General Terms of Use for Clients of the SofSign Service

I. GENERAL PROVISIONS

The General Terms and Conditions of Use for SofSign Service Subscribers (hereinafter the “General T&Cs”) of Softeh d.o.o. set forth the conditions of use, as well as the mutual rights and obligations of the provider or the provider’s partner and the subscriber in relation to all SofSign cloud services (hereinafter also the “Service” or “Services”), which are provided by SOFTEH d.o.o., Trgovska ulica 2, 2310 Slovenska Bistrica, registration number 3651827000, tax number SI 72997842 (hereinafter also the “Provider” or “SOFTEH”).

The General T&Cs may be supplemented by Additional Terms and Conditions (hereinafter the “Additional T&Cs”) that define the specific conditions of use for individual SofSign Services. Together, the General T&Cs and the Additional T&Cs constitute a comprehensive framework governing the terms of use.

Annex 1: Additional Terms and Conditions for the Use of the SofSign Service via Application Programming Interface (API)
Annex 2: Additional Terms and Conditions for the Use of the SofSign Portal

These General T&Cs apply to all subscribers who, by submitting a purchase order or by entering into an agreement with the Provider or the Provider’s partner, subscribe to the use of the Services. They are fully binding on both the Subscriber and the Provider and have the effect of a contract. The General T&Cs constitute a binding agreement between the Subscriber and the Provider and thus have the legal character of a contract. No separate written agreement is required to establish the contractual relationship between the Subscriber and the Provider, as such a relationship is formed upon the Subscriber’s order and acceptance of these General T&Cs, or in the manner defined in the applicable Additional T&Cs.

The Provider and the Subscriber may agree on different rights and obligations than those set out in the General T&Cs by entering into a separate agreement. In the event of any conflict between the provisions of the General T&Cs and the Additional T&Cs, the latter shall prevail. If the Subscriber and the Provider regulate their business relationship through a separate agreement and there is a conflict between the provisions of such agreement and the General T&Cs, the specifically agreed contractual provisions shall take precedence.

II. Definitions

The terms used in these General T&Cs shall have the following meanings:

• Service Price List: the valid price list for the performance of services as determined by the Provider and published on the Provider’s website or as specified in the offer or agreement
• SofSign: a suite of cloud-based services for managing digital transactions, namely: the creation and management of electronic identities, user authentication, management of electronic signing workflows, electronic signing (of documents), exchange (of electronic documents), and electronic archiving of finalized documentary material, i.e. finalized electronically signed documents containing business content, in accordance with the Regulation on electronic identification and trust services for electronic transactions in the internal market (Regulation (EU) No 910/2014 of 23 July 2014, hereinafter: eIDAS) and the applicable national legislation in the Subscriber’s country regarding electronic signatures, electronic signing, and the storage of documents in electronic form.
• SofSign eID: a component of the SofSign Service that performs the function of an electronic identity provider in the cloud;
• SofSign RS: a component of the SofSign Service that enables remote signing and covers those types of signatures where the signer is not physically present at the point of sale. The signature may be executed as a click-to-sign (with a qualified electronic seal of the service), with the user’s local qualified certificate, or with the user’s qualified certificate stored in the cloud;
• SofSign Portal: a component of the SofSign Service that provides comprehensive IT support for managing digital transactions – from designing the signing workflow to the distribution of the fully signed documents;
• Incident: an event that deviates from the standard operation of the Service and causes or may cause a disruption or limited functionality of the Service;
• End User: means a natural or legal person or another economic entity who receives, reviews, accepts, signs, approves, or otherwise uses the Service, whereby the Subscriber ensures that the End User is informed about the use of the Service which the End User accesses through the Subscriber;
• Subscriber: any legal person or other economic entity that uses the SofSign Services for payment and agrees to the General Terms and Conditions. A subscriber also includes any subscriber who uses the services free of charge during a trial period;
• Provider’s Partner: a legal person or other economic entity that offers the Provider’s Services and through whom the Subscriber may order the Provider’s Services
• Authorized User: a person registered by the Subscriber for the use of the SofSign Services;
• Connection Fee: the cost of connecting or integrating an individual Subscriber to the SofSign Services;
• Software: software owned by the Provider and installed on hardware owned by the Provider, which constitutes an integral part of the SofSign Service. Third-party software used by the Provider or the Subscriber is used in accordance with the applicable terms and conditions of such third parties;
• Audit Trail: a visible trail of evidence that enables the traceability of information in assertions or reports back to the source;
• Service or Services: all cloud services provided by the Provider;
• Transaction: means the transmission of a completed unit of documentary material (document, image, record, etc.) for electronic signing via the SofSign Service. In the case of a package of documents or a transaction involving multiple documents, the transfer of each document within the package or transaction counts as a separate transaction.

III. Scope of Services

The SofSign Service for managing digital transactions encompasses the following functional modules or services provided by the Provider:

• Creation and management of electronic identities;
• Execution of user authentication for the purposes of confirming digital transactions;
• Preparation of digital transactions (documents) and signing workflows;
• Management of the digital transaction approval process (e-signing)
• using a personal (qualified) digital certificate or
• using a central qualified digital certificate with secure (one- or multi-factor) authentication of the signer’s identity or
• by capturing and digitizing a handwritten signature (using a signature pad or other signing device) and securely embedding the electronic signature into the electronic document;

The management of the digital transaction approval process (e-signing) is carried out through the SofSign RS and EBA Next services.

Signing is possible anytime and from anywhere; the service is supported for use on personal computers, smartphones, tablets, and dedicated signing devices.

The SofSign Service enables the signing of a single document or a package of multiple documents (transaction) by one or more signatories.

IV. Technical Conditions for Use of Services

To use the SofSign Services, an Authorized User must have: an email address, a mobile phone number (for remote signing), a computer or mobile device with internet access, a dedicated signing device (for handwritten signatures), a compatible web browser and operating system supported by their manufacturers, and a SofSign eID electronic identity (for remote signing). The Provider is not responsible for service malfunctions on outdated operating systems no longer supported by their manufacturers. The Services may also operate on unsupported browser versions; however, this may affect page display or functionality.

V. INTELLECTUAL PROPERTY

All SofSign Services are licensed and are not subject to sale to the Subscriber. The Subscriber may use the Service only for as long as the right to use it is valid. The right to use is tied to the Subscriber (the economic entity that obtained the license) and any legal successor thereof.

By purchasing SofSign services, the Subscriber obtains a non-transferable, non-exclusive, time-limited, and paid right to use, limited to the number of purchased rights or subscriptions, exclusively for the non-commercial use of the individual right of use. The Subscriber does not acquire the right to further distribute, modify, interfere with the source code, reverse engineer, reproduce, translate, adapt, alter, commercially exploit, or lease the services, whether for remuneration or free of charge.

The SofSign Services are the exclusive property of the Provider and constitute its copyrighted work. The Provider reserves all proprietary and moral copyright rights, which are not transferred to the Subscriber with the granted right of use for the duration of the subscription.

All content, data, images, and other information within the SofSign Services are protected by copyright or other forms of industrial property rights in accordance with applicable law. Ownership, legal title, and rights arising from copyright and other intellectual property rights remain the exclusive property of the Provider.

Use of the SofSign Services by unauthorized or third parties is not permitted, except as provided by these General Terms and Conditions.

