The Tourism Investment Portal of Tourism
Development Fund

Introduction/ overview of the Tourism Investment
Portal of the Tourism Development Fund
     
The Tourism Investment Portal Program of the
Tourism Development Fund was launched in 2022,
with a vision to support achieving the objectives of the
National Tourism Strategy through enabling and
incentivizing the tourism sector in the Kingdom to
support its sustainable growth. This Portal also aims
to enhance the speed of performance between the
Beneficiaries and TDF to respond effectively to the
economic needs by facilitating the procedures for
private sector Beneficiaries to obtain financing
solutions enabling the economic transformation in the
tourism sector in the Kingdom of Saudi Arabia.

 2022     


       
     
    
      

Terms, conditions, warranties and representation
relating to the Tourism Investment Portal of Tourism
Development Fund (hereinafter referred to as the
“Terms and Conditions”):
     


1. The Beneficiary acknowledges and agrees that
his use of this Portal represents his explicit
consent and acceptance of all these Terms and
Conditions and TDF’s use and privacy policy.

2. Unless the context otherwise requires, the terms
defined below shall have the following meanings:
TDF: means the Tourism Development Fund
established by Royal Decree No. A/30 dated
26/1/1441H, and operates in accordance with its
approved law pursuant to Council of Ministers
Resolution No. (665) dated 10/24/1441H and
approved by Royal Decree No. (M/147) dated
26/10/1441H.
   


    

Beneficiary: means the entity/establishment using
the Portal or that will be the ultimate beneficiary of the
financing Products Application.


Applicant: means the natural person authorized to
represent the Beneficiary in the submission of the
Application.
   

Service Provider: means any company,
institution, or governmental or private entity
contracted by TDF for the purpose of providing
services.



Eligibility Stage: means the assessment stage of
the documents provided by the Beneficiary
through the Portal.
   

SIMAH: means the Saudi Credit Bureau.

Bayan: means Bayan Credit Bureau.

Electronic Signature and Authentication:
means the electronic or digital signature or
authentication conducted through the Service
Provider (Baud Telecom Company - emdha), or
any other service provider licensed by the
Communications and Information Technology
Commission or the National Center for Digital
Certification appointed by TDF.
  
     
 
  

      

Products: means the financing products offered by
TDF to the Beneficiary.


Portal: means the Tourism Investment Portal of
Tourism Development Fund.


Website: means the Tourism Development Fund’s
website.
    

Application: means the registration and financing
application submitted by the Applicant on behalf
of Beneficiaries to TDF through the Portal for the
purpose of obtaining the Products.



3. TDF may, at any time, make any updates by
adding, amending, or canceling any of these
Terms and Conditions without prior notice.
Accordingly, the Beneficiary undertakes and
agrees to review these Terms and Conditions
periodically to keep updated with respect to any
changes that may occur. The Beneficiary
acknowledges and accepts that any updates to
these Terms and Conditions shall be deemed
approved from the date of publication on the
Portal.




4. The Beneficiary acknowledges and agrees that
the use of this Portal does not create any
contractual or legal relationship between TDF
and the Beneficiary and does not create any
obligation or responsibility on TDF. The
Beneficiary further acknowledges and agrees that
TDF will not be responsible towards the
Beneficiary for any delay or non-response,
including, for example but not limited to, with
regard to the response, answer and notifying of
the Application status as a result of any reason,
and TDF, at its absolute discretion, has the right
to stop, reject or cancel the Application at any
time and for any reason and without providing the
Beneficiary with the reasons. TDF will not be
responsible or liable for any material or moral
damages or losses that result or may result from
such non-response, rejection or cancelation.






5. The Beneficiary acknowledges and agrees that
the use of this Portal will be under his own
responsibility, and the Beneficiary releases TDF
from responsibility for any losses, costs or
expenses incurred or that the Beneficiary or his
representative may incur as a result of submitting
the Application or using the Portal.

      

6. The Beneficiary agrees to indemnify, protect and
compensate TDF for any complaints, claims,
damages, or material or moral losses that result or
may result from his submission of the
Application or any of the information, data or
documents submitted by him or his use of the
Portal or TDF’s use of the information, data or
documents submitted by the Beneficiary.


     

7. The Beneficiary acknowledges and agrees that
the submission of the Application on the Portal
does not mean in any way TDF’s approval of the
Beneficiary's Application to provide any
Products to it, and that such submission is for the
purpose of enabling TDF to conduct an initial
review and evaluation of the Application without
such constituting any obligation on TDF to accept
or respond to the Application.





8. The Beneficiary acknowledges and agrees that
passing the Eligibility Stage or any financing
procedures/stages, and any messages,
notifications or approvals sent from TDF to the
Beneficiary does not mean in any way TDF’s
acceptance of the Beneficiary's Application to
provide any Products to it and does not create any
contractual or legal relationship between TDF
and the Beneficiary and does not create any
obligation or responsibility on TDF. If TDF
accepts to provide any Products to the
Beneficiary, financing agreements and contracts
will be signed between TDF and the Beneficiary.

9. TDF has the right to assign or transfer its rights
and obligations under these Terms and
Conditions to any other party.

10. The Beneficiary may not assign or transfer any of
its rights or obligations under these Terms and
Conditions to any other party.

11. The Beneficiary is obligated not to disclose any
of the contents of this Portal, or any other
information obtained from TDF to any other
parties.


12. The Beneficiary acknowledges and understands
that if TDF accepts to provide any Products to the
Beneficiary, further agreements and contracts
will be signed between the Beneficiary and TDF
as determined by TDF’s internal procedures, and
such agreements and contracts, once signed, will
be effective and enforceable.

