the System Design Specifications and ready
for acceptance testing on or before the date set forth in the Project Plan.
Customer shall have the option to place two Customer employees on VeriSign's
development team for the Private Label Certificate System. Such Customer
personnel will be fully integrated into the development process and have access
to all project information. Such personnel shall be subject to Sections 3.4 and
6 of this Agreement.
4.1.6 DEVELOPMENT OF SERVICE LEVEL SPECIFICATION. Customer and
VeriSign have specified a preliminary set of performance criteria against which
to measure the adequacy of the Private Label Certificate System in Exhibit "K"
hereto, which is acceptable at the Effective Date of this Agreement. Customer
and VeriSign recognize that after completion of the major phases of development
of the Private Label Certificate System some modification of the Service Level
Specification may be desirable. After the Acceptance Test Procedures have been
approved by VeriSign, Customer and VeriSign shall cooperate in evaluating
whether the Service Level Specification should be amended by Change Order in
accordance with Section 4.1.8 and shall negotiate in good faith with respect to
this Exhibit K.
4.1.7 ACCEPTANCE. Acceptance testing of the Private Label
Certificate System in accordance with the Acceptance Test Procedures shall take
place at VeriSign's facility located in Mountain View, California, or such other
place as VeriSign shall reasonably select, using test data supplied by Customer
and supplemented and approved by VeriSign, and shall establish material
conformity of the Private Label Certificate System with the Interface
Specifications and the System Design Specifications. VeriSign shall be
entitled, but not obligated, to have a representative present at all such tests.
Customer shall promptly notify VeriSign of any failure of the Private Label
Certificate System discovered in testing, and any retesting required will be
performed after redelivery of a modified version of the Private Label
Certificate System to Customer by VeriSign. Customer shall deliver written
acceptance of the Private Label Certificate System after establishment of
material conformance to the Interface Specifications and the System Design
Specifications and material satisfaction of the Acceptance Test Procedures
within fourteen (14) days of the completion of the testing. Such notification
acceptance shall be in writing. If Customer fails to respond within the
fourteen (14) days, VeriSign may submit written notice of such failure. If
Customer does not respond with written notice of acceptance as described above
within two (2) days of receipt of such notice then such failure to respond shall
be deemed an acceptance by Customer.
4.1.8 CHANGE ORDERS. Any amendment to a Program Document after its
acceptance, shall only be effected by a change order ("CHANGE ORDER") approved
as follows:
4.1.8.1 CUSTOMER INITIATED. Customer may initiate a Change
Order by delivering to VeriSign a writing signed by Customer's Program Manager
requesting VeriSign to prepare a proposed Change Order. Such writing shall
specify the requested change and cross-reference to Sections of the Program
Documents that are proposed to be amended.
4.1.8.2 VERISIGN INITIATED. VeriSign may initiate a Change
Order by delivering to Customer a proposed Change Order meeting the requirements
of Section 4.1.8.3.
4.1.8.3 PREPARATION. Upon receipt of a written request as set
forth above in this Section 4.1.8, VeriSign shall, on or before fifteen (15)
days after receipt of such request, prepare for Customer's review a proposed
Change Order. Such proposed Change Order shall contain:
(i) a detailed description of the proposed
amendments to the Program Documents;
(ii) the change, if any, to scheduled delivery of any
item;
(iii) change in amounts due VeriSign under Exhibit "B"
as a result of such Change Order. It is the expectation of the parties that
enhancements, over and above the work initially specified in the Program
Documents, which both parties deem necessary to permit reasonable implementation
of the Private Label Certificate System, will be jointly funded in a spirit of
cooperation between VeriSign and Customer. Those changes specifically requested
by Customer, which are considered out of the scope of the original Program
Documents, will be provided by VeriSign at its then-current time and materials
rates.
4.1.8.4 EVALUATION. Customer shall evaluate, and respond to
VeriSign with respect to, any proposed Change Order on or before the fifteenth
(15) business day after receipt.
4.1.8.5 APPROVAL. Change Orders shall become effective and
shall act as amendments to this Agreement and to portions of the Program
Documents specified in such Change Orders only upon their execution by an
officer or the Program Manager of VeriSign and by an officer or the Program
Manager of Customer.
4.1.8.6 TECHNICAL SERVICES. In the event that a Change Order
alters the scope of the project as originally defined, VeriSign will provide the
following technical services to Customer at VeriSign's then standard rates:
4.1.8.6.1 Engineering assistance in developing
interfaces for Certificate services to Customer's proprietary databases
containing authorization and enrollment information regarding Subscribers.
4.1.8.6.2 Training of up to five (5) days for
Customer's employee responsible for training other employees in customer
technical support, marketing, and sales. Training shall occur at VeriSign's
facility in Mountain View, California, or at such other location as the parties
may agree.
4.2 PROJECT AUDITS. Customer shall have the right to perform a project
audit to ensure adherence by VeriSign to this Agreement subject to limitations
set forth below. Customer shall give reasonable prior notice to VeriSign of its
desire to audit VeriSign's performance under this Agreement. Customer shall
have the right to review VeriSign's progress on development of the Private Label
Certificate System and after implementation of such system, Customer shall have
the right to audit operational performance and execution of VeriSign in
connection with the Private Label Certificate System. VeriSign agrees to
cooperate with Customer personnel to permit them to assure themselves that
VeriSign is performing its obligations in a reasonable manner under this
Agreement. Such Customer personnel shall be subject to the requirements of
Sections 3.4 and 6 of this Agreement. Customer shall perform such audits only
at reasonable intervals.
5. FEES AND PENALTIES
------------------
5.1 DEVELOPMENT FEES. As consideration for the development of a Private
Label Certificate System for Customer, provision of the hardware and software
components of the system, and assistance in developing a Protocol for operation
of the Private Label Certificate System as set forth in Sections 2.1, 2.2 and
2.3 above, Customer shall pay to VeriSign the amount set forth as Development
Fees on Exhibit "B" according to the terms contained therein.
5.2 SET-UP FEES. As consideration for operation of the Private Label
Certificate System as set forth in Sections 2.4, 2.5, 2.6 and 2.7 above Customer
shall pay to VeriSign the amount set forth as Set-Up Fees on Exhibit "B"
according to the terms contained therein.
5.3 SUBSCRIBER FEES. Customer will pay to VeriSign as Subscriber Fees
amounts for each Subscriber initially enrolled or renewed in Customer's Private
Hierarchy through Customer the prices set forth on Exhibit "B".
5.4 TERMS OF PAYMENT. Subscriber Fees shall accrue upon issuance.
VeriSign will furnish Customer with a monthly invoice accompanied by the report
required by Section 2.5.2 above of the number and type of Certificates requested
and the number and type of Certificates issued and renewed during the prior
month. Customer will pay Subscriber Fees as set forth in Exhibit "B" for the
period therein. Subscriber Fees due VeriSign hereunder shall be paid by
Customer to VeriSign's address set forth on Page 1 above on or before the
thirtieth (30th) day after the invoice date. A late payment penalty on any
undisputed Subscriber Fees not paid when due shall be assessed at the rate of
one percent (1%) per thirty (30) days, beginning on the thirty-first (31st) day
after the day the unpaid Subscriber Fees are due.
5.5 TAXES. All taxes, duties, fees and other governmental charges of any
kind (including sales and use taxes, but excluding taxes based on the gross
revenues or net income of VeriSign) which are imposed by or under the authority
of any government or any political subdivision thereof on the Development Fees
or Set-Up Fees, Subscriber Fees or any aspect of this Agreement shall be borne
by Customer and shall not be considered a part of, a deduction from or an offset
against such fees.
5.6 DELAY PENALTY. In the event VeriSign does not operate on Visa's
behalf a Private Label Certificate System materially meeting the System Design
Specifications within four (4) weeks after the date specified as the
"Commencement of Pilot" in the Project Plan ("Penalty Date"), Customer shall be
entitled to liquidated delay damages as follows: One Thousand Dollars ($1,000)
per day for each day past the Penalty Date. VeriSign shall be entitled to an
automatic extension for any deadline that is equal in length to that of any
delay caused by any party other than VeriSign or entities controlled by
VeriSign.
5.7 DEGRADATION PENALTY. After thirty (30) days prior notice of failure
to meet the minimum service standard set forth in Exhibit "K" Service Level
Specifications, Customer shall be entitled to degradation penalties as defined
in Exhibit K.
5.8 INCENTIVE FOR EARLY COMPLETION. Both parties agree to work in good
faith to complete all tasks necessary to offer the Private Label Certificate
System as soon as possible. To provide an incentive for completion, Customer
agrees to pay VeriSign a bonus of One Thousand Dollars ($1,000) per day for
every day that it is operating a Private Label Certificate System for the Pilot
before the date of the Commencement Pilot currently listed in Project Plan. In
the event that VeriSign operates a Private Label Certificate System for Customer
on or before January 1, 1997, Customer shall pay VeriSign a bonus of Fifty
Thousand Dollars ($50,000), this bonus shall be in lieu of the One Thousand
Dollars ($1,000) per day bonus.
6. CONFIDENTIALITY
---------------
6.1 CONFIDENTIALITY. The parties acknowledge that in their performance of
their duties hereunder either party may communicate to the other (or its
designees) certain confidential
and proprietary information concerning the Customer Products, VeriSign products,
the know-how, technology, techniques or marketing plans related thereto
(collectively, the "Proprietary Information") all of which are confidential and
proprietary to, and trade secrets of, the disclosing party. Each party agrees to
hold all Proprietary Information within its own organization and shall not,
without specific written consent of the other party or as expressly authorized
herein, utilize in any manner, publish, communicate or disclose any part of the
Proprietary Information to third parties. This Section 6.1 shall impose no
obligation on either party with respect to any Proprietary Information which:
(i) is in the public domain at the time disclosed by the disclosing party; (ii)
enters the public domain after disclosure other than by breach of the receiving
party's obligations hereunder or by breach of another party's confidentiality
obligations; or (iii) is shown by documentary evidence to have been known by the
receiving party prior to its receipt from the disclosing party. Each party will
take such steps as are consistent with its protection of its own confidential
and proprietary information (but will in no event exercise less than reasonable
care) to ensure that the provisions of this Section 6.1 are not violated by its
end user customers, distributors, employees, agents or any other person.
6.2 INJUNCTIVE RELIEF. Both parties acknowledge that the restrictions
contained in this Section 6 are reasonable and necessary to protect their
legitimate interests and that any violation of these restrictions will cause
irreparable damage to the other party within a short period of time, and each
party agrees that the other party will be entitled to injunctive relief against
each violation.
7. OBLIGATIONS OF CUSTOMER
-----------------------
7.1 PROPRIETARY MARKINGS; COPYRIGHT NOTICES. The Customer agrees not to
remove or destroy any proprietary, trademark or copyright markings or notices
placed upon or contained within any VeriSign materials or documentation. The
Customer further agrees to insert and maintain: (i) within every Customer
Product and any related materials or documentation a copyright notice in the
name of VeriSign; and (ii) within the splash screens, user documentation,
printed product collateral, product packaging and advertisements for the
Customer Product, a statement that the Customer Product contains the VeriSign
technology. The Customer shall not take any action which might adversely affect
the validity of VeriSign's proprietary, trademark or copyright markings or
ownership by VeriSign thereof, and shall cease to use the markings, or any
similar markings, in any manner on the expiration of this Agreement. The
placement of a copyright notice on any of the VeriSign materials or
documentation shall not constitute publication or otherwise impair the
confidential or trade secret nature of the VeriSign materials or documentation.
7.2 VERISIGN'S INDEMNITY. CUSTOMER EXPRESSLY INDEMNIFIES AND HOLDS
HARMLESS VERISIGN, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL
LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO SUBSCRIBERS IN CUSTOMER'S PRIVATE
HIERARCHY AND TO THIRD PARTIES WHICH MAY ARISE FROM ACTS OF CUSTOMER OR FROM THE
USE OF CERTIFICATES IN CUSTOMER'S PRIVATE HIERARCHY, USE OF ANY CUSTOMER
PRODUCT, OR ANY DOCUMENTATION, SERVICES OR ANY OTHER ITEM
FURNISHED BY THE CUSTOMER TO SUBSCRIBERS IN CUSTOMER'S PRIVATE HIERARCHY, OTHER
THAN LIABILITY ARISING FROM THE VERISIGN PRODUCTS AND VERISIGN DOCUMENTATION
(UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN THE ABSENCE OF MODIFICATIONS TO
ANY OF THE FOREGOING BY THE CUSTOMER OR ITS EMPLOYEES, AGENTS OR CONTRACTORS) OR
FROM THE ACTS OF VERISIGN; AND (ii) ANY LIABILITY ARISING IN CONNECTION WITH AN
UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY THE
CUSTOMER OR ITS AGENTS, EMPLOYEES OR DISTRIBUTORS TO ANY PARTY WITH RESPECT TO
THE VERISIGN PRODUCTS OR VERISIGN DOCUMENTATION.
7.3 CUSTOMER'S INDEMNITY. VERISIGN EXPRESSLY INDEMNIFIES AND HOLDS
HARMLESS CUSTOMER, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL
LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO ANY THIRD PARTIES THAT MAY ARISE
FROM ACTS OF VERISIGN OR FROM USE OF VERISIGN SOURCE CODE, VERISIGN'S OBJECT
CODE OR VERISIGN'S USER MANUALS (UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN
THE ABSENCE OF MODIFICATIONS TO ANY OF THE FOREGOING BY CUSTOMER OR ITS
EMPLOYEES, AGENTS OR CONTRACTORS); AND (ii) ANY LIABILITY ARISING IN CONNECTION
WITH AN UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY
VERISIGN OR ITS AGENTS OR EMPLOYEES TO ANY PARTY WITH RESPECT TO CUSTOMER
PRODUCTS, OR ANY VERISIGN SOFTWARE.
7.4 NOTICES. The Customer shall immediately advise VeriSign of any legal
notices served on the Customer which might affect VeriSign.
8. LIMITED WARRANTY: DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY;
--------------------------------------------------------------------
INDEMNITIES
-----------
8.1 Limited Warranty. During the term of this Agreement, VeriSign
warrants that
8.1.1 to VeriSign's knowledge, Customer's Private Keys have not been
compromised so long as VeriSign has not provided notice to Customer to the
contrary,
8.1.2 VeriSign has used best efforts to maintain the security at its
facilities and to maintain the security of any of Customer's private keys in its
possession or control,
8.1.3 VeriSign has substantially complied with the Protocol in
issuing a Certificate to a Subscriber in Customer's Private Hierarchy,
8.1.4 VeriSign has substantially complied with the Protocol in
renewing, revoking or suspending a Certificate, and
8.1.5 the Private Label Certificate System materially conforms to the
Interface Specifications and the System Design Specifications.
8.2 DISCLAIMER. EXCEPT FOR THE EXPRESS LIMITED WARRANTY PROVIDED IN
SECTION 8.1, VERISIGN'S PRODUCTS AND SERVICES ARE PROVIDED "AS IS" WITHOUT ANY
WARRANTY WHATSOEVER. VERISIGN DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO ORAL OR WRITTEN
INFORMATION OR ADVICE GIVEN BY VERISIGN OR ITS EMPLOYEES OR REPRESENTATIVES
SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF VERISIGN'S
OBLIGATIONS.
CUSTOMER IS RESPONSIBLE FOR THE SECURITY, COMMUNICATION OR USE OF ITS
PRIVATE KEY, EXCEPT TO THE EXTENT SUCH PRIVATE KEY IS IN THE CUSTODY OR CONTROL
OF VERISIGN. VERISIGN SHALL NOT BE RESPONSIBLE FOR THE THEFT OR ANY OTHER FORM
OF COMPROMISE OF CUSTOMER'S PRIVATE KEY, WHICH MAY OR MAY NOT BE DETECTED EXCEPT
WHEN SUCH PRIVATE KEY IS IN THE CUSTODY OR CONTROL OF VERISIGN. VERISIGN SHALL
NOT BE LIABLE FOR ANY USE OF A KEY STOLEN OR COMPROMISED WHILE IN CUSTOMER'S
CUSTODY OR CONTROL UNLESS CUSTOMER HAS PROVIDED NOTICE TO VERISIGN IN ACCORDANCE
WITH THE PROTOCOL, AND VERISIGN HAS FAILED SUBSTANTIALLY TO COMPLY WITH THE
PROTOCOL OR UNLESS CUSTOMER CAN ESTABLISH THAT SUCH THEFT OR KEY COMPROMISE
OCCURRED WHILE THE SOLE COPY OF THE KEY WAS IN THE CUSTODY OR CONTROL OF
VERISIGN OR WHILE THE KEY WAS IN THE CUSTODY OR CONTROL OF VERISIGN AND THAT THE
COPY OF THE KEY IN VERISIGN'S CUSTODY OR CONTROL WAS STOLEN OR COMPROMISED.
EACH SUBSCRIBER IS RESPONSIBLE FOR THE SECURITY, COMMUNICATION OR USE OF
HIS, HER OR ITS PRIVATE KEY. VERISIGN SHALL NOT BE RESPONSIBLE FOR THE THEFT OR
ANY OTHER FORM OF COMPROMISE OF ANY SUBSCRIBER'S PRIVATE KEY, WHICH MAY OR MAY
NOT BE DETECTED. VERISIGN SHALL NOT BE LIABLE FOR ANY USE OF A STOLEN OR
COMPROMISED KEY TO FORGE A SUBSCRIBER'S DIGITAL SIGNATURE TO A DOCUMENT UNLESS
THE SUBSCRIBER OR CUSTOMER HAS PROVIDED NOTICE TO VERISIGN IN ACCORDANCE WITH
THE PROTOCOL AND VERISIGN HAS FAILED TO COMPLY WITH THE PROTOCOL.
8.3 LIMITATION OF LIABILITY. NEITHER PARTY WILL BE LIABLE TO THE OTHER
PARTY, TO A SUBSCRIBER OR TO ANY THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT,
SPECIAL, INCIDENTAL OR EXEMPLARY DAMAGES WHETHER FORESEEABLE OR UNFORESEEABLE
(INCLUDING, BUT NOT LIMITED TO, GOODWILL, PROFITS, INVESTMENTS, USE OF MONEY OR
USE OF FACILITIES; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF
OTHER WORK OR IMPAIRMENT OF OTHER ASSETS; OR LABOR CLAIMS, EVEN IF VERISIGN HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), ARISING OUT OF BREACH OF ANY
EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT,
NEGLIGENCE, EXCEPT ONLY IN THE CASE OF DEATH OR PERSONAL INJURY WHERE AND TO THE
EXTENT THAT APPLICABLE LAW REQUIRES SUCH LIABILITY. UNDER NO CIRCUMSTANCES SHALL
EITHER PARTY'S LIABILITY TO THE OTHER PARTY OR ANY SUBSCRIBER OR ANY THIRD PARTY
ARISING OUT OF OR RELATED TO THIS AGREEMENT, EXCLUDING LIABILITY FOR MONEY
ACTUALLY OWED TO A PARTY AS ROYALTY FEES, DEVELOPMENT FEES, SET-UP FEES, OR
SUBSCRIBER FEES, EXCEED $100,000.00 WITH RESPECT TO A SINGLE OCCURRENCE OR
$1,000,000.00 IN THE AGGREGATE REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS
BASED ON WARRANTY, CONTRACT, TORT OR OTHERWISE. THE LIMITATION SET FORTH IN THIS
SECTION 8.3 SHALL NOT APPLY TO INDEMNITIES OR RIGHTS GRANTED BY SECTION 8.5 OR
8.6.
8.4 INDEMNITIES. Subject to the limitations set forth below and the
limitations in Section 8.3, VeriSign, at its own expense, shall (i) defend, or
at its option settle, any claim, suit or proceeding against Customer on the
basis of VeriSign's breach of any limited warranty in this Agreement in
connection with use of a Certificate in Customer's Private Hierarchy; and (ii)
pay any final judgment entered or settlement against company on such issue in
any such suit or proceedings defended by VeriSign. VeriSign shall have no
obligation to Customer pursuant to this Section 8.4 unless (a) Customer gives
VeriSign prompt written notice of the claim; (b) VeriSign is given the right to
control and direct the investigation, preparation, defense and settlement of the
claim; and (c) Customer has complied with the Protocol.
8.5 PROPRIETARY RIGHTS INFRINGEMENT BY VERISIGN.
8.5.1 Subject to the limitations set forth in this Section 8.5,
VeriSign, at its own expense, shall: (i) defend, or at its option settle, any
claim, suit or proceeding against Customer on the basis of infringement of any
United States copyright, patent, trade secret or any other intellectual property
right ("Proprietary Rights") by the unmodified Private Label Certificate System
as delivered by VeriSign or any claim that VeriSign has no right to provide the
Private Label Certificate System hereunder; and (ii) pay any final judgment
entered or settlement against Customer on such issue in any such suit or
proceeding defended by VeriSign. VeriSign shall have no obligation to Customer
pursuant to this Section 8.5.1 unless: (A) Customer gives VeriSign prompt
written notice of the claim; (B) VeriSign is given the right to control and
direct the investigation, preparation, defense and settlement of the claim; and
(C) the claim is based on Customer's use of the most recent version of the
Relatively Unmodified Private Label Certificate System in accordance with this
Agreement. A Relatively Unmodified Private Label Certificate System shall mean
a wholly unmodified Private Label Certificate System or a Private Label
Certificate System that has been modified but such modifications are not
relevant to the claim.
8.5.2 If VeriSign receives notice of an alleged infringement
described in Section 8.5.1, VeriSign shall have the right, at its sole option,
to obtain the right to continue use of the Private Label Certificate System or
to replace or modify the Private Label Certificate System so that it is no
longer infringing. If neither of the foregoing options is reasonably available
to VeriSign, then use of the Private Label Certificate System may be terminated
at the option of VeriSign without further obligation or liability except as
provided in Sections 8.5.1 and 9.3 and
in the event of such termination, VeriSign shall refund the Development Fees
paid by Customer hereunder less depreciation for use assuming straight line
depreciation over a five (5)-year useful life.
8.5.3 THE RIGHTS AND REMEDIES SET FORTH IN SECTIONS 8.5.1 AND 8.5.2
CONSTITUTE THE ENTIRE OBLIGATION OF VERISIGN AND THE EXCLUSIVE REMEDIES OF
CUSTOMER CONCERNING PROPRIETARY RIGHTS INFRINGEMENT BY THE VERISIGN SOFTWARE.
8.6 PROPRIETARY RIGHTS INFRINGEMENT BY CUSTOMER.
8.6.1 Subject to the limitations set forth in this Section 8.6,
Customer, at its own expense, shall: (i) defend, or at its option settle, any
claim, suit or proceeding against VeriSign on the basis of infringement of any
Proprietary Right by the Customer Product (except to the extent arising from a
Relatively Unmodified Private Label Certificate System); and (ii) pay any final
judgment entered or settlement against VeriSign on such issue in any such suit
or proceeding defended by Customer. Customer shall have no obligation to
VeriSign pursuant to this Section 8.6.1 unless: (A) VeriSign gives Customer
prompt written notice of the claim; and (B) Customer is given the right to
control and direct the investigation, preparation, defense and settlement of the
claim.
8.6.2 If Customer receives notice of an alleged infringement
described in Section 8.6.1, Customer shall have the right, at its sole option,
to obtain the right to continued use of the Private Label Certificate System or
the Customer Product or to replace or modify the Private Label Certificate
System or the Customer Product so that they are no longer infringing. If
neither of the foregoing options in this Section 8.6.2 is reasonably available
to Customer, then use of the Private Label Certificate System or the Customer
Product may be terminated at the option of Customer without further obligation
or liability except as provided in Sections 8.6.1 and 9.3, and in the event of
such termination, VeriSign shall retain all Development Fees, Set-Up Fees and
Subscriber Fees paid by Customer hereunder.
8.6.3 THE RIGHTS AND REMEDIES SET FORTH IN SECTIONS 8.6.1 AND 8.6.2
CONSTITUTE THE ENTIRE OBLIGATION OF CUSTOMER AND THE EXCLUSIVE REMEDIES OF
VERISIGN CONCERNING CUSTOMER'S PROPRIETARY RIGHTS INFRINGEMENT.
9. TERM AND TERMINATION
--------------------
9.1 TERMINATION. This Agreement shall terminate on the earliest of:
9.1.1 The end of the term set forth on the first page hereof;
9.1.2 Failure by either party to perform any of its material
obligations under this Agreement and the Exhibits hereto if such breach is not
cured within sixty (60) days after receipt of written notice thereof from the
other party;
9.1.3 Notice from VeriSign to the Customer after the occurrence of a
purported assignment of this Agreement in violation of Section 10.2; or
9.1.4 Notice from either party to the other if the other party is
adjudged insolvent or bankrupt, or the institution of any proceedings by or
against the other party seeking relief, reorganization or arrangement under any
laws relating to insolvency, or any assignment for the benefit of creditors, or
the appointment of a receiver, liquidator or trustee of any of the other party's
property or assets, or the liquidation, dissolution or winding up of the other
party's business.
9.1.5 Customer shall have the right to terminate this Agreement upon
sixty (60) days notice if the Customer support obligations provided by VeriSign
pursuant to Section 2.6 are consistently not provided, or if agreement cannot be
reached on the cost of service at the time of any annual review.
9.1.6 Upon Customer's execution of the License Agreement set forth at
Exhibit "J".
9.2 EXTENSION OF TERM. This Agreement may be renewed by the written
consent of the parties for an additional term upon expiration of the term
provided in Section 9.1.1, under VeriSign's then-current standard terms and
conditions. Subscriber Fees and Set-Up Fees shall be renegotiated annually
during any extended term.
9.3 EFFECT OF TERMINATION. Upon expiration or termination of this
Agreement for any reason except for VeriSign's breach pursuant to Section 9.1.2
or if VeriSign fulfills any of the conditions stated in Section 9.1.4, all use
of the Private Label Certificate System by Customer shall cease, and Customer
shall pay to VeriSign any Subscriber Fees which have accrued in accordance with
Section 5.4 unless the termination occurred pursuant to Section 9.1.2 because of
breach by VeriSign. Such expiration or termination shall not affect Sections 6,
7, 8, and 10 of this Agreement which shall continue in full force and effect to
the extent necessary to permit the complete fulfillment thereof.
10. MISCELLANEOUS PROVISIONS
------------------------
10.1 GOVERNING LAWS; VENUE; WAIVER OF JURY TRIAL. THE LAWS OF THE STATE
OF CALIFORNIA, U.S.A. (IRRESPECTIVE OF ITS CHOICE OF LAW PRINCIPLES) SHALL
GOVERN THE VALIDITY OF THIS AGREEMENT, THE CONSTRUCTION OF ITS TERMS, AND THE
INTERPRETATION AND ENFORCEMENT OF THE RIGHTS AND DUTIES OF THE PARTIES HERETO.
THE PARTIES AGREE THAT THE UNITED NATIONS CONVENTION ON CONTRACTS FOR THE
INTERNATIONAL SALE OF GOODS SHALL NOT APPLY TO THIS AGREEMENT. THE PARTIES
HEREBY AGREE THAT ANY SUIT TO ENFORCE ANY PROVISION OF THIS AGREEMENT OR ARISING
OUT OF OR BASED UPON THIS AGREEMENT OR THE BUSINESS RELATIONSHIP BETWEEN THE
PARTIES HERETO SHALL BE BROUGHT IN THE UNITED STATES DISTRICT COURT FOR THE
NORTHERN DISTRICT OF CALIFORNIA OR THE SUPERIOR OR MUNICIPAL COURT IN AND FOR
THE COUNTY OF SANTA CLARA,
CALIFORNIA, U.S.A. Each party hereby agrees that such courts shall have
exclusive in personam jurisdiction and venue with respect to such party, and
each party hereby submits to the exclusive in personam jurisdiction and venue of
such courts. The parties hereby waive any right to jury trial with respect to
any action brought in connection with this Agreement.
10.2 BINDING UPON SUCCESSORS AND ASSIGNS. Except as otherwise provided
herein, this Agreement shall be binding upon, and inure to the benefit of, the
successors, executors, heirs, representatives, administrators and assigns of the
parties hereto. This Agreement shall not be assignable by either party, by
operation of law (including as a result of a merger involving a party or a
transfer of a controlling interest in a party's voting securities) or otherwise
without the prior written authorization of the nonassigning party, except that
either party may assign its rights and obligations under this Agreement to its
Affiliates, provided that the assigning party receives the nonassigning party's
prior written consent, which shall not be unreasonably withheld. Any such
purported assignment or delegation shall be void and of no effect and shall
permit non-assigning party to terminate this Agreement pursuant to Section
9.1.3.
10.3 SEVERABILITY. If any provision of this Agreement, or the application
thereof, shall for any reason and to any extent, be invalid or unenforceable,
the remainder of this Agreement and application of such provision to other
persons or circumstances shall be interpreted so as best to reasonably effect
the intent of the parties hereto. IT IS EXPRESSLY UNDERSTOOD AND AGREED THAT
EACH AND EVERY PROVISION OF THIS AGREEMENT WHICH PROVIDES FOR A LIMITATION OF
LIABILITY, DISCLAIMER OF WARRANTIES OR EXCLUSION OF DAMAGES IS INTENDED BY THE
PARTIES TO BE SEVERABLE AND INDEPENDENT OF ANY OTHER PROVISION AND TO BE
ENFORCED AS SUCH.
10.4 ENTIRE AGREEMENT. This Agreement, the Appendices hereto and all
agreements referred to therein constitute the entire understanding and agreement
of the parties hereto with respect to the subject matter hereof and supersede
all prior and contemporaneous agreements or understandings between the parties.
10.5 AMENDMENT AND WAIVERS. Except as otherwise expressly provided in
this Agreement, any term or provision of this Agreement may be amended, and the
observance of any term of this Agreement may be waived, only by a writing signed
by the party to be bound thereby.
10.6 ATTORNEYS' FEES. Should suit be brought to enforce or interpret any
part of this Agreement, the prevailing party shall be entitled to recover, as an
element of the costs of suit and not as damages, reasonable attorneys' fees to
be fixed by the court (including without limitation, costs, expenses and fees on
any appeal).
10.7 NOTICES. Whenever any party hereto desires or is required to give
any notice, demand, or request with respect to this Agreement, each such
communication shall be in writing and shall be effective only if it is delivered
sent by a courier service that confirms delivery in writing or mailed, certified
or registered mail, postage prepaid, return receipt requested, addressed as
follows:
VeriSign: To the address set forth on page 1
Attention: Stratton Sclavos, President & CEO
The Customer: To the address set forth on page 1
Attention: Peter R. Hill
Such communications shall be effective when they are received. Any party
may change its address for such communications by giving notice thereof to the
other party in conformity with this Section.
10.8 FOREIGN RESHIPMENT LIABILITY. THIS AGREEMENT IS EXPRESSLY MADE
SUBJECT TO ANY LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS ON THE EXPORT
FROM THE UNITED STATES OF AMERICA OF TECHNICAL INFORMATION, SOFTWARE OR
INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME BY THE
GOVERNMENT OF THE UNITED STATES OF AMERICA. NOTWITHSTANDING ANYTHING CONTAINED
IN THIS AGREEMENT TO THE CONTRARY, THE CUSTOMER SHALL NOT EXPORT OR RE-EXPORT,
DIRECTLY OR INDIRECTLY, ANY TECHNICAL INFORMATION, SOFTWARE OR INFORMATION ABOUT
SUCH SOFTWARE TO ANY COUNTRY FOR WHICH SUCH GOVERNMENT OR ANY AGENCY THEREOF
REQUIRES AN EXPORT LICENSE OR OTHER GOVERNMENTAL APPROVAL AT THE TIME OF EXPORT
OR RE-EXPORT WITHOUT FIRST OBTAINING SUCH LICENSE OR APPROVAL.
10.9 PUBLICITY. Neither party will disclose to third parties, other than
its agents and representatives on a need-to-know basis, the terms of this
Agreement or any exhibits hereto without the prior written consent of the other
party, except (i) either party may disclose such terms to the extent required by
law; and (ii) either party may disclose the existence of this Agreement.
10.10 NO WAIVER. Failure by either party to enforce any provision of this
Agreement will not be deemed a waiver of future enforcement of that or any other
provision.
10.11 COUNTERPARTS. This Agreement may be executed in one or more
counterparts, each of which will be deemed an original, but which collectively
will constitute one and the same instrument.
10.12 HEADINGS AND REFERENCES. The headings and captions used in this
Agreement are used for convenience only and are not to be considered in
construing or interpreting this Agreement.
10.13 DUE AUTHORIZATION. The Customer hereby represents and warrants to
VeriSign that the individual executing this Agreement on behalf of the Customer
is duly authorized to execute this Agreement on behalf of the Customer and to
bind the Customer hereby.
10.14 INDEPENDENT CONTRACTOR. The relationship of VeriSign and the
Customer is that of independent contractors. Neither the Customer nor the
Customer's employees, consultants,
contractors or agents are agents, employees or joint venturers of VeriSign, nor
do they have any authority to bind VeriSign by contract or otherwise to any
obligation. They will not represent to the contrary, either expressly,
implicitly, by appearance or otherwise.
10.15 PUBLICITY. VeriSign grants Customer the right to disclose that
VeriSign is a vendor of Customer and to name publicly-announced Customer
Products that provide access to Certificates issued by VeriSign. VeriSign also
grants the Company the right to display VeriSign's logo on the Customer's WWW
site in one of the forms shown on Exhibit "C" attached to this Agreement.
Customer shall not acquire any other rights of any kind in VeriSign's trade
names, trademarks, product name or logo by use authorized in this Section.
Customer grants VeriSign the right to disclose that Customer is a vendee of
VeriSign and to name publicly announced Customer Products that provide access to
Certificates issued by VeriSign. Customer also grants VeriSign the right to
display Customer's logo on VeriSign's WWW site. VeriSign shall not acquire any
other rights of any kind in Customer's trade names, trademarks, product name or
logo by use authorized in this Section.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the day
and year first written above.
CUSTOMER:
VISA INTERNATIONAL SERVICE ASSOCIATION
By: /s/ F. Dutray
-------------------------------------------
Its: Group Executive Vice President
------------------------------------------
VERISIGN, INC.
By: /s/ Stratton Sclavos
--------------------------------------------
Its: President and CEO
------------------------------------------
EXHIBIT "A"
DEFINITIONS
1. ACCEPTANCE means that the Acceptance Test Procedures have been
----------
performed to demonstrate that the Private Label Certificate System conforms to
the Interface Specifications and the System Design Specifications. ACCEPTED
--------
means that Acceptance has occurred.
2. ACCEPTANCE TEST PROCEDURES means the acceptance test procedures to be
--------------------------
created by Customer and approved by VeriSign pursuant to Section 4.1.4. The
Acceptance Test Procedures shall include (1) the criteria against which the
Private Label Certificate System is to be measured in order to verify
conformance to the Interface Specifications and the System Design Specifications
and (2) the testing procedures to be used to establish conformance of the
Private Label Certificate System to the Interface Specifications and the System
Design Specifications. Upon approval by Customer, the Acceptance Test
Procedures shall be attached as Exhibit "G".
3. ACQUIRER means a Member financial institution that establishes an
--------
account with a Merchant and processes bank card authorizations and payments.
4. CARDHOLDER means a consumer or corporate purchaser who uses a bank card
----------
issued by an Issuer to make a purchase from a Merchant.
5. CERTIFICATE means a collection of electronic data consisting of a
-----------
Public Key, identifying information which contains information about the owner
of the Public Key, and validity information, which (or a string of bits derived
from the Public Key) has been encrypted by a third party who is the issuer of
the Certificate with such third party Certificate issuer's Private Key. This
collection of electronic data collectively serves the function of identifying
the owner of the Public Key and verifying the integrity of the electronic data.
"CERTIFY" or "CERTIFICATION" means the act of generating a Certificate.
"CERTIFIED" means the condition of having been issued a valid Certificate by a
Certifier, which Certificate has not been revoked.
6. CERTIFICATE SIGNING UNIT ("CSU") means a hardware unit or software
--------------------------------
designed for use in signing Certificates and key storage. The BBN
SafeKeyper(TM) manufactured by BBN Communications, Inc. is one hardware
implementation of a CSU.
7. CERTIFICATION AUTHORITY ("CA") means VeriSign and any entity, group,
------------------------------
division, department, unit or office which is Certified by VeriSign to, and has
accepted responsibility to, issue Certificates to specified Subscribers in a
Hierarchy in accordance with the CPS or a Protocol.
8. CERTIFICATION PRACTICE STATEMENT ("CPS") means the VeriSign
---------------------------------------
specification of policies, procedures and resources to control the entire
Certificate process and transactional use of Certificates within the VeriSign
Public Hierarchies.
9. CHANGE ORDER has the meaning set forth in Section 4.1.8.
------------
10. CUSTOMER AFFILIATES shall mean Visa's Subsidiaries and Related
-------------------
Entities. A "Subsidiary" shall mean a company in which on a class-by-class
basis, more than fifty percent (50%) of the stock entitled to vote for the
election of directors is owned or controlled by Customer, but only so long as
such ownership or control exists. A "Related Entity" shall mean an entity (A) at
least fifty percent (50%) of whose stock or other equity is owned by Customer's
member banks and that has the authority to process Visa payment transactions,
but only so long as such ownership exists; (B) has an equity interest in
Customer and is owned in whole by Member banks or financial institutions (e.g.,
national or regional group Members); or (C) is exclusively managed by Visa or a
national or group Member of Visa for the purpose of processing Visa payment
transactions, but only so long as such exclusive management exists.
Notwithstanding anything to the contrary set forth above, however, Subsidiaries
or Related Entities do not include any Acquirer, Issuer or individual bank or
like financial institution. Customer Affiliates include, for example, without
limitation, Visa USA, Inc, ViTAL, Inc, Plus and Interlink.
11. CUSTOMER BRAND KEY means the set of key pairs for signature and
------------------
exchange that are used by the Customer in its capacity of CA. The Customer
Brand Keys will be used as the "Root" for portions of the Private Label
Certificate System.
12. CUSTOMER PRODUCT means any product developed by Customer for use by a
----------------
Subscriber in Customer's Private Hierarchy with a Certificate issued by VeriSign
which incorporates Customer's Root Keys.
13. DIGITAL SIGNATURE means information encrypted with a Private Key which
-----------------
is appended to information to identify the owner of the Private Key and to
verify the integrity of the information. "DIGITALLY SIGNED" shall refer to
----------------
electronic data to which a Digital Signature has been appended.
14. ELECTRONIC CERTIFICATION SYSTEM ("ECS") means the Customer's name for
---------------------------------------
the Private Label Certification System.
15. ELECTRONIC COMMERCE AUTHENTICATION SYSTEM ("ECAS") means VeriSign's
-------------------------------------------------
proprietary software product marketed and developed under the name "Electronic
Commerce Authentication System" providing secure on-line Certificate issuance as
presently in existence and as developed and enhanced in the future by VeriSign.
16. FULLY AUTOMATED MERCHANT CERTIFICATE ISSUANCE means merchant
---------------------------------------------
authentication is achieved by passing the authentication information to either
Visa or a Visa Member who will then respond electronically with a confirmation
or rejection of the authentication. This method does not require human
intervention.
17. HIERARCHY means a domain consisting of a system of chained
---------
Certificates leading from the Primary Certification Authority through one or
more Certification Authorities to Subscribers.
18. INTERFACE SPECIFICATIONS means the interface specifications to be
------------------------
created by Customer and approved by VeriSign pursuant to Section 4.1.1.
19. INTERNET means the global computer network.
--------
20. ISSUER means a Member financial institution that establishes an
------
account for a Cardholder, issues a bank card to the Cardholder, and guarantees
payment for authorized transactions using the bank card in accordance with
association regulations and local laws.
21. MEMBER means a member of the VISA International Service Association.
------
All Issuers and Acquirers are Members.
22. MERCHANT means one who offers goods or services in exchange for
--------
payment, who accepts bank cards for payment, and who has a relationship with an
Acquirer.
23. PAYMENT GATEWAY shall mean the computer system as further defined in
---------------
SET that provides an interface between open networks, such as the Internet, and
existing payment systems, such as VisaNet.
24. PRIMARY CERTIFICATION AUTHORITY "PCA" means an entity that establishes
-------------------------------------
policies for all Certification Authorities and Subscribers within its domain.
25. PRIVATE HIERARCHY means a domain consisting of a chained Certificate
-----------------
hierarchy which is entirely self-contained within an organization or network and
not designed to be interoperable with or intended to interact through public
channels with any external organizations, networks, and public hierarchies.
26. PRIVATE KEY means a mathematical key which is kept private to the
-----------
owner and which is used through public key cryptography to encrypt electronic
authenticity data and create a Digital Signature which will be decrypted with
the corresponding Public Key.
27. PRIVATE LABEL CERTIFICATE SYSTEM means the system developed by
--------------------------------
VeriSign for Customer as more fully described in Section 2, which incorporates
the SET Module and VSE.
28. PROCESSOR means a third party which has been assigned the processing
---------
of bank card transactions by one or more Issuers or Acquirers.
29. PROGRAM DOCUMENTS means each of the Project Plan, Interface
-----------------
Specifications, Protocol, System Design Specifications, Acceptance Test
Procedures, and Service Level Specification.
30. PROTOCOL means Customer's specification of policies, procedures and
--------
resources to control the entire Certificate process and transactional use of
Certificates within Customer's Private Hierarchy.
31. PUBLIC HIERARCHY means a domain consisting of a system of chained
----------------
Certificates leading from VeriSign as the Primary Certification Authority
through one or more Certification
Authorities to Subscribers in accordance with the VeriSign Certification
Practice Statement. Certificates issued in a Public Hierarchy are intended to be
interoperable among organizations, allowing Subscribers to interact through
public channels with various individuals, organizations, and networks.
32. PUBLIC KEY means a mathematical key which is available publicly and
----------
which is used through public key cryptography to decrypt electronic authenticity
data which was encrypted using the matched Private Key and to verify Digital
Signatures created with the matched Private Key.
33. PUBLIC KEY INFRASTRUCTURE ("PKI") means the VeriSign specification for
---------------------------------
the architecture, techniques, practices, and procedures that collectively
support the implementation and operation of Certificate-based public key
cryptographic systems.
34. ROOT KEY means one or more public root key(s) published by the
--------
organization which generated and is entitled to use such keys as the public
components of its key pair(s) in issuing Certificates in a hierarchy over which
such organization has responsibility.
35. SECOND TIER CA means an entity in the business of selling or issuing
--------------
Certificates in Customer's Private Hierarchy Digitally Signed by such Second
Tier CA to Subscribers using the Private Label Certificate System as operated by
VeriSign directly or by sublicensing the Private Label Certificate System from
VeriSign.
36. SECURE ELECTRONIC TRANSACTIONS ("SET") means the specification
--------------------------------------
published by Customer and MasterCard International and made available to all
developers wishing to implement secure payments over the Internet and other
public and private networks.
37. SEMI-AUTOMATED MERCHANT CERTIFICATE ISSUANCE means Merchant
--------------------------------------------
authentication is achieved by comparing information provided electronically by
the Customer or Member to information provided electronically by a Merchant
where human intervention is substantially reduced as compared with the Manual
Merchant Certificate Issuance method.
38. SERVICE LEVEL SPECIFICATION means the specification attached hereto as
---------------------------
Exhibit "K" approved by Customer and VeriSign pursuant to Section 4.1.6.
39. SET MODULE shall mean the software module created by VeriSign in
----------
connection with this Agreement to implement the SET. The SET Module shall
include all software elements necessary to implement all aspects of the SET
specification, but shall not include the VISA SET Enhancements.
40. SUBSCRIBER means an individual, a device or a role/office that has
----------
requested a Certifier to issue him, her or it a Certificate.
41. SYSTEM DESIGN SPECIFICATIONS means the system design specifications to
----------------------------
be created by VeriSign in connection with the Private Label Certificate System
for acceptance testing in accordance with Section 4.1.3. The System Design
Specifications shall contain, at
minimum, the items listed on the outline presently attached as Exhibit "E" and
the Requirements Documents attached as Exhibit "F". Upon acceptance by Customer,
the System Design Specifications shall be attached, in lieu of such outline, as
Exhibit "E".
42. "VERISIGN AFFILIATES" shall mean a company in which, on a class by
---------------------
class basis, more than fifty percent (50%) of the stock entitled to vote for the
election of directors is owned or controlled by VeriSign, but only so long as
such ownership or control exists.
43. VISA SET ENHANCEMENTS ("VSE") shall mean the software module created
-----------------------------
by VeriSign under this Agreement which interfaces with the SET Module to provide
enhanced functionality and features unique to Customer as specified in the
Requirements Document, a current copy of which is attached as Exhibit "F," but
not necessary to fully implement the SET.
44. WWW means the system currently referenced as the "World Wide Web" for
---
organizing multi-media information distributed across network(s) such that it
can be navigated and accessed via cross linking mechanisms, and any successor to
such system, and any parallel system which uses at least all the same
communication protocols as the system currently referenced as the "World Wide
Web" or to the successor to such system, even if the administrators of such
systems choose to call them by different names.
EXHIBIT "B"
FEES
1. DEVELOPMENT FEES.
----------------
Customer shall pay as Development Fees the amount of * for development and
testing, less the $100,000.00 already paid pursuant to the Consulting Services
Agreement between VeriSign and Customer dated _______________, will be payable
in four equal installments due at the execution of this Agreement, Test I, Test
II, and Pilot as detailed in Exhibit "D".
2. SET-UP FEES.
-----------
A one-time Set-up Fee of * will be paid by Customer for operation and set-
up of redundant dedicated sites of the Private Label Certificate System. The
Set-up Fee shall be in two portions: an Operation Fee of * and a Back-Up Site
Operations Fee of *. One half of the Operation Fee will be payable October 1,
1996 and the other half shall be payable on December 31, 1996. The Back-Up Site
Operations Fee shall be payable upon implementation of the back-up system
specified pursuant to the Project Plan, but not earlier than January 1, 1997.
3. SUBSCRIBER FEES. For the initial Term of this Agreement, Prepaid Subscriber
---------------
Fees shall be as follows:
Prepaid Subscriber Fee* Period
1997
1998
1999
Prepaid Subscriber Fees for 1997 and 1998 shall be paid on a quarterly basis and
shall be due within thirty (30) days of the end of the calendar quarter.
Prepaid Subscriber Fees for 1999 shall be made in two equal installments,
payable within thirty (30) days after the end of the first two (2) calendar
quarters of 1999. One hundred percent (100%) of the Fees accrued and payable on
a monthly basis under this Section 3 shall be offset against such Prepaid
Subscriber Fees until the total annual prepayment is exhausted. All Subscriber
Fees from every type of Certificate shall be offset in the specified manner,
whether Cardholder, Merchant, Payment Gateway or Member.
Prepaid Subscriber Fees in a year not offset in such year shall be earned by
VeriSign and shall not be subject to future offset, however, Prepaid Subscriber
Fees for 1997 shall be used as an offset for Subscriber Fees incurred in the
first year commencing on the First Date of Operations, as defined below.
Similarly, Prepaid Subscriber Fees for 1998 and 1999 shall be used as an
offset for Subscriber Fees for the second year and the first half of the third
year respectively from the First Date of Operation. The "First Date of
Operation" shall be either the actual date that VeriSign operates the Private
Label Certificate System on behalf of Customer in the Pilot, as defined in the
Project Plan, or April 1, 1997, whichever comes first.
_______________________
* Confidential treatment has been requested with respect to certain portions of
this exhibit. Confidential portions have been omitted from the public filing
and have been separately filed with the Securities and Exchange Commission.
FEES PER CERTIFICATE REQUEST:
Issuer CA Certificates*
Acquirer Certificates*
Payment Gateway CA Certificates*
Quantity
Cardholder Certificates*
Quantity
Manual Merchant Certificates*
Semi-Automated Merchant Certificates
Manual Payment Gateway Certificates
Semi-Automated Payment Gateway Certificates
The parties intend to create a Fully Automated Merchant Certificate. Parties
agree to negotiate in good faith lower pricing for Fully Automated Merchant
Certificates when such Certificates are made available.
4. MOST FAVORED PRICING. VeriSign agrees that it shall offer to Customer and
--------------------
Customer's Subscribers the best pricing it offers to any other customer or
Subscriber of a customer purchasing services or Certificates through any
Certificate system offering Subscriber Certificates through the use of the VSE.
VeriSign agrees to renegotiate any of its pricing if at any time VeriSign
pricing becomes noncompetitive with the pricing of other parties offering
similar services.
5. U.S. CURRENCY. All payments hereunder shall be made in lawful United States
-------------
Currency.
EXHIBIT "C"
LOGOS AND TRADEMARKS
VeriSign encourages its customers to use VeriSign logos, trademarks and
service marks on customer product data sheets, packaging, Web pages and
advertising, but it is important to use them properly.
When using VeriSign trademarks and service marks in ads, product packaging,
documentation or collateral materials, be sure to use the correct trademark
designator: (R) for registered trademarks, (TM) for claimed or pending
trademarks and sm for claimed or pending service marks. VeriSign trademarks and
their correct designators are depicted below. To ensure proper usage, please
allow VeriSign marketing to review any materials using or mentioning VeriSign
trademarks prior to general release.
Using these VeriSign logos does not require written permission; in fact, we
encourage you to use them on your product packaging, Web pages and marketing
collateral!
VeriSign will update this Logos and Trademarks Usage Guide on a regular
basis. To check for most current information on logo and trademark usage, check
VeriSign's Web site at http://www.verisign.com.
VeriSign(TM)
Digital ID (sm)
Digital ID Center (sm)
EXHIBIT "D"
PROJECT PLAN ELEMENTS
The VeriSign Deliverables to Customer for Test I will be ready for
Acceptance Test I on or before the date agreed to by the Customer/VeriSign Joint
Project Team. Terms for delivery of development deliverables for Test II and
Test III, Pilot, and General Availability production will be specified in the
Project Plan. VeriSign will provide full production, operational facilities in
accordance with time scales agreed with Customer. The operation and support
will be implemented in phases as defined in the Project Plan (i.e. Test I, II,
III, Pilot, General Availability).
EXHIBIT "E"
SYSTEM DESIGN SPECIFICATIONS
The Private Label Certificate System will be based upon the VeriSign
product Electronic Commerce Authentication System plus enhancements specified by
Customer.
The parties contemplate that development, testing and implementations of
all Private Label Certificate System components will be implemented in three
phases.
The Private Label Certificate System will consist of three basic modules:
ECAS, SET Module and VSE.
The System Design Specifications will implement the following requirements
documents attached in this Exhibit.
Electronic Certification Services
Brand Certificate Authority
Business Policies, Procedures and Requirements
Version 1.0
April 30, 1996
TABLE OF CONTENTS
1. Overview
1.1 Focus
1.2 Purpose
1.3 Availability/Phase
2. Operations
2.1 Start of CA Operations
2.2 Operating Guidelines
2.3 Service Level Agreement
2.4 Termination of CA Operations
2.5 Backup Requirements
2.6 Archival and Retrieval
2.7 Contingency Requirements
3. Keys and Certificates
3.1 Certificate Formats
3.2 Certificate Issuance Policies
3.3 Brand CA Key Pairs and Corresponding Certificates
3.3.1 Brand CA Geo-political Certificate Signature (T3)
3.3.2 Brand CA Geo-political Key Exchange (T3)
3.3.3 Brand CA Geo-political Message Signature (T3)
3.3.4 Brand CA Issuer Certificate Signature (T2)
3.3.5 Brand CA Issuer Key Exchange (T2)
3.3.6 Brand CA Issuer Message Signature (T2)
3.3.7 Brand CA Acquirer Certificate Signature (T2)
3.3.8 Brand CA Acquirer Key Exchange (T2)
3.3.9 Brand CA Acquirer Message Signature (T2)
3.3.11 Brand CA Payment Gateway Key Exchange (T2)
3.3.12 Brand CA Payment Gateway Message Signature (T2)
3.3.13 Brand CA Root Key Exchange (GA)
3.3.14 Brand CA Root Message Signature (GA)
3.3.15 Brand CA Backup Signature/Encryption (P)
3.3.16 Brand CA Archival Signature/Encryption (P)
3.4 External Certificates
3.4.1 Root CA Brand Certificate Signature (T2)
3.4.2 Root CA Brand Key Exchange (GA)
3.4.3 Root CA Brand Message Signature (GA)
3.5 Key and Certificate Management
3.5.1 Key Security
3.5.2 Key Generation
3.5.3 Key Expiration and Renewal
3.5.4 Brand Key Compromise
3.5.5 Key Backup
3.5.6 Key Recovery
3.5.7 Key Transport
3.5.8 Key Archival (P)
3.5.9 Key Retrieval (P)
3.6 Underlying Cryptography
3.7 Certificate Revocation Lists (CRL) (V2)
4. Interface with the Root CA
4.1 Registering with Root CA
4.2 Certificate Request
4.3 Certificate Renewal
4.4 Certificate Revocation
4.5 Root Certificates
4.6 Root Key Compromise Procedures
4.7 Messages
5. Interface with Geo-political CAs (T3)
5.1 Registering a Geo-political CA
5.2 Certificate Issuance Policies
5.3 Certificate Revocation
5.4 Messages
6. Interface with Cardholder CAs
6.1 Registering a Cardholder CA
6.2 Certificate Issuance Policies
6.3 Certificate Revocation
6.4 Messages
7. Interface with Merchant CAs
7.1 Registering a Merchant CA
7.2 Certificate Issuance Policies
7.3 Certificate Revocation
7.4 Messages
8. Interface with Payment Gateway CA
8.1 Registering a Payment Gateway CA
8.2 Certificate Issuance Policies
8.3 Certificate Revocation
8.4 Messages
9. Interface with VisaNet
10. Security (P)
10.1 Physical Security
10.2 Network Security
10.3 System Security
10.4 Personnel Security Requirements
11. Auditing (P)
12. Reporting
13. Outstanding Issues
1. OVERVIEW
This document defines the business policies, procedures and requirements
governing the design, implementation and operation of the Brand Certificate
Authority (CA). It addresses all aspects of the Brand Certificate Authority
including operations, key and certificate management, interaction with other
entities, security, auditing and reporting.
1.1 Focus
-----
This document focuses on the Brand Certificate Authority policies, procedures and
requirements needed to support Visa's Secure Electronic Commerce (SEC) Services.
All CA functions are collectively known as Visa's Electronic Certification
Services (ECS).
1.2 Purpose
-------
The Brand CA (BCA) issues SEC compliant digital certificates to Brand members
(Issuers and Acquirers or their processors) that wish to participate in Visa's
Secure Electronic Commerce (SEC) Services. The Brand CA issues Cardholder CA
(CCA) certificates for use in issuing certificates to their cardholders and
Merchant CA (MCA) certificates for use in issuing certificates to their
merchants. In addition the Brand CA will issue certificates to Brand operated
Payment Gateway CAs (PCA) for use in issuing certificates to Acquirer Payment
Gateways. The Brand CA will also issue certificates to Geo-political CAs (GCA).
The Brand CA issues three types of certificates for each of their members:
certificate signature certificates, key exchange certificates and message
signature certificates.
The Brand CA will only directly interact with the Root CA (RCA), Geo-political
CAs, Cardholder CAs, Merchant CAs, and Payment Gateway CAs.
The Brand CA is also responsible for establishing and publishing policies and
procedures that clearly define the purpose, usage, value and guidelines of
certificates that it issues. It also establishes policies, procedures and
requirements that govern the design, implementation and operation of subordinate
CAs within the Brand CA's domain.
1.3 Availability/Phase
------------------
The policies, procedures and requirements identified and defined within this
document are expected to be in operation and/or the deliverable met for
acceptance testing of Test 1. Exceptions to this are identified by "(xx)" where
xx represents the acceptance test of the phase upon which it must be in
operation and/or the deliverable met.
Test 1 will be based on the April/May 1996 release of the SET specifications.
Pilot will be based on Version 1.0 of SET.
For additional or specific schedule information refer to the overall Visa SEC
Service project plan.
2. OPERATIONS
This section defines the business policies, procedures and requirements related
to the operation of the BCA.
2.1 Start of CA Operations
----------------------
To be determined.
1. Prior to the start of the BCA operations, all acceptance testing, audits,
backup and contingency procedures must be completed and have "sign off" by the
appropriate Brand officials.
2.2 Operating Guidelines
--------------------
1. The BCA will operate on GMT time. The BCA clock shall be kept accurate
within one (1) minute of actual GMT time as provided by a source that is
mutually agreed upon by Visa and VeriSign. (T2)
2. The BCA time will be synchronized with all other components of ECS.
3. The BCA will be able to support resent messages from CCAs, MCAs, PCAs and
Payment Gateways. (V2)
4. Responses to resent messages (duplicates) will rewrap the reply contents
and forward the reply to the requester. (V2)
5. The BCA shall log all incoming and response messages.
6. All transactions defined within the SET Specification document must be
supported.
7. The BCA shall maintain a database of all registration information linked
to a certificate and/or member. (T2)
8. No data that has reached the ECS domain can be lost. Refer to the SLA for
more details. (T2)
2.3 Service Level Agreement
-----------------------
1. The BCA shall be available as defined in the Service Level Agreement. (GA)
2. The BCA shall be able to process a certain number of certificate requests
per time period (peak load) as defined in the Service Level Agreement. (GA)
2.4 Termination of CA Operations
----------------------------
To be determined.
2.5 Backup Requirements
-------------------
1. The BCA shall be backed up on a scheduled basis as defined in the SLA. (T2)
2. The BCA shall back up the basic system components. (T1)
3. The BCA shall back up all elements of the CA as defined in a design
document that is mutually agreed upon by Visa and VeriSign. (T2)
4. Backup copies of the BCA archives must be stored in encrypted and signed
format as defined in a design document that is mutually agreed upon by Visa and
VeriSign. (GA)
5. All backup media must be stored offsite in a secure manner. (T2)
6. System backups must be performed as defined in the SLA. (T2)
2.6 Archival and Retrieval
----------------------
1. All certificates issued by the BCA and the associated registration
information will be placed in archives. (GA)
2. The BCA archives shall be kept on read-only media (optical disk). (GA)
3. The BCA will have a mechanism to read/recall information that is stored in
archives as defined in a design document that is mutually agreed upon by Visa
and VeriSign. (GA)
2.7 Contingency Requirements
------------------------
1. The BCA must be able to recover from a RCA or BCA key compromise as defined
in the SLA. (P)
2. The BCA shall have a fully functional and secure contingency site in the
event that the primary site becomes unavailable. (P)
3. In case of disaster, the BCA must have appropriate backup facilities
operable within the time frame described within the SLA.
4. If the BCA servers or cryptographic materials become inoperable, business
resumption plans must allow the BCA services to resume within the time frame
described within the SLA.
3. KEYS AND CERTIFICATES
This section defines the business policies, procedures and requirements related
to keys and certificates used within the BCA.
3.1 Certificate Formats
-------------------
1. All RCA certificates will be formatted as described in the SET Specification
document and must include any SEC specific information.
2. All BCA certificates will be formatted as described in the SET Specification
document and must include any SEC specific information.
3. All GCA certificates will be formatted as described in the SET Specification
document and must include any SEC specific information.
4. All CCA certificates will be formatted as described in the SET Specification
document and must include any SEC specific information.
5. All MCA certificates will be formatted as described in the SET Specification
document and must include any SEC specific information.
6. All PCA certificates will be formatted as described in the SET Specification
document and must include any SEC specific information.
3.2 Certificate Issuance Policies
-----------------------------
1. The BCA will only issue certificates to CCAs, MCAs, GCAs and PCAs.
3.3 Brand CA Key Pairs and Corresponding Certificates
-------------------------------------------------
This subsection defines the key pairs and corresponding certificates generated
and used within the BCA.
3.3.1 BRAND CA GEO-POLITICAL CERTIFICATE SIGNATURE (T3)
* Usage: Used to sign certificates issued to GCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 6 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.2 BRAND CA GEO-POLITICAL KEY EXCHANGE (T3)
* Usage: Used by the GCA to encrypt messages sent to BCA
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA
3.3.3 BRAND CA GEO-POLITICAL MESSAGE SIGNATURE (T3)
* Usage: Used to sign messages sent to GCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.4 BRAND CA ISSUER CERTIFICATE SIGNATURE (T2)
* Usage: Used to sign certificates issued to CCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 5 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.5 BRAND CA ISSUER KEY EXCHANGE (T2)
* Usage: Used by the CCA to encrypt messages sent to BCA
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA
3.3.6 BRAND CA ISSUER MESSAGE SIGNATURE (T2)
* Usage: Used to sign messages sent to CCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.7 BRAND CA ACQUIRER CERTIFICATE SIGNATURE (T2)
* Usage: Used to sign certificates issued to MCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 4 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.8 BRAND CA ACQUIRER KEY EXCHANGE (T2)
* Usage: Used by CCA to encrypt messages sent to BCA
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA
3.3.9 BRAND CA ACQUIRER MESSAGE SIGNATURE (T2)
* Usage: Used to sign messages sent to CCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.10 BRAND CA PAYMENT GATEWAY CERTIFICATE SIGNATURE (T2)
* Usage: Used to sign certificates issued to PCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.11 BRAND CA PAYMENT GATEWAY KEY EXCHANGE (T2)
* Usage: Used by PCAs to encrypt messages sent to BCA
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA
3.3.12 BRAND CA PAYMENT GATEWAY MESSAGE SIGNATURE (T2)
* Usage: Used to sign messages sent to PCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.13 BRAND CA ROOT KEY EXCHANGE (GA)
* Usage: Used by RCA to encrypt messages sent to BCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA
3.3.14 BRAND CA ROOT MESSAGE SIGNATURE (GA)
* Usage: Used to sign messages sent to the RCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA
3.3.15 BRAND CA BACKUP SIGNATURE/ENCRYPTION (P)
* Usage: Used to sign and encrypt BCA backup data
* Key Size: 1024 bits
* Certificate/Public Key Expiration: n/a
* Private Key Expiration: n/a
* Issued By: BCA
3.3.16 BRAND CA ARCHIVAL SIGNATURE/ENCRYPTION (P)
* Usage: Used to sign and encrypt BCA archival data
* Key Size: 1024 bits
* Certificate/Public Key Expiration: n/a
* Private Key Expiration: n/a
* Issued By: BCA
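The split lifetimes listed in 3.3, worked through as an added example that is not part of the Visa/VeriSign policy document. It assumes that the private key expiration bounds when the BCA may sign or decrypt, that the certificate/public key expiration bounds when other parties may verify or encrypt, that the expiry date itself is exclusive, and that a subordinate certificate should not outlive its signing certificate; the profile labels and issue dates are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KeyProfile:
    section: str        # section of the policy the values come from
    kind: str           # "signature" or "key_exchange"
    cert_years: int     # "Certificate/Public Key Expiration"
    private_years: int  # "Private Key Expiration"


# Lifetimes copied from section 3.3; the dictionary keys are made-up labels.
PROFILES = {
    "geo_cert_sign":      KeyProfile("3.3.1", "signature", 6, 1),
    "geo_key_exchange":   KeyProfile("3.3.2", "key_exchange", 1, 2),
    "geo_msg_sign":       KeyProfile("3.3.3", "signature", 2, 1),
    "issuer_cert_sign":   KeyProfile("3.3.4", "signature", 5, 1),
    "acquirer_cert_sign": KeyProfile("3.3.7", "signature", 4, 1),
    "gateway_cert_sign":  KeyProfile("3.3.10", "signature", 2, 1),
}

# Assumption: which half of the key pair each operation depends on.
KEY_HALF = {
    "signature":    {"sign": "private", "verify": "public"},
    "key_exchange": {"encrypt": "public", "decrypt": "private"},
}


def add_years(d, years):
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry(profile, issued, half):
    """Expiry date of the 'private' or 'public' half for a given issue date."""
    years = profile.private_years if half == "private" else profile.cert_years
    return add_years(issued, years)


def allowed(profile, issued, operation, on):
    """True if `operation` falls inside the usage window of the key half it needs."""
    half = KEY_HALF[profile.kind].get(operation)
    if half is None:
        raise ValueError(f"{operation!r} is not defined for a {profile.kind} key")
    return issued <= on < expiry(profile, issued, half)


def verify_tail_years(profile):
    """Years the certificate stays usable for verification after signing stops.

    For a certificate signature key this is the longest lifetime a subordinate
    certificate signed on the private key's last day can have without
    outliving the signing certificate (assumption stated in the lead-in).
    """
    if profile.kind != "signature":
        raise ValueError("only signature keys have a verification tail")
    return profile.cert_years - profile.private_years


def decrypt_grace_years(profile):
    """Years the private key can still decrypt after peers must stop encrypting."""
    if profile.kind != "key_exchange":
        raise ValueError("only key exchange keys have a decryption grace period")
    return profile.private_years - profile.cert_years


def schedule(issued):
    """(label, section, private expiry, certificate expiry) for every profile."""
    return [
        (label, p.section, expiry(p, issued, "private"), expiry(p, issued, "public"))
        for label, p in PROFILES.items()
    ]


if __name__ == "__main__":
    issued = date(1998, 1, 1)  # constructed issue date
    for label, section, private_end, cert_end in schedule(issued):
        print(f"{section:7} {label:20} private until {private_end}  cert until {cert_end}")
```

Signature keys stop signing well before their certificates expire, while key exchange keys do the reverse: the public half stops being used for encryption a year before the private half stops decrypting.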
3.4 External Certificates
---------------------
This subsection defines the certificates used by the BCA that were issued
externally to the BCA.
3.4.1 ROOT CA BRAND CERTIFICATE SIGNATURE (T2)
* Usage: Used to authenticate certificates issued by the RCA to the BCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration:
* Private Key Expiration:
* Issued By: RCA
3.4.2 ROOT CA BRAND KEY EXCHANGE (GA)
* Usage: Used to encrypt messages sent by the BCA to the RCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration:
* Private Key Expiration:
* Issued By: RCA
3.4.3 ROOT CA BRAND MESSAGE SIGNATURE (GA)
* Usage: Used to authenticate messages sent by the RCA to the BCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration:
* Private Key Expiration:
* Issued By: RCA
3.5 Key and Certificate Management
------------------------------
This section defines the business policies, procedures and requirements related
to key and certificate management of the BCA.
Note: Key management requirements are based on the use of a BBN cryptographic
module. Similar methods must be used for non-BBN cryptographic modules. Visa
will review and approve methods used for non-BBN cryptographic modules prior to
implementation.
3.5.1 KEY SECURITY
1. All BCA cryptographic functions will be performed in tamper proof and
detectable hardware that complies with FIPS 140 level 3 requirements. (T2)
2. Hardware security devices shall be able to indicate failure, error
condition and evidence of tamper.
3. The PPK pair must be generated within the hardware security device in which
that key will be used. The only exception to this is in generating backup
cryptographic devices that require the same keying information.
4. The BCA private keys shall never appear outside of the hardware security
device in any form. The only exception to this is in generating backup
cryptographic devices that require the same keying information.
5. All BCA private keys must be kept in a single tamper evident hardware
security device.
3.5.2 KEY GENERATION
1. The BCA keys must be generated according to Visa's direction as defined
in a policy document that is mutually agreed upon by Visa and VeriSign.
2. The BCA public and private key (PPK) pairs must be generated using random
(RNG) or pseudo-random (PRNG) techniques.
3. Any RNG/PRNG technique used to generate PPK pairs must have a low
correlation value of results to ensure unpredictability. Correlation values
must be documented and may be reviewed by Visa at its discretion.
4. The generation of each PPK pair must be conducted within a secure room
rated for tempest security. The equipment may, if tempest rated, suffice.
5. Only authorized BCA personnel may generate PPK pairs.
6. Before generating each PPK pair, the hardware device must be made secure
by guidelines as described by Visa International.
7. An audit control log must be kept for each PPK pair generated.
8. Brand CIK token holders may not also be Member CIK token holders.
3.5.3 KEY EXPIRATION AND RENEWAL
1. 30 days prior to expiration of existing BCA certificates, the BCA will
generate new key pairs for the corresponding application. Following key
generation, the BCA shall request a new certificate from the RCA. The new
certificate will be distributed to all the GCA, CCA, MCA, PCAs within a
message that is signed using the private key that corresponds to the valid
BCA message signature certificate. (GA)
3.5.4 BRAND KEY COMPROMISE
1. Upon the compromise of a BCA key exchange key pair, the corresponding BCA
key exchange certificate will be revoked. A new key pair will be generated
and the BCA shall request a new certificate from the RCA. The BCA will
distribute the new certificate to GCA, CCA, MCA, and PCAs within a message
that is signed using the private key that corresponds to the valid BCA
message signature certificate. (P)
2. Upon the compromise of a BCA message signature key pair, the corresponding
BCA message signature certificate will be revoked. A new key pair will be
generated and the BCA shall request a new certificate from the RCA. The BCA
will distribute the new certificate to GCA, CCA, MCA, and PCAs within a
message that is signed using the private key that corresponds to the new
BCA message signature certificate. (P)
3. Upon the compromise of a BCA certificate signature key pair, the
corresponding BCA certificate signature certificate will be revoked. A new
key pair will be generated and the BCA shall request a new certificate from
the RCA. All GCA, CCA, MCA, and PCA certificates signed by the compromised
key will be revoked. New certificates will be issued and signed using the
newly generated key pair. The new certificates along with the new BCA
certificate signature certificate will be sent to all GCA, CCA, MCA, and
PCAs whose certificates were revoked. These certificates will be sent
within a message that is signed using the private key that corresponds to
the valid BCA message signature certificate. In addition, all other GCA,
CCA, MCA, and PCAs will receive the new certificate within a similar
message. (P)
4. Upon the compromise of a BCA Root key exchange key pair, the corresponding
BCA Root key exchange certificate will be revoked. A new key pair will be
generated and the BCA shall request a new certificate from the RCA. (GA)
5. Upon the compromise of a BCA Root message signature key pair, the
corresponding BCA Root message signature certificate will be revoked. A new
key pair will be generated and the BCA shall request a new certificate from
the RCA in a trusted, off-line manner. (GA)
3.5.5 KEY BACKUP
1. Each BCA private key will have a corresponding backup housed within a fill
device; each fill device must be kept in a separate location known only to
authorized CA personnel; access to the backup key must be under dual control.
2. Backup facilities are subject to the same key management requirements as the
primary facilities.
3.5.6 KEY RECOVERY
1. In the event that the BCA's private key is lost in a manner free of
compromise, such as equipment failure, corruption of the keying data, or
forgotten passwords, it may be possible to restore the keying material from a
secure backup, i.e., removable storage device.
2. The secure backup process includes a datakey or token where the private key
is secured by both the physical security properties of the removable storage
medium and by a secret DES key that is unique to the device that originally
contained the Private Key. The latter requirement is important to assure that
the authority is restored only on the device that contained the original DES key
and that a duplicate authority is not created.
3. The DES key protecting the Private Key when secured in the removable
storage device is to be a double length key and triple encryption is to be used
to protect the Private
Key. The encryption process is defined in Visa's Card Technologies Standards
Manual.
4. The process of removing the device from storage is to be performed under
the principle of dual control.
5. Re-initialization of the authority is to be managed using the same
procedures as when the authority was created.
3.5.7 KEY TRANSPORT
1. Private Keys are never to be transported outside the physical protection of
the security module containing that private key during its active, useful life.
2. The Private Key may, for purposes of recovery, exist in the protected
memory of removable storage only if protected by a double length DES key that is
known only to the device where the actual Private Key is resident.
3. Transport of the data token, with the encrypted Private Key, is to be under
dual control, i.e., never to be managed under the single custody of the
transporting parties.
4. Custodians for the removable memory component are never to be holders of
the Cryptographic Ignition Keys (CIKs).
5. Every access of the removable memory component is to be logged and a
verifiable audit trail maintained by the CA.
6. When Public Keys are transported, steps must be taken to assure that the
integrity of the key is maintained. There must be no chance for the substitution
of other values. Therefore, Public Keys received by the CA for the purposes of
certification are to be protected using either the DES Algorithm or
Diffie-Hellman Exponential Key Exchange.
3.5.8 KEY ARCHIVAL (P)
1. Archival refers to the off-line, long term storage of keys that are no
longer operational.
2. The purpose of archiving is to settle disputes involving non-repudiation,
i.e., the evidence of the validity of an old digital signature.
3. Establishing the validity of a claim requires that any archived
keying data be secured so that the integrity of the original key is assured.
4. The archival of a Private Key requires either the secure, long term storage
of the removable memory device or the complete storage of the physical device
used by the CA for certificate creation. In those situations where the removable
memory device can be archived, the physical device of which the removable memory
was a part must contain a single authority.
5. For the purposes of the BCA, the archival of the private key requires the
secure storage of the removable memory of the security device used by the
authority for that Private Key. This device will contain the archived Private
Key encrypted under the secret, double length DES key known only to the security
module containing the active Private Key and distributed across the
Cryptographic Ignition Keys (CIKs) unique to that device.
6. If the device contains multiple authorities, the archival of all Private
Keys will most likely have to be accomplished at the same time because at no
time is a CA to archive Private Keys outside the physical device in which they
were created, protected by a DES key that is being used to protect another
archived Private Key, except by chance.
3.5.9 KEY RETRIEVAL (P)
1. For the purposes of non-repudiation, the archived Private Keys are to be
managed as if they were valid.
2. Key retrieval from an archival domain is to be accomplished using the same
care and procedures as originally used for its creation.
3.6 Underlying Cryptography
-----------------------
1. The BCA will support the RSA algorithm for public-key cryptography, SHA (1)
for hashing and DES for data encryption. Refer to the SEC Specification document
for details.
3.7 Certificate Revocation Lists (CRL) (V2)
---------------------------------------
Not applicable for General Availability.
4. INTERFACE WITH THE ROOT CA
This subsection defines the business policies, procedures and requirements
related to the BCA's interaction with the RCA.
4.1 Registering with Root CA
------------------------
To be determined.
4.2 Certificate Request
-------------------
1. Initial BCA root certificate requests will be obtained by the RCA in a
trusted, off-line manner. (P)
2. Delivery of the Initial BCA root certificate requests will be handled as
described in a
policy document that is mutually agreed upon by Visa and VeriSign. (P)
3. Subsequent BCA certificate requests will be obtained by the RCA via online
electronic means. (GA)
4.3 Certificate Renewal
-------------------
1. 30 days prior to expiration of existing BCA certificates, the BCA will
generate new key pairs for the corresponding application. Following key
generation, the BCA shall request a new certificate from the RCA.
4.4 Certificate Revocation
----------------------
1. Upon the compromise of any BCA key pair, the BCA must notify the RCA to
revoke the corresponding BCA certificate. A new key pair will be generated and
the BCA shall request a new certificate from the RCA.
4.5 Root Certificates
-----------------
1. All initial RCA certificates will be obtained in a trusted manner. (P)
2. All initial RCA certificates will be authenticated using the public keys
contained within the RCA certificates and the associated hash values as defined
in the SEC Specification document. (P)
3. All non-initial RCA certificates will be authenticated using the public key
contained within the previous Root usage certificates. (P)
4. All RCA certificates will be stored in a tamper proof and detectable
manner. (P)
5. All certificates issued by the RCA to the BCA will be authenticated using
the public key contained within the valid RCA brand certificate signature
certificate. (P)
4.6 Root Key Compromise Procedures
------------------------------
1. Upon compromise of a RCA key pair, new RCA certificates shall be treated as
initial RCA certificates and the appropriate procedures will be applied. (P)
2. Upon the compromise of a RCA brand certificate signature key pair, the
corresponding RCA brand signature certificate and any certificates issued with
the corresponding key will not be accepted. The RCA will distribute the new RCA
brand key exchange certificate to the BCA within a message that is signed using
the private key that corresponds to the valid RCA brand message signature
certificate. All BCA certificates signed by the compromised key will be revoked.
New BCA certificates will be requested from the RCA. All CCA, MCA, GCA, PCA and
Registration Server certificates signed by BCA certificates issued by the
compromised RCA key will be revoked. New CCA, MCA,
GCA, PCA and Registration Server certificates will be issued and signed using
newly generated BCA key pairs. The new certificates along with the new RCA and
BCA certificate signature certificates will be sent, in a trusted manner, to all
CCA, MCA, GCA, PCA and Registration Server whose certificates were revoked. (P)
3. Upon the compromise of a RCA brand key exchange key pair, the corresponding
RCA brand key exchange certificate will not be used to encrypt messages sent to
the RCA. The RCA will distribute the new RCA brand key exchange certificate to
the BCA within a message that is signed using the private key that corresponds
to the valid RCA brand message signature certificate. (P)
4. Upon the compromise of a RCA brand message signature key pair, the
corresponding RCA brand message signature certificate and any messages signed by
the compromised key pair will not be accepted. The RCA will distribute the new
RCA brand message signature certificate to the BCA within a message that is
signed using the private key that corresponds to the new RCA brand message
signature certificate. (P)
4.7 Messages
--------
1. All messages sent by the BCA to the RCA will be encrypted using the public
key contained within the valid RCA brand key exchange certificate. (GA)
2. All messages sent by the RCA to the BCA will be encrypted using the public
key contained within the valid BCA Root key exchange certificate. (GA)
3. All messages sent by the BCA to the RCA will be signed using the private
key corresponding to the valid BCA Root message signature certificate. (GA)
4. All messages sent by the RCA to the BCA will be authenticated using the
public key contained within the valid RCA brand message signature certificate.
(GA)
5. All requests for BCA certificates sent to the RCA will be formatted as
described in ??? (GA)
6. All responses to BCA certificate requests by the RCA will be formatted as
described in ??? (GA)
5. INTERFACE WITH GEO-POLITICAL CAS (T3)
This subsection defines the business policies, procedures and requirements
related to the BCA's interaction with a GCA.
5.1 Registering a Geo-political CA
------------------------------
1. The GCA entity must register with the Brand prior to issuing certificates
to its members.
2. The GCA entity must complete a GCA Registration Contract prior to being
issued a certificate by the Brand.
3. The GCA Registration Contract must be signed by authorized members of the
GCA entity.
4. The authorized members of the GCA entity must present proof of the
existence of the Geo-political entity (i.e. letter of incorporation).
5. The authorized members of the GCA entity must present proof of their own
identity (i.e. passport).
6. The authorized members of the GCA entity must present proof of their
relationship to the GCA entity (i.e. badge).
7. The authorized members of the GCA entity must present proof of their
authorization to act on behalf of the GCA entity (i.e. letter granting authority
with appropriate letterhead and signature of entity executives).
5.2 Certificate Issuance Policies
-----------------------------
1. Initial GCA certificate requests will be obtained by the BCA in a trusted,
off-line manner. This must include requests for GCA Brand (message and
encryption) certificates.
2. Subsequent GCA certificate requests will be obtained by the BCA via
electronic means.
3. All certificates issued to GCAs will be signed using the private key that
corresponds to the valid BCA Geo-political certificate signature certificate.
4. The BCA will only issue certificates to GCA certificate requests that have
passed the business constraints and edit routines as defined in a policy
document that is mutually agreed upon by Visa and VeriSign.
5. The BCA shall send a certificate request rejection response to GCA
certificate requests that have not passed the business constraints and edit
routines.
5.3 Certificate Revocation
----------------------
1. The BCA shall retain the right to revoke a GCA certificate based on
guidelines outlined within the Geo-political Registration Contract.
2. Upon the compromise of a GCA Brand key exchange key pair, the GCA must
revoke the corresponding GCA Brand key exchange certificate. A new key pair will
be generated and the GCA shall request a new certificate from the BCA.
3. Upon the compromise of a GCA Brand message signature key pair, the GCA must
revoke the corresponding GCA Brand message signature certificate. A new key pair
will be generated and the GCA shall request a new certificate from the BCA in a
trusted, off-line manner.
4. Upon the compromise of any other GCA key pair, the GCA must revoke the
corresponding GCA certificate. A new key pair will be generated and the GCA
shall request a new certificate from the BCA.
5.4 Messages
--------
1. All requests for GCA certificates sent to the BCA will be formatted as
described in ???
2. All responses to GCA certificate requests by the BCA will be formatted as
described in ???
3. All messages sent by the GCA to the BCA will be encrypted using the public
key contained within the valid BCA Geo-political key exchange certificate.
4. All messages sent by the BCA to the GCA will be encrypted using the public
key contained within the valid GCA brand key exchange certificate.
5. All request messages sent to the BCA by GCAs will be authenticated using
the public key contained within the valid GCA brand message signature
certificate.
6. All response messages sent to GCAs will be signed using the private key
that corresponds to the valid BCA Geo-political message signature certificate.
6. INTERFACE WITH CARDHOLDER CAS
This subsection defines the business policies, procedures and requirements
related to the BCA's interaction with a CCA.
6.1 Registering a Cardholder CA
---------------------------
1. The CCA entity must register with the Brand prior to issuing certificates
to its cardholders.
2. The CCA entity must complete a CCA Registration Contract prior to being
issued a certificate by the Brand.
3. The CCA Registration Contract must be signed by authorized members of the
CCA entity.
4. The authorized members of the CCA entity must present proof of the
existence of the CCA entity (i.e. letter of incorporation).
5. The authorized members of the CCA entity must present proof of their own
identity (i.e. passport).
6. The authorized members of the CCA entity must present proof of their
relationship to the CCA entity (i.e. badge).
7. The authorized members of the CCA entity must present proof of their
authorization to act on behalf of the CCA entity (i.e. letter granting authority
with appropriate letterhead and signature of entity executives).
6.2 Certificate Issuance Policies
-----------------------------
1. Initial CCA certificate requests will be obtained by the BCA in a trusted,
off-line manner. This must include requests for CCA Brand (message and
encryption) certificates.
2. Subsequent CCA certificate requests will be obtained by the BCA via
electronic means. (GA)
3. All certificates issued to CCAs will be signed using the private key that
corresponds to the valid BCA issuer certificate signature certificate.
4. The BCA will only issue certificates to CCA certificate requests that have
passed the business constraints and edit routines as defined in a policy
document that is mutually agreed upon by Visa and VeriSign.
5. The BCA shall send a certificate request rejection response to CCA
certificate requests that have not passed the business constraints and edit
routines.
6.3 Certificate Revocation
----------------------
1. The BCA shall retain the right to revoke a CCA certificate based on
guidelines outlined within the CCA Registration Contract.
2. Upon the compromise of a CCA Brand key exchange key pair, the CCA must
revoke the corresponding CCA Brand key exchange certificate. A new key pair will
be generated and the CCA shall request a new certificate from the BCA.
3. Upon the compromise of a CCA Brand message signature key pair, the CCA must
revoke the corresponding CCA Brand message signature certificate. A new key pair
will be generated and the CCA shall request a new certificate from the BCA in a
trusted, off-line manner.
4. Upon the compromise of any other CCA key pair, the CCA must revoke the
corresponding CCA certificate. A new key pair will be generated and the CCA
shall request a new certificate from the BCA.
6.4 Messages
--------
1. All requests for CCA certificates sent to the BCA will be formatted as
described in ??? (GA)
2. All responses to CCA certificate requests by the BCA will be formatted as
described in ??? (GA)
3. All messages sent by the CCA to the BCA will be encrypted using the public
key contained within the valid BCA issuer key exchange certificate. (GA)
4. All messages sent by the BCA to the CCA will be encrypted using the public
key contained within the valid CCA brand key exchange certificate. (GA)
5. All request messages sent to the BCA by CCAs will be authenticated using
the public key contained within the valid CCA brand message signature
certificate. (GA)
6. All response messages sent to CCAs will be signed using the private key
that corresponds to the valid BCA issuer message signature certificate. (GA)
7. INTERFACE WITH MERCHANT CAS
This subsection defines the business policies, procedures and requirements
related to the BCA's interaction with an MCA.
7.1 Registering a Merchant CA
-------------------------
1. The MCA entity must register with the Brand prior to issuing certificates
to its merchants.
2. The MCA entity must complete an MCA Registration Contract prior to being
issued a certificate by the Brand.
3. The MCA Registration Contract must be signed by authorized members of the
MCA entity.
4. The authorized members of the MCA entity must present proof of the
existence of the MCA entity (i.e. letter of incorporation).
5. The authorized members of the MCA entity must present proof of their own
identity (i.e. passport).
6. The authorized members of the MCA entity must present proof of their
relationship to the MCA entity (i.e. badge).
7. The authorized members of the MCA entity must present proof of their
authorization to act on behalf of the MCA entity (i.e. letter granting authority
with appropriate letter head and signature of entity executives).
7.2 Certificate Issuance Policies
-----------------------------
1. Initial MCA certificate requests will be obtained by the BCA in a trusted,
off-line manner. This must include requests for MCA Brand (message and
encryption) certificates.
2. Subsequent MCA certificate requests will be obtained by the BCA via online
electronic means. (GA)
3. All certificates issued to MCAs will be signed using the private key that
corresponds to the valid BCA acquirer certificate signature certificate.
4. The BCA will only issue certificates to MCA certificate requests that have
passed the business constraints.
5. The BCA shall send a certificate request rejection response to MCA
certificate requests that have not passed the business constraints.
7.3 Certificate Revocation
----------------------
1. The BCA shall retain the right to revoke an MCA certificate based on
guidelines outlined within the MCA Registration Contract.
2. Upon the compromise of an MCA Brand key exchange key pair, the MCA must
revoke the corresponding MCA Brand key exchange certificate. A new key pair will
be generated and the MCA shall request a new certificate from the BCA.
3. Upon the compromise of an MCA Brand message signature key pair, the MCA must
revoke the corresponding MCA Brand message signature certificate. A new key pair
will be generated and the MCA shall request a new certificate from the BCA in a
trusted, off-line manner.
4. Upon the compromise of any other MCA key pair, the MCA must revoke the
corresponding MCA certificate. A new key pair will be generated and the MCA
shall request a new certificate from the BCA.
7.4 Messages
--------
1. All requests for MCA certificates sent to the BCA will be formatted as
described in ??? (GA)
2. All responses to MCA certificate requests by the BCA will be formatted as
described in ??? (GA)
3. All messages sent by the Acquirer CA to the BCA will be encrypted using the
public key contained within the valid BCA acquirer key exchange certificate.
(GA)
4. All messages sent by the BCA to the MCA will be encrypted using the public
key contained within the valid MCA brand key exchange certificate. (GA)
5. All request messages sent to the BCA by MCAs will be authenticated using
the public key contained within the valid MCA brand message signature
certificate. (GA)
6. All response messages sent to MCAs will be signed using the private key
that corresponds to the valid BCA acquirer message signature certificate. (GA)
8. INTERFACE WITH PAYMENT GATEWAY CA
This subsection defines the business policies, procedures and requirements
related to the BCA's interaction with a PCA.
8.1 Registering a Payment Gateway CA
--------------------------------
1. The Acquirer operating the Payment Gateway must register with the Brand
prior to accepting SEC transactions.
2. The Acquirer operating the Payment Gateway must complete an MCA
Registration Contract prior to being issued a certificate by the Brand.
3. The MCA Registration Contract must be signed by authorized members of the
MCA entity.
4. The authorized members of the MCA entity must present proof of the
existence of the MCA entity (i.e. letter of incorporation).
5. The authorized members of the MCA entity must present proof of their own
identity (i.e. passport).
6. The authorized members of the MCA entity must present proof of their
relationship to the MCA entity (i.e. badge).
7. The authorized members of the MCA entity must present proof of their
authorization to act on behalf of the MCA entity (i.e. letter granting authority
with appropriate letter head and signature of entity executives).
8. The Acquirer must have a Visa approved Payment Gateway in order to be
eligible for an MCA certificate.
8.2 Certificate Issuance Policies
-----------------------------
1. Initial Payment Gateway certificate requests will be obtained by the BCA in
a trusted manner. This must include requests for Payment Gateway Brand (message
and encryption) certificates.
2. Subsequent Payment Gateway certificate requests will be obtained by the BCA
via online electronic means.
3. All certificates issued to Payment Gateway will be signed using the private
key that corresponds to the valid BCA payment gateway certificate signature
certificate.
4. The BCA will only issue certificates to Payment Gateway certificate
requests that have passed the business constraints.
5. The BCA shall send a certificate request rejection response to Payment
Gateway certificate requests that have not passed the business constraints.
8.3 Certificate Revocation
----------------------
1. The BCA shall retain the right to revoke a Payment Gateway certificate
based on guidelines outlined within the MCA Registration Contract.
2. Upon the compromise of a Payment Gateway Brand key exchange key pair, the
Payment Gateway must revoke the corresponding Payment Gateway Brand key exchange
certificate. A new key pair will be generated and the Payment Gateway shall
request a new certificate from the BCA.
3. Upon the compromise of a Payment Gateway Brand message signature key pair,
the Payment Gateway must revoke the corresponding Payment Gateway Brand message
signature certificate. A new key pair will be generated and the Payment Gateway
shall request a new certificate from the BCA in a trusted manner.
4. Upon the compromise of any other Payment Gateway key pair, the Payment
Gateway must revoke the corresponding Payment Gateway certificate. A new key
pair will be generated and that Payment Gateway shall request a new certificate
from the BCA.
8.4 Messages
--------
1. All requests for Payment gateway certificates sent to the BCA will be
formatted as described in ??? (GA).
2. All responses to Payment gateway certificate requests by the BCA will be
formatted as described in ??? (GA).
3. All messages sent by the Payment gateway to the BCA will be encrypted using
the public key contained within the valid BCA payment gateway key exchange
certificate (GA).
4. All messages sent by the BCA to the Payment gateway will be encrypted using
the public key contained within the valid Payment gateway brand key exchange
certificate (GA).
5. All request messages sent to the BCA by Payment gateways will be
authenticated using the public key contained within the valid Payment gateway
brand message signature certificate (GA).
6. All response messages sent to Payment gateways will be signed using the
private key that corresponds to the valid BCA payment gateway message signature
certificate (GA).
9. INTERFACE WITH VISANET
There is no interface between the BCA and VisaNet. A future interface may be
implemented to facilitate the automation of registration and management of
member certificates.
10. SECURITY (P)
This section identifies the physical, electronic and personnel security policies
and procedures with which the BCA must comply.
10.1 Physical Security
-----------------
1. All BCA servers and cryptographic materials shall reside in a secure
facility used solely for BCA purposes; no other business activities may be
performed within the same facility.
2. The BCA facility must provide protection of the BCA servers and
cryptographic materials from unauthorized access, modification, substitution,
insertion and deletion.
3. The BCA facility will provide protection such that attempts described above
will not be successful or will have a high probability of being detected.
4. All access to the BCA servers and cryptographic materials shall be only by
authorized personnel.
5. No unauthorized personnel shall be allowed access to secure areas where the
BCA servers or cryptographic materials are maintained.
6. No guests or "piggy backers" of authorized personnel shall be allowed
access to secure areas where the BCA servers or cryptographic materials are
maintained.
7. An audit control log of all access to the room with the BCA server and
cryptographic materials must be kept and reviewed by designated BCA management;
this may be an electronic audit log.
8. Physical modification or movement of the BCA servers or cryptographic
materials must be under dual control and require prior notification. Visa may
oversee such modification or movement at its discretion.
9. An audit control log of all physical modifications or movements of the BCA
servers or cryptographic materials must be strictly enforced.
10. The BCA facility will be protected with an intrusion alarm system and 24
hour guard; camera surveillance is recommended.
11. The BCA facility will have auxiliary power to ensure uninterrupted
operation in the event of a central power failure.
12. Designated BCA management personnel will routinely inspect the alarm system
and auxiliary power source at least once every two weeks.
13. Records of alarm and auxiliary power inspections must be maintained.
14. Unauthorized access or potential compromise must be immediately reported to
Visa International.
15. Backup facilities are subject to the same physical security requirements as
the primary facilities.
10.2 Network Security
----------------
1. The BCA must not be connected to a network that serves non-BCA functions.
2. Electronic access to the BCA must be restricted to data that is to be used
only by authorized users.
3. CA network must be thoroughly researched, analyzed and tested to ensure
adequate security before deployment.
4. CA network must respect the International Organization for Standardization
(ISO) Open Systems Interconnection (OSI) seven layer model. Those seven layers
are: Physical, Link, Network, Transport, Session, Presentation, Application.
5. CA network must be implemented securely to mitigate exposures within each
of the seven levels of the ISO model.
6. CA network must be implemented securely to mitigate exposure to cracking,
sniffing, spoofing and denial of service attacks.
7. CA network architecture must be reviewed every six months to ensure
exposures within each layer are mitigated.
8. CA network architecture must be modified immediately upon receipt of
generally available information or notification by Visa International regarding
weaknesses discovered within any of the seven layers.
9. Access to CA network shall be only by authorized personnel; each of the
seven network layers shall be secured to ensure only authorized personnel have
access to the CA network.
10. CA server administrators will continually monitor for unauthorized access,
performance tuning and other network administrative tasks. Unauthorized access
will be immediately reported to Visa International.
11. At its discretion Visa may analyze and/or test a CA network implementation
to ensure known attack points do not present exposure to unauthorized access.
12. Backup facilities are subject to the same network security requirements as
the primary facilities.
10.3 System Security
---------------
1. User IDs are to be used to maintain individual accountability, tracking
what a user is doing within the system.
2. Passwords are to be assigned by the system and changed every other month on
a rotating basis, i.e., half of the passwords are changed each month.
3. Passwords are never to be stored on the system except as cryptograms.
4. Passwords are to be managed consistent with the guidelines set forth in the
Department of Defense Password Management Guideline, i.e., the Green Book and
FIPS PUB 112 - Password Usage.
10.4 Personnel Security Requirements
-------------------------------
1. All personnel with access to the BCA servers and cryptographic materials
shall be subject to a thorough background check as approved by Visa
International; Visa, at its sole discretion, may modify background check
procedures as it deems appropriate.
11. AUDITING (P)
1. All auditing processes and procedures are to be consistent with the
recording, examining and reviewing of security related functions of a trusted
system, where a security related activity is any activity or event that relates
to the access of an object.
Typical events that will require logging include:
* Logons (successful and unsuccessful)
* Logouts
* Remote System Access
* File Opens, Closes, Renames and Deletions
* Changes in Privileges or Security Attributes
2. All auditable actions/events are to be associated to an authenticated ID.
Audit trails produced by the system must show the ID of the user who initiated
each action.
3. Each time that an audit event occurs, the system is to write, at least, the
following information:
* Date and time of the event
* Unique ID of the user who initiated the event
* Type of event
* Success or failure
* Origin of the request (e.g., terminal ID)
* Name of object involved (e.g., file being created/deleted)
* Description of modifications to security database
4. Audit procedures are to be consistent with the requirements as set forth in
the Orange Book (Trusted Computer Systems Evaluation Criteria; DOD 520.28-STD)
for security protection of level B2.
5. Audit confirmation is to be provided to confirm that passwords are being
protected consistent with B2 Levels of security of the Orange Book and as set
forth in the Department of Defense Password Management Guideline, i.e., the
Green Book and FIPS PUB 112 - Password Usage.
6. An EDP audit at a SAS 70 level of review is to be performed annually and
the results of that audit made available to Visa International.
7. All audit control logs must be reviewed by management on a monthly basis
and retained for up to three years.
8. All Acquirer CA audit control logs, policies or procedures may be subject
to inspection by Visa International at any time.
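The record fields listed in item 3 and the authenticated-ID rule in item 2 can be checked mechanically during the monthly log review. The following is an added example, not part of the filed document; the JSON-lines layout, field names, event labels, user IDs and sample records are all assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Assumed field names for the items the policy requires in every audit record.
REQUIRED_FIELDS = ("time", "user_id", "event_type", "outcome", "origin")
# Assumed labels for events that act on a named object or on the security database.
OBJECT_EVENTS = {"file_open", "file_close", "file_rename", "file_delete"}
SECURITY_DB_EVENTS = {"privilege_change", "security_attribute_change"}


def check_record(record, issued_ids):
    """Return a list of findings for one audit record (empty list = complete)."""
    findings = ["missing " + f for f in REQUIRED_FIELDS if not record.get(f)]

    if record.get("time"):
        try:
            datetime.fromisoformat(record["time"])
        except (TypeError, ValueError):
            findings.append("unparseable time")

    # Every event must be attributable to an ID the system actually issued.
    if record.get("user_id") and str(record["user_id"]) not in issued_ids:
        findings.append("user_id is not an issued ID")

    if record.get("outcome") and record["outcome"] not in ("success", "failure"):
        findings.append("outcome is not success/failure")

    event = record.get("event_type")
    if not isinstance(event, str):
        event = None
    # Object events need the object name; security database changes need
    # a description of what was modified.
    if event in OBJECT_EVENTS and not record.get("object"):
        findings.append("missing object name")
    if event in SECURITY_DB_EVENTS and not record.get("modification"):
        findings.append("missing security database modification description")
    return findings


def review(lines, issued_ids):
    """Map 1-based line number -> findings, for every line that has any."""
    report = {}
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            report[number] = ["not valid JSON"]
            continue
        if not isinstance(record, dict):
            report[number] = ["not a JSON object"]
            continue
        findings = check_record(record, issued_ids)
        if findings:
            report[number] = findings
    return report


# Constructed sample data: IDs and log lines are invented for this example.
ISSUED_IDS = {"op017", "op022"}
SAMPLE_LOG = [
    '{"time": "1996-05-01T09:15:02", "user_id": "op017", "event_type": "logon",'
    ' "outcome": "success", "origin": "tty04"}',
    '{"time": "1996-05-01T09:16:40", "user_id": "op017", "event_type": "file_delete",'
    ' "outcome": "success", "origin": "tty04"}',
    '{"time": "1996-05-01T09:20:11", "user_id": "", "event_type": "privilege_change",'
    ' "outcome": "success", "origin": "tty02",'
    ' "modification": "added op022 to key-custodian group"}',
    '{"time": "01/05/96 09:31", "user_id": "op099", "event_type": "logon",'
    ' "outcome": "failure", "origin": "remote"}',
    '{"time": "1996-05-01T09:40:00", "user_id": "op022", "event_type": "privilege_change",'
    ' "outcome": "ok", "origin": "tty02"}',
]

if __name__ == "__main__":
    for number, findings in review(SAMPLE_LOG, ISSUED_IDS).items():
        print(number, "; ".join(findings))
```

Records that pass produce no entry, so an empty report means every line carried the required fields and a known user ID.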
12. REPORTING
To be defined.
13. OUTSTANDING ISSUES
The following are outstanding issues that need to be resolved. Each issue
includes a brief description, group that identified the issue and the time frame
by which it must be resolved.
1. What if an Issuer/Acquirer cert must be revoked? - Visa (T2)
2. Key Archival/Key Retrieval - VISA has asked us to archive private keys for
the purposes of validating old digital signatures. I have recommended that they
revisit this requirement, because archival of public keys would make more sense.
This issue remains open. - VeriSign (P)
3. Physical Security - VISA has requested that their CA services be housed in
a facility separate from VeriSign's CA operations. VeriSign will fulfill this
requirement at GA physically separating VISA CA operations from VeriSign
operations. This separation will not include the customer service department. -
VeriSign (P)
4. System Security - VISA has made reference to a DOD Publication in managing
user passwords. If this mandates O.S. security higher than C2, this may be an
issue. - VeriSign (P)
5. Auditing - VISA has made reference to DOD Publications and B2 security in
the April 26 version of the CA requirements. VeriSign needs to analyze cost and
sizing impacts of such a requirement. This issue remains open. VeriSign (P)
6. VeriSign to Visa interface documents need to be finalized. - Visa (T1)
VeriSign Private Label Agreement
Page 30
EXHIBIT "F"
INTERFACE SPECIFICATIONS
These specifications are contained in the VAP Interface Specifications,
Release 10.2, dated August 1995. This document has already been delivered to
VeriSign by Customer.
EXHIBIT "G"
ACCEPTANCE TEST PROCEDURES
[POST CLOSING ITEM]
EXHIBIT "H"
VERISIGN MARKETING RIGHTS AND ROYALTY OBLIGATIONS
VeriSign shall have the right to market the VSE only as set forth on this
Exhibit "H".
1. MARKETING RIGHTS. VeriSign shall have the right to license to Eligible
----------------
Customers ECS pursuant to a license substantially in the form of Exhibit "J" or
to provide Certificate registration, issuing and management functions to
Eligible Customers using ECS. "Eligible Customers" shall mean: any Member of
Visa and any entity providing Financial Services. "Financial Services" shall
mean any of the following: banking, savings and loans, thrifts, insurance,
lending, EDI, credit card issuance and service, commercial network transactions,
companies facilitating commercial transactions over networks (e.g. CyberCash,
DigiCash, and VeriFone), deposit taking, financial intermediaries and the like.
2. CHARGES. VeriSign shall determine the fees it charges for licensing of ECS
-------
or operation of ECS on behalf of the Second Tier CA in its sole discretion.
3. VERISIGN RESERVED RIGHTS. VeriSign shall be entitled to create a software
------------------------
module with the functionality of the VSE provided that VeriSign does not make
use of the source code to the VSE or the System Design Specifications, Interface
Specifications and Customer Requirements that are confidential or proprietary to
Customer in creation of its own product. This Section shall not limit VeriSign's
use for any purpose of residuals resulting from access to such source code. The
term "residuals" means information in non-tangible form which may be retained by
persons who have had access to such source code, including ideas, concepts,
know-how or techniques contained therein.
4. ROYALTIES. VeriSign will pay Customer a seven percent (7%) royalty on (i)
---------
all revenues from sales of any ECAS System to a Visa Member or Visa Processor
and (ii) all revenues from sales of ECS or any derivative work created from ECS
which shall not include any derivative works generated from the ECAS System
alone. This royalty shall be paid on a quarterly basis and due within thirty
(30) days of the end of the calendar quarter in which such revenue was received.
This royalty shall terminate when Customer has been paid, either through the
royalty defined above or through cash payment to Customer or a combination of
both methods, its Initial Development Investment ("IDI") of * ("Date of
Recoupment"). In the event that any obligation of Visa or VeriSign is modified
via an amendment to this Agreement or the Change Order defined in Section 4.1.8
and such amendment or modification changes a royalty obligation, the IDI or any
other aspect of this Section 4, such amendment or change request shall include
an explicit statement of the effect of such modification on the IDI. "All
revenues from sales" means the gross amount of all cash, in-kind or other
consideration receivable by VeriSign at any time in
______________________
* Confidential treatment has been requested with respect to certain portions of
this exhibit. Confidential portions have been omitted from the public filing and
have been separately filed with the Securities and Exchange Commission.
consideration of the licensing of the relevant system, excluding any amounts
receivable by VeriSign for sales and use taxes, shipping, insurance and duties,
and reduced by all discounts, refunds or allowances granted in the ordinary
course of business.
VeriSign will pay Customer a seven percent (7%) royalty on all revenue received
from issuance of certificates by any system defined in this Section 4(i) and
4(ii) above ("Customer Related Certificates"). This royalty shall be due
quarterly and paid within thirty (30) days after the end of the calendar quarter
in which such revenue was received. This royalty shall terminate on the fifth
(5th) anniversary of the Date of Recoupment or ten (10) years after the first
publicly available pilot of the ECS System, whichever comes first.
5. U.S. CURRENCY. All payments hereunder shall be made in lawful United
--------------
States Currency. If VeriSign receives payment in foreign currencies, the amount
of its license fees due to Customer shall be calculated using the closing
exchange rate published in the Wall Street Journal, Western Edition, on the last
business day such journal is published in the calendar quarter immediately
preceding the date of payment.
6. TERMS OF PAYMENT. License fees shall accrue with respect to ECS licensed
----------------
or otherwise distributed by VeriSign or on the date that VeriSign receives the
revenue from the Second Tier CA or Subscriber therefor. License fees due
Customer hereunder shall be paid by VeriSign to the attention of Peter R. Hill
at Customer's address set forth above on or before the thirtieth (30th) day
after the close of the calendar quarter during which the license fees accrued. A
late payment penalty on any undisputed license fees not paid when due shall be
assessed at the rate of one percent (1%) per thirty (30) days beginning on the
thirty-first (31st) day after the day the unpaid license fees are due.
7. LICENSE REPORT. A report in reasonably detailed form setting forth the
--------------
calculation of license fees due from VeriSign and signed by a responsible
officer of VeriSign shall be delivered to Customer on or before the thirtieth
(30th) day after the close of each calendar quarter, regardless of whether
license fee payments are required to be made pursuant to Section 4. The report
shall include, at a minimum, the following information (if applicable to
VeriSign's designated method of calculating license fees) with respect to the
relevant quarter: (i) the total number of ECS licensed or otherwise distributed
by VeriSign (indicating the names and versions thereof), (ii) the total revenue
from sales of such ECS, (iii) the number and class of Certificates issued for
which a royalty is due; and (iv) total license fees accrued.
8. AUDIT RIGHTS. Customer shall have the right, at its sole cost and expense,
------------
to have an independent certified public accountant conduct during normal
business hours not more frequently than annually, an audit of the appropriate
records of VeriSign to verify the number of copies of ECS licensed or otherwise
distributed by VeriSign, the number and class of Certificates issued, and if
relevant to VeriSign's designated method of calculating license fees, the amount
of revenues from sales therefor. Such certified public accountant shall adhere
to any nondisclosure provisions committed to by VeriSign to a Second Tier CA or
subscriber. If such amounts are found to be different than those reported or the
license fees accrued are different than those reported, VeriSign will be
invoiced or credited for the difference, as applicable. Any additional
license fees, along with the late payment penalty assessed in accordance with
Section 6, shall be payable within thirty (30) days of such invoice. If a
deficiency in license fees paid by VeriSign is greater than five percent (5%) of
the license fees reported by VeriSign for any quarter, VeriSign will pay the
reasonable expenses associated with such audit, in addition to the deficiency.
9. EVALUATION COPIES. VeriSign may deliver copies of ECS to prospective
-----------------
Second Tier CAs on a trial basis for evaluation purposes only (each, an
"Evaluation Copy") provided that each such prospective Second Tier CA has
received a written or electronic trial license prohibiting the Second Tier CA
from copying, modifying, reverse engineering, decompiling or disassembling the
code for the VSE code or any part thereof. No royalties on income from licensing
ECS shall be reportable or payable with respect to Evaluation Copies. Per copy
Certificate charges will accrue if applicable.
10. VOLUME CREDIT. Each Certificate issued by a Second Tier CA using ECS, and
-------------
each Certificate issued by VeriSign while operating ECS on behalf of a Second
Tier CA, shall be counted as a Certificate issued by Customer or on behalf of
Customer by VeriSign for purposes of calculating royalties and license fees due
from Customer under Exhibit "B" or the License Agreement when and if executed in
the form of Exhibit "J" with Customer. Customer shall receive one hundred
percent (100%) volume credit for all Customer Related Certificates. The
cumulative total for certificates generated by Customer and Customer Related
Certificates shall be used in determining the volume pricing available for
Customer under Exhibit B. This cumulative total shall not be reset annually or
at any time during this Agreement.
EXHIBIT "I"
ESCROW AGREEMENT
MASTER PREFERRED ESCROW AGREEMENT
Master Number ________________
This Agreement is effective ______________, 19__ among Data Securities
International, Inc. ("DSI"), ________________________________________
("_______") and any party signing the Acceptance Form attached to this Agreement
("_____"), who collectively may be referred to in this Agreement as "the
parties."
A. Depositor and Preferred Beneficiary have entered or will enter into a
license agreement, development agreement, and/or other agreement regarding
certain proprietary technology of Depositor (referred to in this Agreement as
"the license agreement").
B. Depositor desires to avoid disclosure of its proprietary technology except
under certain limited circumstances.
C. The availability of the proprietary technology of Depositor is critical to
Preferred Beneficiary in the conduct of its business and, therefore, Preferred
Beneficiary needs access to the proprietary technology under certain limited
circumstances.
D. Depositor and Preferred Beneficiary desire to establish an escrow with DSI
to provide for the retention, administration and controlled access of certain
proprietary technology materials of Depositor.
E. The parties desire this Agreement to be supplementary to the license
agreement pursuant to 11 United States [Bankruptcy] Code, Section 365(n).
ARTICLE 1 -- DEPOSITS
1.1 Obligation to Make Deposit. Upon the signing of this Agreement by the
--------------------------
parties, including the signing of the Acceptance Form, Depositor shall deliver
to DSI the proprietary information and other materials ("deposit materials")
required to be deposited by the license agreement or, if the license agreement
does not identify the materials to be deposited with DSI, then such materials
will be identified on an Exhibit A. If Exhibit A is applicable, it is to be
prepared and signed by Depositor and Preferred Beneficiary. DSI shall have no
obligation with respect to the preparation, signing or delivery of Exhibit A.
1.2 Identification of Tangible Media. Prior to the delivery of the deposit
--------------------------------
materials to DSI, Depositor shall conspicuously label for identification each
document, magnetic tape, disk, or other tangible media upon which the deposit
materials are written or stored. Additionally, Depositor shall complete Exhibit
B to this Agreement by listing each such tangible media by the item label
description, the type of media and the quantity. The Exhibit B must be signed
by
Depositor and delivered to DSI with the deposit materials. Unless and until
Depositor makes the initial deposit with DSI, DSI shall have no obligation with
respect to this Agreement, except the obligation to notify the parties regarding
the status of the deposit account as required in Section 2.2 below.
1.3 Deposit Inspection. When DSI receives the deposit materials and the
------------------
Exhibit B, DSI will conduct a deposit inspection by visually matching the
labeling of the tangible media containing the deposit materials to the item
descriptions and quantity listed on the Exhibit B. In addition to the deposit
inspection, Preferred Beneficiary may elect to cause a verification of the
deposit materials in accordance with Section 1.6 below.
1.4 Acceptance of Deposit. At completion of the deposit inspection, if DSI
---------------------
determines that the labeling of the tangible media matches the item descriptions
and quantity on Exhibit B, DSI will date and sign the Exhibit B and mail a copy
thereof to Depositor and Preferred Beneficiary. If DSI determines that the
labeling does not match the item descriptions or quantity on the Exhibit B, DSI
will (a) note the discrepancies in writing on the Exhibit B; (b) date and sign
the Exhibit B with the exceptions noted; and (c) provide a copy of the Exhibit B
to Depositor and Preferred Beneficiary. DSI's acceptance of the deposit occurs
upon the signing of the Exhibit B by DSI. Delivery of the signed Exhibit B to
Preferred Beneficiary is Preferred Beneficiary's notice that the deposit
materials have been received and accepted by DSI.
1.5 Depositor's Representations. Depositor represents as follows:
---------------------------
a. Depositor lawfully possesses all of the deposit materials deposited
with DSI;
b. With respect to all of the deposit materials, Depositor has the right
and authority to grant to DSI and Preferred Beneficiary the rights as
provided in this Agreement;
c. The deposit materials are not subject to any lien or other
encumbrance; and
d. The deposit materials consist of the proprietary information and other
materials identified either in the license agreement or Exhibit A, as
the case may be.
1.6 Verification. Preferred Beneficiary shall have the right, at Preferred
------------
Beneficiary's expense, to cause a verification of any deposit materials. A
verification determines, in different levels of detail, the accuracy,
completeness, sufficiency and quality of the deposit materials. If a
verification is elected after the deposit materials have been delivered to DSI,
then only DSI, or at DSI's election an independent person or company selected
and supervised by DSI, may perform the verification.
1.7 Deposit Updates. Unless otherwise provided by the license agreement,
---------------
Depositor shall update the deposit materials within 60 days of each release of a
new version of the product which is subject to the license agreement. Such
updates will be added to the existing deposit. All deposit updates shall be
listed on a new Exhibit B and the new Exhibit B shall be signed by Depositor.
Each Exhibit B will be held and maintained separately within the escrow account.
VeriSign Private Label Agreement
Page 37
An independent record will be created which will document the activity for each
Exhibit B. The processing of all deposit updates shall be in accordance with
Sections 1.2 through 1.6 above. All references in this Agreement to the deposit
materials shall include the initial deposit materials and any updates.
1.8 Removal of Deposit Materials. The deposit materials may be removed and/or
----------------------------
exchanged only on written instructions signed by Depositor and Preferred
Beneficiary, or as otherwise provided in this Agreement.
ARTICLE 2 -- CONFIDENTIALITY AND RECORD KEEPING
2.1 Confidentiality. DSI shall maintain the deposit materials in a secure,
---------------
environmentally safe, locked receptacle which is accessible only to authorized
employees of DSI. DSI shall have the obligation to reasonably protect the
confidentiality of the deposit materials. Except as provided in this Agreement,
DSI shall not disclose, transfer, make available, or use the deposit materials.
DSI shall not disclose the content of this Agreement to any third party. If DSI
receives a subpoena or other order of a court or other judicial tribunal
pertaining to the disclosure or release of the deposit materials, DSI will
immediately notify the parties to this Agreement. It shall be the
responsibility of Depositor and/or Preferred Beneficiary to challenge any such
order; provided, however, that DSI does not waive its rights to present its
position with respect to any such order. DSI will not be required to disobey
any court or other judicial tribunal order. (See Section 7.5 below for notices
of requested orders.)
2.2 Status Reports. DSI will issue to Depositor and Preferred Beneficiary a
--------------
report profiling the account history at least semi-annually. DSI may provide
copies of the account history pertaining to this Agreement upon the request of
any party to this Agreement.
2.3 Audit Rights. During the term of this Agreement, Depositor and Preferred
------------
Beneficiary shall each have the right to inspect the written records of DSI
pertaining to this Agreement. Any inspection shall be held during normal
business hours and following reasonable prior notice.
ARTICLE 3 -- GRANT OF RIGHTS TO DSI
3.1 Title to Media. Depositor hereby transfers to DSI the title to the media
--------------
upon which the proprietary information and materials are written or stored.
However, this transfer does not include the ownership of the proprietary
information and materials contained on the media such as any copyright, trade
secret, patent or other intellectual property rights.
3.2 Right to Make Copies. DSI shall have the right to make copies of the
--------------------
deposit materials as reasonably necessary to perform this Agreement. DSI shall
copy all copyright, nondisclosure, and other proprietary notices and titles
contained on the deposit materials onto any copies made by DSI. With all
deposit materials submitted to DSI, Depositor shall provide any and all
instructions as may be necessary to duplicate the deposit materials including
but not limited to the hardware and/or software needed.
3.3 Right to Sublicense Upon Release. As of the effective date of this
--------------------------------
Agreement, Depositor hereby grants to DSI a non-exclusive, irrevocable,
perpetual, and royalty-free license to sublicense the deposit materials to
Preferred Beneficiary upon the release, if any, of the deposit materials in
accordance with Section 4.5 below. Except upon such a release, DSI shall not
sublicense or otherwise transfer the deposit materials.
ARTICLE 4 -- RELEASE OF DEPOSIT
4.1 Release Conditions. As used in this Agreement, "Release Conditions" shall
------------------
mean the following:
a. Depositor's failure to carry out obligations imposed on it pursuant to
the license agreement; or
b. Depositor's failure to continue to do business in the ordinary course.
4.2 Filing For Release. If Preferred Beneficiary believes in good faith that a
------------------
Release Condition has occurred, Preferred Beneficiary may provide to DSI written
notice of the occurrence of the Release Condition and a request for the release
of the deposit materials. Upon receipt of such notice, DSI shall provide a copy
of the notice to Depositor, by certified mail, return receipt requested, or by
commercial express mail.
4.3 Contrary Instructions. From the date DSI mails the notice requesting
---------------------
release of the deposit materials, Depositor shall have ten business days to
deliver to DSI Contrary Instructions. "Contrary Instructions" shall mean the
written representation by Depositor that a Release Condition has not occurred or
has been cured. Upon receipt of Contrary Instructions, DSI shall send a copy to
Preferred Beneficiary by certified mail, return receipt requested, or by
commercial express mail. Additionally, DSI shall notify both Depositor and
Preferred Beneficiary that there is a dispute to be resolved pursuant to the
Dispute Resolution section of this Agreement (Section 7.3). Subject to Section
5.2, DSI will continue to store the deposit materials without release pending
(a) joint instructions from Depositor and Preferred Beneficiary, (b) resolution
pursuant to the Dispute Resolution provisions, or (c) order of a court.
4.4 Release of Deposit. If DSI does not receive Contrary Instructions from the
------------------
Depositor, DSI is authorized to release the deposit materials to the Preferred
Beneficiary or, if more than one beneficiary is registered to the deposit, to
release a copy of the deposit materials to the Preferred Beneficiary. However,
DSI is entitled to receive any fees due DSI before making the release. This
Agreement will terminate upon the release of the deposit materials held by DSI.
4.5 Use License Following Release. Unless otherwise provided in the license
-----------------------------
agreement, upon release of the deposit materials in accordance with this Article
4, Preferred Beneficiary shall have a non-exclusive, non-transferable,
irrevocable right to use the deposit materials for the sole purpose of
continuing the benefits afforded to Preferred Beneficiary by the license
agreement. Preferred Beneficiary shall be obligated to maintain the
confidentiality of the released deposit materials.
ARTICLE 5 -- TERM AND TERMINATION
5.1 Term of Agreement. The initial term of this Agreement is for a period of
-----------------
one year. Thereafter, this Agreement shall automatically renew from year-to-year
unless (a) Depositor and Preferred Beneficiary jointly instruct DSI in writing
that the Agreement is terminated; or (b) the Agreement is terminated by DSI for
nonpayment in accordance with Section 5.2. If the Acceptance Form has been
signed at a date later than this Agreement, the initial term of the Acceptance
Form will be for one year with subsequent terms to be adjusted to match the
anniversary date of this Agreement. If the deposit materials are subject to
another escrow agreement with DSI, DSI reserves the right, after the initial one
year term, to adjust the anniversary date of this Agreement to match the then
prevailing anniversary date of such other escrow arrangements.
5.2 Termination for Nonpayment. In the event of the nonpayment of fees owed to
--------------------------
DSI, DSI shall provide written notice of delinquency to all parties to this
Agreement. Any party to this Agreement shall have the right to make the payment
to DSI to cure the default. If the past due payment is not received in full by
DSI within one month of the date of such notice, then DSI shall have the right
to terminate this Agreement at any time thereafter by sending written notice of
termination to all parties. DSI shall have no obligation to take any action
under this Agreement so long as any payment due to DSI remains unpaid.
5.3 Disposition of Deposit Materials Upon Termination. Upon termination of
-------------------------------------------------
this Agreement by joint instruction of Depositor and Preferred Beneficiary, DSI
shall destroy, return, or otherwise deliver the deposit materials in accordance
with such instructions. Upon termination for nonpayment, DSI may, at its sole
discretion, destroy the deposit materials or return them to Depositor. DSI
shall have no obligation to return or destroy the deposit materials if the
deposit materials are subject to another escrow agreement with DSI.
5.4 Survival of Terms Following Termination. Upon termination of this
---------------------------------------
Agreement, the following provisions of this Agreement shall survive:
a. Depositor's Representations (Section 1.5).
b. The obligations of confidentiality with respect to the deposit
materials.
c. The licenses granted in the sections entitled Right to Sublicense Upon
Release (Section 3.3) and Use License Following Release (Section 4.5),
if a release of the deposit materials has occurred prior to
termination.
d. The obligation to pay DSI any fees and expenses due.
e. The provisions of Article 7.
f. Any provisions in this Agreement which specifically state they survive
the termination or expiration of this Agreement.
ARTICLE 6 -- DSI'S FEES
6.1 Fee Schedule. DSI is entitled to be paid its standard fees and expenses
------------
applicable to the services provided. DSI shall notify the party responsible for
payment of DSI's fees at least 90 days prior to any increase in fees. For any
service not listed on DSI's standard fee schedule, DSI will provide a quote
prior to rendering the service, if requested.
6.2 Payment Terms. DSI shall not be required to perform any service unless the
-------------
payment for such service and any outstanding balances owed to DSI are paid in
full. All other fees are due upon receipt of invoice. If invoiced fees are not
paid, DSI may terminate this Agreement in accordance with Section 5.2. Late fees
on past due amounts shall accrue at the rate of one and one-half percent per
month (18% per annum) from the date of the invoice.
ARTICLE 7 -- LIABILITY AND DISPUTES
7.1 Right to Rely on Instructions. DSI may act in reliance upon any
-----------------------------
instruction, instrument, or signature reasonably believed by DSI to be genuine.
DSI may assume that any employee of a party to this Agreement who gives any
written notice, request, or instruction has the authority to do so. DSI shall
not be responsible for failure to act as a result of causes beyond the
reasonable control of DSI.
7.2 Indemnification. DSI shall be responsible to perform its obligations under
---------------
this Agreement and to act in a reasonable and prudent manner with regard to this
escrow arrangement. Provided DSI has acted in the manner stated in the
preceding sentence, Depositor and Preferred Beneficiary each agree to indemnify,
defend and hold harmless DSI from any and all claims, actions, damages,
arbitration fees and expenses, costs, attorney's fees and other liabilities
incurred by DSI relating in any way to this escrow arrangement.
7.3 Dispute Resolution. Any dispute relating to or arising from this Agreement
------------------
shall be resolved by arbitration under the Commercial Rules of the American
Arbitration Association. Unless otherwise agreed by Depositor and Preferred
Beneficiary, arbitration will take place in San Diego, California, U.S.A. Any
court having jurisdiction over the matter may enter judgment on the award of the
arbitrator(s). Service of a petition to confirm the arbitration award may be
made by First Class mail or by commercial express mail, to the attorney for the
party or, if unrepresented, to the party at the last known business address.
7.4 Controlling Law. This Agreement is to be governed and construed in
---------------
accordance with the laws of the State of California, without regard to its
conflict of law provisions.
7.5 Notice of Requested Order. If any party intends to obtain an order from
-------------------------
the arbitrator or any court of competent jurisdiction which may direct DSI to
take, or refrain from taking any action, that party shall:
a. Give DSI at least two business days' prior notice of the hearing;
b. Include in any such order that, as a precondition to DSI's obligation,
DSI be paid in full for any past due fees and be paid for the
reasonable value of the services to be rendered pursuant to such
order; and
c. Ensure that DSI not be required to deliver the original (as opposed to
a copy) of the deposit materials if DSI may need to retain the
original in its possession to fulfill any of its other escrow duties.
ARTICLE 8 -- GENERAL PROVISIONS
8.1 Entire Agreement. This Agreement, which includes the Acceptance Form and
----------------
the Exhibits described herein, embodies the entire understanding between all of
the parties with respect to its subject matter and supersedes all previous
communications, representations or understandings, either oral or written. No
amendment or modification of this Agreement shall be valid or binding unless
signed by all the parties hereto, except Exhibit A need not be signed by DSI and
Exhibit B need not be signed by Preferred Beneficiary.
8.2 Notices. All notices, invoices, payments, deposits and other documents and
-------
communications shall be given to the parties at the addresses specified in the
attached Exhibit C and Acceptance Form. It shall be the responsibility of the
parties to notify each other as provided in this Section in the event of a
change of address. The parties shall have the right to rely on the last known
address of the other parties. Unless otherwise provided in this Agreement, all
documents and communications may be delivered by First Class mail.
8.3 Severability. In the event any provision of this Agreement is found to be
------------
invalid, voidable or unenforceable, the parties agree that unless it materially
affects the entire intent and purpose of this Agreement, such invalidity,
voidability or unenforceability shall affect neither the validity of this
Agreement nor the remaining provisions herein, and the provision in question
shall be deemed to be replaced with a valid and enforceable provision most
closely reflecting the intent and purpose of the original provision.
8.4 Successors. This Agreement shall be binding upon and shall inure to the
----------
benefit of the successors and assigns of the parties. However, DSI shall have
no obligation in performing this Agreement to recognize any successor or assign
of Depositor or Preferred Beneficiary unless DSI receives clear, authoritative
and conclusive written evidence of the change of parties.
_________________________ Data Securities International, Inc.
By:______________________ By: _______________________________
Name: ___________________ Name: _____________________________
Title: __________________ Title: ____________________________
Date: ___________________ Date: _____________________________
Custom Certificate System License Agreement Number: _______________
Date of Agreement: ________________________________________________
EXHIBIT "J"
CUSTOM CERTIFICATE SYSTEM LICENSE AGREEMENT
THIS CUSTOM CERTIFICATE SYSTEM LICENSE AGREEMENT ("Agreement") effective as
of the last date of execution, is entered into by and between VeriSign, Inc., a
Delaware corporation ("VeriSign"), having a principal mailing address at 2593
Coast Avenue, Mountain View, California 94043, and the entity named below as
"Customer" ("Customer"), having a principal address as set forth below.
Customer:
VISA International Service Association
- --------------------------------------
(Name and jurisdiction of incorporation)
Customer Address:
______________________________________
______________________________________
______________________________________
Customer Legal Contact:
______________________________________
(name, telephone and title)
Customer Billing Contact:
______________________________________
(name, telephone and title)
Customer Technical Contact:
______________________________________
(name, telephone and title)
Customer Commercial Contact:
______________________________________
(name, telephone and title)
1. DEFINITIONS
-----------
The following terms when used in this Agreement shall have the following
meanings:
1.1 "CERTIFICATE" means a collection of electronic data consisting of a
Public Key, identifying information which contains information about the owner
of the Public Key, and validity information, which (or a string of bits derived
from the Public Key) has been encrypted by a third party who is the issuer of
the Certificate with such third party Certificate issuer's Private Key. This
collection of electronic data collectively serves the function of identifying
the owner of the Public Key and verifying the integrity of the electronic data.
"CERTIFY" or "CERTIFICATION" means the act of generating a Certificate.
"CERTIFIED" means the condition of having been issued a valid Certificate by a
Certifier, which Certificate has not been revoked.
1.2 "CERTIFICATE MANAGEMENT SYSTEM ('CMS')" means VeriSign's proprietary
software product marketed and developed under the name "Certificate Management
System" providing secure off-line certificate issuance as presently in existence
and as developed and enhanced in the future by VeriSign.
1.3 "CERTIFICATE SIGNING UNIT ('CSU')" means a hardware unit or software
designed for use in signing Certificates and key storage. The BBN
SafeKeyper(TM) manufactured by BBN Communications, Inc. is one hardware
implementation of a CSU.
1.4 "CERTIFICATE SUBSCRIPTION SERVICE" means the operation of the Licensed
Software to provide Certificate registration, issuing and management functions
on behalf of Second Tier CAs.
1.5 "CERTIFICATION AUTHORITY" OR "CA" means VeriSign and any entity,
group, division, department, unit or office which is Certified by VeriSign to,
and has accepted responsibility to, issue Certificates to specified Subscribers
in a Hierarchy in accordance with the CPS or a Protocol.
1.6 "CERTIFICATION PRACTICE STATEMENT" OR "CPS" means the VeriSign
specification of policies, procedures and resources to control the entire
Certificate process and transactional use of Certificates within the VeriSign
Public Hierarchies.
1.7 "CUSTOMER AFFILIATES" shall mean Visa's Subsidiaries and Related
Entities. A "Subsidiary" shall mean a company in which on a class-by-class
basis, more than fifty percent (50%) of the stock entitled to vote for the
election of directors is owned or controlled by Customer, but only so long as
such ownership or control exists. A "Related Entity" shall mean an entity (A)
at least fifty percent (50%) of whose stock or other equity is owned by
Customer's member banks and that has the authority to process Visa payment
transactions, but only so long as such ownership exists; (B) has an equity
interest in Customer and is owned in whole by Member banks or financial
institutions (e.g., national or regional group Members); or (C) is exclusively
---
managed by Visa or a national or group Member of Visa for the purpose of
processing Visa payment transactions, but only so long as such exclusive
management exists.
Notwithstanding anything to the contrary set forth above, however, Subsidiaries
or Related Entities do not include any Acquirer, Issuer or individual bank or
like financial institution. Customer Affiliates include, for example, without
limitation, Visa USA, Inc, ViTAL, Inc, Plus and Interlink.
1.8 "CUSTOMER PRODUCT" means any product including some or all of the
Licensed Software developed by Customer for use by a Subscriber in VISA's
Private Hierarchy with a Certificate issued by VISA or by a Second Tier CA to
VISA which incorporates VISA's Root Keys.
1.9 "DIGITAL SIGNATURE" means information encrypted with a Private Key
which is appended to information to identify the owner of the Private Key and to
verify the integrity of the information. "DIGITALLY SIGNED" shall refer to
----------------
electronic data to which a Digital Signature has been appended.
1.10 "ELECTRONIC COMMERCE AUTHENTICATION SYSTEM ('ECAS')" means VeriSign's
proprietary software product marketed and developed under the name "Electronic
Commerce Authentication System" providing secure on-line certificate issuance as
presently in existence and as developed and enhanced in the future by VeriSign.
1.11 "HIERARCHY" means a domain consisting of a system of chained
Certificates leading from the Primary Certification Authority through one or
more Certification Authorities to Subscribers.
1.12 "INTERNET" means the global computer network commonly known as
"Internet".
1.13 "LICENSED SOFTWARE" means the object code and source code of the
VeriSign Software as specified on Exhibit "A" (License and Maintenance Fees)
hereto as having been licensed by Customer. Only those portions of the VeriSign
Software specified as having been licensed are included in the Licensed
Software.
1.14 "NEW RELEASE" means a version of the VeriSign Software which shall
generally be designated by a new version number which has changed from the prior
number only to the right of the decimal point (e.g., Version 2.2 to Version
2.3).
1.15 "NEW VERSION" means a version of the VeriSign Software which shall
generally be designated by a new version number which has changed from the prior
number to the left of the decimal point (e.g., Version 2.3 to Version 3.0).
1.16 "PRIMARY CERTIFICATION AUTHORITY" OR "PCA" means an entity that
establishes policies for all Certification Authorities and Subscribers within
its Private Hierarchy.
1.17 "PRIVATE HIERARCHY" means a domain consisting of a chained
Certificate hierarchy which is entirely self-contained within an organization or
network and not designed to be interoperable with or intended to interact
through public channels with any external organizations, networks, and public
hierarchies. [I am not sure whether this definition correctly
describes an SET CA - while the hierarchy is self-contained, it is intended to
interact with an "external organization" and on any network.]
1.18 "PRIVATE KEY" means a mathematical key which is kept private to the
owner and which is used through public key cryptography to encrypt electronic
authenticity data and create a Digital Signature which will be decrypted with
the corresponding Public Key.
1.19 "PUBLIC HIERARCHY" means a domain consisting of a system of chained
Certificates leading from VeriSign as the Primary Certification Authority
through one or more Certification Authorities to Subscribers in accordance with
the VeriSign Certification Practice Statement. Certificates issued in a Public
Hierarchy are intended to be interoperable among organizations, allowing
Subscribers to interact through public channels with various individuals,
organizations, and networks.
1.20 "PUBLIC KEY" means a mathematical key which is available publicly and
which is used through public key cryptography to decrypt electronic authenticity
data which was encrypted using the matched Private Key and to verify Digital
Signatures created with the matched Private Key.
1.21 "PUBLIC KEY INFRASTRUCTURE (PKI)" means the VeriSign specification
for the architecture, techniques, practices, and procedures that collectively
support the implementation and operation of Certificate-based public key
cryptographic systems.
1.22 "ROOT KEY" means one or more public root key(s) published by the
organization which generated and is entitled to use such keys as the public
components of its key pair(s) in issuing Certificates in a hierarchy over which
such organization has responsibility.
1.23 "SECOND TIER CA" means an entity in the business of selling or
issuing Certificates in VISA's Private Hierarchy digitally signed by such Second
Tier CA to Subscribers, by virtue of authority of Customer and using VISA's
Certificate Subscription Service directly or by sublicensing the Licensed
Software from Customer.
1.24 "SECURE ELECTRONIC TRANSACTIONS ('SET')" means the specification
published by Visa International Service Association and MasterCard International
and made available to all developers wishing to implement secure payments over
the Internet and other public and private networks.
1.25 "SET MODULE" shall mean the software module created by VeriSign to
implement the SET. The SET Module shall include all software elements necessary
to implement all aspects of the SET specification, but shall not include the
VSE.
1.26 "SUBSCRIBER" means an individual, a device or a role/office that has
requested a Certifier to issue him, her or it a Certificate.
1.27 "USER MANUAL" means the most current version of the user or operating
manual customarily supplied by VeriSign to customers who license the VeriSign
Object Code, if any.
1.28 "VERISIGN AFFILIATES" shall mean a company in which, on a class by
class basis, more than fifty percent (50%) of the stock entitled to vote for the
election of directors is owned or controlled by VeriSign, but only so long as
such ownership or control exists.
1.29 "VERISIGN OBJECT CODE" means the Licensed Software in machine-
readable, compiled object code form.
1.30 "VERISIGN SOFTWARE" means VeriSign proprietary software known as
Certificate Management System, Electronic Commerce Authentication System, SET
Module and VSE as described in the User Manuals associated therewith. "VeriSign
Software" shall also include all modifications and enhancements (including all
New Releases and New Versions) to such programs as provided by VeriSign to
Customer pursuant to Sections 4.3 and 4.4.
1.31 "VISA" means VISA International Service Association and its
Affiliates.
1.32 "VSE SOURCE CODE" means the mnemonic, high level statement versions
of the VSE written in the source language used by programmers.
1.33 "VSE ('VISA SET ENHANCEMENTS')" shall mean the software module
created by VeriSign under contract from VISA which interfaces with the SET
Module to provide enhanced functionality and features unique to VISA, but not
necessary to fully implement the SET.
1.34 "WWW" means the system currently referenced as the "World Wide Web"
for organizing multi-media information distributed across network(s) such that
it can be navigated and accessed via cross linking mechanisms, and any successor
to such system, and any parallel system which uses at least all the same
communication protocols as the system currently referenced as the "World Wide
Web" or to the successor to such system, even if the administrators of such
systems choose to call them by different names.
2. GRANT OF LICENSES; LIMITATIONS
------------------------------
2.1 VSE SOURCE CODE LICENSE. If a VSE Source Code license is specified in
-----------------------
Exhibit "A", VeriSign hereby grants Customer a non-exclusive, non-transferable,
non-assignable, perpetual worldwide license to: (i) modify the VSE Source Code
(all such modifications to the VSE Source Code referenced collectively as
"Customer Modifications"); and (ii) maintain Customer Products and support
Subscribers.
2.2 VERISIGN SOFTWARE OBJECT CODE LICENSE. VeriSign hereby grants
-------------------------------------
Customer a worldwide non-exclusive, non-transferable, non-assignable, perpetual
license to use the Licensed Software to provide Certificate Subscription
Services; and sublicense the VeriSign Object Code to Second Tier CAs to permit
such Second Tier CAs to provide Certificate Subscription Services.
2.3 LIMITATIONS ON LICENSES. The licenses granted in Sections 2.1 and 2.2
-----------------------
shall be limited as follows:
2.3.1 LIMITATION ON DISTRIBUTEES. The VeriSign Object Code shall be
--------------------------
sublicensed or otherwise distributed only to Second Tier CAs. Second Tier CAs
shall be prohibited from redistributing or licensing the VeriSign Object Code or
any portion of the Licensed Software.
2.3.2 LICENSE RESTRICTED TO LICENSED SOFTWARE. Customer may not use,
---------------------------------------
modify, sublicense or incorporate into any Customer Product any software module
or other technology component derived from the VeriSign Software which is not
designated as Licensed Software on Exhibit "A".
2.3.3 VERISIGN ROOT KEYS. Any Customer Product and Licensed Software
------------------
must include VISA's Private Hierarchy Root Key and may include VeriSign's Root
Keys.
2.3.4 RESTRICTION ON COPYING. Customer may not copy or reproduce the
----------------------
VeriSign Software or any part, version or form thereof, except as expressly
permitted in Section 2.2.
2.4 TITLE.
-----
2.4.1 IN VERISIGN. Except for the limited licenses granted in
-----------
Sections 2.1 and 2.2, VeriSign shall at all times retain full and exclusive
right, title and ownership interest in and to the VeriSign Software and in any
and all related patents, trademarks, copyrights and proprietary and trade secret
rights.
2.4.2 IN CUSTOMER. Customer shall at all times retain full and
-----------
exclusive right, title and ownership interest in and to the Customer
Modifications representing incremental modifications to the VeriSign Software
(but not in any part of the VeriSign Software, either as a component of a
derivative work or otherwise) and in any and all related patents, copyrights and
proprietary and trade secret rights; provided, however, that Customer hereby
agrees that it will not assert against VeriSign any of such patents, copyrights
or proprietary or trade secret rights with respect to any software or products
developed by VeriSign without reference to the source code for the Customer
Modifications.
3. LICENSE FEES
------------
3.1 LICENSE FEES. In consideration of VeriSign's grant to Customer of the
------------
limited license rights hereunder, Customer shall pay to VeriSign the amounts set
forth below (the "License Fees"):
3.1.1 SOURCE CODE LICENSE FEES. If VeriSign is granting to Customer
------------------------
VSE Source Code license rights as indicated on Exhibit "A", Customer shall pay
to VeriSign the source code License Fees specified on Exhibit "A" upon execution
of this Agreement.
3.1.2 OBJECT CODE LICENSE FEES. In consideration of VeriSign's grant
------------------------
to Customer of the VeriSign Object Code license rights, Customer shall pay to
VeriSign the object code License Fees specified on Exhibit "A" subject to the
following:
3.1.2.1 ONE-TIME PAID-UP LICENSE FEE. If a one-time paid-up License
----------------------------
Fee is specified on Exhibit "A", a License Fee in the amount specified on
Exhibit "A" shall be due upon execution of this Agreement.
3.1.2.2 PER CERTIFICATE, FIXED DOLLAR LICENSE FEE. If a per
-----------------------------------------
Certificate, fixed dollar License Fee is specified on Exhibit "A", a License Fee
shall be due for each Certificate issued by Customer or a Second Tier CA using
the Licensed Software or a Customer Product, in the amount specified on Exhibit
"A".
3.2 TAXES. All taxes, duties, fees and other governmental charges of any
-----
kind (including sales and use taxes, but excluding taxes based on the gross
revenues or net income of VeriSign) which are imposed by or under the authority
of any government or any political subdivision thereof on the License Fees or
any aspect of this Agreement shall be borne by Customer and shall not be
considered a part of, a deduction from or an offset against License Fees.
3.3 TERMS OF PAYMENT. Per Certificate License Fees shall accrue upon the
----------------
issuance of a Certificate by Customer or Second Tier CA using the Licensed
Software or any Customer Product. One time paid up License Fees are due upon
execution of this Agreement. License Fees due VeriSign hereunder shall be paid
by Customer to the attention of the Software Licensing Department at VeriSign's
address set forth above on or before the thirtieth (30th) day after the close of
the calendar quarter during which the License Fees accrued. A late payment
penalty on any undisputed License Fees not paid when due shall be assessed at
the rate of one percent (1%) per thirty (30) days, beginning on the thirty-first
(31st) day after the last day of the calendar quarter to which the delayed
payment relates.
3.4 U.S. CURRENCY. All payments hereunder shall be made in lawful United
-------------
States currency.
3.5 LICENSING REPORT. A report in reasonably detailed form setting forth
----------------
the calculation of License Fees due from Customer and signed by a responsible
officer of Customer shall be delivered to VeriSign on or before the thirtieth
(30th) day after the close of each calendar quarter during the term of this
Agreement, regardless of whether License Fee payments are required to be made
pursuant to Section 3.3. The report shall include, at a minimum, the following
information (if applicable to Customer's designated method of calculating
License Fees) with respect to the relevant quarter: (i) the total number of
copies/units of Customer Products licensed or otherwise distributed by Customer
(indicating the names and versions thereof); (ii) total License Fees accrued;
and (iii) the total number and type of Certificates issued.
3.6 AUDIT RIGHTS. VeriSign shall have the right, at its sole cost and
------------
expense, to have an independent certified public accountant conduct during
normal business hours and not more frequently than annually, an audit of the
appropriate records of Customer to verify the number of copies/units of Customer
Products licensed or otherwise distributed by Customer, the number and class of
Certificates issued, and, if relevant to Customer's designated method of
calculating License Fees. If such amounts are found to be different than those
reported, or the License Fees
accrued are different than those reported, Customer will be invoiced or credited
for the difference, as applicable. Any additional License Fees, along with the
late payment penalty assessed in accordance with Section 3.3, shall be payable
within thirty (30) days of such invoice. If the deficiency in License Fees paid
by Customer is greater than five percent (5%) of the License Fees reported by
Customer for any quarter, Customer will pay the reasonable expenses associated
with such audit, in addition to the deficiency.
3.7 EVALUATION COPIES. Customer may deliver copies of Customer Products
-----------------
to prospective Second Tier CAs on a trial basis for evaluation purposes only
(each, an "Evaluation Copy") provided that each such prospective Second Tier CA
has received a written or electronic trial license prohibiting the Second Tier
CA from copying, modifying, reverse engineering, decompiling or disassembling
the VeriSign Object Code or any part thereof.
3.8 MFN PRICING. VeriSign agrees to provide Customer with Most Favored
-----------
Nation ("MFN") pricing on all License Fees, excluding maintenance fees and
upgrade charges related to the Licensed Software but including any customer
discount. MFN pricing shall mean that Customer receives the best pricing offered
by VeriSign to any third party under similar terms and conditions. In the event
that VeriSign offers better pricing to a third party under different terms and
conditions, VeriSign agrees to offer such better pricing to Customer under
terms and conditions similar to those offered to the third party. Under no
circumstances will the License Fee charged in Section 3.1.2.1 above, after any
Customer Discount offered pursuant to Section 3.9 below, exceed One Million
Dollars ($1,000,000).
3.9 CUSTOMER DISCOUNT. VeriSign agrees to offer Customer the following
-----------------
discount on the License Fee charged pursuant to Section 3.1.2.1:
Discount* Date License Executed*
-----------------------------------
4. SUPPORT AND MAINTENANCE
-----------------------
4.1 OPTIONAL MAINTENANCE. For the year commencing upon the date of this
--------------------
Agreement and for each year thereafter commencing on the anniversary of such
expiration, Customer may elect to purchase annual maintenance, as described in
Section 4.3, by paying the then-current annual maintenance fee. Such amount
shall be payable for the first year upon the execution of this Agreement and for
each subsequent year in advance of the commencement of such year. VeriSign may
cease to offer maintenance for future maintenance terms by notice delivered to
Customer twelve (12) months or more before the end of the then-current
maintenance term. VeriSign shall not be obligated to provide maintenance for
versions older than the next most current version. For the purpose of this
Section 4.1, "versions" shall refer to the integer portion of the release of a
product (i.e., the "version" of Release 1.2 of a product is 1, therefore, when
----
Release 3.0 of that product is introduced, VeriSign would not be required to
support any Release 1.x).
4.2 ADDITIONAL CHARGES. In the event VeriSign is required to take actions
------------------
to correct a difficulty or defect which is traced to Customer errors,
modifications, enhancements, software or hardware, then Customer shall pay to
VeriSign its time and materials charges at VeriSign's rates then in effect. In
the event VeriSign's personnel must travel to perform maintenance or on-site
support, Customer shall reimburse VeriSign for any reasonable out-of-pocket
expenses incurred,
including travel to and from Customer's sites, lodging, meals and shipping, as
may be necessary in connection with duties performed under this Section 4 by
VeriSign.
______________________
* Confidential treatment has been requested with respect to certain portions of
this exhibit. Confidential portions have been omitted from the public filing
and have been separately filed with the Securities and Exchange Commission.
4.3 MAINTENANCE PROVIDED BY VERISIGN. For periods for which Customer has
--------------------------------
paid an annual maintenance fee, VeriSign will provide Customer with the
following services:
4.3.1 TELEPHONE SUPPORT. VeriSign will provide telephone support to
-----------------
Customer during VeriSign's normal business hours. VeriSign may provide on-site
support reasonably determined to be necessary by VeriSign at Customer's location
specified on page 1 hereof. VeriSign shall provide the support specified in
this Section 4.3.1 to Customer's employees responsible for developing Customer
Products, maintaining Customer Products, and providing support to Second Tier
CAs. VeriSign will provide the name of an employee who will serve as a single
point of contact for support to Customer. VeriSign may change the name at any
time by providing written notice to Customer. On VeriSign's request, Customer
will provide a list with the names of the employees designated to receive
support from VeriSign. Customer may change the names on the list at any time by
providing written notice to VeriSign.
4.3.2 ERROR CORRECTION. In the event Customer discovers an error in
----------------
the Licensed Software which causes the Licensed Software not to operate in
material conformance to VeriSign's published specifications therefor, Customer
shall submit to VeriSign a written report describing such error in sufficient
detail to permit VeriSign to reproduce such error. Upon receipt of any such
written report, VeriSign will use its reasonable business judgment to classify a
reported error as either: (i) a "Level 1 Severity" error, meaning an error that
causes the Licensed Software to fail to operate in a material manner or to
produce materially incorrect results and for which there is no workaround or
only a difficult workaround; or (ii) a "Level 2 Severity" error, meaning an
error that produces a situation in which the Licensed Software is usable but
does not function in the most convenient or expeditious manner, and the use or
value of the Licensed Software suffers no material impact. VeriSign will
acknowledge receipt of a conforming error report within two (2) business days
and (A) will use its continuing best efforts to provide a correction for any
Level 1 Severity error to Customer as early as practicable; and (B) will use its
reasonable efforts to include a correction for any Level 2 Severity error in the
next release of the VeriSign Software.
4.3.3 NEW RELEASES AND NEW VERSIONS. VeriSign will provide Customer
-----------------------------
information relating to New Releases and New Versions of the VeriSign Software
during the term of this Agreement. New Releases will be provided at no
additional charge. New Versions will be provided at VeriSign's standard upgrade
charges in effect at the time. Any New Releases or New Versions acquired by
Customer shall be governed by all of the terms and provisions of this Agreement.
4.4 LAPSED MAINTENANCE. In the event Customer has not purchased optional
------------------
maintenance with respect to any Licensed Software, Customer may obtain a license
of a New Release of such Licensed Software or any service which is provided as a
part of maintenance by paying the maintenance fees which would otherwise have
been due from the expiration of
maintenance provided pursuant to Section 4.1 to the date such New Release is
licensed or such service is provided.
5. MASTER COPY
-----------
As soon as practicable, but not later than five (5) business days after the
date of execution of this Agreement, VeriSign shall deliver to Customer one (1)
copy of each of the VeriSign Object Code, the VSE Source Code (if licensed
hereunder) and the User Manual in the manner designated on Exhibit "A".
6. ADDITIONAL OBLIGATIONS OF CUSTOMER
----------------------------------
6.1 CUSTOMER PRODUCT MARKETING. Customer is authorized to represent to
--------------------------
Second Tier CAs and Subscribers only such facts about the VeriSign Software as
VeriSign states in its published product descriptions, advertising and
promotional materials or as may be stated in other non-confidential written
material furnished by VeriSign.
6.2 CUSTOMER SUPPORT. Customer shall, at its expense, provide all support
----------------
for the Licensed Software, Customer Products to Second Tier CAs and Subscribers.
6.3 LICENSE AGREEMENTS. Customer shall cause to be delivered to each
------------------
Second Tier CA a license agreement which shall contain, at a minimum,
substantially all of the limitations of rights and the protections for VeriSign
which are contained in Sections 2.3, 6.4.2, 6.5, 7.2, 7.3, 9.8 and 9.9 of this
Agreement and shall prohibit Second Tier CAs pursuant to written agreements from
modifying, reverse engineering, decompiling or disassembling the VeriSign Object
Code or any part thereof, to the extent permitted by applicable law. Customer
shall use commercially reasonable efforts to ensure that all Second Tier CAs
abide by the terms of such agreements.
6.4 CONFIDENTIALITY; PROPRIETARY RIGHTS.
-----------------------------------
6.4.1 CONFIDENTIALITY. The parties acknowledge that in their
---------------
performance of their duties hereunder the parties will communicate to each other
(or its designees) certain confidential and proprietary information concerning
their respective businesses and products, and know-how, technology, techniques
or marketing plans related thereto (collectively, the "Know-How") all of which
are confidential and proprietary to, and trade secrets of that party. Each
party agrees to hold all the Know-How within its own organization and shall not,
without specific written consent of the other party or as expressly authorized
herein, utilize in any manner, publish, communicate or disclose any part of the
Know-How to third parties. This Section 6.4.1 shall impose no obligation on
either party with respect to any Know-How which: (i) is in the public domain at
the time disclosed by the party owning such Know-How; (ii) enters the public
domain after disclosure other than by breach of the receiving party's
obligations hereunder or by breach of another party's confidentiality
obligations; or (iii) is shown by documentary evidence to have been known by the
receiving party prior to its receipt from the disclosing party. Each party will
take such steps as are consistent with that party's protection of its own
confidential and proprietary information (but will in no event exercise less
than reasonable care) to ensure that the provisions of this Section 6.4.1 are
not violated by any third
party including each party's employees, agents, Customer's Second Tier CAs, or
any other person.
6.4.2 PROPRIETARY MARKINGS; COPYRIGHT NOTICES. Customer agrees not
---------------------------------------
to remove or destroy any proprietary, trademark or copyright markings or
notices placed upon or contained within the VeriSign Source Code, VeriSign
Object Code, User Manuals or any related materials or documentation. Customer
further agrees to insert and maintain: (i) within every Customer Product and
any related materials or documentation a copyright notice in the name of
Customer; and (ii) within the splash screens, user documentation, printed
product collateral, product packaging and advertisements for the Customer
Product, a statement that the Customer Product contains the VeriSign Software.
Customer shall not take any action which might adversely affect the validity of
VeriSign's proprietary, trademark or copyright markings or ownership by
VeriSign thereof, and shall cease to use the markings, or any similar markings,
in any manner on the expiration or other termination of the license rights
granted pursuant to Section 2.
6.4.3 SOURCE CODE. Customer acknowledges the extreme importance of
-----------
the confidentiality and trade secret status of the VSE Source Code and Customer
agrees, in addition to complying with the requirements of Sections 6.4.1 and
6.4.2 as they relate to the VSE Source Code, to: (i) inform any employee that is
granted access to all or any portion of the VSE Source Code of the importance of
preserving the confidentiality and trade secret status of the VSE Source Code;
and (ii) maintain a controlled, secure environment for the storage and use of
the VSE Source Code.
6.4.4 NO PUBLICATION. The placement of a copyright notice on any of
--------------
the VeriSign Software shall not constitute publication or otherwise impair the
confidential or trade secret nature of the VeriSign Software.
6.4.5 INJUNCTIVE RELIEF. Both parties acknowledge that the
-----------------
restrictions contained in this Section 6.4 are reasonable and necessary to
protect both parties' legitimate interests and that any violation of these
restrictions will cause irreparable damage to the other party within a short
period of time and each party agrees that the other party will be entitled to
injunctive relief against each violation.
6.5 FEDERAL GOVERNMENT SUBLICENSE. Any sublicense of a Customer Product
-----------------------------
acquired from Customer under a United States government contract shall be
subject to restrictions as set forth in subparagraph (c)(1)(ii) of Defense
Federal Acquisition Regulations Supplement (DFARS) Section 252.227-7013 for
Department of Defense contracts and as set forth in Federal Acquisition
Regulations (FARs) Section 52.227-19 for civilian agency contracts or any
successor regulations. Customer agrees that any such sublicense shall set forth
all of such restrictions and the tape or diskette label for the Customer Product
and any documentation delivered with the Customer Product shall contain a
restricted rights legend conforming to the requirements of the current,
applicable DFARS or FARs.
6.6 NOTICES. Each party shall immediately advise the other party of any
-------
legal notices served on that party which might affect the other party.
6.7 VERISIGN'S INDEMNITY. CUSTOMER EXPRESSLY INDEMNIFIES AND HOLDS
--------------------
HARMLESS VERISIGN, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL
LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO CUSTOMER'S SECOND TIER CAs OR
SUBSCRIBERS AND THIRD PARTIES WHICH MAY ARISE FROM ACTS OF CUSTOMER OR FROM THE
LICENSE OF CUSTOMER PRODUCTS BY CUSTOMER OR ANY DOCUMENTATION, SERVICES OR ANY
OTHER ITEM FURNISHED BY CUSTOMER TO ITS SECOND TIER CAs, OTHER THAN LIABILITY
ARISING FROM THE VERISIGN SOURCE CODE, THE VERISIGN OBJECT CODE OR THE USER
MANUALS (UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN THE ABSENCE OF
MODIFICATIONS TO ANY OF THE FOREGOING BY CUSTOMER OR ITS EMPLOYEES, AGENTS OR
CONTRACTORS) OR FROM THE ACTS OF VERISIGN; AND (ii) ANY LIABILITY ARISING IN
CONNECTION WITH AN UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT
MADE BY CUSTOMER OR ITS AGENTS OR EMPLOYEES TO ANY PARTY WITH RESPECT TO THE
VERISIGN SOFTWARE OR ANY CUSTOMER PRODUCTS.
6.8 CUSTOMER'S INDEMNITY. VERISIGN EXPRESSLY INDEMNIFIES AND HOLDS
--------------------
HARMLESS CUSTOMER, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL
LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO ANY THIRD PARTIES THAT MAY ARISE
FROM ACTS OF VERISIGN OR FROM USE OF VERISIGN SOURCE CODE, VERISIGN'S OBJECT
CODE OR VERISIGN'S USER MANUALS (UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN
THE ABSENCE OF MODIFICATIONS TO ANY OF THE FOREGOING BY CUSTOMER OR ITS
EMPLOYEES, AGENTS OR CONTRACTORS); AND (ii) ANY LIABILITY ARISING IN CONNECTION
WITH AN UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY
VERISIGN OR ITS AGENTS OR EMPLOYEES TO ANY PARTY WITH RESPECT TO CUSTOMER
PRODUCTS, OR ANY VERISIGN SOFTWARE.
7. LIMITED WARRANTY; DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY;
--------------------------------------------------------------------
INTELLECTUAL PROPERTY INDEMNITIES
---------------------------------
7.1 LIMITED WARRANTY. During the initial ninety (90)-day term of this
----------------
Agreement VeriSign warrants that the Licensed Software specified in this
Agreement will operate in material conformance to VeriSign's published
specifications for such Licensed Software. VeriSign does not warrant that the
VeriSign Software or any portion thereof is error-free. Customer's exclusive
remedy, and VeriSign's entire liability in tort, contract or otherwise, shall be
correction of any warranted nonconformity as provided in Section 4.3.2. This
limited warranty and any obligations of VeriSign under Section 4.1 shall not
apply to any Customer Modifications or any nonconformities caused thereby and
shall terminate immediately if Customer makes any modification to the VeriSign
Software other than Customer Modifications.
7.2 DISCLAIMER. EXCEPT FOR THE EXPRESS LIMITED WARRANTY PROVIDED IN
----------
SECTION 7.1, VERISIGN'S PRODUCTS AND SERVICES ARE PROVIDED "AS IS" WITHOUT ANY
WARRANTY WHATSOEVER. VERISIGN DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO ORAL OR WRITTEN
INFORMATION OR ADVICE GIVEN BY VERISIGN OR ITS EMPLOYEES OR REPRESENTATIVES
SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF VERISIGN'S
OBLIGATIONS.
7.3 LIMITATION OF LIABILITY. NEITHER PARTY WILL BE LIABLE TO THE OTHER
-----------------------
PARTY, TO A SUBSCRIBER OR TO ANY THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT,
SPECIAL, INCIDENTAL OR EXEMPLARY DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE
(INCLUDING, BUT NOT LIMITED TO, GOODWILL, PROFITS, INVESTMENTS, USE OF MONEY OR
USE OF FACILITIES; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF
OTHER WORK OR IMPAIRMENT OF OTHER ASSETS; OR LABOR CLAIMS, EVEN IF VERISIGN HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), ARISING OUT OF BREACH OF ANY
EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT, NEGLIGENCE, EXCEPT ONLY IN THE
CASE OF DEATH OR PERSONAL INJURY WHERE AND TO THE EXTENT THAT APPLICABLE LAW
REQUIRES SUCH LIABILITY. UNDER NO CIRCUMSTANCES SHALL EITHER PARTY'S LIABILITY
TO THE OTHER PARTY OR ANY SUBSCRIBER OR ANY THIRD PARTY ARISING OUT OF OR
RELATED TO THIS AGREEMENT, EXCLUDING LIABILITY FOR LICENSE FEES, MAINTENANCE
FEES OR UPGRADE FEES ACTUALLY OWED TO A PARTY, EXCEED $100,000 WITH RESPECT TO A
SINGLE OCCURRENCE OR $1,000,000 IN THE AGGREGATE REGARDLESS OF WHETHER ANY
ACTION OR CLAIM IS BASED ON WARRANTY, CONTRACT, TORT OR OTHERWISE. THE
LIMITATION SET FORTH IN THIS SECTION 7.3 SHALL NOT APPLY TO INDEMNITIES OR
RIGHTS GRANTED BY SECTION 7.4 OR 7.5.
7.4 PROPRIETARY RIGHTS INFRINGEMENT BY VERISIGN.
-------------------------------------------
7.4.1 OBLIGATION TO DEFEND. VeriSign, at its own expense, shall: (i)
--------------------
defend, or at its option settle, any claim, suit or proceeding against Customer
on the basis of infringement or misappropriation of any United States patent,
copyright, trade secret or any other intellectual property right by the Licensed
Software as delivered by VeriSign (excluding the Customer Modifications) or any
claim that VeriSign has no right to license the Licensed Software hereunder; and
(ii) pay any final judgment entered or settlement against Customer on such issue
in any such suit or proceeding defended by VeriSign. VeriSign shall have no
obligation to Customer pursuant to this Section 7.4.1 unless: (A) Customer gives
VeriSign prompt written notice of the claim; (B) VeriSign is given the right to
control and direct the investigation, preparation, defense and settlement of the
claim; and (C) the claim is based on Customer's use of the most recent version
or the immediately preceding version of the Licensed Software in accordance with
this Agreement.
7.4.2 VERISIGN OPTIONS. If VeriSign receives notice of an alleged
----------------
infringement, VeriSign shall have the right, at its sole option, to obtain the
right to continue use of the Licensed Software or to replace or modify the
Licensed Software so that it is no longer infringing. If neither of the
foregoing options is reasonably available to VeriSign, then the license rights
granted pursuant to Section 2 may be terminated at the option of either party
hereto without further obligation or liability except as provided in Sections
7.4.1 and 8.3 and in the event of such termination, VeriSign shall refund the
License Fees paid by Customer hereunder ("Refunded Fees") less depreciation for
use assuming straight line depreciation over a five (5)-year useful life.
Alternatively, if VeriSign is unable to obtain the necessary rights to permit
Customer to continue use of the Licensed Software, Customer may obtain a license
permitting its use of the Licensed Software. Customer may seek reimbursement for
any such fees up to the amount of Refunded Fees. If Customer obtains such a
license from a third party, then this Agreement shall continue with both
parties' rights and obligations unchanged.
7.4.3 EXCLUSIVE REMEDIES. THE RIGHTS AND REMEDIES SET FORTH IN
------------------
SECTIONS 7.4.1 AND 7.4.2 CONSTITUTE THE ENTIRE OBLIGATION OF VERISIGN AND THE
EXCLUSIVE REMEDIES OF CUSTOMER CONCERNING VERISIGN'S PROPRIETARY RIGHTS
INFRINGEMENT.
7.5 PROPRIETARY RIGHTS INFRINGEMENT BY CUSTOMER.
-------------------------------------------
7.5.1 OBLIGATION TO DEFEND. Subject to the limitations set forth
--------------------
below, Customer, at its own expense, shall: (i) defend, or at its option settle,
any claim, suit or proceeding against VeriSign on the basis of infringement or
misappropriation of any United States patent, copyright, trade secret or any
other intellectual property right by any Customer Product (excluding the
unmodified VeriSign Software) or the Customer Modifications; and (ii) pay any
final judgment entered or settlement against VeriSign on such issue in any such
suit or proceeding defended by Customer. Customer shall have no obligation to
VeriSign pursuant to this Section 7.5.1 unless: (A) VeriSign gives Customer
prompt written notice of the claim; and (B) Customer is given the right to
control and direct the investigation, preparation, defense and settlement of the
claim.
7.5.2 EXCLUSIVE REMEDIES. THE RIGHTS AND REMEDIES SET FORTH IN
------------------
SECTION 7.5.1 CONSTITUTE THE ENTIRE OBLIGATION OF CUSTOMER AND THE EXCLUSIVE
REMEDIES OF VERISIGN CONCERNING CUSTOMER'S PROPRIETARY RIGHTS INFRINGEMENT.
8. TERM AND TERMINATION
--------------------
8.1 TERM. The license rights granted pursuant to Section 2 shall be
----
effective as of the date hereof and shall continue in full force and effect for
each item of Licensed Software for the period set forth on Exhibit "A" unless
sooner terminated pursuant to the terms of this Agreement. Either party shall
be entitled to terminate all the license rights granted pursuant to this
Agreement at any time on written notice to the other in the event of a default
by the other party and a failure
to cure such default within a period of thirty (30) days following receipt of
written notice specifying that a default has occurred.
8.2 INSOLVENCY. Upon the institution of any proceedings by or against
----------
either party seeking relief, reorganization or arrangement under any laws
relating to insolvency, or upon any assignment for the benefit of creditors, or
upon the appointment of a receiver, liquidator or trustee of any of either
party's property or assets, or upon the liquidation, dissolution or winding up
of either party's business, then and in any such events all the license rights
granted pursuant to this Agreement may immediately be terminated by the other
party upon giving written notice.
8.3 DISPOSITION OF VERISIGN SOFTWARE AND USER MANUALS ON TERMINATION.
----------------------------------------------------------------
Upon the termination of this Agreement pursuant to a breach by Customer, the
remaining provisions of this Agreement shall remain in full force and effect,
and Customer shall cease making copies of, using or licensing the VeriSign
Software, User Manual and Customer Products, excepting only such copies of
Customer Products necessary to fill orders placed with Customer prior to such
expiration or termination. Customer shall destroy all copies of the VeriSign
Software, User Manual and Customer Products not subject to any then-effective
license agreement with a Second Tier CA and all information and documentation
provided by VeriSign to Customer (including all Know-How), other than such
copies of the VeriSign Object Code, the User Manual and the Customer Products as
are necessary to enable Customer to perform its continuing support obligations
in accordance with Section 6.2, if any, and except as provided in the next
following sentence. If Customer has licensed VeriSign Source Code hereunder,
for a period of one (1) year after the date of expiration or termination of the
license rights granted under this Agreement for any reason other than as a
result of default or breach by Customer, Customer may retain one (1) copy of the
VeriSign Source Code and is hereby licensed for such term to use such copy
solely for the purpose of supporting Second Tier CAs and Subscribers. Upon the
expiration of such one (1)-year period, Customer shall return such single copy
of the VeriSign Source Code to VeriSign or certify to VeriSign that the same has
been destroyed. In the event that this Agreement is terminated because of
VeriSign's breach, Customer's rights under Section 2 shall continue
indefinitely.
9. MISCELLANEOUS PROVISIONS
------------------------
9.1 GOVERNING LAWS. THE LAWS OF THE STATE OF CALIFORNIA, U.S.A.
--------------
(IRRESPECTIVE OF ITS CHOICE OF LAW PRINCIPLES) SHALL GOVERN THE VALIDITY OF THIS
AGREEMENT, THE CONSTRUCTION OF ITS TERMS, AND THE INTERPRETATION AND ENFORCEMENT
OF THE RIGHTS AND DUTIES OF THE PARTIES. THE PARTIES AGREE THAT THE UNITED
NATIONS CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALE OF GOODS SHALL NOT
APPLY TO THIS AGREEMENT. THE PARTIES AGREE THAT ANY SUIT TO ENFORCE ANY
PROVISION OF THIS AGREEMENT OR ARISING OUT OF OR BASED UPON THIS AGREEMENT OR
THE BUSINESS RELATIONSHIP BETWEEN THE PARTIES SHALL BE BROUGHT IN THE UNITED
STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA OR THE SUPERIOR OR
MUNICIPAL COURT IN AND FOR THE COUNTY OF SANTA CLARA, CALIFORNIA, U.S.A. Each
party agrees that such
courts shall have exclusive in personam jurisdiction and venue with respect to
such party, and each party submits to the exclusive in personam jurisdiction and
venue of such courts.
9.2 BINDING UPON SUCCESSORS AND ASSIGNS. Except as otherwise provided
-----------------------------------
herein, this Agreement shall be binding upon, and inure to the benefit of, the
successors, representatives, administrators and assigns of the parties hereto.
This Agreement shall not be assignable by either party, by operation of law or
otherwise, without the prior written consent of the other party, which shall not
be unreasonably withheld. Any such purported assignment or delegation without
the other party's written consent shall be void and of no effect.
9.3 SEVERABILITY. If any provision of this Agreement is found to be
------------
invalid or unenforceable, the remainder of this Agreement shall be interpreted
so as best to reasonably effect the intent of the parties hereto. IT IS
EXPRESSLY UNDERSTOOD AND AGREED THAT EACH AND EVERY PROVISION OF THIS AGREEMENT
WHICH PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES OR
EXCLUSION OF DAMAGES IS INTENDED BY THE PARTIES TO BE SEVERABLE AND INDEPENDENT
OF ANY OTHER PROVISION AND TO BE ENFORCED AS SUCH.
9.4 ENTIRE AGREEMENT. This Agreement and the exhibits and schedules
----------------
hereto constitute the entire understanding and agreement of the parties hereto
with respect to the subject matter hereof and supersede all prior and
contemporaneous agreements, representations and understandings between the
parties.
9.5 AMENDMENT AND WAIVERS. Any term or provision of this Agreement may be
---------------------
amended, and the observance of any term of this Agreement may be waived, only by
a writing signed by the party to be bound.
9.6 ATTORNEYS' FEES. The prevailing party in any action or proceeding to
---------------
enforce or interpret any part of this Agreement shall be entitled to recover its
reasonable attorneys' fees (including fees on any appeal).
9.7 NOTICES. Any notice, demand, or request with respect to this
-------
Agreement shall be in writing and shall be effective only if it is delivered by
hand or mailed, certified or registered mail, postage prepaid, return receipt
requested, addressed to the appropriate party at its address set forth on page
1. Such communications shall be effective when they are received by the
addressee; but if sent by certified or registered mail in the manner set forth
above, they shall be effective not later than ten (10) days after being
deposited in the mail. Any party may change its address for such communications
by giving notice to the other party in conformity with this Section.
9.8 FOREIGN RESHIPMENT LIABILITY. THIS AGREEMENT IS EXPRESSLY MADE
----------------------------
SUBJECT TO ANY LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS ON THE EXPORT
FROM THE UNITED STATES OF AMERICA OF THE VERISIGN SOFTWARE OR CUSTOMER PRODUCTS
OR OF INFORMATION ABOUT THE VERISIGN SOFTWARE OR CUSTOMER PRODUCTS WHICH MAY BE
IMPOSED FROM TIME TO TIME BY THE GOVERNMENT OF THE UNITED STATES OF AMERICA.
NOTWITHSTANDING ANYTHING CONTAINED IN THIS AGREEMENT TO THE CONTRARY, CUSTOMER
SHALL NOT EXPORT OR REEXPORT, DIRECTLY OR INDIRECTLY, ANY VERISIGN SOFTWARE OR
CUSTOMER PRODUCTS OR INFORMATION PERTAINING THERETO TO ANY COUNTRY FOR WHICH
SUCH GOVERNMENT OR ANY AGENCY THEREOF REQUIRES AN EXPORT LICENSE OR OTHER
GOVERNMENTAL APPROVAL AT THE TIME OF EXPORT OR REEXPORT WITHOUT FIRST OBTAINING
SUCH LICENSE OR APPROVAL.
9.9 TRADEMARKS. By reason of this Agreement or the performance hereof,
Customer shall acquire no rights of any kind in any VeriSign trademark, trade
name, logo or product designation under which the VeriSign Software was or is
marketed and Customer shall not make any use of the same for any reason except
as expressly authorized by this Agreement or otherwise authorized in writing by
VeriSign.
9.10 PUBLICITY. Neither party will disclose to third parties, other than
its agents and representatives on a need-to-know basis, the terms of this
Agreement or any exhibits hereto (including without limitation any
License/Product Schedule) without the prior written consent of the other party,
except (i) either party may disclose such terms to the extent required by law,
(ii) either party may disclose the existence of this Agreement; and (iii)
VeriSign shall have the right to disclose that Customer is a Customer of the
VeriSign Software and that any publicly-announced Customer Product incorporates
the VeriSign Software. Customer shall provide to VeriSign, solely for
VeriSign's display purposes, one (1) working copy of each Customer Product which
consists solely of computer software and one (1) working or non-working unit of
any hardware product in which is incorporated a Customer Product which consists
of an integrated circuit or other hardware.
9.11 REMEDIES NON-EXCLUSIVE. Except as otherwise expressly provided, any
remedy provided for in this Agreement is deemed cumulative with, and not
exclusive of, any other remedy provided for in this Agreement or otherwise
available at law or in equity. The exercise by a party of any remedy shall not
preclude the exercise by such party of any other remedy.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the date of
the last signature below, unless a different effective date is specified on the
first page of this Agreement.
CUSTOMER:
VISA INTERNATIONAL SERVICE ASSOCIATION
By: __________________________________________
Printed Name: ________________________________
Title: _______________________________________
Date: ________________________________________
EXHIBIT "K"
SERVICE LEVEL AGREEMENT*
Secure Electronic Commerce
Services (SEC)
Electronic Certification
Services (ECS)
Service Level Agreement
Review Copy
Visa International / VeriSign
- --------------------------------------------------------------------------------
Version 1.0
__________________________
* Confidential treatment has been requested with respect to certain portions of
this exhibit. Confidential portions have been omitted from the public filing
and have been separately filed with the Securities and Exchange Commission.
Page 2 Visa SEC Service
REVIEW COPY Electronic Certification Services (ECS)
April 17, 1996 Visa /VeriSign Service Level Agreement
- --------------------------------------------------------------------------------
April 1996
Visa SEC Service Page i
Electronic Certification Services (ECS) REVIEW COPY
Visa / VeriSign Service Level Agreement April 18, 1996
- --------------------------------------------------------------------------------
TABLE OF CONTENTS
I. OVERVIEW
II. ECS SYSTEM DESCRIPTION
1. Brand Certificate Authority
2. Cardholder Certificate Authority
3. Merchant Certificate Authority
4. Payment Gateway Certificate Authority
III. SCOPE
A. WITHIN SCOPE
B. OUTSIDE OF SCOPE
IV. ECS SERVICE LEVELS
A. SERVICE AVAILABILITY
1. Definition
2. Measurement
3. Minimum Service Level Requirement
B. RESPONSE TIME
1. Definition
2. Measurement
3. Minimum Service Level Requirement
C. THROUGHPUT
1. Definition
2. Measurement
3. Minimum Service Level Requirement
D. DATA MANAGEMENT
1. Definition
2. Measurement
3. Minimum Service Level Requirement
E. SYSTEM MONITORING AND OUTAGE REPORTING
1. Definition
2. Measurement
3. Minimum Service Level Requirement
F. SCHEDULED DOWN TIME
1. Definition
2. Measurement
3. Minimum Service Level Requirement
G. BACKUP
1. Definition
2. Measurement
3. Minimum Service Level Requirement
H. KEY COMPROMISE
1. Definition
2. Measurement
3. Minimum Service Level Requirement
I. CONTINGENCY OPERATIONS / RECOVERY
1. Definition
2. Measurement
3. Minimum Service Level Requirement
J. REPORTING
K. PENALTIES
1. Access to Service
2. On-line Certification Processing Service
3. Off-line Certification Processing Service
V. VERISIGN ECS CUSTOMER SUPPORT SERVICE LEVELS
A. AVAILABILITY
B. RESPONSE TIME
C. CUSTOMER SUPPORT CALLBACK TIMEFRAMES AND DEFINITIONS
I. OVERVIEW
This Service Level Agreement (SLA) between Visa International (Visa) and
VeriSign, Inc. (VeriSign) details the terms for the supply of services by
VeriSign to Visa for the operation of the Visa Electronic Certification
Services (ECS). It specifically addresses the service levels that will be
in effect for the ECS pilot as defined in the project plan. Service levels
for the test phases of ECS will be addressed separately.
This SLA is comprised of two components. The first addresses service levels
for ECS. The second addresses service levels for VeriSign ECS customer
support.
II. ECS SYSTEM DESCRIPTION
A logical depiction of the ECS system is presented below:
[DIAGRAM DEPICTING A "CERTIFICATE REQUESTER" CONNECTED TO A
CLOUD DEPICTING THE INTERNET, CONNECTED TO A USER INTERFACE
WHICH IS CONNECTED TO A PAYMENT GATEWAY CERTIFICATE AUTHORITY,
MERCHANT CERTIFICATE AUTHORITY AND A CARDHOLDER CERTIFICATE
AUTHORITY WHICH ARE THEN CONNECTED TO AN ACQUIRING BANK, VISA
AND AN ISSUING BANK.]
The logical components that are specifically addressed by this service level
agreement are described below:
1. BRAND CERTIFICATE AUTHORITY
The Brand CA issues SEC compliant digital certificates to Brand
members (Issuers and Acquirers or their processors) that wish to
participate in Visa's Secure Electronic Commerce (SEC) Service. The
Brand CA issues Issuer certificates for use in issuing certificates to
the Issuer's cardholders and Acquirer certificates for use in issuing
certificates to the Acquirer's merchants. In addition, the Brand CA
will issue certificates to Brand or Geo-political operated Payment
Gateway CAs for use in issuing certificates to Acquirer Payment
Gateways. The Brand CA will also issue certificates to Geo-political
CAs. The Brand CA issues three types of certificates for each of their
members: certificate signature certificates, key exchange certificates
and message signature certificates.
2. CARDHOLDER CERTIFICATE AUTHORITY
The Cardholder CA issues SEC compliant digital certificates to the
Issuer's cardholders that wish to participate in Visa's Secure
Electronic Commerce (SEC) Service. The Cardholder CA issues a
signature certificate to each cardholder.
3. MERCHANT CERTIFICATE AUTHORITY
The Merchant CA issues SEC compliant digital certificates to the
Acquirer's merchants that wish to participate in Visa's Secure
Electronic Commerce (SEC) Service. The Merchant CA issues two types of
certificates to each merchant: key exchange certificates and message
signature certificates.
4. PAYMENT GATEWAY CERTIFICATE AUTHORITY
The Payment Gateway CA issues SEC compliant digital certificates to
the Payment Gateways that wish to participate in Visa's Secure
Electronic Commerce (SEC) Service. The Payment Gateway CA issues two
types of certificates to each Payment Gateway: key exchange
certificates and message signature certificates.
III. SCOPE
VeriSign will be developing and operating a Certificate Authority on behalf
of Visa.
A. WITHIN SCOPE
The following components of ECS are addressed within the scope of this
service level agreement:
. Brand Certificate Authority (BCA)
. Payment Gateway Certificate Authority (PCA)
. Cardholder Certificate Authority (CCA)
. Merchant Certificate Authority (MCA)
B. OUTSIDE OF SCOPE
The following components of ECS are not addressed within the scope of this
service level agreement:
. Visa Access Point (VAP)
. VisaNet components (systems and network)
. Issuer components
. Acquirer components
. Geo-political Certificate Authority
IV. ECS SERVICE LEVELS
For the purpose of this SLA, ECS is considered to have two major
operational components:
1. Access to Service
This is the ability to receive a certificate transaction from a
requesting entity (e.g., cardholder, merchant, payment gateway),
provide an appropriate signed response to the requester, and either
forward the certificate transaction to the appropriate CA for
immediate processing or queue it for subsequent processing (if the CA
is not available at that time).
2. Certification Processing Service
This is the ability to fully process the certificate transaction
(e.g., certificate request, certificate query, certificate response)
and return an appropriate signed response to the requester.
A. SERVICE AVAILABILITY
1. Definition
Access to Service
Access to ECS must be available, seven (7) days a week, twenty-four (24) hours a
day, 365 days a year.
On-line Certification Processing Service
All of the 'on-line' certificate authorities (CCA, MCA and PCA) must be
available for processing certificate transactions and performing administrative
functions such as regenerating keys seven (7) days a week, twenty-four (24)
hours a day, 365 days a year with the exception of scheduled down time.
Off-line Certification Processing Service
Initially, the brand certificate operations require manual procedures, are
performed off-line and require the presence of authorized Visa and VeriSign
personnel. The Brand certificate authority must be available during the normal
hours of operation, as well as after hours by prior arrangement.
Normal hours of operation for the Brand CA are 0600 - 1800 PT. Visa will
normally provide VeriSign with a twenty-four (24) hour advance notice of any
required Brand CA operation.
In the event of extreme conditions, such as disaster recovery or key compromise,
Visa may require Brand CA operations outside of the normal operating periods.
Under such circumstances, Visa shall provide VeriSign with a two (2) hour
advance notice of the required Brand CA operations. Therefore, the Brand CA must
be available for issuing Cardholder CA, Merchant CA, Payment Gateway CA and Geo-
political CA certificates and performing administrative functions such as
generating keys seven (7) days a week, twenty-four (24) hours a day, 365 days a
year with the exception of scheduled downtime.
2. Measurement
Access to Service
The measurement for service availability is the amount of time that the
certificate processing service is capable of receiving and responding to
incoming certificate transactions in an appropriate manner, even if it is not
capable of certification processing. Nonavailability is the amount of time that
the requesting entity cannot access the service at all.
Certification Processing Service
The measurement for service availability is the amount of time that the CA is
capable of receiving, processing and responding to incoming certificate
transactions from the requesting entity (e.g., merchant, acquirer, issuer,
cardholder, payment gateway). Nonavailability is the amount of time that
the CA is not capable of receiving, processing and responding to incoming
certificate transactions from the requesting entity (e.g., merchant, acquirer,
issuer, cardholder, payment gateway).
3. Minimum Service Level Requirement
Access to Service
Access to Service availability must be *.
Certification Processing Service
The Brand CA must be available to process * of the certificate requests and
perform administrative functions such as generating keys.
All other CAs must be available to process certificate transactions and perform
administrative functions such as generating keys * of the time. Specifically,
for the on-line CAs (i.e., CCA, MCA, PCA), the total unscheduled downtime per
month must not exceed *; no single CA type can exceed * unscheduled downtime per
month; no single unscheduled outage of any CA can exceed *.
B. Response Time
1. Definition
Access to Service
The requesting entity must be able to submit a transaction and receive an
appropriate signed response within *.
On-line Certification Processing Service
On-line CAs must respond to all certificate transactions within one
(1) minute.
Off-line Certification Processing Service
There are two components of response time for the Brand CA.
1. The amount of time that it takes VeriSign to respond to a Visa request for
Brand CA operations
VeriSign must respond to a Visa request for Brand CA operations within *
during normal operating hours. Under extreme conditions, VeriSign must respond
to a Visa request for Brand CA operations within *.
2. The amount of time that the actual Brand CA operation requires
All Brand CA operations must be processed and validated within hour(s) of the
start of the operation. The specification timeframe will be determined at a
later date.
2. Measurement
Access to Service
The measurement for response time is based upon the time elapsed from when a
certificate transaction reaches VeriSign's Internet access point until the
corresponding response message leaves VeriSign's Internet access point.
On-line Certification Processing Service
The measurement for response time is based upon the time elapsed from when a
certificate transaction reaches VeriSign's Internet access point until the
corresponding response message leaves VeriSign's Internet access point.
Off-line Certification Processing Service
The measurement for response to requests for Brand CA operations is based upon
the time elapsed from when Visa contacts VeriSign to inform them of the intent
to perform a Brand CA operation until VeriSign confirms their availability to
perform a Brand CA operation.
The measurement for performing Brand CA operations is based upon the time
elapsed from when the operation starts until it is completed and verified.
3. Minimum Service Level Requirement
Access To Service
Access to Service response times must be met * of the time.
Certification Processing Service
For the on-line CAs, * of the certificate transactions must be responded to
within the required time.
For the Brand CA, * of the requests for Brand CA operations must be responded to
within the required time and * of the Brand CA operations must be performed
within the required time.
C. Throughput
1. Definition
Access to Service
The facilities that are providing Access to Service must be capable of meeting
the response time criteria identified above while supporting the following peak
certificate transaction per hour loads:
1996 1997 1998 1999
All certificate transactions
(peak per hour). *
On-line Certification Processing Service
On-line CAs must be capable of meeting the response time criteria identified
above while supporting the following peak certificate transaction per hour
loads:
a) Cardholder Certificate Authority
1996 1997 1998 1999
Cardholder certificate
transactions (peak per hour) *
b) Merchant Certificate Authority
1996 1997 1998 1999
Merchant certificate
transactions (peak per hour) *
c) Payment Gateway Certificate Authority
1996 1997 1998 1999
Payment gateway certificate
transactions (peak per hour) *
Off-line Certification Processing
Throughput is not a factor for the Brand CA because all operations will be
performed sequentially and are dependent upon manual processes.
2. Measurement
The measurement for throughput is based upon the actual volumes of certificate
transactions that are processed by the various ECS system components while
meeting response time criteria.
3. Minimum Service Level Requirement
Throughput requirements must be met * of the time.
D. Data Management
1. Definition
ECS data, which includes system logs, transaction history,
certificate registration data and certificates, must be available to support
various legal, billing and customer service requirements. The on-line access,
archive retention and retrieval requirements for the ECS data will vary by data
type as described below:
Registration data and certificates
This data will be kept on-line for 90 days prior to being archived. Archived
data will be maintained for seven (7) years and must be retrievable, on-line and
/ or on hard copy, within six (6) hours of request.
System logs and transaction history
This data will be kept on-line for 90 days prior to being archived. Archived
data will be maintained for one year and must be retrievable, either on-line and
/ or on hard copy, within twenty-four (24) hours of request.
2. Measurement
The measurement for data management is based upon the data being available,
either on-line or retrieved from archive, within the periods specified above.
3. Minimum Service Level Requirement
The data management requirements must be met * of the time.
E. System Monitoring and Outage Reporting
1. Definition
Monitoring
The key storage units for all of the CAs must be checked for tampering on a
daily basis. The applications and/or systems for the Access to Service
facilities and Certification Processing Service must be monitored continually
and a status check taken every 30 minutes.
Outage Reporting
All ECS hardware and/or software faults shall be logged, tracked and reported
using a suitable computer-based system and provided to Visa within two (2) hours
of occurrence.
All ECS system hardware, network, and software failures, their impact on ECS
operations and any actions taken to correct the problem, including an event log
shall be reported to Visa according to the schedule listed in Section V.C -
Customer Callback Timeframes and Definitions. In addition, Visa shall be
notified within one hour of any major failure that affects the normal operation
of ECS.
2. Measurement
The status checks must be recorded on a status log and signed by
the VeriSign system operator. This status log must be available for review by
Visa at any time.
Problem / event logs and system logs will record outages and causes (if known).
These also must be made available to Visa for review at any time.
3. Minimum Service Level Requirement
Compliance with the monitoring, logging and reporting requirements must be *.
F. Scheduled Down Time
1. Definition
Access to Service
There is no scheduled down time for the Access to Service facility.
Certification Processing Service
There will be a scheduled down time period weekly to perform maintenance, backup
and upgrade functions for the CAs. This period will not exceed * and will be at
the same time each week as agreed to by Visa and VeriSign. If a longer down time
window is needed, it must be agreed to in advance by Visa and VeriSign.
2. Measurement
The measurement for scheduled down time for any CA is based on the time elapsed
from when the CA is not capable of performing operations until it becomes
available for performing operations. During this down time period, certificate
transactions intended for the CA must be accepted, an appropriate signed
response message returned to the requester, and the transaction queued for
processing when the CA becomes available again for performing operations. Daily
system logs will indicate system down time and the cause (if known) and can be
used to track outages.
3. Minimum Service Level Requirement
* of the down times must be within the required period. In addition, the
access to the service (i.e., the receipt of certificate transactions, return of
appropriate signed response, queuing of transaction for subsequent processing)
must be available * of the time.
G. Backup
1. Definition
At a minimum, all data related to the CAs, including application files and
databases, system tables, log files, etc., will be backed up on a scheduled,
daily basis. In addition, the CA application and all system components will be
backed up on a weekly basis. All backups must be done non-disruptively without
adversely impacting normal ECS operations. The backup files must be stored in a
secure off-site facility as agreed upon by VeriSign and Visa.
2. Measurement
Daily system logs will indicate time and location of backup files, backup media
identification and any other relevant information needed for recovery of backup
files.
3. Minimum Service level Requirement
The backup requirements must be met * of the time.
H. KEY COMPROMISE
1. Definition
On-line Certification Processing Service
In the event of a key compromise, an on-line CA must be able to revoke
certificates generated with the compromised key or keys, generate new keys,
request a new certificate from the appropriate CA, regenerate subordinate
certificates with the new keys, and have these certificates available for
distribution within twenty-four (24) hours of the time that the compromise is
identified for merchants, payment gateways, MCAs, CCAs, GCAs and PCAs. The
timeframe for cardholders will be y hours for certificates. In addition, the new
public key must be published as specified by Visa.
Off-line Certificate Processing Service
In the event of a key compromise, the Brand CA must be able to revoke
certificates generated with the compromised key or keys, generate new keys and
have a new certificate(s) request ready to submit to the Root CA within two
hours of the time that the compromise is identified. In addition, the new public
key must be published as specified by Visa.
2. Measurement
The measurement of recovery from key compromise is the elapsed period of time
between the point at which the key compromise is identified and the point in
time at which the regenerated certificates are available for distribution (on-
line CAs) or a new certificate(s) request is ready for submission to the Root CA
(Brand CA).
3. Minimum Service Level Requirement
The key compromise recovery time frames must be met * of the time.
I. CONTINGENCY OPERATIONS / RECOVERY
1. Definition
Access to Service
In the event of a failure of the Access to Service facilities, a switch must
immediately occur to a backup set of facilities. At no time should a requesting
entity not be able to submit a certificate transaction and receive an
appropriate signed response.
Certification Processing Service
If any single component of the Certification Processing Service (e.g., CA)
fails, the component shall be recovered to the point of failure within six (6)
hours. In the interim period before normal operations have been restored, Access
to Service must be available with certificate transactions accepted and queued
for future processing and an appropriate signed response returned to the
requesting entity. If at the end of six hours the failed component has not been
recovered, operations for that component will be performed at the backup site
until such time as the component at the primary site has recovered.
In the event of a total Certification Processing Service failure, a switch to a
backup facility must occur. Within twenty-four (24) hours, normal operations
should begin at the alternate site with recovery to the point of failure for all
systems and files. In the interim period before normal operations have begun at
the alternate site, Access to Service must be available to receive certificate
transactions, queue the transactions for future processing and provide an
appropriate signed response to the requesting entity. When the primary site has
recovered, upon agreement by Visa and VeriSign, operation of the Certification
Processing Service will be switched back to the primary site with no loss of
data.
2. Measurement
The measurement for recovery of an ECS system component or a total system outage
will be the length of time between the point that the outage occurs and the point
that a full recovery to normal operations has been completed.
The ability to satisfy the recovery and / or contingency operations requirements
will be demonstrated through periodic scheduled tests.
3. Minimum Service Level Requirement
The recovery and contingency operations requirements must be met * of the
time.
J. REPORTING
VeriSign shall provide Visa with reporting on a scheduled basis. This will
include both service level and activity reporting and may be either on hard copy
or electronic (i.e., report or data files) form as agreed to by Visa and
VeriSign.
K. PENALTIES
All service levels are calculated, and penalties assessed, on a monthly basis.
1. Access to Service
Availability
Service Level: * availability, 24 hours per day, 7 days per week, 365 days
per year
Penalty:
* $5,000
$10,000
$15,000
Below $5,000 per percent
Considered to be grounds for termination of contract
Response Time
Service Level: 100% of certificate transactions received, responded to
(appropriate signed response) within *.
Penalty:
* $500
$1,000
$1,500
$2,000
$2,500
Below $500 per percent
Considered to be grounds for termination of contract
2. On-line Certification Processing Service
Availability
Service Level: * availability, 24 hours per day, 7 days per week, 365 days
per year with exception of scheduled downtime.
Penalty:
* $5,000 per CA
$10,000 per CA
$15,000 per CA
Below $5,000 per percent per CA
Considered to be grounds for termination of contract
Response Time
Service Level: * of certificate transactions received, responded to
(appropriate signed response) within *.
Penalty:
* $500 per CA
$1,000 per CA
$1,500 per CA
$2,000 per CA
$2,500 per CA
Below $500 per percent per CA
Considered to be grounds for termination of contract
3. Off-line Certification Processing Service
Availability
Service Level: * availability during normal operating hours and upon request
with proper notification.
Penalty: $10,000 per occurrence of non-availability.
Response Time
Service Level: * of requests for Brand CA operations must be responded to
within * during normal operating hours. Under extreme conditions,
VeriSign must respond to a Visa request for Brand CA operations within *.
* of Brand CA operations must be processed and validated within * of the start
of the operation.
V. VERISIGN ECS CUSTOMER SUPPORT SERVICE LEVELS
VeriSign will provide support to Visa as described in the customer support
requirements section of the contract. The VeriSign interface for customer
support will be limited to designated individuals within Visa.
A. Availability
VeriSign Customer Service must be available to accept and respond to problem
calls from Visa seven (7) days a week, twenty-four (24) hours a day.
B. Response Time
Normal Hours of Operation
Between 0600 and 1800 PT, VeriSign Customer Support should respond
immediately (i.e., answer the telephone within three rings).
Outside of Normal Hours of Operation
Between 1800 and 0600 PT, VeriSign Customer Support should respond within
fifteen (15) minutes.
C. Customer Support Callback Timeframes and Definitions
VeriSign Customer Support will, at a minimum, initiate a return telephone call
to Visa to establish if the problem has been corrected based on the following
call reporting criteria:
Problem Severity   Definition                                Callback Frequency
1                  Entire population of a CA impacted        30 minutes
2                  Multiple Member CAs impacted              60 minutes
3                  Single Member CA impacted                 90 minutes
4                  Single cardholder or merchant impacted    120 minutes
In every case, if the problem has not been corrected within the callback
frequency, VeriSign Customer Support will monitor the problem to determine if
any corrective work has begun. If it has, then VeriSign Customer Support will
continue to monitor the situation and provide
EXHIBIT "L"
SUPPORT LEVELS
1. Second-Level Support for Members
VeriSign will provide second level telephone support for any problem
concerning a Certificate issued to a Member on a twenty-four (24) hour per day,
seven (7) day per week basis. In the event that a Member problem is not
resolved by the first level good-faith efforts of VISA Member Support, VeriSign
will provide second level telephone support for a reasonable volume of calls
from VISA Member Support. Upon VISA Member Support's providing VeriSign with a
clear description of the unresolved problem, VeriSign will verify the problem's
existence and determine the conditions under which the problem may recur. After
such verification and determination, VeriSign will, at its option,
1.1 use its best efforts to provide an immediate fix for the problem;
1.2 use its best efforts to provide a temporary solution of or workaround
to the problem;
1.3 provide a statement that the problem will be corrected in a future
release;
1.4 provide a statement that more information about the problem is
required (however, after sufficient information, in VeriSign's
opinion, is provided to VeriSign, VeriSign will provide to Customer
one of the other four support alternatives contained in this Section
1); or
1.5 provide a statement that the Private Label Certificate System operates
as described in VeriSign's then current user documentation or that the
problem arises when such Private Label Certificate System is used
other than in a manner for which it was designed.
In the case of such second-level support, VeriSign will not contact a
Member directly for more information about the problem unless VISA Member
Support so requests.
2. THIRD-LEVEL SUPPORT FOR CARDHOLDERS AND MERCHANTS
In the event that a Cardholder or Merchant problem has not been resolved by
the good-faith efforts of the relevant Member at the first level or by VISA at
the second level, VeriSign will provide telephone support for a reasonable
volume of calls to VISA as the third level. Upon VISA's providing VeriSign with
a clear description of the unresolved problem, VeriSign will verify the
problem's existence and determine the conditions under which the problem may
recur. After such verification and determination, VeriSign will, at its option,
2.1 use its best efforts to provide an immediate fix for the problem;
2.2 use its best efforts to provide a temporary solution of or workaround
to the problem;
2.3 provide a statement that the problem will be corrected in a future
release;
2.4 provide a statement that more information about the problem is
required (however, after sufficient information, in VeriSign's
opinion, is provided to VeriSign, VeriSign will provide to Customer
one of the other four support alternatives contained in this Section
2); or
2.5 provide a statement that the Private Label Certificate System operates
as described in VeriSign's then current user documentation or that the
problem arises when such Private Label Certificate System is used
other than in a manner for which it was designed.
In the case of third level support provided for Cardholder and Merchant
problems, VeriSign will not contact the Member directly for more information
about the problem unless VISA so requests, and VeriSign will not contact the
Merchant or Cardholder directly under any circumstances.
The following chart summarizes telephone support provided in this Section:
Type of Certificate   Entity Supported                 First level           Second level   Third level
-------------------   ------------------------------   -------------------   ------------   -----------
Member                Issuers, Acquirers, Processors   VISA Member Support   VeriSign       N/A
Cardholder            Cardholders                      Member                VISA           VeriSign
Merchant              Merchants                        Member                VISA           VeriSign
3. TIMES TELEPHONE SUPPORT IS PROVIDED
VeriSign will accept and log all second level support requests received
from Customer on a twenty-four (24) hour per day, seven (7) day per week basis,
including national holidays. VeriSign will provide regular telephone support
for both second level and third level on Monday through Friday 8:00 a.m. to
5:00 p.m., local time, and will provide critical corrective support after hours
(outside the hours of 8:00 a.m. to 5:00 p.m., local time) and on national
holidays. A problem is considered critical when the Private Label Certificate
System will not operate or the Customer cannot perform its business function due
to a Private Label Certificate System problem.
4. CUSTOMER RESPONSIBILITIES FOR TELEPHONE SUPPORT
Customer will (i) identify, document and report to VeriSign each problem
with the Private Label Certificate System necessitating telephone support, (ii)
supply VeriSign with all documentation and assistance necessary to demonstrate
and allow VeriSign to diagnose the problem, and (iii) install each solution to
such problem provided by VeriSign. If Customer requests corrective changes to
the Private Label Certificate System and VeriSign determines that the reported
malfunction is not related to the Private Label Certificate System, VeriSign may
charge Customer for its diagnostic services on a time and materials basis.
Customer will assure the proper use, management and supervision of any
application programs, audit controls, operating methods and office procedures
necessary for the intended use of the Private Label Certificate System.
Customer will provide the first-level support to Members through VISA
Member Support as provided in Section 1 above. Customer will provide
second-level support to Cardholders and Merchants through VISA as provided in
Section 2 above.
EXHIBIT "M"
TIMETABLE FOR RESOLUTION OF OUTSTANDING ISSUES
Open Issues                                                       Date for Resolution
-----------                                                       -------------------
1. Logo Usage Guide to be attached to Agreement as Exhibit "C"    June 30, 1996
2. Add description of level of telephone support for Payment
   Gateway to Exhibit "L"                                         June 30, 1996
3. VISA Requirements for ECS (Exhibit "F") to be finalized as
   to issues indicated as open therein                            June 30, 1996
4. System Design Specifications to be attached to Agreement as
   Exhibit "E" after approval by VISA                             In accordance with
                                                                  Project Plan
5. Acceptance Test Procedures to be attached to Agreement as
   Exhibit "G" upon approval by VISA                              In accordance with
                                                                  Project Plan
6. Service Level Specification to be reevaluated for possible
   modification after Acceptance Test Procedures have been
   approved.                                                      In accordance with
                                                                  Project Plan
Exhibit 10.24
[Confidential Treatment Requested]
PLA Number: ______________________
Date of Agreement: _______________
VERISIGN PRIVATE LABEL AGREEMENT
Customer: VISA International Service Association, a Delaware corporation
Customer Address: 900 Metro Center Boulevard, Foster City California 94404 or
P.O. Box 8999, San Francisco, California 94128-8999
Customer Contact: Irv Wentzien, Vice President
Effective Date: October 3, 1996
Term of Agreement: One year
Exhibits Attached: Exhibit "A": Definitions
Exhibit "B": Fees
Exhibit "C": Logo Usage Guide
Exhibit "D": Project Plan Elements
Exhibit "E": System Design Specifications
Exhibit "F": Customer Requirements
Exhibit "G": Acceptance Test Procedures
Exhibit "H": Reserved
Exhibit "I": Escrow Agreement
Exhibit "J": License Agreement
Exhibit "K": Service Level Specification
Exhibit "L": Support Levels
THIS VERISIGN PRIVATE LABEL AGREEMENT ("AGREEMENT"), effective as of the
Effective Date set forth above, is entered into by and between VeriSign, Inc., a
Delaware corporation, having its principal place of business at 2593 Coast
Avenue, Mountain View, California 94043 ("VERISIGN"), and the party identified
above ("CUSTOMER"), having a principal address as set forth above.
R E C I T A L
VeriSign provides Certificate-issuing and certain other services to members
of both public and private hierarchies. Customer wishes VeriSign to design,
build and operate a Private Label Certificate System based on Customer's Root
Key for the use by Customer to provide certificate registration, issuing and
management functions in connection with the Visa Cash stored value card and the
Chip Card Payment System, all on the terms and subject to the conditions set
forth in this Agreement.
NOW, THEREFORE, the parties hereto agree as follows:
A G R E E M E N T
2. VERISIGN SERVICES TO CUSTOMER
-----------------------------
2.1 DEVELOPMENT OF PRIVATE LABEL CERTIFICATE SYSTEM. VeriSign will design
and develop a Private Label Certificate System based on Customer's Root Keys, a
Protocol specified by Customer and specifications agreed upon by VeriSign and
Customer in accordance with Section 4.1 below. The Private Label Certificate
System will include provision of services described in Exhibit B hereto.
2.2 OWNERSHIP AND LICENSE OF PRIVATE LABEL CERTIFICATE SYSTEM. VeriSign
will acquire and assemble the components of the Private Label Certificate
System, consisting of hardware, software and telecommunications equipment. All
right, title and interest to the Private Label Certificate System shall belong
solely and exclusively to VeriSign, and Customer shall have no right, title or
ownership interest therein. VeriSign shall have the right to obtain and hold in
its name copyrights, registrations, patents and any similar protection which may
be available for the Private Label Certificate System or components thereof and
any derivative works thereof. In the event that any technology included in the
Private Label Certificate System as delivered to Customer by VeriSign is
hereafter covered by a claim of a patent issued to or assigned to VeriSign,
VeriSign shall grant to Customer a nonexclusive, worldwide, royalty-free license
under the relevant claim(s) to the extent necessary for Customer to use the
Private Label Certificate System as provided in this Agreement.
Commencing September 1, 1997, Customer on ninety (90) days' prior written
notice shall have the right to license the Private Label Certificate System
pursuant to a license agreement substantially in the form of Exhibit "J". To
the extent portions of the Private Label Certificate System are not owned by
VeriSign, VeriSign will arrange to obtain the right to use such items by
Customer or arrange for Customer to obtain the right to purchase or otherwise
license such items.
All right, title and interest to the Private Hierarchy Root Keys and
associated Private Keys shall belong solely and exclusively to Customer, and
VeriSign shall have no right, title or ownership interest therein. VeriSign
shall use Customer's Private Hierarchy Root Keys and associated Private Keys in
operating the Private Label Certificate System on Customer's behalf. VeriSign
agrees to provide Customer with all assistance necessary to recover and recreate
any Private Hierarchy Private Key; such assistance may include assigning to
Customer the right and ability to request such recovery from BBN.
2.3 ASSISTANCE IN DEFINING PROTOCOL. VeriSign will assist Customer in
defining a workable Protocol for secure management and handling of Certificates
in Customer's Private Hierarchy. VeriSign will provide Customer with a copy of
VeriSign's Certification Practice Statement which governs Certificate operations
in the VeriSign Public Hierarchies and details management and handling of
Certificates under a policy-based delegation of operating authority. VeriSign
will also recommend a set of operating and security practices and procedures to
mitigate risks associated with Private Key compromise and Root Key distribution
and to protect Customer's confidential authorization information.
2.4 MAINTENANCE OF PRIVATE LABEL CERTIFICATE SYSTEM AT VERISIGN SITE.
VeriSign will provide a high-security facility on VeriSign's premises in
Mountain View, California for operation of the Certificate server(s) and for
storage of Certificate Signing Units containing Customer's Private Keys when not
in use in a secure vault. VeriSign shall be responsible for maintaining the
security on its premises and shall be liable for any damages that arise out of a
breach of its security. VeriSign may move the Private Label Certificate System
to another location under VeriSign's control which provides a comparable level
of security, and VeriSign shall provide notice to Customer in advance of such
relocation. VeriSign shall establish a secure backup site at a mutually
agreeable location that ensures continued operation in the event of a technical
failure, natural disaster or any other event that disables the Mountain View (or
relocated) facility.
2.5 CERTIFICATE MANAGEMENT SERVICES. VeriSign will provide to Customer
the following services for Certificate management and operations:
2.5.1 SCOPE OF SERVICES. In accordance with Customer's specified
Protocol, VeriSign will provide the following services with respect to the
Certificate server(s): maintain adequate Certificate-issuing capacity to meet
Customer's reasonable forecast requirements.
2.5.2 ENROLLMENT AND RENEWAL SERVICES. Using an enrollment process
based on securely delivered certificate requests, VeriSign will issue
Certificates under Customer's name and containing Customer's Root Keys to
Subscribers in Customer's Private Hierarchy in accordance with the Protocol.
VeriSign will process renewals of Certificates in accordance with the Protocol.
Within ten (10) days after the end of each month, VeriSign will provide Customer
with a monthly report on the number of Certificates issued.
2.6 CUSTOMER SUPPORT. During the term of this Agreement, VeriSign will
supply maintenance for the Private Label Certificate System as described in this
Section 2.6 without additional charge to Customer.
2.6.1 TELEPHONE SUPPORT. VeriSign will provide telephone support as
is reasonably necessary for Customer to meet the performance criteria for the
Private Label Certificate System as provided in Exhibit "K." VeriSign will also
provide telephone support for a reasonable volume of calls to Customer-related
entities as provided in Exhibit "L." VeriSign shall provide the support
specified in this Section 2.6.1 to Customer's employees responsible for
developing and maintaining Customer Products. VeriSign will provide the names
of employees who will serve as primary points of contact for technical support
for Customer. VeriSign may change the names of designated employees at any time
by providing written notice to Customer. On VeriSign's request, Customer will
provide a list with the names of the employees designated to receive support
from VeriSign. Customer may change the names on the list at any time by
providing written notice to VeriSign.
2.6.2 ESCALATION PROCEDURES. Customer and VeriSign shall agree upon
a procedure for resolution of operating problems in the Private Label
Certificate System which provides for escalation of effort based on the problem
severity.
2.6.3 REIMBURSEMENT FOR CORRECTION OF CUSTOMER ERRORS. In the event
VeriSign is required to take actions to correct an error which is caused by
Customer errors, modifications, enhancements, software or hardware, then
VeriSign may charge Customer for the correction or repair on a time-and-
materials basis at VeriSign's rates then in effect, plus reimbursement for
reasonable travel to and from Customer's sites and out-of-pocket expenses, as
may be necessary in connection with duties performed under this Section 2.6 by
VeriSign.
2.6.4 SYSTEM RELEASES. In the event operating problems in the
Private Label Certificate System are not resolved by the escalation procedures,
Customer and VeriSign agree to evaluate the desirability of changing to a later
available release version of Private Label Certificate System and other
applications employed by VeriSign in provision of the Private Label Certificate
System. A change to release level in the Private Label Certificate System will
also be evaluated at the time new releases are tested.
2.7 ESCROW AGREEMENT. VeriSign will place in escrow pursuant to the
Escrow Agreement set forth at Exhibit "I" all information necessary to build,
support, maintain and operate the Private Label Certificate System. This
information will be released to Customer upon occurrence of the events specified
in such Escrow Agreement.
2.8 CUSTOMER MARKETING RIGHTS. VeriSign acknowledges and understands that
Customer will be marketing Certificates and Certificate services using the
Private Label Certificate Service being produced by VeriSign to Customer
hereunder. All pricing of Certificates to Customer Members under the
Certificate Authority Service marketed by Customer shall be determined by
Customer, independent of any obligation to support and operate the Private Label
Certificate Service by VeriSign hereunder. Customer shall charge its Members
directly for use of the Private Label Certificate System.
2.9 CUSTOMER PERSONNEL. Customer may, at its own cost, upon reasonable
notice and for the purpose of problem resolution, provide personnel to monitor
or participate in the operation of the Private Label Certificate Service and
provision of Customer service pursuant to Section 2.6. VeriSign agrees to
cooperate with Customer
personnel to permit them to assist in establishing appropriate levels of
Customer service and participate in problem verification and determination.
2.10 FINANCIAL DATA. In the event Customer ceases to have access to
financial information concerning VeriSign pursuant to its rights under that
certain Investors' Rights Agreement dated February 20, 1996, or pursuant to
filings made in accordance with the Securities Exchange Act of 1934, VeriSign
shall make available to Customer on a quarterly basis, an unaudited balance
sheet and statement of operations. Such information shall be kept confidential
by Customer in accordance with Section 6.
3. CUSTOMER OBLIGATIONS TO VERISIGN
--------------------------------
3.1 PROTOCOL. In addition to specifying functionality as incorporated in
the Customer Requirements for the product(s) or service(s) specified on Exhibit
"B" hereto and the System Design Specifications, Customer will specify a
Protocol, consisting of policies, procedures and resources to control the entire
Certificate process for its Private Hierarchy and the transactional use of
Certificates within the Private Hierarchy. The Protocol is not required to be
consistent with the requirements of VeriSign's Certification Practice Statement
for operation of VeriSign Public Hierarchies.
3.2 VERIFICATION OF SUBSCRIBER INFORMATION. Customer will provide
VeriSign with verification of enrollment information submitted by a Subscriber
who wishes to become a member of Customer's Private Hierarchy prior to
VeriSign's issuance of a Certificate to such Subscriber. Customer will provide
VeriSign with verification of a Subscriber's identity to the extent required by
the Protocol.
3.3 FORECAST. Customer agrees to provide VeriSign on a confidential basis
at the end of each calendar quarter with an updated forecast of the volume of
Certificates it expects to be required for Customer's Private Hierarchy for the
next six (6) months. The forecasts shall be by product line and based upon good
faith estimates and assumptions believed by Customer to be reasonable at the
time made.
3.4 CUSTOMER PERSONNEL. To the extent Customer personnel are provided or
take action pursuant to Sections 2.9 or 4.2, such personnel shall be provided
solely at Customer's cost, and, upon request, Customer shall provide evidence of
satisfaction of all state and federal employment laws and worker compensation
requirements in connection with such personnel. Such personnel shall execute
confidentiality agreements as VeriSign shall reasonably request, and shall agree
to abide by all reasonable VeriSign visitor regulations. Customer understands
that VeriSign operates a secure facility and that there are portions of such
facility that Customer's personnel will not be permitted to enter. In the event
that VeriSign determines that any of Customer's personnel has breached a
VeriSign visitor regulation, Customer shall immediately cause such person to be
removed from VeriSign's facility, and may provide a replacement.
4. DEVELOPMENT
-----------
4.1 DEVELOPMENT OF PROJECT PLAN. Attached as Exhibit "D" is the Project
Plan that specifies the major phases of the development of the Customer's
Private Label Certificate System, the major tasks to be completed, the
deliverables to be produced and their scheduled completion dates.
4.1.1 DEVELOPMENT OF INTERFACE SPECIFICATIONS. In accordance with
the Project Plan, Customer will create Interface Specifications for software
interface of the Private Label Certificate System to Customer's Subscriber
enrollment and authorization information and deliver the Interface
Specifications to VeriSign for review and approval. VeriSign shall deliver
written acceptance or rejection of the Interface Specifications within fourteen
(14) days. VeriSign shall promptly notify Customer of any deficiencies in the
Interface Specifications. Such notification shall be in writing and shall
contain sufficient detail to allow Customer to resolve such deficiencies. If
VeriSign fails to respond within the fourteen (14) days, Customer may submit
written notice of such failure. If VeriSign does not respond with written notice
of deficiencies as described above within two (2) days of receipt of such notice
then such failure to respond shall be deemed an acceptance by
VeriSign. Customer shall respond to deficiencies identified by VeriSign by
either making modifications or refuting VeriSign's arguments regarding the
deficiency. Any modification to the Interface Specifications shall be
resubmitted to VeriSign for review and approval in accordance with the
procedures outlined in this Section 4.1.1.
4.1.2 DEVELOPMENT OF PROTOCOL. In accordance with the Project Plan,
Customer will create the Protocol and deliver it to VeriSign for review and
approval. VeriSign shall deliver written acceptance or rejection of the
Protocol within fourteen (14) days. VeriSign shall promptly notify Customer of
any deficiencies in the Protocol. Such notification shall be in writing and
shall contain sufficient detail to allow Customer to resolve such deficiencies.
If VeriSign fails to respond within the fourteen (14) days, Customer may submit
written notice of such failure. If VeriSign does not respond with written
notice of deficiencies as described above within two (2) days of receipt of such
notice then such failure to respond shall be deemed an acceptance by VeriSign.
Customer shall respond to deficiencies identified by VeriSign by either making
modifications or refuting VeriSign's arguments regarding the deficiency. Any
modification to the Protocol shall be resubmitted to VeriSign for review and
approval in accordance with the procedures outlined in this Section 4.1.2.
4.1.3 DEVELOPMENT OF SYSTEM DESIGN SPECIFICATIONS. In accordance
with the Project Plan, VeriSign will create System Design Specifications for the
Private Label Certificate System and deliver the System Design Specifications to
Customer to determine material conformity to Exhibit "F" and the Protocol and
for Customer acceptance. Customer shall deliver written acceptance or rejection
of the System Design Specifications within fourteen (14) days. Customer shall
promptly notify VeriSign of any deficiencies in the System Design
Specifications. Such notification shall be in writing and shall contain
sufficient detail to allow VeriSign to resolve such deficiencies. If Customer
fails to respond within the fourteen (14) days, VeriSign may submit written
notice of such failure. If Customer does not respond with written notice of
deficiencies as described above within two (2) days of receipt of such notice
then such failure to respond shall be deemed an acceptance by Customer.
VeriSign shall respond to deficiencies identified by Customer by either making
modifications or refuting Customer's arguments regarding the deficiency. Any
modification to the System Design Specifications shall be resubmitted to
Customer for review and approval in accordance with the procedures outlined in
this Section 4.1.3.
4.1.4 DEVELOPMENT OF ACCEPTANCE TEST PROCEDURES. In accordance with
the Project Plan, Customer shall create the Acceptance Test Procedures and
deliver them to VeriSign for review and approval. VeriSign shall deliver
written acceptance or rejection of the Acceptance Test Procedures within
fourteen (14) days. VeriSign shall promptly notify Customer of any deficiencies
in the Acceptance Test Procedures. Such notification shall be in writing and
shall contain sufficient detail to allow Customer to resolve such deficiencies.
If VeriSign fails to respond within the fourteen (14) days, Customer may submit
written notice of such failure. If VeriSign does not respond with written
notice of deficiencies as described above within two (2) days of receipt of such
notice then such failure to respond shall be deemed an acceptance by VeriSign.
Customer shall respond to deficiencies identified by VeriSign by either making
modifications or refuting VeriSign's arguments regarding the deficiency. Any
modification to the Acceptance Test Procedures shall be resubmitted to VeriSign
for review and approval in accordance with the procedures outlined in this
Section 4.1.4.
4.1.5 DEVELOPMENT OF PRIVATE LABEL CERTIFICATE SYSTEM. In accordance
with the Project Plan, VeriSign will develop the Private Label Certificate
System in material conformity to the Interface Specifications and the System
Design Specifications. Development of the Private Label Certificate System will
take place at VeriSign's facility located in Mountain View, California or such
other place as VeriSign shall reasonably select. VeriSign will deliver notice
to Customer that the Private Label Certificate System is in material conformity
to the Interface Specifications and the System Design Specifications and ready
for acceptance testing on or before the date set forth in the Project Plan.
4.1.6 DEVELOPMENT OF SERVICE LEVEL SPECIFICATION. Customer and
VeriSign have specified in Exhibit "K" hereto a preliminary set of performance
criteria against which to measure the adequacy of the Private
Label Certificate System, which is acceptance at the Effective Date of this
Agreement. Customer and VeriSign recognize that after completion of the major
phases of development of the Private Label Certificate System some modification
of the Service Level Specification may be desirable. After the Acceptance Test
Procedures have been
approved by VeriSign, Customer and VeriSign shall cooperate in evaluating
whether the Service Level Specification should be amended by Change Order in
accordance with Section 4.1.8 and shall negotiate in good faith with respect to
this Exhibit K.
4.1.7 ACCEPTANCE. Acceptance testing of the Private Label
Certificate System in accordance with the Acceptance Test Procedures shall take
place at VeriSign's facility located in Mountain View, California, or such other
place as VeriSign shall reasonably select, using test data supplied by Customer
and supplemented and approved by VeriSign, and shall establish material
conformity of the Private Label Certificate System with the Interface
Specifications and the System Design Specifications. VeriSign shall be
entitled, but not obligated, to have a representative present at all such tests.
Customer shall promptly notify VeriSign of any failure of the Private Label
Certificate System discovered in testing, and any retesting required will be
performed after redelivery of a modified version of the Private Label
Certificate System to Customer by VeriSign. Customer shall deliver written
acceptance of the Private Label Certificate System after establishment of
material conformance to the Interface Specifications and the System Design
Specifications and material satisfaction of the Acceptance Test Procedures
within fourteen (14) days of the completion of the testing. Such notification
acceptance shall be in writing. If Customer fails to respond within the
fourteen (14) days, VeriSign may submit written notice of such failure. If
Customer does not respond with written notice of acceptance as described above
within two (2) days of receipt of such notice then such failure to respond shall
be deemed an acceptance by Customer.
4.1.8 CHANGE ORDERS. Any amendment to a Program Document after its
acceptance shall only be effected by a change order ("CHANGE ORDER") approved as
follows:
4.1.8.1 CUSTOMER INITIATED. Customer may initiate a Change
Order by delivering to VeriSign a writing signed by Customer's Program Manager
requesting VeriSign to prepare a proposed Change Order. Such writing shall
specify the requested change and cross-reference to Sections of the Program
Documents that are proposed to be amended.
4.1.8.2 VERISIGN INITIATED. VeriSign may initiate a Change
Order by delivering to Customer a proposed Change Order meeting the requirements
of Section 4.1.8.3.
4.1.8.3 PREPARATION. Upon receipt of a written request as set
forth above in this Section 4.1.8, VeriSign shall, on or before fifteen (15)
days after receipt of such request, prepare for Customer's review a proposed
Change Order. Such proposed Change Order shall contain:
(i) a detailed description of the proposed
amendments to the Program Documents;
(ii) the change, if any, to scheduled delivery of any
item;
(iii) change in amounts due VeriSign under Exhibit "B"
as a result of such Change Order. It is the expectation of the parties that
enhancements over and above the work initially specified in the Program
Documents, which both parties deem necessary to permit reasonable implementation
of the Private Label Certificate System, will be jointly funded in a spirit of
cooperation between VeriSign and Customer. Those changes specifically requested
by Customer, which are out of the scope of the original Program Documents, will
be provided by VeriSign at its then-current time and materials rates.
4.1.8.4 EVALUATION. Customer shall evaluate, and respond to
VeriSign with respect to, any Change Order on or before the fifteenth (15th)
business day after receipt.
4.1.8.5 APPROVAL. Change Orders shall become effective and
shall act as amendments to this Agreement and to portions of the Program
Documents specified in such Change Orders only upon their execution by an
officer or the Program Manager of VeriSign and by an officer or the Program
Manager of Customer.
4.1.8.6 TECHNICAL SERVICES. In the event that a Change Order alters
the scope of the project as originally defined, VeriSign will provide the
following technical services to Customer at VeriSign's then standard rates:
4.1.8.6.1 Engineering assistance in developing interfaces for
Certificate services to Customer's proprietary databases containing
authorization and enrollment information regarding Subscribers.
4.1.8.6.2 Training of up to two (2) days for Customer's
employee responsible for training other employees in customer technical support,
marketing, and sales. Training shall occur at VeriSign's facility in Mountain
View, California, or at such other location as the parties may agree.
4.2 PROJECT AUDITS. Customer shall have the right to perform a project
audit to ensure adherence by VeriSign to this Agreement subject to limitations
set forth below. Customer shall give reasonable prior notice to VeriSign of its
desire to audit VeriSign's performance under this Agreement. Customer shall
have the right to review VeriSign's progress on development of the Private Label
Certificate System and after implementation of such system, Customer shall have
the right to audit operational performance and execution of VeriSign in
connection with the Private Label Certificate System. VeriSign agrees to
cooperate with Customer personnel to permit them to assure themselves that
VeriSign is performing its obligations in a reasonable manner under this
Agreement. Such Customer personnel shall be subject to the requirements of
Sections 3.4 and 6 of this Agreement. Customer shall perform such audits only
at reasonable intervals.
5. FEES AND PENALTIES
------------------
5.1 DEVELOPMENT FEES. As consideration for the development of a Private
Label Certificate System for Customer, provision of the hardware and software
components of the system, and assistance in developing a Protocol for operation
of the Private Label Certificate System as set forth in Sections 2.1, 2.2 and
2.3 above, Customer shall pay to VeriSign the amount set forth as Development
Fees on Exhibit "B" according to the terms contained therein.
5.2 OPERATION FEES. As consideration for operation of the Private Label
Certificate System as set forth in Sections 2.4, 2.5, 2.6 and 2.7 above Customer
shall pay to VeriSign the amount set forth as Operation Fees on Exhibit "B"
according to the terms contained therein.
5.3 SUBSCRIBER FEES. Customer will pay to VeriSign as Subscriber Fees
amounts for each Subscriber initially enrolled or renewed in Customer's Private
Hierarchy through Customer the prices set forth on Exhibit "B".
5.4 TERMS OF PAYMENT. Subscriber Fees shall accrue upon issuance.
VeriSign will furnish Customer with a monthly invoice accompanied by the report
required by Section 2.5.2 above of the number and type of Certificates requested
and the number and type of Certificates issued and renewed during the prior
month. Customer will pay Subscriber Fees as set forth in Exhibit "B" for the
period therein. Subscriber Fees due VeriSign hereunder shall be paid by
Customer to VeriSign's address set forth on Page 1 above on or before the
thirtieth (30th) day after the invoice date. A late payment penalty on any
undisputed Subscriber Fees not paid when due shall be assessed at the rate of
one percent (1%) per thirty (30) days, beginning on the thirty-first (31st) day
after the day the unpaid Subscriber Fees are due.
5.5 TAXES. All taxes, duties, fees and other governmental charges of any
kind (including sales and use taxes, but excluding taxes based on the gross
revenues or net income of VeriSign) which are imposed by or under the authority
of any government or any political subdivision thereof on the Development Fees
or Operation Fees, Subscriber Fees or any aspect of this Agreement shall be
borne by Customer and shall not be considered a part of, a deduction from or an
offset against such fees.
VeriSign Private Label Agreement
Page 8
5.6 DEGRADATION PENALTY. After thirty (30) days prior notice of failure
to meet the minimum service standard set forth in Exhibit "K" Service Level
Specifications, Customer shall be entitled to degradation penalties as defined
in Exhibit "K".
6. CONFIDENTIALITY
---------------
6.1 CONFIDENTIALITY. The parties acknowledge that in their performance of
their duties hereunder either party may communicate to the other (or its
designees) certain confidential and proprietary information concerning the
Customer Products, VeriSign products, the know-how, technology, techniques or
marketing plans related thereto (collectively, the "Proprietary Information")
all of which are confidential and proprietary to, and trade secrets of, the
disclosing party. Each party agrees to hold all Proprietary Information within
its own organization and shall not, without specific written consent of the
other party or as expressly authorized herein, utilize in any manner, publish,
communicate or disclose any part of the Proprietary Information to third
parties. This Section 6.1 shall impose no obligation on either party with
respect to any Proprietary Information which: (i) is in the public domain at the
time disclosed by the disclosing party; (ii) enters the public domain after
disclosure other than by breach of the receiving party's obligations hereunder
or by breach of another party's confidentiality obligations; or (iii) is shown
by documentary evidence to have been known by the receiving party prior to its
receipt from the disclosing party. Each party will take such steps as are
consistent with its protection of its own confidential and proprietary
information (but will in no event exercise less than reasonable care) to ensure
that the provisions of this Section 6.1 are not violated by its end user
customers, distributors, employees, agents or any other person.
6.2 INJUNCTIVE RELIEF. Both parties acknowledge that the restrictions
contained in this Section 6 are reasonable and necessary to protect their
legitimate interests and that any violation of these restrictions will cause
irreparable damage to the other party within a short period of time, and each
party agrees that the other party will be entitled to injunctive relief against
each violation.
7. OBLIGATIONS OF CUSTOMER
-----------------------
7.1 PROPRIETARY MARKINGS; COPYRIGHT NOTICES. The Customer agrees not to
remove or destroy any proprietary, trademark or copyright markings or notices
placed upon or contained within any VeriSign materials or documentation. The
Customer further agrees to insert and maintain: (i) within every Customer
Product and any related materials or documentation a copyright notice in the
name of VeriSign; and (ii) within the splash screens, user documentation,
printed product collateral, product packaging and advertisements for the
Customer Product, a statement that the Customer Product contains the VeriSign
technology. The Customer shall not take any action which might adversely affect
the validity of VeriSign's proprietary, trademark or copyright markings or
ownership by VeriSign thereof, and shall cease to use the markings, or any
similar markings, in any manner on the expiration of this Agreement. The
placement of a copyright notice on any of the VeriSign materials or
documentation shall not constitute publication or otherwise impair the
confidential or trade secret nature of the VeriSign materials or documentation.
7.2 VERISIGN'S INDEMNITY. CUSTOMER EXPRESSLY INDEMNIFIES AND HOLDS
HARMLESS VERISIGN, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL
LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO SUBSCRIBERS IN CUSTOMER'S PRIVATE
HIERARCHY AND TO THIRD PARTIES WHICH MAY ARISE FROM ACTS OF CUSTOMER OR FROM THE
USE OF CERTIFICATES IN CUSTOMER'S PRIVATE HIERARCHY, USE OF ANY CUSTOMER
PRODUCT, OR ANY DOCUMENTATION, SERVICES OR ANY OTHER ITEM FURNISHED BY THE
CUSTOMER TO SUBSCRIBERS IN CUSTOMER'S PRIVATE HIERARCHY, OTHER THAN LIABILITY
ARISING FROM THE VERISIGN PRODUCTS AND VERISIGN DOCUMENTATION (UNLESS SUCH
LIABILITY WOULD NOT HAVE ARISEN IN THE ABSENCE OF MODIFICATIONS TO ANY OF THE
FOREGOING BY THE CUSTOMER OR ITS EMPLOYEES, AGENTS OR CONTRACTORS) OR FROM THE
ACTS OF VERISIGN; AND (ii) ANY LIABILITY ARISING IN CONNECTION WITH AN
UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY THE
CUSTOMER OR ITS AGENTS, EMPLOYEES
OR DISTRIBUTORS TO ANY PARTY WITH RESPECT TO THE VERISIGN PRODUCTS OR VERISIGN
DOCUMENTATION.
7.3 CUSTOMER'S INDEMNITY. VERISIGN EXPRESSLY INDEMNIFIES AND HOLDS
HARMLESS CUSTOMER, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL
LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO ANY THIRD PARTIES THAT MAY ARISE
FROM ACTS OF VERISIGN OR FROM USE OF VERISIGN SOURCE CODE, VERISIGN'S OBJECT
CODE OR VERISIGN'S USER MANUALS (UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN
THE ABSENCE OF MODIFICATIONS TO ANY OF THE FOREGOING BY CUSTOMER OR ITS
EMPLOYEES, AGENTS OR CONTRACTORS); AND (ii) ANY LIABILITY ARISING IN CONNECTION
WITH AN UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY
VERISIGN OR ITS AGENTS OR EMPLOYEES TO ANY PARTY WITH RESPECT TO CUSTOMER
PRODUCTS, OR ANY VERISIGN SOFTWARE.
7.4 NOTICES. The Customer shall immediately advise VeriSign of any legal
notices served on the Customer which might affect VeriSign.
8. LIMITED WARRANTY; DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY;
--------------------------------------------------------------------
INDEMNITIES
-----------
8.1 LIMITED WARRANTY. During the term of this Agreement, VeriSign
warrants that
8.1.1 to VeriSign's knowledge, Customer's Private Keys have not been
compromised so long as VeriSign has not provided notice to
Customer to the contrary,
8.1.2 VeriSign has used best efforts to maintain the security at its
facilities and to maintain the security of any of Customer's
private keys in its possession or control,
8.1.3 VeriSign has substantially complied with the Protocol in
issuing a Certificate to a Subscriber in Customer's Private
Hierarchy,
8.1.4 VeriSign has substantially complied with the Protocol in
renewing, revoking or suspending a Certificate, and
8.1.5 the Private Label Certificate System materially conforms to the
Interface Specifications and the System Design Specifications.
8.2 DISCLAIMER. EXCEPT FOR THE EXPRESS LIMITED WARRANTY PROVIDED IN
SECTION 8.1, VERISIGN'S PRODUCTS AND SERVICES ARE PROVIDED "AS IS" WITHOUT ANY
WARRANTY WHATSOEVER. VERISIGN DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO ORAL OR WRITTEN
INFORMATION OR ADVICE GIVEN BY VERISIGN OR ITS EMPLOYEES OR REPRESENTATIVES
SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF VERISIGN'S
OBLIGATIONS.
CUSTOMER IS RESPONSIBLE FOR THE SECURITY, COMMUNICATION OR USE OF ITS
PRIVATE KEY, EXCEPT TO THE EXTENT SUCH PRIVATE KEY IS IN THE CUSTODY OR CONTROL
OF VERISIGN, VERISIGN SHALL NOT BE RESPONSIBLE FOR THE THEFT OR ANY OTHER FORM
OF COMPROMISE OF CUSTOMER'S PRIVATE KEY, WHICH MAY OR MAY NOT BE DETECTED EXCEPT
WHEN SUCH PRIVATE KEY IS IN THE CUSTODY OR CONTROL OF VERISIGN. VERISIGN SHALL
NOT BE LIABLE FOR ANY USE OF A KEY STOLEN OR COMPROMISED WHILE IN CUSTOMER'S
CUSTODY OR CONTROL UNLESS CUSTOMER HAS PROVIDED NOTICE TO VERISIGN IN ACCORDANCE
WITH THE PROTOCOL, AND VERISIGN HAS FAILED SUBSTANTIALLY TO COMPLY WITH THE
PROTOCOL
OR UNLESS CUSTOMER CAN ESTABLISH THAT SUCH THEFT OR KEY COMPROMISE OCCURRED
WHILE THE SOLE COPY OF THE KEY WAS IN THE CUSTODY OR CONTROL OF VERISIGN OR
WHILE THE KEY WAS IN THE CUSTODY OR CONTROL OF VERISIGN AND THAT THE COPY OF THE
KEY IN VERISIGN'S CUSTODY OR CONTROL WAS STOLEN OR COMPROMISED.
EACH SUBSCRIBER IS RESPONSIBLE FOR THE SECURITY, COMMUNICATION OR USE OF
HIS, HER OR ITS PRIVATE KEY. VERISIGN SHALL NOT BE RESPONSIBLE FOR THE THEFT OR
ANY OTHER FORM OF COMPROMISE OF ANY SUBSCRIBER'S PRIVATE KEY, WHICH MAY OR MAY
NOT BE DETECTED. VERISIGN SHALL NOT BE LIABLE FOR ANY USE OF A STOLEN OR
COMPROMISED KEY TO FORGE A SUBSCRIBER'S DIGITAL SIGNATURE TO A DOCUMENT UNLESS
THE SUBSCRIBER OR CUSTOMER HAS PROVIDED NOTICE TO VERISIGN IN ACCORDANCE WITH
THE PROTOCOL AND VERISIGN HAS FAILED TO COMPLY WITH THE PROTOCOL.
8.3 LIMITATION OF LIABILITY. NEITHER PARTY WILL BE LIABLE TO THE OTHER
PARTY, TO A SUBSCRIBER OR TO ANY THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT,
SPECIAL, INCIDENTAL OR EXEMPLARY DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE
(INCLUDING, BUT NOT LIMITED TO, GOODWILL, PROFITS, INVESTMENTS, USE OF MONEY OR
USE OF FACILITIES; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF
OTHER WORK OR IMPAIRMENT OF OTHER ASSETS; OR LABOR CLAIMS, EVEN IF VERISIGN HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), ARISING OUT OF BREACH OF ANY
EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT, NEGLIGENCE, EXCEPT ONLY IN THE
CASE OF DEATH OR PERSONAL INJURY WHERE AND TO THE EXTENT THAT APPLICABLE LAW
REQUIRES SUCH LIABILITY. UNDER NO CIRCUMSTANCES SHALL EITHER PARTY'S LIABILITY
TO THE OTHER PARTY OR ANY SUBSCRIBER OR ANY THIRD PARTY ARISING OUT OF OR
RELATED TO THIS AGREEMENT, EXCLUDING LIABILITY FOR MONEY ACTUALLY OWED TO A
PARTY AS ROYALTY FEES, DEVELOPMENT FEES, OPERATION FEES, OR SUBSCRIBER FEES,
EXCEED $100,000.00 IN THE AGGREGATE REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS
BASED ON WARRANTY, CONTRACT, TORT OR OTHERWISE. THE LIMITATION SET FORTH IN
THIS SECTION 8.3 SHALL NOT APPLY TO INDEMNITIES OR RIGHTS GRANTED BY SECTION 8.5
OR 8.6.
8.4 INDEMNITIES. Subject to the limitations set forth below and the
limitations in Section 8.3, VeriSign, at its own expense, shall (i) defend, or
at its option settle, any claim, suit or proceeding against Customer on the
basis of VeriSign's breach of any limited warranty in this Agreement in
connection with use of a Certificate in Customer's Private Hierarchy; and (ii)
pay any final judgment entered or settlement against company on such issue in
any such suit or proceedings defended by VeriSign. VeriSign shall have no
obligation to Customer pursuant to this Section 8.4 unless (a) Customer gives
VeriSign prompt written notice of the claim; (b) VeriSign is given the right to
control and direct the investigation, preparation, defense and settlement of the
claim; and (c) Customer has complied with the Protocol.
8.5 PROPRIETARY RIGHTS INFRINGEMENT BY VERISIGN.
8.5.1 Subject to the limitations set forth in this Section 8.5,
VeriSign, at its own expense, shall: (i) defend, or at its option settle, any
claim, suit or proceeding against Customer on the basis of infringement of any
United States copyright, patent, trade secret or any other intellectual property
right ("Proprietary Rights") by the unmodified Private Label Certificate System
as delivered by VeriSign or any claim that VeriSign has no right to provide the
Private Label Certificate System hereunder; and (ii) pay any final judgment
entered or settlement against Customer on such issue in any such suit or
proceeding defended by VeriSign. VeriSign shall have no obligation to Customer
pursuant to this Section 8.5.1 unless: (A) Customer gives VeriSign prompt
written notice of the claim; (B) VeriSign is given the right to control and
direct the investigation, preparation, defense and settlement of the claim; and
(C) the claim is based on Customer's use of the most recent version of the
Relatively Unmodified Private Label Certificate System in accordance with this
Agreement. A Relatively Unmodified Private Label Certificate System shall mean a
wholly unmodified Private Label Certificate System or a Private Label
Certificate System that has been modified but such modifications are not
relevant to the claim.
8.5.2 If VeriSign receives notice of an alleged infringement
described in Section 8.5.1, VeriSign shall have the right, at its sole option,
to obtain the right to continue use of the Private Label Certificate System or
to replace or modify the Private Label Certificate System so that it is no
longer infringing. If neither of the foregoing options is reasonably available
to VeriSign, then use of the Private Label Certificate System may be terminated
at the option of VeriSign without further obligation or liability except as
provided in Sections 8.5.1 and 9.3 and in the event of such termination,
VeriSign shall refund the Development Fees paid by Customer hereunder less
depreciation for use assuming straight line depreciation over a five (5)-year
useful life.
8.5.3 THE RIGHTS AND REMEDIES SET FORTH IN SECTIONS 8.5.1 AND 8.5.2
CONSTITUTE THE ENTIRE OBLIGATION OF VERISIGN AND THE EXCLUSIVE REMEDIES OF
CUSTOMER CONCERNING PROPRIETARY RIGHTS INFRINGEMENT BY THE VERISIGN SOFTWARE.
8.6 PROPRIETARY RIGHTS INFRINGEMENT BY CUSTOMER.
8.6.1 Subject to the limitations set forth in this Section 8.6,
Customer, at its own expense, shall: (i) defend, or at its option settle, any
claim, suit or proceeding against VeriSign on the basis of infringement of any
Proprietary Right by the Customer Product (except to the extent arising from a
Relatively Unmodified Private Label Certificate System); and (ii) pay any final
judgment entered or settlement against VeriSign on such issue in any such suit
or proceeding defended by Customer. Customer shall have no obligation to
VeriSign pursuant to this Section 8.6.1 unless: (A) VeriSign gives Customer
prompt written notice of the claim; and (B) Customer is given the right to
control and direct the investigation, preparation, defense and settlement of the
claim.
8.6.2 If Customer receives notice of an alleged infringement
described in Section 8.6.1, Customer shall have the right, at its sole option,
to obtain the right to continued use of the Private Label Certificate System or
the Customer Product or to replace or modify the Private Label Certificate
System or the Customer Product so that they are no longer infringing. If
neither of the foregoing options in this Section 8.6.2 is reasonably available
to Customer, then use of the Private Label Certificate System or the Customer
Product may be terminated at the option of Customer without further obligation
or liability except as provided in Sections 8.6.1 and 9.3, and in the event of
such termination, VeriSign shall retain all Development Fees, Operation Fees and
Subscriber Fees paid by Customer hereunder.
8.6.3 THE RIGHTS AND REMEDIES SET FORTH IN SECTIONS 8.6.1 AND 8.6.2
CONSTITUTE THE ENTIRE OBLIGATION OF CUSTOMER AND THE EXCLUSIVE REMEDIES OF
VERISIGN CONCERNING CUSTOMER'S PROPRIETARY RIGHTS INFRINGEMENT.
9. TERM AND TERMINATION
--------------------
9.1 TERMINATION. This Agreement shall terminate on the earliest of:
9.1.1 The end of the term set forth on the first page hereof;
9.1.2 Failure by either party to perform any of its material
obligations under this Agreement and the Exhibits hereto if such breach is not
cured within sixty (60) days after receipt of written notice thereof from the
other party;
9.1.3 Notice from VeriSign to the Customer after the occurrence of a
purported assignment of this Agreement in violation of Section 10.2; or
9.1.4 Notice from either party to the other if the other party is
adjudged insolvent or bankrupt, or the institution of any proceedings by or
against the other party seeking relief, reorganization or arrangement under
any laws relating to insolvency, or any assignment for the benefit of creditors,
or the appointment of a receiver, liquidator or trustee of any of the other
party's property or assets, or the liquidation, dissolution or winding up of the
other party's business.
9.1.5 Customer shall have the right to terminate this Agreement upon
sixty (60) days notice if the Customer support obligations provided by VeriSign
pursuant to Section 2.6 are consistently not provided, or if agreement cannot be
reached on the cost of service at the time of any annual review.
9.1.6 Upon Customer's execution of the License Agreement set forth at
Exhibit "J".
9.2 EXTENSION OF TERM. This Agreement may be renewed by the written
consent of the Customer for an additional term upon expiration of the term
provided in Section 9.1.1, under VeriSign's then-current standard terms and
conditions. Subscriber Fees and Operation Fees shall be renegotiated annually
during any extended term.
9.3 EFFECT OF TERMINATION. Upon expiration or termination of this
Agreement for any reason except for VeriSign's breach pursuant to Section 9.1.2
or if VeriSign fulfills any of the conditions stated in Section 9.1.4, all use
of the Private Label Certificate System by Customer shall cease, and Customer
shall pay to VeriSign any Subscriber Fees which have accrued in accordance with
Section 5.4 unless the termination occurred pursuant to Section 9.1.2 because of
breach by VeriSign. Such expiration or termination shall not affect Sections 6,
7, 8, and 10 of this Agreement which shall continue in full force and effect to
the extent necessary to permit the complete fulfillment thereof.
10. MISCELLANEOUS PROVISIONS
------------------------
10.1 GOVERNING LAWS; VENUE; WAIVER OF JURY TRIAL. THE LAWS OF THE STATE
OF CALIFORNIA, U.S.A. (IRRESPECTIVE OF ITS CHOICE OF LAW PRINCIPLES) SHALL
GOVERN THE VALIDITY OF THIS AGREEMENT, THE CONSTRUCTION OF ITS TERMS, AND THE
INTERPRETATION AND ENFORCEMENT OF THE RIGHTS AND DUTIES OF THE PARTIES HERETO.
THE PARTIES AGREE THAT THE UNITED NATIONS CONVENTION ON CONTRACTS FOR THE
INTERNATIONAL SALE OF GOODS SHALL NOT APPLY TO THIS AGREEMENT. THE PARTIES
HEREBY AGREE THAT ANY SUIT TO ENFORCE ANY PROVISION OF THIS AGREEMENT OR ARISING
OUT OF OR BASED UPON THIS AGREEMENT OR THE BUSINESS RELATIONSHIP BETWEEN THE
PARTIES HERETO SHALL BE BROUGHT IN THE UNITED STATES DISTRICT COURT FOR THE
NORTHERN DISTRICT OF CALIFORNIA OR THE SUPERIOR OR MUNICIPAL COURT IN AND FOR
THE COUNTY OF SANTA CLARA, CALIFORNIA, U.S.A. Each party hereby agrees that
such courts shall have exclusive in personam jurisdiction and venue with respect
to such party, and each party hereby submits to the exclusive in personam
jurisdiction and venue of such courts. The parties hereby waive any right to
jury trial with respect to any action brought in connection with this Agreement.
10.2 BINDING UPON SUCCESSORS AND ASSIGNS. Except as otherwise provided
herein, this Agreement shall be binding upon, and inure to the benefit of, the
successors, executors, heirs, representatives, administrators and assigns of the
parties hereto. This Agreement shall not be assignable by either party, by
operation of law (including as a result of a merger involving a party or a
transfer of a controlling interest in a party's voting securities) or otherwise
without the prior written authorization of the nonassigning party, except that
either party may assign its rights and obligations under this Agreement to its
Affiliates, provided that the assigning party receives the nonassigning party's
prior written consent, which shall not be unreasonably withheld. Any such
purported assignment or delegation shall be void and of no effect and shall
permit non-assigning party to terminate this Agreement pursuant to Section
9.1.3.
10.3 SEVERABILITY. If any provision of this Agreement, or the application
thereof, shall for any reason and to any extent, be invalid or unenforceable,
the remainder of this Agreement and application of such provision to other
persons or circumstances shall be interpreted so as best to reasonably effect
the intent of the parties hereto. IT IS EXPRESSLY UNDERSTOOD AND AGREED THAT EACH
AND EVERY PROVISION OF THIS AGREEMENT WHICH PROVIDES FOR A LIMITATION OF
LIABILITY, DISCLAIMER OF WARRANTIES OR EXCLUSION OF DAMAGES IS INTENDED BY THE
PARTIES TO BE SEVERABLE AND INDEPENDENT OF ANY OTHER PROVISION AND TO BE
ENFORCED AS SUCH.
10.4 ENTIRE AGREEMENT. This Agreement, the Appendices hereto and all
agreements referred to therein constitute the entire understanding and agreement
of the parties hereto with respect to the subject matter hereof and supersede
all prior and contemporaneous agreements or understandings between the parties.
10.5 AMENDMENT AND WAIVERS. Except as otherwise expressly provided in
this Agreement, any term or provision of this Agreement may be amended, and the
observance of any term of this Agreement may be waived, only by a writing signed
by the party to be bound thereby.
10.6 ATTORNEYS' FEES. Should suit be brought to enforce or interpret any
part of this Agreement, the prevailing party shall be entitled to recover, as an
element of the costs of suit and not as damages, reasonable attorneys' fees to
be fixed by the court (including without limitation, costs, expenses and fees on
any appeal).
10.7 NOTICES. Whenever any party hereto desires or is required to give any
notice, demand, or request with respect to this Agreement, each such
communication shall be in writing and shall be effective only if it is delivered
sent by a courier service that confirms delivery in writing or mailed, certified
or registered mail, postage prepaid, return receipt requested, addressed as
follows:
VeriSign: To the address set forth on page 1
Attention: Stratton Sclavos, President & CEO
The Customer: To the address set forth on page 1
Attention: Irv Wentzien, Vice President
Such communications shall be effective when they are received. Any party
may change its address for such communications by giving notice thereof to the
other party in conformity with this Section.
10.8 FOREIGN RESHIPMENT LIABILITY. THIS AGREEMENT IS EXPRESSLY MADE
SUBJECT TO ANY LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS ON THE EXPORT
FROM THE UNITED STATES OF AMERICA OF TECHNICAL INFORMATION, SOFTWARE OR
INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME BY THE
GOVERNMENT OF THE UNITED STATES OF AMERICA. NOTWITHSTANDING ANYTHING CONTAINED
IN THIS AGREEMENT TO THE CONTRARY, THE CUSTOMER SHALL NOT EXPORT OR RE-EXPORT,
DIRECTLY OR INDIRECTLY, ANY TECHNICAL INFORMATION, SOFTWARE OR INFORMATION ABOUT
SUCH SOFTWARE TO ANY COUNTRY FOR WHICH SUCH GOVERNMENT OR ANY AGENCY THEREOF
REQUIRES AN EXPORT LICENSE OR OTHER GOVERNMENTAL APPROVAL AT THE TIME OF EXPORT
OR RE-EXPORT WITHOUT FIRST OBTAINING SUCH LICENSE OR APPROVAL.
10.9 PUBLICITY. Neither party will disclose to third parties, other than
its agents and representatives on a need-to-know basis, the terms of this
Agreement or any exhibits hereto without the prior written consent of the other
party, except (i) either party may disclose such terms to the extent required by
law; and (ii) either party may disclose the existence of this Agreement after
completion of the Pilot phase when the General Availability phase has begun.
10.10 NO WAIVER. Failure by either party to enforce any provision of this
Agreement will not be deemed a waiver of future enforcement of that or any other
provision.
10.11 COUNTERPARTS. This Agreement may be executed in one or more
counterparts, each of which will be deemed an original, but which collectively
will constitute one and the same instrument.
10.12 HEADINGS AND REFERENCES. The headings and captions used in this
Agreement are used for convenience only and are not to be considered in
construing or interpreting this Agreement.
10.13 DUE AUTHORIZATION. The Customer hereby represents and warrants to
VeriSign that the individual executing this Agreement on behalf of the Customer
is duly authorized to execute this Agreement on behalf of the Customer and to
bind the Customer hereby.
10.14 INDEPENDENT CONTRACTOR. The relationship of VeriSign and the
Customer is that of independent contractors. Neither the Customer nor the
Customer's employees, consultants, contractors or agents are agents, employees
or joint venturers of VeriSign, nor do they have any authority to bind VeriSign
by contract or otherwise to any obligation. They will not represent to the
contrary, either expressly, implicitly, by appearance or otherwise.
10.15 PUBLICITY. VeriSign grants Customer the right to disclose that
VeriSign is a vendor of Customer and to name publicly-announced Customer
Products that provide access to Certificates issued by VeriSign. VeriSign also
grants the Company the right to display VeriSign's logo on the Customer's WWW
site in one of the forms shown on Exhibit "C" attached to this Agreement.
Customer shall not acquire any other rights of any kind in VeriSign's trade
names, trademarks, product name or logo by use authorized in this Section.
Customer grants VeriSign the right to disclose that Customer is a vendee of
VeriSign and the right to display Customer's logo on VeriSign's WWW site.
VeriSign shall not acquire any other rights of any kind in Customer's trade
names, trademarks, product name or logo by use authorized in this Section.
VeriSign shall obtain Customer's prior written consent before releasing any
public statement or press release regarding this Agreement or the services
provided hereunder.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the day
and year first written above.
CUSTOMER:
VISA INTERNATIONAL SERVICE ASSOCIATION
By: F. Dutray
------------------------
Its: Executive Vice President
------------------------
VERISIGN, INC.
By: /s/ Stratton Sclavos
------------------------
Its: President and CEO
------------------------
VeriSign Private Label Agreement
EXHIBIT "A"
DEFINITIONS
1. ACCEPTANCE means that the Acceptance Test Procedures have been
----------
performed to demonstrate that the Private Label Certificate System conforms to
the Interface Specifications and the System Design Specifications. ACCEPTED
means that Acceptance has occurred.
2. ACCEPTANCE TEST PROCEDURES means the acceptance test procedures to be
--------------------------
created by Customer and approved by VeriSign pursuant to Section 4.1.4. The
Acceptance Test Procedures shall include (1) the criteria against which the
Private Label Certificate System is to be measured in order to verify
conformance to the Interface Specifications and the System Design Specifications
and (2) the testing procedures to be used to establish conformance of the
Private Label Certificate System to the Interface Specifications and the System
Design Specifications. Upon approval by Customer, the Acceptance Test Procedures
shall be attached as Exhibit "G".
3. ACQUIRER means a Member financial institution that establishes an
---------
account with a Merchant and processes bank card authorizations and payments.
4. CARDHOLDER means a consumer or corporate purchaser who uses a bank
----------
card issued by an Issuer to make a purchase from a Merchant.
5. CERTIFICATE means a collection of electronic data consisting of a
-----------
Public Key, identifying information which contains information about the owner
of the Public Key, and validity information, which (or a string of bits derived
from the Public Key) has been encrypted by a third party who is the issuer of
the Certificate with such third party Certificate issuer's Private Key. This
collection of electronic data collectively serves the function of identifying
the owner of the Public Key and verifying the integrity of the electronic data.
"CERTIFY" or "CERTIFICATION" means the act of generating a Certificate.
"CERTIFIED" means the condition of having been issued a valid Certificate by a
Certifier, which Certificate has not been revoked.
6. CERTIFICATE SIGNING UNIT ("CSU") means a hardware unit or software
--------------------------------
designed for use in signing Certificates and key storage. The BBN SafeKeyper(TM)
manufactured by BBN Communications, Inc. is one hardware implementation of a
CSU.
7. CERTIFICATION AUTHORITY ("CA") means VeriSign and any entity, group,
------------------------------
division, department, unit or office which is Certified by VeriSign to, and has
accepted responsibility to, issue Certificates to specified Subscribers in a
Hierarchy in accordance with the CPS or a Protocol.
8. CERTIFICATION PRACTICE STATEMENT ("CPS") means the VeriSign
--------------------------------
specification of policies, procedures and resources to control the entire
Certificate process and transactional use of Certificates within the VeriSign
Public Hierarchies.
9. CHANGE ORDER has the meaning set forth in Section 4.1.8.
------------
10. CUSTOMER AFFILIATES shall mean Visa's Subsidiaries and Related
-------------------
Entities. A "Subsidiary" shall mean a company in which on a class-by-class
basis, more than fifty percent (50%) of the stock entitled to vote for the
election of directors is owned or controlled by Customer, but only so long as
such ownership or control exists. A "Related Entity" shall mean an entity (A) at
least fifty percent (50%) of whose stock or other equity is owned by Customer's
member banks and that has the authority to process Visa payment transactions,
but only so long as such ownership exists; (B) has an equity interest in
Customer and is owned in whole by Member banks or financial institutions (e.g.,
---
national or regional group Members); or (C) is exclusively managed by Visa or a
national or group Member of Visa for the purpose of processing Visa payment
transactions, but only so long as such exclusive management exists.
Notwithstanding anything to the contrary set forth above, however, Subsidiaries
or Related
Entities do not include any Acquirer, Issuer or individual bank or like
financial institution. Customer Affiliates include, for example, without
limitation, Visa USA, Inc., ViTAL, Inc., Plus and Interlink.
11. CUSTOMER BRAND KEY means the set of key pairs for signature and
------------------
exchange that are used by the Customer in its capacity of CA. The Customer Brand
Keys will be used as the "Root" for portions of the Private Label Certificate
System.
12. CUSTOMER PRODUCT means any product developed by Customer for use by a
----------------
Subscriber in Customer's Private Hierarchy with a Certificate issued by VeriSign
which incorporates Customer's Root Keys.
13. DIGITAL SIGNATURE means information encrypted with a Private Key
-----------------
which is appended to information to identify the owner of the Private Key and to
verify the integrity of the information. "Digitally Signed" shall refer to
------------------
electronic data to which a Digital Signature has been appended.
14. HIERARCHY means a domain consisting of a system of chained
---------
Certificates leading from the Primary Certification Authority through one or
more Certification Authorities to Subscribers.
15. INTERFACE SPECIFICATIONS means the interface specifications to be
------------------------
created by Customer and approved by VeriSign pursuant to Section 4.1.1.
16. INTERNET means the global computer network.
--------
17. ISSUER means a Member financial institution that establishes an
------
account for a Cardholder, issues a bank card to the Cardholder, and guarantees
payment for authorized transactions using the bank card in accordance with
association regulations and local laws.
18. MEMBER means a member of the VISA International Service Association.
------
All Issuers and Acquirers are Members.
19. MERCHANT means one who offers goods or services in exchange for
--------
payment, who accepts bank cards for payment, and who has a relationship with an
Acquirer.
20. PRIMARY CERTIFICATION AUTHORITY ("PCA") means an entity that
---------------------------------------
establishes policies for all Certification Authorities and Subscribers within
its domain.
21. PRIVATE HIERARCHY means a domain consisting of a chained Certificate
-----------------
hierarchy which is entirely self-contained within an organization or network and
not designed to be interoperable with or intended to interact through public
channels with any external organizations, networks, and public hierarchies.
22. PRIVATE KEY means a mathematical key which is kept private to the
-----------
owner and which is used through public key cryptography to encrypt electronic
authenticity data and create a Digital Signature which will be decrypted with
the corresponding Public Key.
23. PRIVATE LABEL CERTIFICATE SYSTEM means the system developed by
--------------------------------
VeriSign for Customer as more fully described in Section 2.
24. PROCESSOR means a third party which has been assigned the processing
---------
of bank card transactions by one or more Issuers or Acquirers.
25. PROGRAM DOCUMENTS means each of the Project Plan, Interface
-----------------
Specifications, Protocol, System Design Specifications, Acceptance Test
Procedures, and Service Level Specification.
26. PROTOCOL means Customer's specification of policies, procedures and
--------
resources to control the entire Certificate process and transactional use of
Certificates within Customer's Private Hierarchy.
27. PUBLIC HIERARCHY means a domain consisting of a system of chained
----------------
Certificates leading from VeriSign as the Primary Certification Authority
through one or more Certification Authorities to Subscribers in accordance with
the VeriSign Certification Practice Statement. Certificates issued in a Public
Hierarchy are intended to be interoperable among organizations, allowing
Subscribers to interact through public channels with various individuals,
organizations, and networks.
28. PUBLIC KEY means a mathematical key which is available publicly and
----------
which is used through public key cryptography to decrypt electronic authenticity
data which was encrypted using the matched Private Key and to verify Digital
Signatures created with the matched Private Key.
29. PUBLIC KEY INFRASTRUCTURE ("PKI") means the VeriSign specification
---------------------------------
for the architecture, techniques, practices and procedures that collectively
support the implementation and operation of certificate-based Public Key
cryptographic systems.
30. ROOT KEY means one or more public root key(s) published by the
--------
organization which generated and is entitled to use such keys as the public
components of its key pair(s) in issuing Certificates in a hierarchy over which
such organization has responsibility.
31. SERVICE LEVEL SPECIFICATION means the specification attached hereto
---------------------------
as Exhibit "K" approved by Customer and VeriSign pursuant to Section 4.1.6.
32. SUBSCRIBER means an individual, a device or a role/office that has
----------
requested a Certifier to issue him, her or it a Certificate.
33. SYSTEM DESIGN SPECIFICATIONS means the system design specifications to
----------------------------
be created by VeriSign in connection with the Private Label Certificate System
for acceptance testing in accordance with Section 4.1.3. The System Design
Specifications shall contain, at minimum, the items listed on the outline
presently attached as Exhibit "E" and the Requirements Documents attached as
Exhibit "F". Upon acceptance by Customer, the System Design Specifications shall
be attached, in lieu of such outline, as Exhibit "E".
34. VERISIGN AFFILIATES shall mean a company in which, on a class by
-------------------
class basis, more than fifty percent (50%) of the stock entitled to vote for the
election of directors is owned or controlled by VeriSign, but only so long as
such ownership or control exists.
35. WWW means the system currently referenced as the "World Wide Web" for
---
organizing multi-media information distributed across network(s) such that it
can be navigated and accessed via cross linking mechanisms, and any successor to
such system, and any parallel system which uses at least all the same
communication protocols as the system currently referenced as the "World Wide
Web" or to the successor to such system, even if the administrators of such
systems choose to call them by different names.
VeriSign Private Label Agreement
EXHIBIT "B"
CUSTOMER PRODUCT AND SERVICES
The Private Label Certificate System is to be used in connection with the
following Customer product(s) or service(s): Visa Cash stored value card and
Chip Card Payment Service (CCPS). The Private Label Certificate system to be
operated by VeriSign as CA for Customer under this Agreement will include a
standalone server for Certificate issuance and management and two CSUs to
contain the Private Hierarchy Root Keys together with custom software and
procedures developed by VeriSign for operation of the system. Customer shall be
entitled to two key generation ceremonies under this Agreement.
ADDITIONAL COMMITMENTS
During the one hundred and eighty (180) day period following execution of
this Agreement, VeriSign and Customer will cooperate in developing a Service
Level Agreement to be attached as Exhibit B to Exhibit J. This new document will
specify the performance standards for correction of errors in the Licensed
Software and will include a reasonable period for curing problems in the
Licensed Software. Exhibit B is intended to become effective at such time as
Customer exercises the option to license the VeriSign Software and operate the
Private Label Certificate System on the terms set forth in Exhibit J.
CONFIDENTIALITY
Customer and VeriSign expressly consent to disclosures of Confidential
Information made by either party to BBN in connection with custom chip
modification necessary to the CSUs used in this Private Label Certificate
System. Such disclosures shall not be a violation of Sections 6.1 or 10.9 of
this Agreement.
FEES
1. DEVELOPMENT FEES.
-----------------
Customer shall pay as Development Fees the amount of * for development and
testing, will be payable Forty Thousand Dollars * upon delivery of VeriSign
Deliverables for testing and * upon delivery of development deliverables for
Pilot, as detailed in Exhibit "D". Additional software development testing, or
policy development which is beyond the initial scope of this project shall be by
Change Order in accordance with Section 4.1.8 above at the rate of * per person
per day for system consulting and * per person per day for PKI consulting. No
additional Development Fees shall be payable with respect to the custom chip
modification work performed for the CSUs.
2. OPERATION FEES.
--------------
Customer shall pay as Operations Fees the amount of * upon delivery of
VeriSign Deliverables for testing as detailed in Exhibit "D" for a one-year
pilot term.
3. SUBSCRIBER FEES.
---------------
Subscriber Fees of * per Member Certificate shall be payable under
this Agreement.
4. U.S. CURRENCY.
-------------
All payments hereunder shall be made in lawful United States Currency.
* Confidential treatment has been requested with respect to certain
portions of this exhibit. Confidential portions have been omitted from
the public filing and have been filed separately with the Securities and
Exchange Commission.
VeriSign Private Label Agreement
EXHIBIT "C"
LOGOS AND TRADEMARKS
VeriSign encourages its customers to use VeriSign logos, trademarks and
service marks on customer product data sheets, packaging, Web pages and
advertising, but it is important to use them properly.
When using VeriSign trademarks and service marks in ads, product packaging,
documentation or collateral materials, be sure to use the correct trademark
designator: (R) for registered trademarks, (TM) for claimed or pending
trademarks and sm for claimed or pending service marks. VeriSign trademarks and
their correct designators are depicted below. To ensure proper usage, please
allow VeriSign marketing to review any materials using or mentioning VeriSign
trademarks prior to general release.
Using these VeriSign logos does not require written permission; in fact, we
encourage you to use them on your product packaging, Web pages and marketing
collateral!
VeriSign will update this Logos and Trademarks Usage Guide on a regular
basis. To check for most current information on logo and trademark usage, check
VeriSign's Web site at http://www.verisign.com.
VeriSign (TM)
Digital ID sm
Digital ID Center sm
VeriSign Private Label Agreement
EXHIBIT "D"
PROJECT PLAN ELEMENTS
The VeriSign Deliverables to Customer for Test I will be ready for Alpha
Test on or before the date agreed to by the Customer/VeriSign Joint Project
Team. Pilot and General Availability production dates will be specified in the
Project Plan. VeriSign will provide full production, operational facilities in
accordance with time scales agreed with Customer. The operation and support will
be implemented in phases as defined in the Project Plan (i.e. Alpha Test, Pilot,
General Availability).
Project Plan is inserted here as a separate attachment.
VeriSign Private Label Agreement
EXHIBIT "E"
SYSTEM DESIGN SPECIFICATIONS
The Private Label Certificate System will be a custom-designed VeriSign
product based upon the Customer Requirements contained in Exhibit "F."
The parties contemplate that development, testing and implementation of all
Private Label Certificate System components will be implemented in three phases.
The System Design Specifications will implement the Customer Requirements
attached as Exhibit "F".
VeriSign Private Label Agreement
EXHIBIT "F"
CUSTOMER REQUIREMENTS
VISA Customer Requirements include the VISA CCPS Certification Authority
---------------------------------
and RSA Key Tasks Requirements Document dated March 1996. Additional
---------------------------------------
references/requirements include:
. Integrated Circuit Card Specifications For Payment Systems Part 3
-----------------------------------------------------------------
Transaction Processing, Version 2.0 June 30, 1995;
----------------------
. Visa Integrated Circuit Card (ICC) Specifications, Version 10 July
-------------------------------------------------
31, 1995;
. Visa International Risk Management and Security Integrated Circuit Card
-----------------------------------------------------------------------
Security Guidelines for: Chip Architecture and Design Operating Systems
-----------------------------------------------------------------------
Design and Vendor Viability, January 1996;
---------------------------
. RSA Key and Certification Authority, memorandum dated 15 April 1996 from
-----------------------------------
Joel Weise;
. CCPS Certification Authority and RSA Key Tasks memorandum dated May 16,
----------------------------------------------
1996 from Joel Weise;
. Untitled: "Tasks List (with responsibilities defined)" memorandum dated
-------------------------------------------------------
May 16, 1996 from Joel Weise;
. Letter of intent dated June 6th 1996 from Irv Wentzien;
. VISA Common CA Acceptance Criteria memorandum dated July 17, 1996 from
----------------------------------
Joel Weise;
. CCPS RSA Key, Data, and Certificate Formats memorandum dated October 1,
-------------------------------------------
1996 from Joel Weise.
VeriSign Private Label Agreement
EXHIBIT "G"
ACCEPTANCE TEST PROCEDURES
To be developed as provided in Section 4.1.4. Acceptance Criteria memorandum
is inserted here as a separate attachment.
VeriSign Private Label Agreement
EXHIBIT "H"
RESERVED
VeriSign Private Label Agreement
EXHIBIT "I"
ESCROW AGREEMENT
MASTER PREFERRED ESCROW AGREEMENT
Master Number
This Agreement is effective _________________, 19___ among Data Securities
International, Inc.
("DSI"),___________________________________________________________ (" ")
and any party signing the Acceptance Form attached to this Agreement (" "),
who collectively may be referred to in this Agreement as "the parties."
A. Depositor and Preferred Beneficiary have entered or will enter into a
license agreement, development agreement, and/or other agreement regarding
certain proprietary technology of Depositor (referred to in this Agreement as
"the license agreement").
B. Depositor desires to avoid disclosure of its proprietary technology
except under certain limited circumstances.
C. The availability of the proprietary technology of Depositor is
critical to Preferred Beneficiary in the conduct of its business and, therefore,
Preferred Beneficiary needs access to the proprietary technology under certain
limited circumstances.
D. Depositor and Preferred Beneficiary desire to establish an escrow with
DSI to provide for the retention, administration and controlled access of
certain proprietary technology materials of Depositor.
E. The parties desire this Agreement to be supplementary to the license
agreement pursuant to 11 United States [Bankruptcy] Code, Section 365(n).
ARTICLE 1 -- DEPOSITS
1.1 Obligation to Make Deposit. Upon the signing of this Agreement by the
--------------------------
parties, including the signing of the Acceptance Form, Depositor shall deliver
to DSI the proprietary information and other materials ("deposit materials")
required to be deposited by the license agreement or, if the license agreement
does not identify the materials to be deposited with DSI, then such materials
will be identified on an Exhibit A. If Exhibit A is applicable, it is to be
prepared and signed by Depositor and Preferred Beneficiary. DSI shall have no
obligation with respect to the preparation, signing or delivery of Exhibit A.
1.2 Identification of Tangible Media. Prior to the delivery of the
--------------------------------
deposit materials to DSI, Depositor shall conspicuously label for identification
each document, magnetic tape, disk, or other tangible media upon which the
deposit materials are written or stored. Additionally, Depositor shall complete
Exhibit B to this Agreement by listing each such tangible media by the item
label description, the type of media and the quantity. The Exhibit B must be
signed by Depositor and delivered to DSI with the deposit materials. Unless and
until Depositor makes the initial deposit with DSI, DSI shall have no obligation
with respect to this Agreement, except the obligation to notify the parties
regarding the status of the deposit account as required in Section 2.2 below.
1.3 Deposit Inspection. When DSI receives the deposit materials and the
------------------
Exhibit B, DSI will conduct a deposit inspection by visually matching the
labeling of the tangible media containing the deposit materials to the item
descriptions and quantity listed on the Exhibit B. In addition to the deposit
inspection, Preferred Beneficiary may elect to cause a verification of the
deposit materials in accordance with Section 1.6 below.
1.4 Acceptance of Deposit. At completion of the deposit inspection, if
---------------------
DSI determines that the labeling of the tangible media matches the item
descriptions and quantity on Exhibit B, DSI will date and sign the Exhibit B and
mail a copy thereof to Depositor and Preferred Beneficiary. If DSI determines
that the labeling does not match the item descriptions or quantity on the
Exhibit B, DSI will (a) note the discrepancies in writing on the Exhibit B; (b)
date and sign the Exhibit B with the exceptions noted; and (c) provide a copy of
the Exhibit B to Depositor and Preferred Beneficiary. DSI's acceptance of the
deposit occurs upon the signing of the Exhibit B by DSI. Delivery of the signed
Exhibit B to Preferred Beneficiary is Preferred Beneficiary's notice that the
deposit materials have been received and accepted by DSI.
1.5 Depositor's Representations. Depositor represents as follows:
---------------------------
a. Depositor lawfully possesses all of the deposit materials
deposited with DSI;
b. With respect to all of the deposit materials, Depositor has the
right and authority to grant to DSI and Preferred Beneficiary the rights as
provided in this Agreement;
c. The deposit materials are not subject to any lien or other
encumbrance; and
d. The deposit materials consist of the proprietary information and
other materials identified either in the license agreement or Exhibit A, as the
case may be.
1.6 Verification. Preferred Beneficiary shall have the right, at
------------
Preferred Beneficiary's expense, to cause a verification of any deposit
materials. A verification determines, in different levels of detail, the
accuracy, completeness, sufficiency and quality of the deposit materials. If a
verification is elected after the deposit materials have been delivered to DSI,
then only DSI, or at DSI's election an independent person or company selected
and supervised by DSI, may perform the verification.
1.7 Deposit Updates. Unless otherwise provided by the license agreement,
---------------
Depositor shall update the deposit materials within 60 days of each release of a
new version of the product which is subject to the license agreement. Such
updates will be added to the existing deposit. All deposit updates shall be
listed on a new Exhibit B and the new Exhibit B shall be signed by Depositor.
Each Exhibit B will be held and maintained separately within the escrow account.
An independent record will be created which will document the activity for each
Exhibit B. The processing of all deposit updates shall be in accordance with
Sections 1.2 through 1.6 above. All references in this Agreement to the deposit
materials shall include the initial deposit materials and any updates.
1.8 Removal of Deposit Materials. The deposit materials may be removed
----------------------------
and/or exchanged only on written instructions signed by Depositor and Preferred
Beneficiary, or as otherwise provided in this Agreement.
ARTICLE 2 -- CONFIDENTIALITY AND RECORD KEEPING
2.1 Confidentiality. DSI shall maintain the deposit materials in a
---------------
secure, environmentally safe, locked receptacle which is accessible only to
authorized employees of DSI. DSI shall have the obligation to reasonably protect
the confidentiality of the deposit materials. Except as provided in this
Agreement, DSI shall not disclose, transfer, make available, or use the deposit
materials. DSI shall not disclose the content of this Agreement to any third
party. If DSI receives a subpoena or other order of a court or other judicial
tribunal pertaining to the disclosure or release of the deposit materials, DSI
will immediately notify the parties to this Agreement. It shall be the
responsibility of Depositor and/or Preferred Beneficiary to challenge any such
order; provided, however, that DSI does not waive its rights to present its
position with respect to any such order. DSI will not be required to disobey any
court or other judicial tribunal order. (See Section 7.5 below for notices of
requested orders.)
2.2 Status Reports. DSI will issue to Depositor and Preferred Beneficiary
--------------
a report profiling the account history at least semi-annually. DSI may provide
copies of the account history pertaining to this Agreement upon the request of
any party to this Agreement.
2.3 Audit Rights. During the term of this Agreement, Depositor and
------------
Preferred Beneficiary shall each have the right to inspect the written records
of DSI pertaining to this Agreement. Any inspection shall be held during normal
business hours and following reasonable prior notice.
ARTICLE 3 -- GRANT OF RIGHTS TO DSI
3.1 Title to Media. Depositor hereby transfers to DSI the title to the
--------------
media upon which the proprietary information and materials are written or
stored. However, this transfer does not include the ownership of the proprietary
information and materials contained on the media such as any copyright, trade
secret, patent or other intellectual property rights.
3.2 Right to Make Copies. DSI shall have the right to make copies of the
--------------------
deposit materials as reasonably necessary to perform this Agreement. DSI shall
copy all copyright, nondisclosure, and other proprietary notices and titles
contained on the deposit materials onto any copies made by DSI. With all deposit
materials submitted to DSI, Depositor shall provide any and all instructions as
may be necessary to duplicate the deposit materials including but not limited to
the hardware and/or software needed.
3.3 Right to Sublicense Upon Release. As of the effective date of this
--------------------------------
Agreement, Depositor hereby grants to DSI a non-exclusive, irrevocable,
perpetual, and royalty-free license to sublicense the deposit materials to
Preferred Beneficiary upon the release, if any, of the deposit materials in
accordance with Section 4.5 below. Except upon such a release, DSI shall not
sublicense or otherwise transfer the deposit materials.
ARTICLE 4 -- RELEASE OF DEPOSIT
4.1 Release Conditions. As used in this Agreement, "Release Conditions"
------------------
shall mean the following:
a. Depositor's failure to carry out obligations imposed on it
pursuant to the license agreement; or
b. Depositor's failure to continue to do business in the ordinary
course.
4.2 Filing For Release. If Preferred Beneficiary believes in good faith
------------------
that a Release Condition has occurred, Preferred Beneficiary may provide to DSI
written notice of the occurrence of the Release Condition and a request for the
release of the deposit materials. Upon receipt of such notice, DSI shall provide
a copy of the notice to Depositor, by certified mail, return receipt requested,
or by commercial express mail.
4.3 Contrary Instructions. From the date DSI mails the notice requesting
---------------------
release of the deposit materials, Depositor shall have ten business days to
deliver to DSI Contrary Instructions. "Contrary Instructions" shall mean the
written representation by Depositor that a Release Condition has not occurred or
has been cured. Upon receipt of Contrary Instructions, DSI shall send a copy to
Preferred Beneficiary by certified mail, return receipt requested, or by
commercial express mail. Additionally, DSI shall notify both Depositor and
Preferred Beneficiary that there is a dispute to be resolved pursuant to the
Dispute Resolution section of this Agreement (Section 7.3). Subject to Section
5.2, DSI will continue to store the deposit materials without release pending
(a) joint instructions from Depositor and Preferred Beneficiary, (b) resolution
pursuant to the Dispute Resolution provisions, or (c) order of a court.
4.4 Release of Deposit. If DSI does not receive Contrary Instructions
------------------
from the Depositor, DSI is authorized to release the deposit materials to the
Preferred Beneficiary or, if more than one beneficiary is registered to the
deposit, to release a copy of the deposit materials to the Preferred
Beneficiary. However, DSI is entitled to receive any fees due DSI before making
the release. This Agreement will terminate upon the release of the deposit
materials held by DSI.
4.5 Use License Following Release. Unless otherwise provided in the
-----------------------------
license agreement, upon release of the deposit materials in accordance with this
Article 4, Preferred Beneficiary shall have a non-exclusive, non-transferable,
irrevocable right to use the deposit materials for the sole purpose of
continuing the benefits afforded to Preferred Beneficiary by the license
agreement. Preferred Beneficiary shall be obligated to maintain the
confidentiality of the released deposit materials.
ARTICLE 5 -- TERM AND TERMINATION
5.1 Term of Agreement. The initial term of this Agreement is for a period
-----------------
of one year. Thereafter, this Agreement shall automatically renew from year-to-
year unless (a) Depositor and Preferred Beneficiary jointly instruct DSI in
writing that the Agreement is terminated; or (b) the Agreement is terminated by
DSI for nonpayment in accordance with Section 5.2. If the Acceptance Form has
been signed at a date later than this Agreement, the initial term of the
Acceptance Form will be for one year with subsequent terms to be adjusted to
match the anniversary date of this Agreement. If the deposit materials are
subject to another escrow agreement with DSI, DSI reserves the right, after the
initial one year term, to adjust the anniversary date of this Agreement to match
the then prevailing anniversary date of such other escrow arrangements.
5.2 Termination for Nonpayment. In the event of the nonpayment of fees
--------------------------
owed to DSI, DSI shall provide written notice of delinquency to all parties to
this Agreement. Any party to this Agreement shall have the right to make the
payment to DSI to cure the default. If the past due payment is not received in
full by DSI within one month of the date of such notice, then DSI shall have the
right to terminate this Agreement at any time thereafter by sending written
notice of termination to all parties. DSI shall have no obligation to take any
action under this Agreement so long as any payment due to DSI remains unpaid.
5.3 Disposition of Deposit Materials Upon Termination. Upon termination
-------------------------------------------------
of this Agreement by joint instruction of Depositor and Preferred Beneficiary,
DSI shall destroy, return, or otherwise deliver the deposit materials in
accordance with such instructions. Upon termination for nonpayment, DSI may, at
its sole discretion, destroy the deposit materials or return them to Depositor.
DSI shall have no obligation to return or destroy the deposit materials if the
deposit materials are subject to another escrow agreement with DSI.
5.4 Survival of Terms Following Termination. Upon termination of this
---------------------------------------
Agreement, the following provisions of this Agreement shall survive:
a. Depositor's Representations (Section 1.5).
b. The obligations of confidentiality with respect to the deposit
materials.
c. The licenses granted in the sections entitled Right to Sublicense
Upon Release (Section 3.3) and Use License Following Release
(Section 4.5), if a release of the deposit materials has occurred
prior to termination.
d. The obligation to pay DSI any fees and expenses due.
e. The provisions of Article 7.
f. Any provisions in this Agreement which specifically state they
survive the termination or expiration of this Agreement.
ARTICLE 6 -- DSI'S FEES
6.1 Fee Schedule. DSI is entitled to be paid its standard fees and
------------
expenses applicable to the services provided. DSI shall notify the party
responsible for payment of DSI's fees at least 90 days prior to any increase in
fees. For any service not listed on DSI's standard fee schedule, DSI will
provide a quote prior to rendering the service, if requested.
6.2 Payment Terms. DSI shall not be required to perform any service
------------
unless the payment for such service and any outstanding balances owed to DSI are
paid in full. All other fees are due upon receipt of invoice. If invoiced fees
are not paid, DSI may terminate this Agreement in accordance with Section 5.2.
Late fees on past due amounts shall accrue at the rate of one and one-half
percent per month (18% per annum) from the date of the invoice.
ARTICLE 7 -- LIABILITY AND DISPUTES
7.1 Right to Rely on Instructions. DSI may act in reliance upon any
-----------------------------
instruction, instrument, or signature reasonably believed by DSI to be genuine.
DSI may assume that any employee of a party to this Agreement who gives any
written notice, request, or instruction has the authority to do so. DSI shall
not be responsible for failure to act as a result of causes beyond the
reasonable control of DSI.
7.2 Indemnification. DSI shall be responsible to perform its obligations
---------------
under this Agreement and to act in a reasonable and prudent manner with regard
to this escrow arrangement. Provided DSI has acted in the manner stated in the
preceding sentence, Depositor and Preferred Beneficiary each agree to indemnify,
defend and hold harmless DSI from any and all claims, actions, damages,
arbitration fees and expenses, costs, attorney's fees and other liabilities
incurred by DSI relating in any way to this escrow arrangement.
7.3 Dispute Resolution. Any dispute relating to or arising from this
------------------
Agreement shall be resolved by arbitration under the Commercial Rules of the
American Arbitration Association. Unless otherwise agreed by Depositor and
Preferred Beneficiary, arbitration will take place in San Diego, California,
U.S.A. Any court having jurisdiction over the matter may enter judgment on the
award of the arbitrator(s). Service of a petition to confirm the arbitration
award may be made by First Class mail or by commercial express mail, to the
attorney for the party or, if unrepresented, to the party at the last known
business address.
7.4 Controlling Law. This Agreement is to be governed and construed in
---------------
accordance with the laws of the State of California, without regard to its
conflict of law provisions.
7.5 Notice of Requested Order. If any party intends to obtain an order
-------------------------
from the arbitrator or any court of competent jurisdiction which may direct DSI
to take, or refrain from taking any action, that party shall:
a. Give DSI at least two business days' prior notice of the hearing;
b. Include in any such order that, as a precondition to DSI's
obligation, DSI be paid in full for any past due fees and be paid for the
reasonable value of the services to be rendered pursuant to such order; and
c. Ensure that DSI not be required to deliver the original (as
opposed to a copy) of the deposit materials if DSI may need to retain the
original in its possession to fulfill any of its other escrow duties.
ARTICLE 8 -- GENERAL PROVISIONS
8.1 Entire Agreement. This Agreement, which includes the Acceptance Form
----------------
and the Exhibits described herein, embodies the entire understanding between all
of the parties with respect to its subject matter and supersedes all previous
communications, representations or understandings, either oral or written. No
amendment or modification of this Agreement shall be valid or binding unless
signed by all the parties hereto, except Exhibit A need not be signed by DSI and
Exhibit B need not be signed by Preferred Beneficiary.
8.2 Notices. All notices, invoices, payments, deposits and other
-------
documents and communications shall be given to the parties at the addresses
specified in the attached Exhibit C and Acceptance Form. It shall be the
responsibility of the parties to notify each other as provided in this Section
in the event of a change of address. The parties shall have the right to rely on
the last known address of the other parties. Unless otherwise provided in this
Agreement, all documents and communications may be delivered by First Class
mail.
8.3 Severability. In the event any provision of this Agreement is found
------------
to be invalid, voidable or unenforceable, the parties agree that unless it
materially affects the entire intent and purpose of this Agreement, such
invalidity, voidability or unenforceability shall affect neither the validity of
this Agreement nor the remaining provisions herein, and the provision in
question shall be deemed to be replaced with a valid and enforceable provision
most closely reflecting the intent and purpose of the original provision.
8.4 Successors. This Agreement shall be binding upon and shall inure to
----------
the benefit of the successors and assigns of the parties. However, DSI shall
have no obligation in performing this Agreement to recognize any successor or
assign of Depositor or Preferred Beneficiary unless DSI receives clear,
authoritative and conclusive written evidence of the change of parties.
Data Securities International, Inc.
______________________________
By: _______________________ By: _______________________________
Name: _______________________ Name: _______________________________
Title: _______________________ Title: _______________________________
Date: _______________________ Date: _______________________________
EXHIBIT "J"
CUSTOM CERTIFICATE SYSTEM LICENSE AGREEMENT
THIS CUSTOM CERTIFICATE SYSTEM LICENSE AGREEMENT ("Agreement") effective as
of the last date of execution, is entered into by and between VeriSign, Inc., a
Delaware corporation ("VeriSign"), having a principal mailing address at 2593
Coast Avenue, Mountain View, California 94043, and the entity named below as
"Customer" ("Customer"), having a principal address as set forth below.
Customer:
VISA International Service Association
--------------------------------------
(Name and jurisdiction of incorporation)
Customer Address:
900 Metro Center Boulevard, Foster City California 94404 or
------------------------------------------------------------
P.O. Box 8999, San Francisco, California 94128-8999
----------------------------------------------------
Customer Legal Contact:
Andrew Konstantaras, Counsel, 415-432-8066
------------------------------------------
(name, telephone and title)
Customer Billing Contact:
Irv Wentzien, VP, 415-432-3460
------------------------------
(name, telephone and title)
Customer Technical Contact:
Joel Weise, Chip Card Technology Manager, 415-432-3863
------------------------------------------------------
(name, telephone and title)
Customer Commercial Contact:
Joel Weise, Chip Card Technology Manager, 415-432-3863
------------------------------------------------------
(name, telephone and title)
VeriSign, Inc.
Custom Certificate System License Agreement
Page 2
1. DEFINITIONS
-----------
The following terms when used in this Agreement shall have the following
meanings:
1.1 "CERTIFICATE" means a collection of electronic data consisting of a
Public Key, identifying information which contains information about the owner
of the Public Key, and validity information, which (or a string of bits derived
from the Public Key) has been encrypted by a third party who is the issuer of
the Certificate with such third party Certificate issuer's Private Key. This
collection of electronic data collectively serves the function of identifying
the owner of the Public Key and verifying the integrity of the electronic data.
"Certify" or "Certification" means the act of generating a Certificate.
"Certified" means the condition of having been issued a valid Certificate by a
Certifier, which Certificate has not been revoked.
1.2 "CERTIFICATE SIGNING UNIT ('CSU')" means a hardware unit or software
designed for use in signing Certificates and key storage. The BBN SafeKeyper(TM)
manufactured by BBN Communications, Inc. is one hardware implementation of a
CSU.
1.4 "CERTIFICATION AUTHORITY" OR "CA" means VeriSign and any entity,
group, division, department, unit or office which is Certified by VeriSign to,
and has accepted responsibility to, issue Certificates to specified Subscribers
in a Hierarchy in accordance with the CPS or a Protocol.
1.5 "CERTIFICATION PRACTICE STATEMENT" OR "CPS" means the VeriSign
specification of policies, procedures and resources to control the entire
Certificate process and transactional use of Certificates within the VeriSign
Public Hierarchies.
1.6 "CUSTOMER PRODUCT" means any product including some or all of the
Licensed Software developed by Customer for use by a Subscriber in VISA's
Private Hierarchy with a Certificate issued by aVISA which incorporates VISA's
Root Keys.
1.7 "DIGITAL SIGNATURE" means information encrypted with a Private Key
which is appended to information to identify the owner of the Private Key and to
verify the integrity of the information. "DIGITALLY SIGNED" shall refer to
----------------
electronic data to which a Digital Signature has been appended.
1.8 "HIERARCHY" means a domain consisting of a system of chained
Certificates leading from the Primary Certification Authority through one or
more Certification Authorities to Subscribers.
1.9 "INTERNET" means the global computer network commonly known as
"Internet".
1.10 "LICENSED SOFTWARE" means the object code of the VeriSign Software
as specified on Exhibit "A" (License and Maintenance Fees) hereto as having been
licensed by Customer. Only those portions of the VeriSign Software specified as
having been licensed are included in the Licensed Software.
1.11 "NEW RELEASE" means a version of the VeriSign Software which shall
generally be designated by a new version number which has changed from the prior
number only to the right of the decimal point (e.g., Version 2.2 to Version
2.3).
1.12 "NEW VERSION" means a version of the VeriSign Software which shall
generally be designated by a new version number which has changed from the prior
number to the left of the decimal point (e.g., Version 2.3 to Version 3.0).
1.13 "PRIMARY CERTIFICATION AUTHORITY" OR "PCA" means an entity that
establishes policies for all Certification Authorities and Subscribers within
its Private Hierarchy.
1.14 "PRIVATE HIERARCHY" means a domain consisting of a chained
Certificate hierarchy which is entirely self-contained within an organization or
network and not designed to be interoperable with or intended to interact
through public channels with any external organizations, networks, and public
hierarchies.
1.15 "PRIVATE KEY" means a mathematical key which is kept private to the
owner and which is used through public key cryptography to encrypt electronic
authenticity data and create a Digital Signature which will be decrypted with
the corresponding Public Key.
1.16 "PUBLIC HIERARCHY" means a domain consisting of a system of chained
Certificates leading from VeriSign as the Primary Certification Authority
through one or more Certification Authorities to Subscribers in accordance with
the VeriSign Certification Practice Statement. Certificates issued in a Public
Hierarchy are intended to be interoperable among organizations, allowing
Subscribers to interact through public channels with various individuals,
organizations, and networks.
1.17 "PUBLIC KEY" means a mathematical key which is available publicly
and which is used through public key cryptography to decrypt electronic
authenticity data which was encrypted using the matched Private Key and to
verify Digital Signatures created with the matched Private Key.
1.18 "PUBLIC KEY INFRASTRUCTURE (PKI)" means the VeriSign specification
for the architecture, techniques, practices, and procedures that collectively
support the implementation and operation of Certificate-based public key
cryptographic systems.
1.19 "ROOT KEY" means one or more public root key(s) published by the
organization which generated and is entitled to use such keys as the public
components of its key pair(s) in issuing Certificates in a hierarchy over which
such organization has responsibility.
1.20 "SUBSCRIBER" means an individual, a device or a role/office that has
requested a Certifier to issue him, her or it a Certificate.
1.21 "USER MANUAL" means the most current version of the user or
operating manual customarily supplied by VeriSign to customers who license the
VeriSign Object Code, if any.
1.22 "VERISIGN OBJECT CODE" means the Licensed Software in machine-
readable, compiled object code form.
1.23 "VERISIGN SOFTWARE" means VeriSign proprietary software for the
Private Label Certificate System as described in the User Manuals associated
therewith. "VeriSign Software" shall also include all modifications and
enhancements (including all New Releases and New Versions) to such programs as
provided by VeriSign to Customer pursuant to Sections 4.3, 4.4, and 4.5.
1.24 "VISA" means VISA International Service Association.
1.25 "WWW" means the system currently referenced as the "World Wide Web"
for organizing multimedia information distributed across network(s) such that it
can be navigated and accessed via cross linking mechanisms, and any successor to
such system, and any parallel system which uses at least all the same
communication protocols as the system currently referenced as the "World Wide
Web" or to the successor to such system, even if the administrators of such
systems choose to call them by different names.
2. GRANT OF LICENSES; LIMITATIONS
------------------------------
2.1 VERISIGN SOFTWARE OBJECT CODE LICENSE. VeriSign hereby grants
-------------------------------------
Customer a worldwide non-exclusive, non-transferable, non-assignable license
during the term specified in Section 8 to use the Licensed
Software to act as the Primary Certification Authority for Customer's Private
Hierarchy and to make, have made and sell Customer Products.
2.2 LIMITATIONS ON LICENSES. The license granted in Section 2.1 shall be
-----------------------
limited as follows:
2.2.1 LIMITATION ON DISTRIBUTEES. The VeriSign Software shall not be
--------------------------
sublicensed or otherwise distributed.
2.2.2 LICENSE RESTRICTED TO LICENSED SOFTWARE. Customer may not use,
---------------------------------------
modify, sublicense or incorporate into any Customer Product any software module
or other technology component derived from the VeriSign Software which is not
designated as Licensed Software on Exhibit "A".
2.2.3 ROOT KEYS. Any Customer Product and Licensed Software must
---------
include VISA's Private Hierarchy Root Key.
2.2.4 RESTRICTION ON COPYING. Customer may not copy or reproduce the
----------------------
VeriSign Software or any part, version or form thereof, except as expressly
permitted in Section 2.1.
2.3 TITLE. Except for the limited license granted in Section 2.1,
-----
VeriSign shall at all times retain full and exclusive right, title and ownership
interest in and to the VeriSign Software and in any and all related patents,
trademarks, copyrights and proprietary and trade secret rights.
3. LICENSE FEES
------------
3.1 LICENSE FEES. In consideration of VeriSign's grant to Customer of the
------------
limited license rights hereunder, Customer shall pay to VeriSign the amounts
specified on Exhibit "A."
3.2 TAXES. All taxes, duties, fees and other governmental charges of any
-----
kind (including sales and use taxes, but excluding taxes based on the gross
revenues or net income of VeriSign) which are imposed by or under the authority
of any government or any political subdivision thereof on the License Fees or
any aspect of this Agreement shall be borne by Customer and shall not be
considered a part of, a deduction from or an offset against License Fees.
3.3 TERMS OF PAYMENT. License Fees are due upon execution of this
----------------
Agreement and shall be paid by Customer to the attention of the Software
Licensing Department at VeriSign's address set forth above.
3.4 U.S. CURRENCY. All payments hereunder shall be made in lawful United
-------------
States currency.
4. SUPPORT AND MAINTENANCE; DEVELOPMENT
------------------------------------
4.1 OPTIONAL MAINTENANCE. For the year commencing upon the date of this
--------------------
Agreement and for each year thereafter commencing on the anniversary of such
expiration, Customer may elect to purchase annual maintenance, as described in
Section 4.3, by paying the then-current annual maintenance fee. Such amount
shall be payable for the first year upon the execution of this Agreement and for
each subsequent year in advance of the commencement of such year. VeriSign may
cease to offer maintenance for future maintenance terms by notice delivered to
Customer ninety (90) days or more before the end of the then current maintenance
term.
4.2 ADDITIONAL CHARGES. In the event VeriSign is required to take actions
------------------
to correct a difficulty or defect which is traced to Customer errors,
modifications, enhancements, software or hardware, then Customer shall pay to
VeriSign its time and materials charges at VeriSign's rates then in effect. In
the event VeriSign's personnel must travel to perform maintenance or on-site
support, Customer shall reimburse VeriSign for any reasonable
out-of-pocket expenses incurred, including travel to and from Customer's sites,
lodging, meals and shipping, as may be necessary in connection with duties
performed under this Section 4 by VeriSign.
4.3 MAINTENANCE PROVIDED BY VERISIGN. For periods for which Customer has
--------------------------------
paid an annual maintenance fee, VeriSign will provide Customer with the
following services:
4.3.1 TELEPHONE SUPPORT. VeriSign will provide telephone support to
-----------------
Customer during VeriSign's normal business hours. VeriSign may provide on-site
support reasonably determined to be necessary by VeriSign at Customer's location
specified on page 1 hereof. VeriSign shall provide the support specified in this
Section 4.3.1 to Customer's employees responsible for developing Customer
Products and maintaining Customer Products. VeriSign will provide the name of an
employee who will serve as a single point of contact for support to Customer.
VeriSign may change the name at any time by providing written notice to
Customer. On VeriSign's request, Customer will provide a list with the names of
the employees designated to receive support from VeriSign. Customer may change
the names on the list at any time by providing written notice to VeriSign.
4.3.2 ERROR CORRECTION. In the event Customer discovers an error in
----------------
the Licensed Software which causes the Licensed Software not to operate in
material conformance to VeriSign's published specifications therefor, Customer
shall submit to VeriSign a written report describing such error in sufficient
detail to permit VeriSign to reproduce such error. Upon receipt of any such
written report, VeriSign will use its reasonable business judgment to classify a
reported error as either: (i) a "Level 1 Severity" error, meaning an error that
causes the Licensed Software to fail to operate in a material manner or to
produce materially incorrect results and for which there is no workaround or
only a difficult workaround; or (ii) a "Level 2 Severity" error, meaning an
error that produces a situation in which the Licensed Software is usable but
does not function in the most convenient or expeditious manner, and the use or
value of the Licensed Software suffers no material impact. VeriSign will
acknowledge receipt of a conforming error report within two (2) business days
and (A) will use its continuing best efforts to provide a correction for any
Level 1 Severity error to Customer as early as practicable; and (B) will use its
reasonable efforts to include a correction for any Level 2 Severity error in the
next release of the VeriSign Software. In the event that VeriSign fails to
comply with the Service Level Agreement attached as Exhibit B to this Exhibit J,
and VeriSign is unable to cure the problem within a reasonable period specified
in Exhibit B, Customer shall have the right to obtain release of the source code
for the Licensed Software from escrow. Customer's rights to the source code
released from escrow shall be limited to use for the purpose of Customer's
operation of the Private Label Certificate System, and Customer may not resell,
sublicense or otherwise permit the use of such source code by any third party
unless VeriSign gives prior written authorization on mutually agreeable terms
and conditions.
4.3.3 NEW RELEASES AND NEW VERSIONS. VeriSign will provide Customer
-----------------------------
information relating to New Releases and New Versions of the VeriSign Software
during the term of this Agreement. New Releases will be provided at no
additional charge. New Versions will be provided at VeriSign's standard upgrade
charges in effect at the time. Any New Releases or New Versions acquired by
Customer shall be governed by all of the terms and provisions of this Agreement.
4.4 LAPSED MAINTENANCE. In the event Customer has not purchased optional
------------------
maintenance with respect to any Licensed Software, Customer may obtain a license
of a New Release of such Licensed Software or any service which is provided as a
part of maintenance by paying the maintenance fees which would otherwise have
been due from the expiration of maintenance provided pursuant to Section 4.1 to
the date such New Release is licensed or such service is provided.
4.5 DEVELOPMENT. If Customer requests that VeriSign make modifications or
-----------
enhancements to the Licensed Software, VeriSign agrees to perform work on such
modifications or enhancements at its lowest time and materials rates then in
effect for a similar type of consulting work.
5. MASTER COPY
-----------
As soon as practicable, but not later than five (5) business days after the
date of execution of this Agreement, VeriSign shall deliver to Customer one (1)
copy of each of the VeriSign Object Code and the User Manual in the manner
designated on Exhibit "A" together with the CSUs and standalone server used as
part of the Private Label Certificate System as operated by VeriSign.
6. ADDITIONAL OBLIGATIONS OF CUSTOMER
6.1 CUSTOMER PRODUCT MARKETING. Customer is authorized to represent
--------------------------
Subscribers only such facts about the VeriSign Software as VeriSign states in
its published product descriptions, advertising and promotional materials or as
may be stated in other non-confidential written material furnished by VeriSign.
6.2 CUSTOMER SUPPORT. Customer shall, at its expense, provide all support
----------------
for the Licensed Software, and Customer Products to Subscribers.
6.3 CONFIDENTIALITY; PROPRIETARY RIGHTS.
-----------------------------------
6.3.1 CONFIDENTIALITY. Customer acknowledges that in VeriSign's
---------------
performance of its duties hereunder VeriSign will communicate to Customer (or
its designees) certain confidential and proprietary information concerning the
VeriSign Software, and know-how, technology, techniques or marketing plans
related thereto (collectively, the "Know-How") all of which are confidential and
proprietary to, and trade secrets of, VeriSign. Customer agrees to hold all the
VeriSign Know-How within its own organization and shall not, without specific
written consent of VeriSign or as expressly authorized herein, utilize in any
manner, publish, communicate or disclose any part of the VeriSign Know-How to
third parties. This Section 6.4.1 shall impose no obligation on Customer with
respect to any Know-How which: (i) is in the public domain at the time disclosed
by VeriSign; (ii) enters the public domain after disclosure other than by breach
of Customer's obligations hereunder or by breach of another party's
confidentiality obligations; or (iii) is shown by documentary evidence to have
been known by Customer prior to its receipt from VeriSign. Customer will take
such steps as are consistent with Customer's protection of its own confidential
and proprietary information (but will in no event exercise less than reasonable
care) to ensure that the provisions of this Section 6.4.1 are not violated by
Customer's employees, agents or any other person.
6.3.2 PROPRIETARY MARKINGS; COPYRIGHT NOTICES. Customer agrees not
---------------------------------------
to remove or destroy any proprietary, trademark or copyright markings or notices
placed upon or contained within the VeriSign Object Code, User Manuals or any
related materials or documentation. Customer further agrees to insert and
maintain: (i) within every Customer Product and any related materials or
documentation a copyright notice in the name of Customer; and (ii) within the
splash screens, user documentation, printed product collateral, product
packaging and advertisements for the Customer Product, a statement that the
Customer Product contains the VeriSign Software. Customer shall not take any
action which might adversely affect the validity of VeriSign's proprietary,
trademark or copyright markings or ownership by VeriSign thereof, and shall
cease to use the markings, or any similar markings, in any manner on the
expiration or other termination of the license rights granted pursuant to
Section 2.
6.3.3 PROHIBITED ACTIVITIES. Customer shall not modify, translate,
---------------------
reverse engineer, decompile or disassemble the VeriSign Software or any part
thereof.
6.3.4 NO PUBLICATION. The placement of a copyright notice on any of
--------------
the VeriSign Software shall not constitute publication or otherwise impair the
confidential or trade secret nature of the VeriSign Software.
6.3.5 INJUNCTIVE RELIEF. Customer acknowledges that the
-----------------
restrictions contained in this Section 6.4 are reasonable and necessary to
protect VeriSign's legitimate interests and that any violation of these
restrictions
will cause irreparable damage to VeriSign within a short period of time and
Customer agrees that VeriSign will be entitled to injunctive relief against each
violation.
6.4 FEDERAL GOVERNMENT SUBLICENSE. Any sublicense of a Customer Product
-----------------------------
acquired from Customer under a United States government contract shall be
subject to restrictions as set forth in subparagraph (c)(1)(ii) of Defense
Federal Acquisition Regulations Supplement (DFARS) Section 252.227-7013 for
Department of Defense contracts and as set forth in Federal Acquisition
Regulations (FARs) Section 52.227-19 for civilian agency contracts or any
successor regulations. Customer agrees that any such sublicense shall set forth
all of such restrictions and the tape or diskette label for the Customer Product
and any documentation delivered with the Customer Product shall contain a
restricted rights legend conforming to the requirements of the current,
applicable DFARS or FARs.
6.5 NOTICES. Customer shall immediately advise VeriSign of any legal
-------
notices served on Customer which might affect VeriSign or the VeriSign Software.
6.6 INDEMNITY. CUSTOMER EXPRESSLY INDEMNIFIES AND HOLDS HARMLESS
---------
VERISIGN, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL
LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO CUSTOMER'S SUBSCRIBERS AND THIRD
PARTIES WHICH MAY ARISE FROM ACTS OF CUSTOMER OR FROM THE LICENSE OF CUSTOMER
PRODUCTS BY CUSTOMER OR ANY DOCUMENTATION, SERVICES OR ANY OTHER ITEM FURNISHED
BY CUSTOMER TO ITS SUBSCRIBERS, OTHER THAN LIABILITY ARISING FROM THE VERISIGN
OBJECT CODE OR THE USER MANUALS OR FROM THE ACTS OF VERISIGN; AND (ii) ANY
LIABILITY ARISING IN CONNECTION WITH AN UNAUTHORIZED REPRESENTATION OR ANY
MISREPRESENTATION OF FACT MADE BY CUSTOMER OR ITS AGENTS OR EMPLOYEES TO ANY
PARTY WITH RESPECT TO THE VERISIGN SOFTWARE OR ANY CUSTOMER PRODUCTS.
7. LIMITED WARRANTY; DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY;
--------------------------------------------------------------------
INTELLECTUAL PROPERTY INDEMNITIES
---------------------------------
7.1 LIMITED WARRANTY. During the initial ninety (90)-day term of this
----------------
Agreement VeriSign warrants that the Licensed Software specified in this
Agreement will operate in material conformance to VeriSign's published
specifications for such Licensed Software. VeriSign does not warrant that the
VeriSign Software or any portion thereof is error-free. Customer's exclusive
remedy, and VeriSign's entire liability in tort, contract or otherwise, shall be
correction of any warranted nonconformity as provided in Section 4.3.2. This
limited warranty and any obligations of VeriSign under Section 4.1 shall
terminate immediately if Customer makes any modification to the VeriSign
Software.
7.2 DISCLAIMER. EXCEPT FOR THE EXPRESS LIMITED WARRANTY PROVIDED IN
----------
SECTION 7.1, THE VERISIGN SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY WARRANTY
WHATSOEVER. VERISIGN DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS
TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS.
VERISIGN DISCLAIMS ANY WARRANTY OR REPRESENTATION TO ANY PERSON OTHER THAN
CUSTOMER WITH RESPECT TO THE VERISIGN SOFTWARE. CUSTOMER SHALL NOT, AND SHALL
TAKE ALL MEASURES NECESSARY TO INSURE THAT ITS AGENTS AND EMPLOYEES DO NOT, MAKE
OR PASS THROUGH ANY SUCH WARRANTY ON BEHALF OF VERISIGN TO ANY THIRD PARTY.
7.3 LIMITATION OF LIABILITY. IN NO EVENT WILL VERISIGN BE LIABLE TO
-----------------------
CUSTOMER (OR TO ANY PERSON CLAIMING RIGHTS DERIVED FROM CUSTOMER) FOR INDIRECT,
INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES ARISING OUT OF OR
RELATED TO THE TRANSACTIONS CONTEMPLATED UNDER THIS AGREEMENT, INCLUDING BUT NOT
LIMITED TO LOST PROFITS, BUSINESS INTERRUPTION OR LOSS OF BUSINESS INFORMATION,
EVEN IF VERISIGN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. UNDER NO
CIRCUMSTANCES SHALL VERISIGN'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS
AGREEMENT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER TO VERISIGN HEREUNDER,
REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON WARRANTY, CONTRACT, TORT
OR OTHERWISE.
7.4 PROPRIETARY RIGHTS INFRINGEMENT BY VERISIGN.
-------------------------------------------
7.4.1 OBLIGATION TO DEFEND. Subject to the limitations set forth
--------------------
below and in Section 7.3, VeriSign, at its own expense, shall: (i) defend, or at
its option settle, any claim, suit or proceeding against Customer on the basis
of infringement or misappropriation of any United States, copyright or trade
secret in the field of cryptography by the Licensed Software as delivered by
VeriSign or any claim that VeriSign has no right to license the Licensed
Software hereunder; and (ii) pay any final judgment entered or settlement
against Customer on such issue in any such suit or proceeding defended by
VeriSign. VeriSign shall have no obligation to Customer pursuant to this Section
7.4.1 unless: (A) Customer gives VeriSign prompt written notice of the claim;
(B) VeriSign is given the right to control and direct the investigation,
preparation, defense and settlement of the claim; and (C) the claim is based on
Customer's use of the most recent version or the immediately preceding version
of the Licensed Software in accordance with this Agreement.
7.4.2 VERISIGN OPTIONS. If VeriSign receives notice of an alleged
----------------
infringement, VeriSign shall have the right, at its sole option, to obtain the
right to continue use of the Licensed Software or to replace or modify the
Licensed Software so that it is no longer infringing. If neither of the
foregoing options is reasonably available to VeriSign, then the license rights
granted pursuant to Section 2 may be terminated at the option of either party
hereto without further obligation or liability except as provided in Sections
7.4.1 and 8.3 and in the event of such termination, VeriSign shall refund the
License Fees paid by Customer hereunder less depreciation for use assuming
straight line depreciation over a five (5)-year useful life.
7.4.3 EXCLUSIVE REMEDIES. THE RIGHTS AND REMEDIES SET FORTH IN
------------------
SECTIONS 7.4.1 AND 7.4.2 CONSTITUTE THE ENTIRE OBLIGATION OF VERISIGN AND THE
EXCLUSIVE REMEDIES OF CUSTOMER CONCERNING VERISIGN'S PROPRIETARY RIGHTS
INFRINGEMENT.
7.5 PROPRIETARY RIGHTS INFRINGEMENT BY CUSTOMER.
-------------------------------------------
7.5.1 OBLIGATION TO DEFEND. Subject to the limitations set forth
--------------------
below, Customer, at its own expense, shall: (i) defend, or at its option settle,
any claim, suit or proceeding against VeriSign on the basis of infringement or
misappropriation of any United States, copyright or trade secret by any Customer
Product (excluding the unmodified VeriSign Software); and (ii) pay any final
judgment entered or settlement against VeriSign on such issue in any such suit
or proceeding defended by Customer. Customer shall have no obligation to
VeriSign pursuant to this Section 7.5.1 unless: (A) VeriSign gives Customer
prompt written notice of the claim; and (B) Customer is given the right to
control and direct the investigation, preparation, defense and settlement of the
claim.
7.5.2 EXCLUSIVE REMEDIES. THE RIGHTS AND REMEDIES SET FORTH IN
------------------
SECTION 7.5.1 CONSTITUTE THE ENTIRE OBLIGATION OF CUSTOMER AND THE EXCLUSIVE
REMEDIES OF VERISIGN CONCERNING CUSTOMER'S PROPRIETARY RIGHTS INFRINGEMENT.
8. TERM AND TERMINATION
--------------------
8.1 TERM. The license rights granted pursuant to Section 2 shall be
----
effective as of the date hereof and shall continue in full force and effect for
each item of Licensed Software for the period set forth on Exhibit "A" unless
sooner terminated pursuant to the terms of this Agreement. Either party shall be
entitled to terminate all the
license rights granted pursuant to this Agreement at any time on written notice
to the other in the event of a default by the other party and a failure to cure
such default within a period of thirty (30) days (five (5) days if the default
involves the payment of money) following receipt of written notice specifying
that a default has occurred.
8.2 INSOLVENCY. Upon the institution of any proceedings by or against
----------
either party seeking relief, reorganization or arrangement under any laws
relating to insolvency, or upon any assignment for the benefit of creditors, or
upon the appointment of a receiver, liquidator or trustee of any of either
party's property or assets, or upon the liquidation, dissolution or winding up
of either party's business, then and in any such events all the license rights
granted pursuant to this Agreement may immediately be terminated by the other
party upon giving written notice.
8.3 DISPOSITION OF VERISIGN SOFTWARE AND USER MANUALS ON TERMINATION.
----------------------------------------------------------------
Upon the expiration or termination pursuant to this Section 8 of the license
rights granted pursuant to Section 2, the remaining provisions of this Agreement
shall remain in full force and effect, and Customer shall cease making copies
of, using or licensing the VeriSign Software, User Manual and Customer Products,
excepting only such copies of Customer Products necessary to fill orders placed
with Customer prior to such expiration or termination. Customer shall destroy
all copies of the VeriSign Software, User Manual and Customer Products and all
information and documentation provided by VeriSign to Customer (including all
Know-How), other than such copies of the VeriSign Object Code, the User Manual
and the Customer Products as are necessary to enable Customer to perform its
continuing support obligations in accordance with Section 6.2, if any.
9. MISCELLANEOUS PROVISIONS
------------------------
9.1 GOVERNING LAWS. THE LAWS OF THE STATE OF CALIFORNIA, U.S.A.
--------------
(IRRESPECTIVE OF ITS CHOICE OF LAW PRINCIPLES) SHALL GOVERN THE VALIDITY OF THIS
AGREEMENT, THE CONSTRUCTION OF ITS TERMS, AND THE INTERPRETATION AND ENFORCEMENT
OF THE RIGHTS AND DUTIES OF THE PARTIES. THE PARTIES AGREE THAT THE UNITED
NATIONS CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALE OF GOODS SHALL NOT
APPLY TO THIS AGREEMENT. THE PARTIES AGREE THAT ANY SUIT TO ENFORCE ANY
PROVISION OF THIS AGREEMENT OR ARISING OUT OF OR BASED UPON THIS AGREEMENT OR
THE BUSINESS RELATIONSHIP BETWEEN THE PARTIES SHALL BE BROUGHT IN THE UNITED
STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA OR THE SUPERIOR OR
MUNICIPAL COURT IN AND FOR THE COUNTY OF SANTA CLARA, CALIFORNIA, U.S.A. Each
party agrees that such courts shall have exclusive in personam jurisdiction and
venue with respect to such party, and each party submits to the exclusive in
personam jurisdiction and venue of such courts.
9.2 BINDING UPON SUCCESSORS AND ASSIGNS. Except as otherwise provided
-----------------------------------
herein, this Agreement shall be binding upon, and inure to the benefit of, the
successors, representatives, administrators and assigns of the parties hereto.
This Agreement shall not be assignable by Customer, by operation of law or
otherwise, without the prior written consent of VeriSign, which shall not be
unreasonably withheld; provided, however, that VeriSign may withhold its consent
to the assignment of this Agreement if it provides for a fully paid-up License
Fee. Any such purported assignment or delegation without VeriSign's written
consent shall be void and of no effect.
9.3 SEVERABILITY. If any provision of this Agreement is found to be
------------
invalid or unenforceable, the remainder of this Agreement shall be interpreted
so as best to reasonably effect the intent of the parties hereto. IT IS
EXPRESSLY UNDERSTOOD AND AGREED THAT EACH AND EVERY PROVISION OF THIS AGREEMENT
WHICH PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES OR
EXCLUSION OF DAMAGES IS INTENDED BY THE PARTIES TO BE SEVERABLE AND INDEPENDENT
OF ANY OTHER PROVISION AND TO BE ENFORCED AS SUCH.
9.4 ENTIRE AGREEMENT. This Agreement and the exhibits and schedules
----------------
hereto constitute the entire understanding and agreement of the parties hereto
with respect to the subject matter hereof and supersede all prior and
contemporaneous agreements, representations and understandings between the
parties.
9.5 AMENDMENT AND WAIVERS. Any term or provision of this Agreement may be
---------------------
amended, and the observance of any term of this Agreement may be waived, only by
a writing signed by the party to be bound.
9.6 ATTORNEYS' FEES. The prevailing party in any action or proceeding to
---------------
enforce or interpret any part of this Agreement shall be entitled to recover its
reasonable attorneys' fees (including fees on any appeal).
9.7 NOTICES. Any notice, demand, or request with respect to this
-------
Agreement shall be in writing and shall be effective only if it is delivered by
hand or mailed, certified or registered mail, postage prepaid, return receipt
requested, addressed to the appropriate party at its address set forth on page
1. Such communications shall be effective when they are received by the
addressee; but if sent by certified or registered mail in the manner set forth
above, they shall be effective not later than ten (10) days after being
deposited in the mail. Any party may change its address for such communications
by giving notice to the other party in conformity with this Section.
9.8 FOREIGN RESHIPMENT LIABILITY. THIS AGREEMENT IS EXPRESSLY MADE
----------------------------
SUBJECT TO ANY LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS ON THE EXPORT
FROM THE UNITED STATES OF AMERICA OF THE VERISIGN SOFTWARE OR CUSTOMER PRODUCTS
OR OF INFORMATION ABOUT THE VERISIGN SOFTWARE OR CUSTOMER PRODUCTS WHICH MAY BE
IMPOSED FROM TIME TO TIME BY THE GOVERNMENT OF THE UNITED STATES OF AMERICA.
NOTWITHSTANDING ANYTHING CONTAINED IN THIS AGREEMENT TO THE CONTRARY, CUSTOMER
SHALL NOT EXPORT OR REEXPORT, DIRECTLY OR INDIRECTLY, ANY VERISIGN SOFTWARE OR
CUSTOMER PRODUCTS OR INFORMATION PERTAINING THERETO TO ANY COUNTRY FOR WHICH
SUCH GOVERNMENT OR ANY AGENCY THEREOF REQUIRES AN EXPORT LICENSE OR OTHER
GOVERNMENTAL APPROVAL AT THE TIME OF EXPORT OR REEXPORT WITHOUT FIRST OBTAINING
SUCH LICENSE OR APPROVAL.
9.9 TRADEMARKS. By reason of this Agreement or the performance hereof,
----------
Customer shall acquire no rights of any kind in any VeriSign trademark, trade
name, logo or product designation under which the VeriSign Software was or is
marketed and Customer shall not make any use of the same for any reason except
as expressly authorized by this Agreement or otherwise authorized in writing by
VeriSign.
9.10 PUBLICITY. Neither party will disclose to third parties, other than
---------
its agents and representatives on a need-to-know basis, the terms of this
Agreement or any exhibits hereto (including without limitation any
License/Product Schedule) without the prior written consent of the other party,
except (i) either party may disclose such terms to the extent required by law;
(ii) either party may disclose the existence of this Agreement; and (iii)
VeriSign shall have the right to disclose that Customer is a Customer of the
VeriSign Software and that any publicly-announced Customer Product incorporates
the VeriSign Software. Customer shall provide to VeriSign, solely for VeriSign's
display purposes, one (1) working copy of each Customer Product which consists
solely of computer software and one (1) working or non-working unit of any
hardware product in which is incorporated a Customer Product which consists of
an integrated circuit or other hardware.
9.11 REMEDIES NON-EXCLUSIVE. Except as otherwise expressly provided, any
----------------------
remedy provided for in this Agreement is deemed cumulative with, and not
exclusive of, any other remedy provided for in this Agreement or otherwise
available at law or in equity. The exercise by a party of any remedy shall not
preclude the exercise by such party of any other remedy.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the date
of the last signature below, unless a different effective date is specified on
the first page of this Agreement.
CUSTOMER:
VISA INTERNATIONAL SERVICE ASSOCIATION
By:___________________________________
Printed Name:_________________________
Title:________________________________
Date:_________________________________
VERISIGN, INC.
By:___________________________________
Printed Name:_________________________
Title:________________________________
Date:_________________________________
VeriSign Private Label Agreement
EXHIBIT "K"
SERVICE LEVEL SPECIFICATION
CHIP CARD PAYMENT SERVICE
(CCPS) & STORED VALUE
CARD (SVC) CERTIFICATION
AUTHORITY
Chip Card Certification
AUTHORITY (CCCA)
SERVICE LEVEL AGREEMENT
VISA INTERNATIONAL / VERISIGN
Version 1.1
OCTOBER 1996
TABLE OF CONTENTS
OVERVIEW
CCCA SYSTEM DESCRIPTION
SCOPE
WITHIN SCOPE
OUTSIDE OF SCOPE
DEFINITION
CCCA SERVICE LEVELS
SERVICE AVAILABILITY
Definition
Measurement
Minimum Service Level Requirement
RESPONSE TIME
Definition
Measurement
Minimum Service Level Requirement
DATA MANAGEMENT
Definition
Measurement
Minimum Service Level Requirement
SYSTEM MONITORING AND OUTAGE REPORTING
Definition
Measurement
Minimum Service Level Requirement
SCHEDULED DOWN TIME
Definition
Measurement
Minimum Service Level Requirement
BACKUP
Definition
Measurement
Minimum Service Level Requirement
KEY COMPROMISE
CONTINGENCY OPERATIONS / RECOVERY
Definition
Measurement
Minimum Service Level Requirement
REPORTING
PENALTIES
VERISIGN CCCA CUSTOMER SUPPORT SERVICE LEVELS
AVAILABILITY
RESPONSE TIME
CUSTOMER SUPPORT CALLBACK TIMEFRAMES AND DEFINITIONS
OVERVIEW
This Service Level Agreement (SLA) between Visa International (Visa) and
VeriSign, Inc. (VeriSign) details the terms for the supply of services by
VeriSign to Visa for the operation of the Visa Chip Card Certification Service
(CCCA). It specifically addresses the service levels that will be in effect for
the pilot phases of the CCPS and SVC Diamond projects. Additional service levels
may be implemented after the commencement of either of these two pilots.
This SLA is comprised of two components. The first addresses service levels for
CCCA. The second addresses service levels for VeriSign CCCA customer support.
CCCA SYSTEM DESCRIPTION
A logical depiction of the CCCA system is presented below:
[DRAWING OF TWO RECTANGLES LABELED "ISSUER" AND "VISA"
WITH CONNECTING HORIZONTAL BARS]
SCOPE
VeriSign will be developing and operating a Certificate Authority on behalf of
Visa.
WITHIN SCOPE
The following components of CCCA are addressed within the scope of this service
level agreement:
Brand Certificate Authority (Brand CA)
Acceptance of Issuer Public Key from Visa
Generation of Issuer Public Key Certificates
Reconveyance of Issuer Public Key Certificate to Visa
OUTSIDE OF SCOPE
The following components of CCCA are not addressed within the scope of this
service level agreement:
Visa system infrastructure
Deployment of Visa Scheme Public Keys
Issuer to Visa key management processes
Establishment of trust between Issuers and Visa
Conveying of Issuer Public Key Certificate to Issuer
DEFINITION
Brand Certificate Authority
The Brand CA issues EMV compliant Issuer Public Key Certificates to Brand
members (i.e., Issuers) that wish to use the Visa Chip Card Payment Systems
(CCPS) and/or Stored Value Card (SVC) products.
For CCPS the Brand CA generates Issuer Public Key Certificates to enable
Issuers to utilize Static Data Authentication for their customer needs.
For SVC the Brand CA generates Issuer Public Key Certificates to enable
Issuers to utilize Dynamic Data Authentication for their customer needs.
CCCA SERVICE LEVELS
For the purpose of this SLA, CCCA is considered to have one major operational
component:
1. Certification Processing Service
This is the ability to process the certificate transaction (i.e.,
certificate request, certificate generation, certificate response) and
return an appropriate signed response to the requester.
SERVICE AVAILABILITY
Definition
Initially, for the pilot phases of the projects covered by this SLA, the
Brand Certificate Authority (Brand CA) operations require manual
procedures. These are performed off-line and need the presence of
authorized Visa and VeriSign personnel. To maintain multiple controls over
the use of the Visa Brand Private Keys, three (3) of five (5) key
custodians must be present to enable the generation of any Issuer Public
Key Certificate. At least one designated key custodian must be present from
Visa and at least one designated key custodian must be present from
VeriSign to perform this service, i.e., the three key custodians must not
all be representatives from one organization. The designation of the key
custodians from each organization is not a part of this SLA, but all key
custodians must be approved by Visa.
The Brand certificate authority must be available during the normal hours
of operation, as well as after hours by prior arrangement.
Normal hours of operation for the Brand CA are 0800 - 1700 PT, 5 days a
week, 52 weeks a year. Visa will normally provide VeriSign with one working
day advance notice of any required Brand CA operation.
In the event of extreme conditions, such as disaster recovery or key
compromise, Visa may require Brand CA operations outside of the normal
operating periods. Under such circumstances, Visa shall provide VeriSign
with a two (2) day advance notice of the required Brand CA operations.
Measurement
The measurement for service availability is the amount of time that the CA
is capable of receiving, processing and responding to incoming certificate
transactions from the requesting entity (i.e., the Issuer through Visa).
Nonavailability is the amount of time that the CA is not capable of
receiving, processing and responding to incoming certificate transactions
from the requesting entity.
Minimum Service Level Requirement
The Brand CA must be available to process 99% of the certificate requests
and perform necessary administrative functions.
RESPONSE TIME
Definition
There are two components of response time for the Brand CA.
1. The amount of time that it takes VeriSign to respond to a Visa request
for Brand CA operations.
VeriSign must respond to a Visa request for Brand CA operations within
one working day during normal operating hours. Under extreme
conditions, VeriSign must respond to a Visa request for Brand CA
operations within one (1) hour during normal operating hours.
2. The amount of time that the actual Brand CA operation requires. All
Brand CA operations must be processed and validated within 8 hours of
the start of the operation. If the validation process is extended by
factors out of VeriSign's control, VeriSign will not be penalized.
Measurement
The measurement for response to requests for Brand CA operations is based
upon the time elapsed from when Visa contacts VeriSign to inform them of
the intent to perform a Brand CA operation until VeriSign confirms their
availability to perform a Brand CA operation.
The measurement for performing Brand CA operations is based upon the time
elapsed from when Visa staff arrives at VeriSign to begin the operation
until the operation is completed and verified.
Minimum Service Level Requirement
For the Brand CA, 99% of the requests for Brand CA operations must be
responded to within the required time and 99% of the Brand CA operations
must be performed within the required time.
DATA MANAGEMENT
Definition
CCCA data, which includes system logs, transaction history, certificate
registration data and certificates, must be available to support various
legal, billing and customer service requirements. The archive retention and
retrieval requirements for the CCCA data will vary by data type as
described below:
Registration data and certificates
This data will be kept available for immediate review for 90 days
prior to being archived. Archived data will be maintained for the
length of the one year pilot and must be retrievable within 24 hours
of request. At the end of the pilot project, all archived data will be
returned to VISA.
System logs and transaction history
This data will be kept available for immediate review for 90 days
prior to being archived. Archived data will be maintained for the
length of the one year pilot and must be retrievable within 24 hours
of request. At the end of the pilot project, all archived data will be
returned to VISA.
Measurement
The measurement for data management is based upon the data being available,
within the periods specified above.
Minimum Service Level Requirement
The data management requirements must be met 99% of the time.
SYSTEM MONITORING AND OUTAGE REPORTING
Definition
Monitoring
The key storage units for all of the CAs must be checked for tampering on a
daily basis. The applications and/or systems for the Certification
Processing Service must be monitored continually and a status check taken
every 24 hours.
Outage Reporting
All CCCA hardware and/or software faults shall be logged, tracked and
reported using a suitable computer-based system and provided to Visa within
two (2) hours of occurrence.
All CCCA system hardware, network, and software failures, their impact on
CCCA operations and any actions taken to correct the problem, including an
event log shall be reported to Visa on a monthly basis. In addition, Visa
shall be notified within one hour of any major failure that affects the
normal operation of CCCA.
Measurement
The status checks must be recorded on a status log and signed by the
VeriSign system operator. This status log must be available for review by
Visa at any time.
Problem / event logs and system logs will record outages and causes (if
known). These also must be made available to Visa for review at any time.
Minimum Service Level Requirement
Compliance with the monitoring, logging and reporting requirements must be
99%.
SCHEDULED DOWN TIME
Definition
There will be a scheduled down time period weekly to perform maintenance,
backup and upgrade functions for the CAs. This period will not exceed 12
hours and will be at the same time each week as agreed to by Visa and
VeriSign. If a longer down time window is needed, it must be agreed to in
advance by Visa and VeriSign.
Measurement
The measurement for scheduled down time for any CA is based on the time
elapsed from when the CA is not capable of performing operations until it
becomes available for performing operations. Daily system logs will
indicate scheduled system down time and can be used to track outages.
Minimum Service Level Requirement
99% of the down times must be within the required period.
BACKUP
Definition
At a minimum, all data related to the Brand CAs, including application
files and databases, system tables, log files, etc., will be backed up on a
scheduled, daily basis. In addition, the Brand CA application and all
system components will be backed up on a monthly basis. All backups must be
done non-disruptively without adversely impacting normal CCCA operations.
The backup files must be stored in a secure off-site facility as agreed
upon by VeriSign and Visa.
Measurement
Daily system logs will indicate time and location of backup files, backup
media identification and any other relevant information needed for recovery
of backup files.
Minimum Service Level Requirement
The backup requirements must be met 99% of the time.
KEY COMPROMISE
The management of key compromise, CRL processing, replacement of Visa
Scheme keys and the re-generation of Issuer Public Key Certificates will
not be a provided service for the pilot phases of CCCA.
CONTINGENCY OPERATIONS/RECOVERY
Definition
If any single component of the Brand CA fails, the component shall be
recovered to the point of failure within five (5) calendar days.
In the event of a total Brand CA failure, a complete recovery must occur
within five (5) calendar days and normal operations should begin with
recovery to the point of failure for all systems and files. In the interim
period before normal operations have begun, Access to Service must be
available to receive certificate transactions, queue the transactions for
future processing and provide an appropriate signed response to the
requesting entity.
Measurement
The measurement for recovery of a CCCA system component or a total system
outage will be the length of time between the point that the outage occurs and
the point that a full recovery to normal operations has been completed.
The ability to satisfy the recovery and/or contingency operations
requirements will be demonstrated through periodic scheduled tests.
Minimum Service Level Requirement
The recovery and contingency operations requirements must be met 99% of the
time.
REPORTING
VeriSign shall provide Visa with reporting on a scheduled basis. This will
include both service level and activity reporting and may be either on hard
copy or electronic (i.e., report or data files) form as agreed to by Visa
and VeriSign.
PENALTIES
All service levels are calculated, and penalties assessed, on a monthly
basis.
VERISIGN CCCA CUSTOMER SUPPORT SERVICE LEVELS
VeriSign will provide support to Visa as described in the customer support
requirements section of the contract. The VeriSign interface for customer
support will be limited to designated individuals within Visa.
AVAILABILITY
VeriSign Customer Service must be available to accept and respond to
problem calls from Visa 0800 - 1700 PT, 5 days a week, 52 weeks a year,
(i.e., a standard financial industry schedule).
RESPONSE TIME
Normal Hours of Operation
Between 0800 and 1700 PT, a human VeriSign Customer Support representative
should respond immediately (i.e., answer the telephone within a queue time
of 120 seconds).
CUSTOMER SUPPORT CALLBACK TIMEFRAMES AND DEFINITIONS
VeriSign Customer Support will, at a minimum, initiate a return telephone
call to Visa to establish if the problem has been corrected based on the
following call reporting criteria:
Problem Severity    Definition                            Callback Frequency
---------------------------------------------------------------------------
1                   Entire population of a CA impacted    60 minutes
---------------------------------------------------------------------------
In every case, if the problem has not been corrected within the callback
frequency, VeriSign Customer Support will monitor the problem to determine
if any corrective work has begun. If it has, then VeriSign Customer Support
will continue to monitor the situation and provide status to Visa until the
problem is resolved to the satisfaction of Visa. If no corrective work has
begun, VeriSign Customer Support will escalate the problem to the next
support level.
VeriSign Private Label Agreement
EXHIBIT "L"
SUPPORT LEVELS
1. SECOND-LEVEL SUPPORT FOR MEMBERS
VeriSign will provide second level telephone support for any problem
concerning a Certificate issued to a Member during the times set forth in
Section 2 below. In the event that a Member problem is not resolved by the first
level good-faith efforts of VISA Member Support, VeriSign will provide second
level telephone support for a reasonable volume of calls from VISA Member
Support. Upon VISA Member Support's providing VeriSign with a clear description
of the unresolved problem, VeriSign will verify the problem's existence and
determine the conditions under which the problem may recur. After such
verification and determination, VeriSign will, at its option,
1.1 use its best efforts to provide an immediate fix for the
problem;
1.2 use its best efforts to provide a temporary solution of or
workaround to the problem;
1.3 provide a statement that the problem will be corrected in a
future release;
1.4 provide a statement that more information about the problem is
required (however, after sufficient information, in VeriSign's opinion, is
provided to VeriSign, VeriSign will provide to Customer one of the other four
support alternatives contained in this Section 1); or
1.5 provide a statement that the Private Label Certificate System
operates as described in VeriSign's then current user documentation or that the
problem arises when such Private Label Certificate System is used other than in
a manner for which it was designed.
In the case of such second-level support, VeriSign will not contact a
Member directly for more information about the problem unless VISA Member
Support so requests.
The following chart summarizes telephone support provided in this Section:
==========================================================================================
Type of Certificate   Entity Supported   First Level           Second Level   Third Level
------------------------------------------------------------------------------------------
VISA Chipcard CA      Issuers,           VISA Member Support   VeriSign       N/A
==========================================================================================
2. TIMES TELEPHONE SUPPORT IS PROVIDED
VeriSign will accept and log all second level support requests received
from Customer on a twenty-four (24) hour per day, seven (7) day per week basis,
including national holidays. VeriSign will provide regular telephone support for
both second level on Monday through Friday 8:00 a.m. to 5:00 p.m., local time,
and will provide critical corrective support after hours (outside the hours of
8:00 a.m. to 5:00 p.m., local time) and on national holidays. A problem is
considered critical when the Private Label Certificate System will not operate
or the Customer cannot perform its business function due to a Private Label
Certificate System problem.
3. CUSTOMER RESPONSIBILITIES FOR TELEPHONE SUPPORT
Customer will (i) identify, document and report to VeriSign each problem
with the Private Label Certificate System necessitating telephone support, (ii)
supply VeriSign with all documentation and assistance necessary to demonstrate
and allow VeriSign to diagnose the problem, and (iii) install each solution to
such problem
provided by VeriSign. If Customer requests corrective changes to
the Private Label Certificate System and VeriSign determines that the reported
malfunction is not related to the Private Label Certificate System, VeriSign may
charge Customer for its diagnostic services on a time and materials basis.
Customer will assure the proper use, management and supervision of any
application programs, audit controls, operating methods and office procedures
necessary for the intended use of the Private Label Certificate System.
Customer will provide the first-level support to Members through VISA
Member Support as provided in Section 1 above.