VI. Client’s Content

Subscriber Content means any text, information, or material such as electronic documents or images that the Subscriber uploads or imports into the Services or creates using the Services or Software. Uploading illegal content is prohibited. The Provider reserves the right to remove content or restrict access to content, Services, or Software if any content violates the provisions of these General Terms and Conditions. As a rule, the Provider does not access the content but may use available technologies or procedures to detect incorrect data, certain types of illegal or otherwise inappropriate content

The Provider reserves the right to pre-screen the appropriateness of content (e.g., political content, adult content, and any content that is legally prohibited or restricted) that the Subscriber intends to use within the Service, as well as the right to approve or reject the use of the Services for such content.

The Subscriber retains ownership rights and any other intellectual property rights on all content that they upload or otherwise use within the Services.

VII. CONFIDENTIALITY AND PERSONAL DATA

Upon entering into the contractual relationship, the Provider and the Subscriber agree that all information accessed during the provision of the Services, including personal data, shall be considered business secrets and shall not be disclosed to third parties, except when necessary for the provision of the Services.

The Subscriber authorizes the Provider, as its contractual processor, to store and process data transmitted to the information system, service, or the Provider’s employees exclusively for the purpose of providing the Services. Such data may have a business or confidential nature, for which appropriate security measures will be ensured to prevent disclosure.

The Provider undertakes to perform the Services professionally, properly, and in accordance with the legislation governing the protection of business secrets. In doing so, the Provider will ensure that the Subscriber’s business or confidential information is not misused and will act in compliance with applicable laws, good practice standards, and its own internal regulations and procedures.

The Subscriber remains the owner and controller of all personal data and is responsible for their protection in accordance with applicable law.

The Subscriber has the right to request reports and evidence regarding the Provider’s handling of confidential data at any time.

The Provider ensures the security of data processing and storage by implementing appropriate organizational, technical, and logical-technical measures to guarantee information security, data protection, and the confidentiality of business secrets.

The security policy and organizational measures govern at least the following obligations:

• All data are processed in a dedicated system that ensures prevention of unauthorized access and secure execution of all critical operations (remote access, data transfer, digital signing, etc.);
• Premises housing the information system or its components are physically or electronically secured;
• Hardware, system and application software, including input-output units, are physically and electronically protected in accordance with information security principles;
• Security mechanisms are established to detect and protect systems against malicious software;
• The Provider follows technological standards and upgrades and updates hardware and software accordingly;
• The Provider adheres to best practices regarding information security;
• Secure data transmission between the Subscriber and the Provider is established;
• Prescribed management of information security incidents is implemented;
• Unauthorized access to data during processing or transmission, including transmission via telecommunication means and networks, is prevented through an integrated access rights management system and the use of cryptographic tools;
• The information system, based on the Subscriber’s decision or directly pursuant to applicable regulations, ensures an effective method for data deletion;
• The information system ensures traceability of all data processing activities within the Provider’s information system for the entire period from the start of processing until the end of data storage.

a)     PROCESSING OF PERSONAL DATA

These General Terms and Conditions also regulate the processing of personal data within the scope of the services provided under Article 4 of the General Terms and Conditions, as well as the determination of rights and obligations between the Subscriber and the Provider in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the Regulation).

The Provider receives personal data from the Subscriber when the Subscriber accesses the services and submits personal data within them. These data may be included in documents uploaded by the Subscriber through the services or may form part of the login or registration data within the services.

When the Provider acts as the processor and the Subscriber as the data controller, the processing of personal data in the services is governed in accordance with Article 28 of the Regulation, whereby they define their mutual rights and obligations in accordance with the Regulation.

The Subscriber guarantees that it has an appropriate legal basis for the processing of all personal data provided, in accordance with the provisions of the Regulation.

The Subscriber ensures that the personal data provided to the Provider for processing have been obtained on the basis of at least one of the following grounds: the explicit consent of the data subject, the performance of a contract with that individual, or compliance with a legal obligation. The Subscriber also guarantees that it has a legal basis for processing the data it transmits through the services or enters into the login or registration fields within the services.

If the Customer provides the Provider with personal data obtained in violation of the Regulation or other applicable data protection legislation, the Provider shall not assume any responsibility for such data.

The types of personal data that the Customer provides to the Provider through documents may vary depending on the content of the documents and are not stored by the Provider in a structured form.

Personal data contained in login, registration, and other input fields may include: first name, last name, email address, mobile phone number, and tax identification number. These data relate to users, end users, as well as employees of the Customer or legal entities or other business entities with whom the Customer cooperates.

During the term of the contractual relationship, the Customer may, if necessary, also provide other types of personal data relating to additional categories of individuals not explicitly listed in the previous paragraph, provided that such data are necessary for the use of the services and the Customer has an appropriate legal basis for them.

The Provider shall not transfer personal data received in the course of providing the services to third countries, unless required by the law of the European Union or the Republic of Slovenia. In such cases, the Provider shall inform the Customer prior to the transfer of data in accordance with applicable legislation.

The Provider shall process personal data on behalf of and for the account of the Customer only to the extent necessary for the provision of the ordered services. The Provider shall process the received personal data solely within the scope, by the means, and for the purposes specified by the Customer. The Provider shall not independently determine the purposes or means of data processing.

The Provider shall handle all received personal data in accordance with the provisions of the Regulation and other applicable data protection legislation. The Provider commits not to use the personal data for any purposes other than those specified by the Customer.

The Provider shall process the data solely within the scope of the submitted documents and according to the Customer’s documented instructions, and shall provide the Customer with all necessary information to demonstrate compliance with its obligations.

The Provider ensures that all persons authorized to process personal data within the Provider’s organization are bound by confidentiality and data protection obligations.

The Provider shall assist the Customer, based on the nature of the processing, with appropriate technical and organizational measures to fulfill the obligations related to the exercise of data subjects’ rights under Chapter 3 of the Regulation, as well as to comply with the provisions of Articles 32 to 36 of the Regulation.

The Provider shall not disclose personal data to third parties, except to contractual subprocessors with whom it has concluded appropriate data processing agreements and who are obligated to comply with all provisions of these General Terms and Conditions.

The Provider shall provide the Customer with all necessary information to demonstrate compliance with obligations related to personal data processing and shall allow audits and inspections that the Customer may designate or conduct, subject to prior notice.

In the event of a detected or confirmed personal data breach, the Provider shall immediately notify the Customer, no later than within 48 hours.

The Customer undertakes to immediately notify the Provider of any possible termination of the legal basis for the processing of personal data in accordance with these General Terms and Conditions.

Requests related to the exercise of rights shall be submitted in writing to the email address podpora@softeh.com. The Customer must clearly specify the required assistance and the deadline for the response.

The Customer and the Provider agree that all obligations related to notification and other procedures concerning the processing of personal data under these General Terms and Conditions shall be carried out by the Customer. The Provider will, however, supply the Customer with all necessary information for this purpose.

The Provider is entitled to charge for assistance related to data protection and information (e.g., exercising individuals’ rights, completing questionnaires, etc.) based on actual hours worked in accordance with the valid price list. However, the Provider may not charge for such assistance if the Customer’s request is a result of a data protection breach.

The Provider shall fulfill obligations arising from inspections and other official proceedings conducted by competent authorities related to data processing under the General Terms and Conditions, carried out directly at the Provider’s premises. The same shall apply accordingly to any subprocessors. The Provider shall immediately notify the Customer of such proceedings.