     


13. The Beneficiary acknowledges and confirms that
all the details, information and data provided in
the Application are true, accurate and up-to-date,
and that TDF has the right to exclude any
Application at any stage if it is proven that the
Beneficiary has provided inaccurate, incorrect or
misleading information, details and data or for
any reason whatsoever, and the Beneficiary shall
indemnify, protect and compensate TDF for any
complaints, claims, damages, or material or
moral losses that result or may result from any
false, inaccurate, outdated or misleading
information provided by the Beneficiary.




     


 
14. The Applicant acknowledges and confirms that
all necessary authorizations, approvals, permits
and documents have been obtained from all
relevant authorities that authorize him/her to
represent the Beneficiary, including, but not
limited to, authorization forms, board of directors
or board of managers resolutions and
shareholders resolutions in the forms approved
by TDF, and TDF will not be responsible for
verifying the validity and accuracy of such
submitted authorizations, permits, approvals and
documents from the Applicant on behalf of the
Beneficiary.

15. The Applicant acknowledges that all details,
information and data provided in the Application
are true, accurate and up-to-date, and
acknowledges that full details of all shareholders,
ultimate beneficiaries, stakeholders of any entity
in the Beneficiary structure and all individuals
authorized to sign on behalf of the Beneficiary
have been disclosed.





16. The Beneficiary represents and warrants to TDF
that:
a) it is lawfully organized and established with a
valid legal status in relation to all relevant parties;
      

b) it has all the licenses, approvals and permits
required by law, and they are all valid and
effective, and there are no restrictions on any of
them;
    


c) all information, documents, and declarations that
are provided to TDF are true, accurate, correct
and complete as of the date of its submission;
    


d) there are no restrictions on the Beneficiary that
prevent it from dealing with any government
entity, and that it is not subject to legal, economic,
financial, commercial or any other penalties
imposed by any government entity in the
Kingdom of Saudi Arabia or in any other country,
and that it is not present or existing, established
or organized in any country or region that is under
economic, financial or commercial sanctions or
embargo; and







e) it is not bankrupt, insolvent, or otherwise
experiencing financial difficulties.
        

17. The Beneficiary represents and warrants to TDF
that the following will be disclosed in the
Application:
a) any existing loans or financings provided to
the Beneficiary, or to which the Beneficiary
intends to apply with any other party,
including, but not limited to, any financing
entities, commercial banks, government
funds, or other government development
banks;
      




b) any changes in the ownership of the
Beneficiary, including but not limited to, any
mergers, acquisitions or any changes to the
ownership of the Beneficiary during the past
five years;




c) any sanctions that the Beneficiary is subject
to or is in any way associated with any
person or organization under investigation in
the Kingdom of Saudi Arabia or
international anti-money laundering law;


  
      

d) any sanctions that the Beneficiary is subject
to or is associated in any way with any
person or organization that is subject to
Saudi or international sanctions;


      

e) any case in which the Beneficiary is subject
to or associated in any way with any person
or organization subject to a criminal
investigation, whether in the Kingdom of
Saudi Arabia or abroad; and



   


f) any relationship between the Beneficiary or
any of its employees, representatives,
members of its management, owners or
senior management (or one of their relatives
to the fourth degree) with any of TDF’s
employees or board members.


   

18. The Beneficiary acknowledges by submitting the
Application and warrants to TDF that it has not
and will not defraud TDF by targeting any of its
employees or board members in any way,
including, but not limited to, defrauding to obtain
facilities of any kind, performing work, or
exempting it from any of the requirements, and
TDF shall have the right to immediately exclude
the Beneficiary’s Application and take the
necessary legal procedures in the event that it is
proven that the Beneficiary has committed or
intends to commit any form of fraud.

19. The Beneficiary acknowledges by submitting the
Application and warrants to TDF that it is the
ultimate Beneficiary of the Application and the
Products (if the Application is accepted).

20. The Beneficiary acknowledges and agrees that
TDF or any third party that TDF authorizes is
granted the right to publish and use any non-
confidential information or data relating to the
Beneficiary, including but not limited to, the
names of the Beneficiaries, trademarks, and
websites in any media, including but not limited
to, the Website, social media, telephone,
television, radio, etc., for marketing purposes,
photographing advertising campaigns, or any
promotional purposes, whether during or after
TDF’s offering of Products and irrespective of
the Application’s status.


 
    

     
  
     



21. The Beneficiary is obligated to notify TDF in
writing and within 60 days maximum, from the
date of its occurrence, of any change in its
submitted information, including, but not limited
to, any change in the legal structure, or financial
data and information, or credit status, legal or tax
status of the Beneficiary or its net worth.






22. In the event TDF is not notified in writing of any
changes to the information provided by the
Beneficiary within the abovementioned period,
TDF, at its absolute discretion, has the right to
exclude the Beneficiary’s Application or stop
providing Products and terminate the financing
agreements (in case the Application is approved)
and this shall not result in TDF incurring any
obligations or liability of any kind and without
prejudice to TDF’s rights under the financing
agreements.
  
     
     

     



23. The Beneficiary acknowledges that TDF has the
right to request the Beneficiary to provide
additional information and documents relating to
the Beneficiary, its branches, subsidiaries,
managers, employees, representatives and agents,
or with regard to its financial and credit status, or
any other information and documents, whether
prior to the start of assessing the Application, during
any stage of the Application assessment, or as
part of the periodic data update, and TDF will
have the right to cancel and exclude the
Beneficiary’s Application or stop providing
Products and terminate the financing agreements
in the event that such additional information and
documents are not provided and without
prejudice to TDF’s rights under the financing
agreements.


24. The Beneficiary acknowledges that TDF has the
right to request a periodic update of the
information and documents relating to the
Beneficiary, its branches, subsidiaries, managers,
employees, representatives and agents, or
regarding its financial and credit status, or any
other information or documents, and TDF will
have the right to cease providing the Products and
terminate the financing agreements (in case the
application is approved) in the event that such
periodic information and documents are not
provided and without prejudice to TDF’s rights
under the financing agreements.



 


       

25. The Beneficiary acknowledges and agrees that
TDF has the right at any time to obtain any
additional information and details related to the
Beneficiary from third parties, including, but not
limited to, the Saudi Central Bank (SAMA),
SIMAH, Bayan, banks and government entities,
and this acknowledgment is considered a full
authorization from the Beneficiary to TDF
without the need to obtain any consents from the
Beneficiary, and the Beneficiary is obligated to
provide TDF or any third parties appointed by
TDF with all such required information and
details.
      


     
     
      
     
       

26. TDF may collect any of the data, information or
documents provided by the Beneficiary to TDF,
and the Beneficiary agrees that TDF has the right
to store, process and use it for internal use
purposes, which include, but are not limited to,
marketing, research, risk analysis or other
purposes TDF determines at its absolute
discretion.
   
   
   
      


27. The Beneficiary acknowledges that it owns, or
has the license to use and share, all the
documents, information and data it has provided
and all the intellectual property rights associated
with them, and the Beneficiary warrants that its
provision to TDF and use by TDF for any purpose
whatsoever will not result in any violation or
infringement of any intellectual property rights of
any third party, and that the Beneficiary shall
indemnify and compensate TDF for any material
or moral damages or losses that result or may
result from any violation, infringement or dispute
with respect to all documents, information and
data provided by it and all intellectual property
rights associated therewith.
     



       
    



28. The Beneficiary agrees that any intellectual
property rights arising from the Application will
be the sole ownership of TDF, and TDF may
register it as intellectual property under its name
with the Saudi Authority for Intellectual
Property, or any other competent authority.

    

29. The Beneficiary acknowledges and agrees that
TDF has the right to share the Application with
any other party that TDF deals with for the
purpose of providing any Products by that party
instead of TDF, and this assignment will be
subject to TDF's evaluation of the Application
and its sole discretion.



30. The Beneficiary acknowledges and understands
that the Portal will be the primary means between
it and TDF for the purpose of submitting the
Application and all required documents and
information. The Beneficiary is obligated to use
its Portal’s account with caution while
maintaining the highest levels of confidentiality
and should not share it with any other external
parties.
      


      

31. The responsible point of contact information
including the e-mail address, mobile number and
phone number as shown in the Application form
will be final for the purposes of sending any
communications or any correspondence relating
to the Application from TDF to the Beneficiary,
and the communication or correspondence will be
considered received by the Beneficiary once it is
sent to the mentioned e-mail or through the
messaging feature approved in the Portal. The
Beneficiary acknowledges that all these Terms
and Conditions will apply to any communications
or any correspondence between the Beneficiary
and TDF.
      

32. Any communications or correspondence from the
Beneficiary to TDF shall not be effective unless
it is sent through the messaging feature approved
in the Portal or to the following e-mail address:
contact@tdf.gov.sa, provided that such
communication or correspondence shall only be
considered received by TDF upon the Beneficiary
receiving from TDF a confirmation of receipt.

33. In the event of any change in the contact details
of the responsible point of contact, the
Beneficiary must notify TDF in writing of this
change immediately through the Portal, and any
changes in these details will not be approved
unless made through the approved procedures for
making changes on the Portal and receiving
TDF’s confirmation approving those changes.
    





34. TDF may communicate with the Beneficiary via
the Portal, phone, internet or mobile in order to
request any information or raise any inquiries,
and the Beneficiary acknowledges and agrees that
TDF has the right to record all communications
through these various means for the purposes of
record keeping, training and security.




35. TDF will not be liable under any circumstances
for any direct, indirect, special or incidental
damages that may result from the Portal or its use,
including but not limited to, any cybersecurity
attacks, failure of performance, error, omission,
interruption, failure, delay in operation or
broadcasting or due to computer viruses or failure
of lines or systems without any regard to
informing TDF or its representative in any way
about the possibility of such damages, losses or
expenses.
       

      

   

       


36. TDF shall not be liable to the Beneficiary for any
delay or non-response in relation to the
Beneficiary's request as a result of any cause
including, but not limited to, governmental
action, war, fire, flood, natural disaster or riots. In
such cases, TDF will resume assessing the
Application as soon as possible after the end of
the force majeure event.


37. This Portal may contain links to other websites
and portals. Therefore, the Beneficiary is
responsible for reviewing the terms and
conditions of those websites and portals, and TDF
will not be responsible for any of their contents.

38. Any appendixes attached to these Terms and
Conditions shall be considered an integral part
thereof and shall be read and interpreted in
accordance with such Terms and Conditions.
These Terms and Conditions and appendixes
shall be governed by and interpreted in
accordance with the applicable laws and
regulations of the Kingdom of Saudi Arabia.

39. These Terms and Conditions have been drafted in
both Arabic and English. In case of any
discrepancies between the two languages or the
interpretation of either of them, the Arabic text
shall prevail.