For personal data where the Provider acts as the processor and the Customer as the controller, the Customer agrees upon entering into the contractual relationship that the Provider may perform the data processing tasks either personally or delegate them to a subcontractor acting as a sub-processor of personal data. Information about sub-processors will be communicated to the Customer in a pre-agreed manner before concluding the contractual relationship. Prior to any subsequent change of a contractual sub-processor, the Provider will notify the Customer in writing with a general consent at least 15 days before granting the new sub-processor access to the data. During this period, the Customer will have the opportunity to object to the change of sub-processor. The Provider will also conclude a contract or other legal act with the sub-processor, imposing data protection obligations equivalent to those between the Customer and the Provider. The list of sub-processors performing specific data processing tasks on behalf of the Provider is attached as Annex 3 to these General Terms and Conditions.

The Provider and the Customer are obligated to ensure appropriate procedures and measures in accordance with Article 32 of the Regulation.

The Provider shall protect personal data in compliance with data protection regulations and in accordance with the measures and procedures defined in these General Terms and Conditions.

The Provider shall process the Customer’s personal data and any personal data provided by the Customer solely for the purpose of delivering the services and only for the duration of the contractual relationship with the Customer, or, in the case of a subscription, for the duration of the subscription period for the selected subscription package.

The Provider shall delete all documents containing personal data related to a given transaction no later than 70 days after their receipt, following the completion of the transaction.

The Provider shall irreversibly destroy any copies of personal data within the deadline specified in the previous paragraph, unless required by law to retain the data for a longer period.

In the event of termination of the service, the Provider or the Provider’s partner shall, upon the Customer’s request, hand over the stored data in the SofSign information system to the Customer, unless another law requires the retention of personal data. The Provider or the Provider’s partner is entitled to charge the Customer for the cost of handing over the data.

b)     SPECIAL PROVISIONS REGARDING PERSONAL DATA

The Customer guarantees that it has informed all its end users that the Provider acts as a data processor on behalf of the Customer, and that it has notified them about the general terms and conditions for end users published on the Provider’s website. The Provider assumes no liability for the use of the services by end users; all responsibility related to their use of the services rests solely with the Customer.

VIII. AUDIT TRAIL

Audit trail is a visible record of evidence that enables tracing information in statements or reports back to its source. The Provider manages the audit trail to demonstrate the traceability of business events. The Provider ensures that the audit trail remains unaltered, transparent, and confidential. Based on an agreement with the Customer, the Provider may allow the export of the complete audit trail for a specific transaction.

The Provider processes the following data for the purpose of managing the audit trail:

• Event ID
• Signatory ID
• Username
• Type of event (e.g. transaction creation, signature execution, transaction archiving, etc.)
• Date and time
• Event status (success/failure)
• Transaction name
• Additional information (e.g. type of signature, type of login, etc.)
• Process status (e.g. transaction uploading, signed, archived, completed)
• IP address

IX. TECHNICAL SUPPORT

The Provider publishes various user guides and instructions for the use of services on its official website or within its web applications for the purpose of assisting Customers.

The Provider is not obliged to offer additional direct technical support or to respond directly to Customer inquiries, unless otherwise stipulated in a specific agreement, another written arrangement, or in cases where the Customer’s subscription plan includes technical support provided by the Provider or such support is defined in the Additional Terms for a specific service.

X. WARRANTIES AND DISCLAIMER OF LIABILITY BY THE PROVIDER

The Provider warrants that the Services will be delivered in a professional and competent manner, in accordance with technological standards, organizational measures (such as general organization, security policies, information system management procedures, and service execution), and applicable legislation.T he Provider also ensures that the SofSign Services are regularly updated in line with technological recommendations and legal requirements.

The Provider guarantees to the Customer that the Services will function in accordance with their intended purpose, provided that they are used in line with the instructions for use and supported by an appropriate IT environment. The Provider will make every effort to ensure that the Services are available at all times, except in cases beyond its control. The Provider offers the Services “as is” and “as available”. The Provider disclaims any warranties and makes no guarantee that:

• the Services or software will meet the Customer’s requirements,
• they will be continuously available,
• they will ensure uninterrupted operation,
• they will be timely, secure, and error-free,
• the results obtained through the use of the Services or software will be effective, accurate, or reliable,
• the quality of the Services or software will meet the Customer’s expectations,
• any defects or errors in the Services or software will be corrected.

The Provider shall not be held liable for disruptions and interruptions in the telecommunications network, for possible mobile network outages, for errors occurring during data transmission via telecommunications networks, for inability to access or use the Services due to reasons beyond the Provider’s control (including but not limited to maintenance, upgrades, or other necessary system operations), or for outages caused by force majeure or other circumstances beyond the Provider’s influence.

The Provider shall ensure hosting of the information system and backup services either by itself or through subcontractors located within the European Union, for whom it guarantees as if the services were performed by the Provider itself.

If the Customer fails to fulfill its obligations on time or unjustifiably refuses the Provider’s requests, the Provider shall not be liable for any delays, non-fulfillment, or incorrect fulfillment resulting from the Customer’s failure to meet its obligations, nor for any damages that may arise to the Customer or its clients as a consequence.

To the maximum extent permitted by applicable law, the Provider shall not be liable for any direct, indirect, financial, non-financial, or other damages related to the use of the services. This includes any compensation claims arising from errors, interruptions, or data loss that may occur during the use of the services. This limitation of liability applies regardless of whether the claim is based on these General Terms and Conditions, negligence, intent, or any other reason, including cases where the Provider’s negligence has been established or if the Customer has previously informed the Provider about the possibility of such damage.

The Provider does not provide any warranty and shall not be liable for any claims arising from:

• the use of the services contrary to the terms of use or the intended purpose of the services,
  • modifications to the services made by anyone other than the Provider, unless expressly authorized by the Provider,
  • damage caused by improper or negligent use of the services,
  • damage resulting from data loss at the Customer,
  • use of the services in combination with any system or software not authorized or prohibited by the Provider,
  • content published or uploaded to the service by the Customer or any third party.

Except where explicitly prohibited by law, any liability of the Provider, regardless of the basis for the liability for the incurred damage (including negligence, intent, or breach of legal obligations), is excluded. If a court determines that the Provider is liable for any damage or loss of data or use of the services arising from the provision of the services, the liability of the Provider and its technology partners shall be limited to the amount of the Customer’s monthly SofSign service fee.

The Provider may change the functional or technical parameters of the SofSign service for technical, legal, or economic reasons. If such functional or technical changes could affect the Customer’s ability to use the SofSign service (e.g., changes in integration), the Provider will notify the Customer at least 30 days before implementing the change. This notification does not apply to service interruptions during scheduled system maintenance and upgrades.

The Provider may discontinue the SofSign service for technical, legal, or economic reasons. The Provider will notify the Customer or partner at least 90 days prior to the termination of the SofSign service covered by these General Terms and Conditions. This notice period does not apply in cases of violations of these or other General Terms and Conditions by the Customer.

The Provider is not obliged to compensate for any costs that may arise due to changes or discontinuation of the services.

The Provider may also temporarily disable the use of services for an individual Customer under the conditions set forth in Chapter XIV, “Temporary and Permanent Suspension of Service Use.”