40. In the event of any dispute arising in connection
with any matter relating to the Portal, the
competent judicial authorities of the city of
Riyadh shall have the jurisdiction to settle such
dispute.

TDF Agreement with SIMAH

In reference to the membership agreement entered
into between TDF and SIMAH, the Beneficiary
acknowledges and agrees that:
      

1. TDF has the right to share, exchange and provide
SIMAH with all the Beneficiary's credit data and
information, including preliminary information;

2. SIMAH has the right to store, record and protect
this data and credit information of the Beneficiary
and exchange it with all other existing or potential
members; and

3. provide any information required by TDF to
open, audit, or manage the Account or the
Products. The Beneficiary also authorizes TDF to
obtain and collect from SIMAH any information
or data, which include, but are not limited to, the
information and data of the Beneficiary, the
Account, or the Products. The Beneficiary
undertakes to disclose any and all information and
data to SIMAH or any entity approved by the
Saudi Central Bank (SAMA).

TDF Agreement with Bayan

In reference to the membership agreement entered
into between TDF and Bayan, the Beneficiary and
acknowledge and agree that:


1. TDF has the right to share, exchange and provide
a statement of all the data and credit information
of the Beneficiary and update Bayan regarding
credit information immediately upon any positive
or negative changes thereto;

2. Bayan has the right to collect, use, photograph,
describe, copy, edit, modify, transfer, compare,
reserve and process this credit information
provided by TDF, which will be in the permanent
possession of Bayan, and it will collect, preserve
and exchange it with members or other
companies; and

3. provide TDF and Bayan any information
required, in preparation for obtaining any of the
services and products issued by Bayan, and/or
entering into any of its programs, and/or using
any of the relevant services provided by Bayan
including our consent on the establishment of the
credit record. The Beneficiary also authorizes
TDF and Bayan jointly and/or severally to collect
and keep all necessary data pertaining to the
Beneficiary (or the Beneficiary’s owner or
shareholders), and to view the Beneficiary’s
financial and credit data/information. The
Beneficiary also acknowledges and confirms its
approval on allowing Bayan to exchange and
distribute the Beneficiary’s information by and
between all relevant parties, including current
and potential Bayan members, under special
agreements to be signed with them to regulate the
exchange of information.

.
13
Signature and Electronic Authentication Service
Provider Agreement

Referring to the agreement of the Signing Interface
Provider (SIP) Reliable KYC Agency (RKA)
Agreement entered into between TDF and the
Service Provider (Baud Telecom Company - emdha),
the Beneficiary:




1. unconditionally and irrevocably agrees to
authorize the trust service for digital signature
provided by the Service Provider as follows:

1.1. accept the electronic signature service as a
reliable system.

1.2. execute digital signature in hash(es) provided
by TDF using the private key issued on behalf
of the Beneficiary; and
      
     

1.3. time-stamp request from the issuer of the
time-stamp on behalf of the Beneficiary.
      

2. agrees that TDF will provide the Beneficiary ID
(Beneficiary Registry Number or National
Identity Number or Residence Number or
Beneficiary Profile Number CIF) to serve the
Trust Service;

3. unconditionally and irrevocably agrees to
authorize the Trust Service for digital signature
provided by the Service Provider as follows:

3.1. accept the electronic signature service as a
reliable system;

3.2. issue, manage and damage encrypted keys on
behalf of the Beneficiary;


3.3. request a certificate from ‘Emdha eSign CA’
on behalf of the Beneficiary using Beneficiary
information data provided by TDF as valid
and reliable identity information;

   


3.4. link the Beneficiary's identity to Beneficiary
information data provided by TDF with a
public key linked to the private key produced
on behalf of the Beneficiary; and
   
     

3.5. TDF to send the Beneficiary's ID number,
Beneficiary register number and/or national
ID/residence number and other details to the
Trust Service in accordance with the
requirements.


4. unconditionally and irrevocably accepts and
agrees to the provisions of the subscriber
electronic signature subscription agreement
attached in Appendix No. (1) below.

Appendix No. (1): eSign Subscriber Agreement
 
1. DEFINITION AND SCOPE
1.1 Emdha eSign CA
The term ‘emdha eSign CA’ refers to the CA entity
directly under the BTC LICENSED CA, owned and
operated by BTC, and is approved by National Center for
Digital Certification (NCDC) to be part of the Saudi
National Public Key Infrastructure (PKI). emdha eSign
CA is responsible for:

1.1.1 Generation, issuance and distribution of First party
or/and subscriber related trust service certificates and
supporting services certificates under the emdha eSign
CA;
     
     

1.1.2 Revocation or/and suspension of First party or/and
subscriber related trust service certificates and supporting
services certificates;
      

1.1.3 Periodic publication of revocation information in the
form of CRL;

1.1.4 Provide certificate revocation information as an OCSP
responder;
  
1.1.5 Renew or Re-key of Trust services and other
supporting services certificates;


1.1.6 Conduct regular certificate and internal security
audits;

1.1.7 Assist in audits conducted by or on behalf of NCDC
and/or Webtrust for CAs related audits; and
      

1.1.8 Performance of all aspects of the services, operations
and infrastructure related to emdha eSign CA.


1.2. Trust Services
Trust Services are electronic services that consume digital
certificates to provide capabilities for certificate-based
authentication, digital signatures, verification, validation
and/or preservation for electronic transactions. Trust
Services provide and/or enhance integrity, reliability and
trust in electronic transactions.
Below is a list of Trust services owned, managed and
provided by emdha to be used with the emdha eSign CA.


      

      




1.3 eSign trust Service or Online Signature Service
(eSign)
eSign Trust Service enables Signature Interface Providers
(SIP) to integrate their digital service platform with emdha
eSign CA and thereby facilitate remote online signature
facility for their applications, customers and end-users. It
is responsible for:
       

1. Requesting and/or receiving validated subscriber
Know Your Customer (KYC) information from a
Reliable KYC Agency (RKA);

2. Acting as a proxy for emdha eSign CA to
receive and process subscriber KYC
information;

3. Receiving and processing data-hash to securely
perform subscriber signatures remotely;

4. Deleting the subscriber private keys at the end
of every signature session;

5. Verifying and validating subscriber’s digital
signature request or/and related information
received from authorized SIP, RKA and alike;

6. Securely retaining the evidence(s) for subscriber
certificate issuance and digital signature
creation;

7. Digitally signing response(s) to SIPs; and
Complying with any additional steps either regulatory or
otherwise, deemed necessary to ensure or/and enhance the
security of the eSign Trust Service.

       

1.4 Time-Stamp Authority (TSA)
TSA service provides an RFC 3161 compliant digitally
signed timestamp token whose signer vouches for the
existence of the signed document, transaction or content at
a certain point in time by recording their digitally signed
fingerprint along with the date and time the transaction
occurred. This service asserts that the data and/or
associated secure hash existed at the specified time.
       

This service will be consumed by emdha’s own eSign
service for time-stamping transactions performed through
the eSign service.
Time-stamping of transactions also allows for the
transaction to be considered valid beyond the expiration of
the subscriber certificate.
 
        



The TSA shall use a reliable time source whose clock is
synchronized as per global best-practices. The TSA shall
ensure time synchronization is performed at least once
every 24 hours and ensure time drift is within 1 second of
UTC time.

     



For the purpose of this Subscriber agreement, emdha eSign
CA and TSA are considered to be a part of the eSign Trust
Service.


1.5 Signing Interface Provider (SIP)
SIP is an organization or an entity using the eSign
service(s) as part of their application to digitally sign the
content. Examples include Government Departments,
Banks and other public or private organizations. SIPs shall
be responsible for:

       



1. Complying with and completing the necessary
obligations stipulated by emdha eSign CA for on-
boarding before they can start using the eSign
Trust Service;

2. Securely communicating with eSign Trust Service
using prescribed procedures mandated by emdha
eSign CA;

3. Receiving, validating and compiling transaction
data/document(s) and ensuring that hash(es) are
created for accurate and complete data prior to
sending them to the eSign Trust Service;

4. Obtaining user-consent to permit eSign Trust
Service to perform digital signature remotely;

5. Verifying and ensuring the digitally signed
hash(es) received from eSign Trust Service
correspond to the respective data/document(s)
hash(es) sent earlier by the SIP;

6. Verifying and validating emdha eSign CA digital
signature(s) for every transaction received from
eSign Trust Service;

7. Verifying and validating subscriber signature
before relying on or processing the transaction;

SIP asserts that they use eSign Trust Services and
processes associated with each transaction in accordance
with the emdha eSign CA CP/CPS and this SIP/RKA
Agreement.

      

1.6 Reliable KYC Agency (RKA)
RKA is an organization, other than BTC/emdha, listed in
this document to act as a KYC (Know Your Customer)
provider for the purpose of Online Signature Service
(eSign Trust Service). RKA is responsible for:
 

     
     

1. Subscriber’s verification and authentication
before providing the subscriber KYC information
to emdha eSign CA. Such agency shall ensure the
verification steps of the signatory shall be the
same or higher than the verification steps
required by emdha eSign CA to verify for
issuance of Digital Signature Certificate;

2. Digitally signing subscriber KYC information
using the prescribed certificate type before
providing to the emdha eSign CA. It will be the
basis for creation of the subscriber certificate;

3. Obtaining user-consent and performing at least a
2-factor authentication for each digital
certificate/signature and key generation/request
before providing the digitally-signed KYC
information to emdha eSign CA or to eSign trust
service;

4. RKA asserts that they use eSign services and
processes associated with each transaction in
accordance with the emdha eSign CA CP/CPS
and the RKA Agreement.


Following are the entities eligible to be RKA’s under this
policy:
      


1. Any establishment operating under the
regulations of Saudi Central Bank (SAMA) in
Kingdom of Saudi Arabia.

2. Absher or National IAM agency of the Kingdom
of Saudi Arabia.

3. Ministry of Human Resources and Social
Development
4. Any governmental establishment/institution that
unconditionally relies only on Absher or
National IAM agency for providing reliable
KYC information of its end-user(s).

5. Any non-governmental
establishment/institution that unconditionally
relies only on Absher or National IAM agency
for providing reliable KYC information of its
end-user(s), and signs and submits a declaration
that the signed KYC information received from
Absher is shared with BTC with no
modifications.

SIP and RKA are allowed to be the same organization,
as long as both are authorized for each role.
       


1.7 Subscribers

Subscribers are individuals (end users/customers) or
entities (organizations) to whom certificates are issued and
are legally bound by a Subscriber Agreement or Terms of
use.

     

1.8 Relying Parties

A Relying Party is the entity that relies on the validity of
the binding of the CA’s or subscriber’s identity to a public
key. The Relying Party is responsible for checking the
validity of the certificate by examining the appropriate
certificate status information, using validation services
provided by the emdha eSign CA. A Relying Party’s right
to rely on a certificate issued under the emdha eSign CA
CP/CPS, requirements for reliance, and limitations
thereon, are governed by the terms of the emdha eSign CA
CP/CPS and the Relying Party Agreement, that are
available at www.emdha.sa.