Unless otherwise stipulated in these General Terms and Conditions, the Provider has the right to use the SofSign software (and, where applicable, hardware) or service for other purposes, for other customers, or for other content (for example, marketing content or content of other customers).

XI. RIGHTS AND OBLIGATIONS OF THE CUSTOMER

The Customer commits to providing all necessary data, information, and resources for the integration of the Customer’s business applications with the SofSign service as soon as possible upon request. The Customer will timely ensure all conditions required for the Provider to fully and promptly fulfill its obligations. If the Customer fails to meet its obligations on time or unjustifiably rejects the Provider’s requests, the Provider shall not be held responsible for any delays, non-performance, or incorrect performance resulting from the Customer’s failure to fulfill its obligations, nor for any related damages that may arise to the Customer, its users, clients, or third parties connected to the Customer. In case the Customer’s delay significantly affects the agreed deadlines, the Provider reserves the right to increase the price of the services.

The Customer is obliged to provide truthful information during registration and login to the SofSign services. In case of incomplete, incorrect, false information or for any other reasons, the Provider has the right to refuse registration. The Customer guarantees that all data required for the use of SofSign services are truthful, accurate, correct, and complete; otherwise, the Customer shall be liable to the Provider for any resulting damage.

The Customer is obliged to notify the Provider of any changes to the data that are subject to the agreement between the Provider and the Customer within eight (8) days from the occurrence of the change.

Upon acceptance of the General Terms and Conditions or after establishing the connection with the SofSign service, the Customer obtains access to the SofSign services for its authorized users for whom it has provided data. The Customer guarantees that its users are authorized to use the SofSign portal. The Customer also ensures that its authorized users are familiar with the content of the General Terms and Conditions.

The Customer is obliged to immediately notify the Provider’s technical support if they detect unauthorized access to their SofSign service user account.

The Customer must not misuse the Provider’s software, services, or content provided to them. The Customer expressly guarantees that:

• will not misuse or attempt to misuse the SofSign services,
• will not perform or attempt to perform unauthorized access to the SofSign services,
• will not use or attempt to use the SofSign services in an unauthorized and/or harmful way to third parties,
• has all necessary permissions and consents to use the SofSign services in accordance with these Terms; otherwise, the Customer is liable to the Provider for all caused damages,
• will operate in compliance with the General Terms and Conditions, instructions, and organizational measures prescribed by the Provider,
• will immediately notify the Provider of any unauthorized use, suspected unauthorized use, or possibility of unauthorized use of the SofSign services,
• will not misuse the server infrastructure or the API of the SofSign services,
• will not violate applicable laws,
• will not enable or allow any third party to use the software or services with their user account.

The General Terms and Conditions do not, under any circumstances, grant the right to reproduce, distribute, modify, test, develop, or publicly display the software or services, unless otherwise agreed between the Customer and the Provider.

XII. FORCE MAJEURE

The Provider shall not be held liable for any damage arising from delays or errors in fulfilling its service obligations if such circumstances are the result of factors beyond the Provider’s control or constitute force majeure. This includes, but is not limited to: measures and restrictions imposed by authorities, war, strikes, riots, earthquakes, floods, other natural disasters, catastrophes, and other events beyond the Provider’s influence.

If the Provider is unable to fulfill its obligations due to force majeure, it must notify the Customer immediately, or no later than five (5) days after the occurrence of such circumstances, specifying the nature of the force majeure event, its expected duration, and any possible consequences.

If the force majeure circumstances last longer than two (2) months, both the Provider and the Customer have the right to terminate the contractual relationship without any additional notice period.

XIII. ENSURING MEASURES FOR THE INTEGRITY AND AUTHENTICITY OF TRANSACTIONS AND THE LEGAL VALIDITY OF SIGNATURES

The Provider, within the SofSign service, ensures all necessary means to maintain the integrity and authenticity of electronically signed documents as well as the legal validity of electronic signatures. To guarantee these properties of electronically signed documents or transactions and the legal validity of signatures, the User is obligated to follow the rules for using electronic signing tools and to carry out signing in accordance with the organizational measures that are part of the SofSign service (including the electronic signing security policy).

The Service Provider guarantees that every electronic signature created using the SofSign service, performed under the conditions set by the organizational measures of the SofSign service, complies with the requirements of the relevant legislation governing the respective field.

The Provider shall under no circumstances be responsible for or guarantee the integrity and authenticity of electronically signed documents or transactions, nor the legal validity of electronic signatures, in cases of misuse of the electronic signing tools that are part of the SofSign service, or misuse of the service itself, by the Customer, user, or any third party. Likewise, the Provider shall not be responsible for or guarantee the integrity and authenticity of electronically signed documents or transactions, nor the legal validity of electronic signatures, if the SofSign service is used in violation of the organizational measures of the SofSign service or if there is misuse of those organizational measures.

The Customer or user is obliged to use the SofSign service in accordance with the instructions and organizational measures prescribed by the SofSign service Provider. The Provider reserves the right to immediately suspend the provision of the SofSign service in case of misuse or failure to comply with the usage instructions, organizational measures, or applicable legislation.

The Provider is not responsible for the operation of any hardware or software owned by the Customer or any third party. Furthermore, the Provider is not liable for the inadequacy, implementation, or incompatibility of the SofSign service if the Customer changes hardware or software configuration or equipment, modifies or alters the source code, uses it together with an information system not approved by the Provider, lacks internet access, or operates in a manner that affects the functioning of the SofSign service without the prior written consent of the Provider.

XIV. TEMPORARY AND PERMANENT TERMINATION OF SERVICE USAGE

The Provider may temporarily suspend the Customer’s use of the Services in the following cases:

• in the event of abuse or material non-compliance with the instructions for use, the General Terms and Conditions, organisational measures, or applicable legislation,
• if the Customer uses the Services contrary to these General Terms and Conditions or applicable legislation,
• in the event of non-payment of undisputed obligations by the Customer,
  by mutual agreement between the Customer and the Provider.

The Provider shall notify the Customer in writing of the reasons for the temporary suspension at least three (3) days prior to the planned suspension.

If the Customer remedies the reason for the temporary suspension, the Provider shall re-enable the use of the SofSign services within three (3) business days.

In the event of the termination of the use of the SofSign service for any reason, the Provider shall remove all data related to the Customer from its systems no later than within 70 days and shall notify the Customer or the Provider’s partner of this in writing.

XV. NOTIFICATIONS

For receiving notifications related to the provision of services, the Provider offers support at the following email address: podpora@softeh.com.

XVI. FINAL PROVISIONS

If any provision of the General Terms and Conditions is invalid, this shall not affect the remaining provisions of the General Terms and Conditions. The invalid provision shall be replaced by a valid provision that most closely corresponds to the original intent of the invalid provision.

If the relevant terms specify that communication, coordination, or other notifications between the Provider and the Customer must be in writing, an email sent to the appropriate and valid email address shall also be considered to satisfy the writing requirement. A valid email is one designated by both the Customer and the Provider for communication between them.

The Provider and the Customer shall attempt to resolve any disputes amicably. If this is not possible, the competent court for dispute resolution shall be the court in Maribor, under the laws of the Republic of Slovenia.

The Provider has the right to transfer its rights and obligations under these General Terms and Conditions to affiliated companies. The Provider may engage subcontractors or partners to perform the services without the Customer’s consent, provided that the service level remains the same or complies with the provisions of these General Terms and Conditions.