Relying Parties shall use and rely on a certificate that
has been issued under the emdha eSign CA CP/CPS if:


1. The certificate has been used for the purpose for
which it has been issued, as described in the
emdha eSign CA CP/CPS, and applicable
Subscriber Agreement;

2. The Relying Party has verified the validity of the
digital certificate, using procedures described in
the Relying Party Agreement;

3. The Relying Party processes and understands
certificate extensions in accordance with RFC
5280;
4. The Relying Party has accepted and agreed to the
Relying Party Agreement at the time of relying
on the certificate; it shall be deemed to have done
so by relying on the certificate; and

5. The Relying Party accepts in totality, the
certificate policy applicable to the certificate,
which can be identified by reference of the
certificate policy OID mentioned in the
certificate.

1.9 Application Sponsor

Application Sponsor shall serve as the representative of an
Application or Organization or SIP in order to register the
application or organization or SIP and/or RKA with the
eSign service and/or emdha eSign CA. Application
Sponsor(s) shall be individual(s) authorized by the SIP
and/or RKA to represent, act and contract on behalf of the
SIP and/or RKA organization.



      


     


1.10 Know Your Customer (KYC)

KYC means the transfer of digitally-signed demographic
data such as Name, Address, Date Of Birth, Gender,
Mobile Number, Email Address, Photograph, Customer
Record Number, CRN, CIF, Citizens ID or Iqama ID, etc.
of an individual, collected and verified by RKA on
successful authentication of same individual.

      





1.11 BTC LICENSED CA

The term ‘BTC LICENSED CA’ refers to the CA entity
owned and operated by BTC which is approved by NCDC
to join Saudi National PKI, directly under the NCDC root
CA. ‘emdha eSign CA’ joins directly under the BTC
LICENSED CA.

      

       
      

2. Binding Agreement
Subscriber reads, agrees, represents and warrants to
comply with the terms of this Subscriber Agreement
(“Agreement”) before applying for a certificate or
associated signature(s) performed using certificates issued
by emdha eSign CA.




Subscriber acknowledges and authorizes eSign Trust
Service offered by BTC/emdha to centrally/remotely
generate cryptographic keys and associated certificate on
behalf of Subscriber, and may centrally/remotely perform
digital signature on behalf of subscriber in accordance with
the Subscriber Agreement and emdha eSign CA
Certificate Policy (CP)/ Certification Practices Statement
(CPS).






Subscriber agrees that participation in this transaction will
mean acceptance of this Agreement. Subscriber shall not
participate in this transaction if he/she/they do not
wish to accept and agree to this Agreement.



The terms and conditions set forth herein (the
“Agreement”) constitute a final and binding agreement
between the “Subscriber” and ‘BTC Licensed CA’ and/or
‘emdha eSign CA’ and/or eSign Trust Service with respect
to any services related to the issuance and/or use of digital
certificate issued on the subscriber’s behalf by ‘emdha
eSign CA’ and/or eSign Trust Service.


      

  


3. Subscriber’s Obligations
Subscriber is obligated to:

1. Attest to the truthfulness and accuracy of all
information provided in the Application;

2. Accept and agree, in totality, to the terms and
conditions of this Subscriber Agreement and the
emdha eSign CA Certificate Policy (CP)/
Certification Practices Statement (CPS);

3. Provide accurate and complete information at all
times to the RKA;
4. Review and verify provided information for
accuracy and completeness;

5. Secure authentication and consent mechanisms
for certificate requests and take reasonable and
necessary precautions to prevent loss, disclosure,
modifications, or unauthorized use of the private
key. This includes password, hardware token,
Mobile Phone for OTP, or other activation data
that is used to control access to the Subscriber’s
private key;
6. Subscriber is responsible to make all reasonable
efforts to prevent the compromise, loss,
disclosure, modification or otherwise
unauthorized use of Subscriber resources from
loss, theft, malware, virus, trojans, spyware,
rootkits, etc.
7. Use Subscriber Certificate only for its intended
use;
8. Notify the RKA and SIP in the event that any
information in the Certificate is, or becomes,
incorrect or inaccurate;



9. Notify the CA/SIP in the event of a key
compromise immediately whenever the
Subscriber has reason to believe that the
Subscriber’s private key has been accessed by
another individual, or compromised in any other
manner;




10. Use the Subscriber Certificate in a manner that
does not violate applicable laws in the Kingdom
of Saudi Arabia; and

11. Upon termination of Subscriber Agreement,
immediately notify the SIP to cease use of the
Subscriber Certificate.

12. Subscriber accepts ‘emdha eSign CA’ and ‘BTC
Licensed CA’ and ‘eSign Trust Service’ provided
by Baud Telecom Company (BTC)/emdha as
trustworthy systems;



13. Subscriber accepts, consents, agrees and
authorizes eSign Trust Service to
centrally/remotely generate cryptographic keys
on behalf of the user and use such keys to request
for associated certificates bound to the subscriber
identity and for requesting and generating
signatures on behalf of the Subscriber. Subscriber
agrees that any use of such Subscriber keys
and/or certificate to sign or otherwise approve the
contents of any electronic record or message is
attributable to Subscriber. Subscriber agrees to be
legally bound by the contents of any such
electronic record or message.