The Provider reserves the right to amend the General Terms and Conditions at any time at its sole discretion, and shall notify the Customer of the changes and their effective date by publishing them on the website.

These General Terms and Conditions are effective as of May 1, 2025.

SOFTEH d.o.o.

ANNEXES:

• Annex 1: Additional Terms and Conditions for Using the SofSign Service via the Application Programming Interface (API)
• Annex 2: Additional Terms and Conditions for Using the SofSign Portal
• Annex 3: List of Subprocessors

Annex 3: List of Subprocessors

Name of Subprocessor	Address of Subprocessor	Registration Number	Purpose of Processing Activities
T2	Verovškova 64A, 1000 Ljubljana	1954598000	performing backup operations
Pošta Slovenije	Slomškov trg 10, 2500 Maribor	5881447000	“Provision of long-term electronic document retention (eHramba.si® service) – Applicable when the Customer subscribes to the eHramba.si® service.”

Additional Terms for Using the SofSign Service through the API

1. Introductory Provisions

The Additional Terms and Conditions for the use of the SofSign service via the Application Programming Interface (API) (hereinafter referred to as the “Additional Terms”) form an integral part of the General Terms and Conditions of Use for SofSign service customers (hereinafter referred to as the “General Terms”) and serve to reasonably supplement them.

The SofSign Application Programming Interface (API) enables the integration of the Customer’s business applications with the SofSign services for the purpose of managing digital transactions.

The functionalities of the SofSign service that have been ordered and are provided by the Provider shall be determined by the Customer and the Provider through an order form or a separate agreement. The signed order form shall be considered a binding contract supplemented by the General Terms and Conditions. The implementation plan for connecting the Customer’s business applications with the SofSign service shall be agreed upon later between the Provider or the Provider’s partner and the Customer (hereinafter: the Plan). The Customer is bound by the General Terms and Conditions even if the Provider’s services are ordered through the Provider’s partner.

2. Start of Service Use and Provider’s Obligations

The Provider undertakes to provide the Customer with the SofSign service in accordance with and to the extent specified in these General Terms and Conditions as well as the Order Form or a special contract.

The Provider shall perform the services subject to these Additional Terms in accordance with the Order Form or a special contract and the agreed Plan between the Provider or the Provider’s partner and the Customer.

The Customer shall begin using the services, and the Provider shall start providing the SofSign service no later than 15 working days after the successful connection of the Customer’s business applications to the (test) SofSign service by the Provider. The Provider or the Provider’s partner shall send the Customer a written notification confirming the successful connection of the Customer’s business applications to the SofSign service by the Provider.

Before the start of use, the Provider or the Provider’s partner will provide the Customer with unique access data for the SofSign service (access to electronic signing functionalities). The access data are essential for using the SofSign service and ensure the confidentiality of the entered data and the created electronic documents.

3. Reinstatement of Services

The Provider reserves the right to charge the Customer a fee for reinstatement equal to the initial connection costs for the SofSign service (connection fee).

If the service price does not include a connection fee, the provider or the provider’s partner has the right to charge the customer a reinstatement fee equivalent to six (6) full monthly subscriptions for the selected services. The customer is not entitled to any compensation for damages in the event of temporary suspension of the service.

4. Service Level

The Provider ensures the service operates 24/7 and strives for uninterrupted service availability. The Provider may perform maintenance and upgrades that could cause disruptions to the service. Scheduled interventions will generally be carried out between 9:00 PM and midnight. If an intervention causes a service outage longer than 15 minutes, the Provider will notify the Customer or the Provider’s partner at least two (2) business days before the planned start of the intervention.

In the event of an error or malfunction during the provision of the service, the Customer must:

• If the services are ordered through the Provider’s partner, all errors must be reported to the designated email address of the Provider’s partner. In case the partner does not resolve the errors independently, the Provider will ensure second and third level support.
• If the services are ordered directly from the Provider, all errors must be reported to the designated email address of the Provider: podpora@softeh.com.

In the event that the Provider, during the handling of a request or thereafter, determines that the error reported by the Customer or the Provider’s partner does not reflect a fault on the part of the Provider or the SofSign service, but rather relates to issues on the Customer’s side or errors outside the scope of both the Customer’s and Provider’s control (e.g., power outage, hacking attack, internet outage), the work performed up to that point, including further handling of the request, will be invoiced according to the Provider’s or the Provider’s partner’s valid price list, based on the scope and complexity of the tasks performed. If the Customer does not confirm the invoice to the Provider or the Provider’s partner within 3 working days, the work performed will be deemed accepted.
 

5. Termination of Subscription for Use of Services

By submitting the order form, a contractual relationship is concluded under the terms specified in the order form; unless explicitly stated otherwise, the relationship is established for an indefinite period.

If the Customer wishes to change the scope of services specified in the order form, this shall be arranged by signing a new order form, which will replace the existing one.

The Customer or the Provider may terminate the contractual relationship without notice if the other party materially breaches the obligations set out in the order form or the General Terms and Conditions, especially in cases of violations related to the settlement of financial obligations, intellectual property, or data protection, and does not cease such breaches despite a written warning.

Both parties may terminate the contractual relationship at any time with a 90-day notice period.

Additional Terms for Use of the SofSign Portal

1.     Introductory Provisions

Additional Terms and Conditions for the use of the SofSign portal (hereinafter: Additional Terms) are an integral part of the General Terms and Conditions of Use for SofSign service customers (hereinafter: General Terms) and meaningfully supplement them.

The SofSign portal is a web application that provides comprehensive IT support for managing digital transactions. It enables the user to prepare documents and signature workflows, manage individual signing steps, notify signatories, perform remote signing, and distribute the fully signed documents.

For the purpose of authentication, the SofSign portal is integrated with the SofSign eID service, which enables the creation and management of electronic identities and the authentication of users for access to the portal and for confirming digital transactions.

2. Service Provision

2.1. Registration

A prerequisite for using the SofSign portal is the registration of the customer and the designation of authorized users who will use the portal. Upon registration, the customer must provide the provider with the required data about themselves and the authorized users of the SofSign portal. After successful registration and payment, the authorized users receive a SofSign eID electronic identity, which grants them access to the SofSign portal. Upon first login to the SofSign eID system, authorized users must confirm their data, change their password, and confirm their agreement with the General Terms and Conditions for using the SofSign eID service and any of its subsequent amendments.

2.2. Login

Login to the SofSign portal takes place via the SofSign eID service in accordance with the General Terms and Conditions for using the SofSign eID service. When logging in, the user must enter login credentials according to the required login strength. The required login credentials may include, for example: an email address, password, one-time password received by the user via SMS, or a qualified digital certificate.

3. Free trial or trial period

The trial period is a pre-agreed, time-limited period intended for a prospective customer to assess the suitability of the SofSign portal according to their electronic signing needs and requirements. During the trial period, users may not have access to all features and functionalities of the SofSign portal. The provider does not guarantee that the free trial will last for the entire agreed period. The provider may limit the number of authorized users that the prospective customer can designate during the trial period. After the free or trial period expires—or even before—the provider may allow continued use of the SofSign portal if the customer subscribes to a paid package or otherwise reaches an agreement with the provider. In such cases, the provider will retain the customer’s data and settings from the trial period.

If the customer does not decide to subscribe to a paid package after the trial period expires, the provider will disable access to the portal for the customer’s authorized users and reserves the right to delete the customer’s personal data as specified in the General Terms and Conditions for the use of the SofSign eID service.

No express or implied warranties apply during the free or trial period for the services and software; all services and software are provided on an “as is” basis. Technical or other support is not included during this period. The provider reserves the right, at its sole discretion, to limit or terminate the free or trial period without prior notice and without any liability to the user.

The provider may add a protective mark (e.g., in the signature label or in the form of a watermark) to documents signed during the free trial period.

4. Payment Terms, Prices, and Method of Charging for Services

4.1. Subscription

The price, functionalities, and usage options of the SofSign portal are tied to the selected subscription package or to any changes requested by the customer. The provider does not guarantee that any particular subscription package will be available indefinitely. The provider also reserves the right to change prices or functionalities within a given package without prior notice.

4.2. Subscription Package

The subscription package represents the right to use the SofSign portal and the associated software for a specified period upon payment of the applicable fee. Under these General Terms and Conditions, the customer obtains a user account and registers authorized users who have access to the service. The right to use the SofSign portal is exclusively limited to the designated authorized users of the customer and the signatories appointed by them.

By accepting the General Terms and Conditions, the customer commits not to resell the SofSign portal or in any way enable its use by unauthorized persons or third parties.

Subscription packages differ based on the available functionalities of the SofSign portal and/or the number and scope of allowed transactions. Detailed information, pricing, and the list of current subscription packages are published on the provider’s official website. The methods and types of signing available to users depend on the selected subscription package.

4.3. Prices

Valid prices are always published on the provider’s website. If the customer wishes to terminate the subscription, they can do so by submitting a written request to the provider’s email address before the end of the billing cycle, thereby canceling the subscription for the next billing period for the use of the SofSign portal.

In case of a different billing method, the provider and the customer shall conclude a separate SofSign Service Level Agreement (hereinafter: SLA). In such case, the provisions of the SLA shall prevail over the provisions of these Terms and Conditions.

4.4. Billing

The Customer commits to timely payment of all subscription fees related to the SofSign portal. Fees for the selected subscription packages will be charged to the Customer in advance. The Customer may choose annual or monthly billing for the subscription packages, or another billing period as specified in the valid price list on the Provider’s website.

The subscription package fees paid by the Customer are non-refundable, except in cases where the Customer and the Provider agree otherwise through an official written agreement or as otherwise stipulated in these Terms and Conditions.

After payment for the service, the Customer will receive a confirmation email. The Provider will issue an invoice to the Customer for the use of the SofSign portal. Upon payment, the Customer will receive access credentials to the SofSign portal immediately or no later than within 3 (three) working days.

The subscription is automatically renewed and charged for the next billing period at the end of the current plan (monthly, yearly), unless the customer cancels it beforehand.

In case of delayed payment, the provider is entitled to charge statutory late payment interest and may suspend the provision of services to the customer.

4.5. Change of Subscription Package

The subscriber can change the subscription package by adding users or increasing the number of users.

If the value of the subscription package increases due to a change in the package or the number of users, the provider will charge the subscriber a proportional difference for the remainder of the current billing period. The changed settings take effect immediately.

If the value of the subscription package decreases due to a change, the provider reserves the right not to refund the difference in the amount already paid. In this case as well, the new settings take effect immediately.

5. Temporary or Permanent Suspension of Services

The subscription to the subscription package shall terminate:

• immediately upon the expiry of the period for which the subscription package was concluded,
• immediately upon the subscriber’s withdrawal from the subscription package during the free trial or at the end of the free trial period,
• within 23 hours if payment is not successfully processed during the automatic renewal of the subscription.

The provider reserves the right to charge the full monthly or annual package fee upon reactivation. In case of temporary suspension of the service, the customer is not entitled to any compensation for damages.

The customer has the option to permanently delete their account; in this case, all data related to the customer will be automatically deleted.

General Terms and Conditions for the Use of the SofSign eID Service

The General Terms and Conditions for the use of the SofSign eID service for the creation, storage, management, and use of electronic identities, as well as for authentication using electronic identification means (hereinafter: the General Terms), define the conditions for the performance and use of the SofSign eID service for natural persons, the scope of the offered services, and the mutual rights and obligations between the users of this service and the company SOFTEH d.o.o., with its registered office at Trgovska ulica 2, 2310 Slovenska Bistrica, acting as the responsible provider and operator of the service (hereinafter: the Provider).

These General Terms and Conditions constitute a legally valid and binding agreement between the users of the SofSign eID service and the Provider.

1. Subject of the Service

By accepting the General Terms and Conditions for the use of the SofSign eID service, the user acquires the right to create and use an electronic identity and the associated electronic identification means (such as a username, password, one-time password – OTP, etc.), which are used for authentication in connection with linked online services.
The electronic identity and the associated identification means are granted to the user for an indefinite period.

By confirming the General Terms and Conditions, the provider becomes the processor of the user’s personal data that are necessary for the operation of the SofSign eID service. If the user does not accept the General Terms and Conditions, the use of the SofSign eID service is not permitted.

2. Provision of the SofSign eID Service

Use and provision of the SofSign eID service enables:

• User registration for the SofSign eID service. During this process, the user provides or confirms their personal data and obtains an electronic identity along with the corresponding electronic identification means (e.g. username, password, etc.).
• User login with an existing SofSign eID electronic identification means. Upon successful login, the user may gain access to the desired online service connected to SofSign eID, provided that the login is performed using an identification means with the appropriate level of assurance.
• Management of user profile settings: The user can manage personal data that they have submitted themselves and can deactivate their electronic identity with SofSign eID.
• The user may terminate their use of the SofSign eID service at any time via the profile management section of the SofSign eID service.

3. Technical conditions for using the SofSign eID service

To use the SofSign eID service, the user must have, in addition to a valid email address, a personal computer or mobile device (e.g., mobile phone, tablet) with internet access, as well as a web browser and operating system version supported by the manufacturers.

The provider does not take responsibility for the malfunctioning of the SofSign eID service on older versions of operating systems that are no longer officially supported by the manufacturer. Although the service may still operate on such unsupported browser versions, it is possible that distorted display or reduced functionality of the web pages may occur.

A condition for using the service is also access to the user’s valid email address and providing it.

4. User Responsibility

The user may use the SofSign eID service exclusively for their own purposes. By their guarantee, the user confirms that the personal data they have provided is accurate and actually belongs to them. The use of offensive data or data that contains or promotes hate speech is not permitted.

The user is obligated to promptly update any changes to their data in the SofSign eID user profile. The electronic identification means must be kept confidential and used in accordance with the provisions of these General Terms and Conditions. In case of misuse or negligent behavior, the user may bear liability for damages or even criminal responsibility.

The transfer or enabling the use of electronic identification means to other persons is not permitted. In case of violation of this provision, the user guarantees unlimited liability for damages.

The SofSign eID service must not be used for illegal purposes. Likewise, the user must not collect, store, or otherwise process personal data of other users.

In the event of suspicion that their electronic identification means have been misused, the user must immediately notify the provider, who will then prevent further use of these means.

5. Rights and Responsibilities of the Provider and Data Protection

The SofSign eID service is generally available 24 hours a day, every day of the year.