  
   
    




4. Warranty
‘BTC Licensed CA’ and/or ‘emdha eSign CA’ hereby
disclaims all warranties including warranty of
merchantability and/or fitness for a particular purpose other
than to the extent prohibited by law or otherwise expressly
provided in ‘BTC Licensed CA’ and/or ‘emdha eSign CA’
CP/CPS.

       

     

‘BTC Licensed CA’ and/or ‘emdha eSign CA’, through its
associate components, seeks to provide digital certification
services according to international standards and best
practices, using secure physical and electronic
installations.




‘BTC Licensed CA’ and/or ‘emdha eSign CA’ provides no
warranty, express, or implied, statutory, or otherwise and
disclaims any and all liability for the success or failure of
the deployment of the ‘BTC Licensed CA’ and/or ‘emdha
eSign CA’ or for the legal validity, acceptance or any other
type of recognition of its own certificates, any digital
signature backed by such certificates, and any
products/solutions/services provided by ‘BTC Licensed
CA’ and/or ‘emdha eSign CA’. ‘BTC Licensed CA’ and/or
‘emdha eSign CA’ further disclaims any warranty of
merchantability or fitness for a particular purpose of the
issued certificates, digital signatures and
products/solutions/services.
 


       


        


      
       


Services provided by eSign Trust Service to Subscribers
are provided on an “As is” and “As available” basis, and
eSign Trust Service expressly disclaims all other
warranties relating to any Subscriber Certificate or any
related services provided by eSign Trust Service
including, but not limited to any warranty of
non-infringement, merchantability, or fitness for a particular
purpose. eSign Trust Service does not warrant that their
certificates will be compatible or functional with any
software. Furthermore, you are hereby notified of the
possibility of compromise of a private key corresponding
to a public key contained in a Subscriber Certificate,
including theft, which may or may not be detected, and of
the possibility of use of a stolen or compromised key to
forge a digital signature to a document.



     





       
     


5. Indemnity and Limitation of Liability

This section applies to liability under contract (including
breach of warranty), tort (including negligence and/or
strict liability), and any other legal or equitable form of
claim.
       

      

‘eSign Trust Service’ and/or ‘BTC Licensed CA’ and/or
‘emdha eSign CA’ disclaims liability to the certificate
beneficiaries or Subscriber or relying parties or any other
third-parties for any loss suffered as a result of use or
reliance on certificates beyond those specified in ‘BTC
Licensed CA’ and/or ‘emdha eSign CA’ CP/CPS, when
such certificates have been issued and managed by ‘eSign
Trust Service’ and/or ‘BTC Licensed CA’ and/or ‘emdha
eSign CA’ in compliance with said CP/CPS. In any other
case:

       

        


1. ‘eSign Trust Service’ will not incur any liability to
Subscriber or relying parties or any person to the
extent that such liability results from their
negligence, fraud or willful misconduct;



2. eSign Trust Service assumes no liability
whatsoever in relation to the use of Certificates or
associated Public-Key/Private-Key pairs issued
for any use other than in accordance with ‘BTC
Licensed CA’ and/or ‘emdha eSign CA’ CP/CPS.
Subscriber shall immediately indemnify ‘eSign
Trust Service’ from and against any such liability
and costs and claims arising therefrom;

3. ‘eSign Trust Service’ will not be liable to any party
whosoever for any damages suffered whether
directly or indirectly as a result of an
uncontrollable disruption of its services;

4. End-Users/ Subscribers are liable for any form of
misrepresentation of information contained in the
certificate to relying parties even though the
information has been accepted by ‘eSign Trust
Service’;

5. Subscribers shall compensate a Relying Party which
incurs a loss as a result of the Subscriber’s breach of
the Subscriber Agreement;
6. Relying Parties shall bear the consequences of
their failure to perform the Relying Party
obligations;

7. RKAs shall bear the consequences of their failure
to perform the obligations described in the RKA
agreement;

8. ‘eSign Trust Service’ denies any financial or any
other kind of responsibility for damages or
impairments resulting from its eSign Trust
Service or CA operations;



9. Subscriber shall indemnify and hold emdha eSign
CA and eSign Trust Service harmless from and
against any and all damages (including legal
fees), losses, lawsuits, claims or actions arising
out of:

1) Use of Subscriber’s Certificate in a
manner not authorized by the CA/SIP or
otherwise inconsistent with the terms of
the Subscriber Agreement or the emdha
eSign CA and Certificate Policy (CP)/
Certificate Practices Statement (CPS)

2) A Subscriber Certificate being tampered
with by the Subscriber; or
3) Inaccuracies or misrepresentation
contained within the RKA records for the
subscriber.

A Subscriber shall indemnify and hold the emdha eSign
CA and eSign Trust Service harmless against any damages
and legal fees that arise out of lawsuits, claims or actions
by third parties who rely on or otherwise use Subscriber’s
Certificate, where such lawsuit, claim, or action relates to
a Subscriber’s breach of its obligations outlined in this
Subscriber Agreement or the emdha eSign CA CP/CPS, a
Subscriber’s failure to protect its authentication material
or devices, or claims pertaining to content or other
information or data supplied, or required to be supplied, by
Subscriber.
    