The provider ensures that all personal data, electronic identification means, and other information (hereinafter referred to as Data), which it has access to due to the provision of the SofSign eID service, are carefully protected in accordance with the law.

The provider commits not to disclose users’ personal data to any persons who are not authorized to use the SofSign eID service. Persons involved in the provision of the service at the provider have a binding confidentiality and data protection agreement in place.

The provider ensures the security of data processing and storage in accordance with the organizational measures of the SofSign eID service, measures to ensure information security, data protection, and business confidentiality, thereby also preventing the misuse of user data.

The provider reserves the right to disable the user’s electronic identity in the event of multiple unsuccessful login attempts.

The SofSign eID service provider reserves the right to modify any part of the system and delete any part of the content without prior notice.

The provider ensures the hosting of the information system and backup services either independently or through subcontractors within the territory of the European Union, guaranteeing their performance as if the services were carried out by the provider itself.

6. Limitation of Provider’s Liability

The provider reserves the right to temporary interruptions of access to the SofSign eID service due to maintenance work, technical reasons, or equipment replacement. However, the provider does not guarantee uninterrupted availability of the service in cases of communication network outages, other technical disturbances, errors, interruptions caused by third parties (e.g., power supply), or force majeure.

The provider does not assume any liability for any direct or indirect damages or deficiencies that the user may suffer due to technical issues or the inability to use the SofSign eID service.

The user alone is responsible for any consequences if they provide the provider with incorrect, false, incomplete, or outdated personal data – the provider is not liable for these. The provider is also not responsible for any disruptions in the service caused by improper use or the user’s lack of knowledge about how the service operates.

The provider is not responsible for any damage caused by the loss, transmission, or misuse of data if this occurs due to the fault of the user, the service subscriber, or third parties.

In case of detected abuse of the SofSign eID service, the provider reserves the right to immediately restrict or terminate the user’s access to the service.

7. Personal Data Protection in the Use of the SofSign eID Service

In the provision of the SofSign eID service, the Provider collects, processes, and stores the user’s personal data and electronic identification means, acting as the data controller. The processing is carried out in accordance with the applicable personal data protection legislation. Personal data shall be stored until the purpose is revoked or until the right to erasure is exercised. For the purposes of these General Terms and Conditions, the user shall be considered an individual within the meaning of the personal data protection legislation.

The processing of personal data is based on the user’s explicit consent, expressed by accepting the General Terms and Conditions, which thereby constitute the legal basis for the processing. The processing of such data is a necessary condition for the use of the SofSign eID service. If the user does not agree to the General Terms and Conditions, the service cannot be used.

The Provider does not disclose the collected personal data to third parties or other organisations, except to affiliated online services which the user wishes to access via the SofSign eID service.

The Provider undertakes to handle personal data responsibly and to process such data solely for the purposes for which they were originally collected.
For the purpose of operating the SofSign eID service, the Provider processes the following data: first name, last name, email address, telephone number, country (for the purpose of sending a one-time password), and other personal data specified by the data controller and for which the user has given prior consent.
Based on justified requests, the Provider may disclose personal data to competent national authorities, provided there is a legal basis for such disclosure (e.g., courts, law enforcement authorities, EU national authorities).

In accordance with applicable legislation, the user has the right to:

• access personal data,
• rectification of inaccurate data,
• data portability,
• object to processing,
• restriction of processing, and
• erasure of personal data.

The Provider shall ensure the exercise of the aforementioned rights without undue delay, and at the latest within one month from the receipt of the request. If the request is complex or if there are multiple requests, the deadline may be extended by an additional two months, of which the user shall be informed within one month from the receipt of the request, together with the reasons for the extension.

Requests for exercising rights may be submitted by the user via email to podpora@softeh.com or by post to the following address: SOFTEH d.o.o., Trgovska ulica 2, 2310 Slovenska Bistrica.

If there is a legitimate doubt regarding the identity of the requester, the Provider may require additional information to verify the identity of the user to whom the data relate.

In the case of manifestly unfounded or excessive requests (particularly if they are repetitive), the Provider may:

• charge a reasonable fee covering the administrative costs of processing the request, or
• refuse to act on the request.

If the Provider does not decide on the request within the prescribed deadline or rejects it, the user has the right to file a complaint with the Information Commissioner. The user may also file a complaint directly if they believe that the processing of their personal data violates Slovenian or European personal data protection legislation.

8. Termination of Service Provision

In the event that the provision of the SofSign eID service is terminated, the Provider shall delete all data relating to the user from its systems within one month. Users shall be notified of the termination of the service and data deletion by means of a notice published on the Provider’s official website.

9. Technical Support

In case of issues or inquiries, users may send a message to the email address podpora@softeh.com or call from Monday to Friday, excluding public holidays, at the following telephone number:

• during working hours from 8 a.m. to 4 p.m.: 02 421 56 70,
• outside working hours via email: podpora@softeh.com.

10. Breach of the General Terms and Conditions

The Provider reserves the right to deny access to the SofSign eID service to users who violate or act contrary to the General Terms and Conditions.

In the event that the user causes damage to the Provider through their actions, the user shall be fully liable for such damage, including moral, material, and criminal liability.

Any violations of the use of the SofSign eID service by other users may be reported to the Provider by email at podpora@softeh.com or in writing to the address SOFTEH d.o.o., Trgovska ulica 2, 2310 Slovenska Bistrica.

11. Final Provisions

The Provider may amend or supplement the General Terms and Conditions at any time without prior notice or the consent of the users.

These General Terms and Conditions shall enter into force on May 1, 2025.

General Terms and Conditions for Users of SofSign Services

1. GENERAL

By accessing, downloading materials, or using the SofSign online service or the SofSign mobile application, the user agrees to comply with these General Terms and Conditions of Use of the SofSign service (hereinafter: the General Terms and Conditions). If the user does not agree with the General Terms and Conditions, they shall not use the SofSign service.

The General Terms and Conditions define the manner of provision and the conditions of use of the SofSign service for natural persons, specify the scope of services, as well as the rights and obligations between the user and the company SOFTEH d.o.o., Trgovska ulica 2, 2310 Slovenska Bistrica, registration number: 3651827000, tax number: SI72997842, acting as the responsible provider and executor of the service (hereinafter: the Provider).

These General Terms and Conditions constitute a legally binding agreement between the user and the Provider of the SofSign service.

If the defined scope of the service does not meet the user’s requirements, the user should contact the client representative, who will propose a suitable alternative solution for signing.