 
       

   
   
     

        
       

6. Use of Personal Information
Subscriber hereby authorizes eSign Trust Service and
emdha eSign CA to store all subscriber information
submitted by the Subscriber/SIP/RKA as part of the
Application, and to release that information, or some
portion of that information, to a Relying Party upon the
successful validation of Subscriber’s Certificate by that
Relying Party. eSign Trust Service or emdha eSign CA
shall not disclose information related to the Subscriber,
except under the terms and conditions set forth in the
emdha eSign CA CP/CPS, Privacy policy, and otherwise
as required by law. Each Relying Party is obligated to enter
into a Relying Party Agreement with eSign Trust Service
that limits the purposes for which a Relying Party may use
or disclose information obtained to those purposes that are
authorized by the emdha eSign CA CP/CPS, subject to the
conditions and limitations set forth therein. eSign Trust
Service and Relying Parties must endeavor to:
    
      
       

       
     
      



1. Ensure the confidentiality of personal data and
business records;
2. Prevent the sale or transfer of the personal data
and business records; and
3. Prevent the examination of or tampering with
personal data or business records other than for
the purpose of maintenance or security of the
relevant information processing system or data
integrity.


7. Term

This Subscriber Agreement is effective upon acceptance
of transaction by subscriber and will terminate on the
expiration date of the Subscriber Certificate(s) issued
under this Subscriber Agreement or the expiry of the
Time-Stamp Token applied to the signature transaction,
whichever is later.

     

  

8. Assignment

Subscriber shall not assign its rights or delegate its
obligations under this Subscriber Agreement to any third
party.
   

9. Termination

Subscriber shall not terminate the transaction with the
eSign Trust Service or emdha eSign CA. Requirement(s)
to terminate the transaction shall only be effected by
informing the SIP through which the transaction was
performed.




10. Entire Agreement

This Agreement with all documents referred to herein shall
constitute the entire agreement between the Subscriber and
'emdha eSign CA' with respect to the Subscriber's request,
use and acceptance of Subscriber keys and certificate. This
Agreement shall supersede any other existing agreements
between the Subscriber and 'emdha eSign CA', whether
oral or written, with respect to the subject matter hereof.

    

     


11. Amendment and Waiver

eSign Trust Service reserves the right to amend this
Agreement and the 'BTC Licensed CA' and/or 'emdha
eSign CA' CP/CPS at any time without prior notice. All
such amendments shall be made by posting the amended
CP/CPS or the amended Agreement to
https://www.emdha.sa. Any such amendment shall be
effective as of the date of posting to
https://www.emdha.sa.


A waiver of any provision of this Agreement must be in
writing, designated as such, and signed by the party against
whom enforcement of that waiver is sought. The waiver by
a party of a breach of any provision of this Agreement shall
not operate or be construed as a waiver of any subsequent
or other breach thereof.


        


12. Governing Law

This Subscriber Agreement shall be governed and
construed in accordance with the laws of Saudi Arabia.


13. Fiduciary relationship

'eSign Trust Service' and/or 'BTC Licensed CA' and/or
'emdha eSign CA' is/are not the agent, fiduciary, trustee,
or other representative of the Subscriber. Subscriber does
not have any authority to bind 'eSign Trust Service' and/or
'BTC Licensed CA' and/or 'emdha eSign CA' by contract
or otherwise, to any obligation. Subscriber shall make no
representations to the contrary, either expressly, implicitly,
by appearance, or otherwise.
        



      




14. Severability

Should any provision, or portion of any provision, of this
Agreement be invalid or unenforceable for any reason, the
validity or enforceability of the remaining provisions, or
of the other portions of the provision in question shall not
be affected thereby; provided, that such severance shall
have no material adverse effect on the terms of this
Agreement, and this Agreement shall be carried out as if
any such invalid or unenforceable provision or portion of
any provision were not contained herein.


        




15. Dispute Resolution

Any controversy or claim arising out of or relating to this
Agreement shall be dealt with in accordance with the 'BTC
PKI Complaint and Dispute Resolution Policy' and is
roughly outlined as follows:

      
      

15.1 Negotiation: BTC/emdha will use its best efforts to
resolve a complaint or dispute to the mutual satisfaction of
the related parties and the complainant;
     


15.2 If both parties have not reached a solution in the
agreed time frame, each party may give a written notice
for Independent Mediation to resolve the dispute;

        

15.3 If mediation is not successful, then the dispute will be
submitted to the competent courts of Riyadh, Saudi
Arabia.


15.4 For government entities, the Independent Mediation
is optional, and the dispute can be submitted to the
competent courts of Riyadh, Saudi Arabia, if negotiations
fail.
    
       

Subscriber agrees that any controversy, claim or dispute
resolution proceedings will be conducted only on an
individual basis and not in a class, consolidated, or
representative action.



16. Force Majeure

No party shall be liable for any failure to perform its
obligations in connection with any communication or
transaction, where such failure results from any act of God,
compliance with any law, regulation, order or legal process
to which such party is subject, or other cause beyond such
party's reasonable control (including, without limitation,
any mechanical, electronic or communications failure)
which prevents such Party from communicating under the
terms of this agreement.




       



17. Survival

The following provisions in this agreement shall survive
termination or expiration of this Agreement for any reason:
(Limitation of Liability), (Term), (Assignment),
(Termination), (Governing Law), (Fiduciary
Relationship), (Severability), (Dispute Resolution) and
(Survival).



       

18. Notices

All notices, questions, and requests shall be in English and
shall be sent by email transmission to policy@emdha.sa.
Notices to Relying Parties shall be made by posting the
notice on the Repository https://www.emdha.sa and shall
be deemed to be served upon the time of posting.
     
      

19. Prevailing Language

If this version of the Agreement exists in any other
language(s), the Arabic language version of this
Agreement shall prevail, in case of any conflict between
the English version and the other language versions.

  