2. DEFINITION OF TERMS

The meanings of the terms used in these General Terms and Conditions are as follows:

• SofSign or the service refers to a suite of cloud services intended for managing digital transactions, which includes: the creation and management of electronic identities, user authentication, management of electronic signature workflows, electronic signing of documents, electronic document exchange, and electronic storage of finalized documentary materials, i.e., electronically signed documents with business content. All of this is carried out in accordance with Regulation (EU) No. 910/2014 (eIDAS) and the applicable national legislation of the client’s country regarding electronic signing and electronic document storage.
• SofSign eID constitutes a part of the SofSign service, designed to perform the function of a cloud-based electronic identity provider.
• SofSign RS is a component of the SofSign service that enables remote signing and is used in cases where the signer is not physically present at the point of sale. The signature can be executed as a click-to-sign (using the qualified electronic seal of the service), with a local qualified user certificate, or with a qualified user certificate stored in the cloud
• An electronic identity card is a public document by which a citizen of the Republic of Slovenia proves their identity and citizenship. It contains qualified digital certificates for both high- and low-level login as well as for electronic signatures.
• The Client is a legal entity or other economic subject who uses the SofSign service against payment and agrees to the applicable General Terms and Conditions. The term Client also applies to those who use the service free of charge during the trial period.
• Software means the software solutions owned by the Provider, installed on its hardware, and forming an integral part of the SofSign service. In the event that third-party software is used by the Provider or the Client, the terms of use of those third parties shall apply.
• An audit trail is a visible record of evidence that enables traceability of information in assertions or reports back to their source.
• The General Terms and Conditions represent the applicable terms of use for the SofSign services at any given time.
• Transaction means the transfer of a completed unit of documentary material (e.g., document, image, record, etc.) for electronic signing via the SofSign service.
• The User is a natural or legal person or other economic entity who receives, reviews, confirms, signs, approves, or otherwise uses the service. The Client is responsible for informing the end user about the use of the service they access through the Client.

3. SUBJECT OF THE SERVICE

By using the SofSign service, the user is deemed to be familiar with and to fully accept the General Terms and Conditions. The services provided by SofSign as a cloud solution include:

• Creation and management of electronic identities
• User authentication
• Management of electronic signature processes
• Electronic signing of documents
• Exchange of electronic documents
• Electronic storage of finalized documentary materials, i.e., electronically signed documents with business content

The use of the service implies that the user is familiar with its scope, mode of operation, and the rules set forth in the General Terms and Conditions.

4. EXECUTION OF THE SofSign SERVICE

The SofSign electronic signing service is intended for the preparation and signing of documents generated in the Client’s business processes in an electronic manner. The SofSign service for capturing e-signatures requires documents in PDF format with embedded signature tags at the locations where a signature is needed. The tags specify:

• the signer,
• the signing order,
• and the signature location (who signs where on the document).

The SofSign service encompasses the execution of the electronic signing process services in the following manner:

• SofSign RS enables remote signing and covers those types of signatures where the signer is not physically present at the point of sale. The signature can be executed:
  • as a click-to-sign (with the service’s qualified electronic seal),
  • with the user’s local qualified certificate,
  • with the user’s qualified certificate stored in the cloud,
  • or with the qualified certificate on the user’s personal identity card.

By using the SofSign service, the user agrees to perform electronic signing using the means and under the conditions specified in these General Terms and Conditions, and in the manner of signing as determined by the service Subscriber.

5. TECHNICAL CONDITIONS FOR THE USE OF THE SofSign SERVICE

For the use of the SofSign service in the case of remote signing, the user requires, in addition to an email address, a personal computer or mobile device (mobile phone, tablet, etc.) with internet access, supported versions of web browsers and operating systems as provided by the manufacturers, and a SofSign eID electronic identity.

The Provider shall not be held responsible for the malfunctioning of the SofSign service on outdated versions of operating systems that are no longer officially supported by the manufacturer. The SofSign service may also function on older or unsupported browser versions; however, this may result in impaired or distorted display of the pages.

A condition for using the service is also access to and provision of the user’s valid email address.

The Provider ensures hosting of the information system and backup services either independently or through subcontractors within the territory of the European Union, for which it guarantees as if the services were performed by itself.

6. LIMITATION OF LIABILITY AND USE

The provider explicitly prohibits any interference with the source code of the SofSign service, performing reverse engineering, further distribution, modification or reproduction, leasing or selling, whether for payment or free of charge, and any other commercial use of the SofSign services. Use of the service is allowed exclusively to authorized users and is not permitted for third parties, unless explicitly regulated in these Terms and Conditions or by a special written agreement between the user and the provider. In case of violation of these provisions, the user may be held liable for damages and/or criminally responsible.

The user must provide truthful and accurate information during registration or login for the use of the service. If incomplete, incorrect, or false information is provided, or if there are other justified reasons, the provider reserves the right to refuse registration or login. The user guarantees that all data necessary for the use of the service are accurate, truthful, and complete; otherwise, they bear responsibility for any damage that may result to the provider.

7. RESPONSIBILITY OF THE USER

The user may use the SofSign service exclusively for their own needs. They guarantee that the personal data provided is accurate and genuinely related to them. The use of offensive data or data that could constitute hate speech is prohibited. The service may be used in accordance with these Terms and Conditions by adults and legally competent persons, or by minors with the explicit consent of a legal representative or holder of parental authority.

The user is obliged to keep their electronic identification means confidential and use them in accordance with these Terms and Conditions. In case of misuse of the SofSign service or negligent behavior, the user may be held liable for damages or criminally responsible. The user is not allowed to authorize other persons or enable them to use their electronic identification means. In case of violation of this provision, the user guarantees full liability for damages.

The user must not use the SofSign service for illegal purposes, nor may they obtain, collect, or store personal data of other users. If the user suspects misuse of their electronic identification means, they must immediately notify the provider at the email address: podpora@softeh.com. Upon receiving the notification, the provider will disable further use of these means.

8. LIMITATION OF PROVIDER’S LIABILITY

The use of the services by the user is at their own risk. The provider does not guarantee uninterrupted service operation but will strive to resolve any disruptions as quickly as possible. The provider reserves the right to temporary service interruptions for technical reasons, maintenance, or equipment replacement. No guarantee is given for service availability in cases of communication network failures, technical errors, disruptions, or outages caused by third parties (e.g., power outages), or in cases of force majeure.

The provider is not liable for any direct or indirect damages or deficiencies that may arise for the user due to technical issues or the inability to use the SofSign service.

The provider is not responsible for any damage caused by incorrect, false, incomplete, or outdated data provided by the user.

The provider is not responsible for malfunctioning of the services caused by incorrect use or lack of knowledge of the service by the user. Likewise, it does not assume responsibility for incorrect data entry by the user, failure to secure entered data, or allowing access to third parties, which could lead to the disclosure of confidential information.

The provider is in no way responsible for any damage the user may suffer due to loss, disclosure, or misuse of data if caused by the user themselves, the subscriber, or third parties.

In case of misuse of the SofSign service, the provider reserves the right to immediately restrict or terminate the user’s access to the service.

9. Protection of Personal Data

For the purpose of providing the SofSign service by the Customer, who acts as the data controller, the Provider collects, processes, and stores the User’s personal data and thereby acts as a data processor. Personal data shall be processed in accordance with the applicable personal data protection legislation. The Provider shall store personal data until the purpose is revoked or the right to erasure is exercised. Within the meaning of these General Terms and Conditions, the User shall be considered a data subject as defined by the legislation governing the protection of personal data.

The Customer, who provides personal data to the Provider, guarantees that it holds an appropriate legal basis for the processing of such data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”) and other applicable legislation. The Customer guarantees that the personal data are provided on the basis of one or more legal grounds: the data subject’s explicit consent, the performance of a contract, or compliance with a legal obligation. If the Customer provides data obtained in breach of the Regulation or any other applicable legislation, the Provider shall bear no responsibility in this regard.

The Provider shall not disclose the collected personal data to any third parties or organisations without prior notice to the Customer as the data controller. A list of sub-processors performing specific tasks on behalf of the Provider is attached as Annex 1 to these General Terms and Conditions. The Provider ensures that such sub-processors act in accordance with the second and fourth paragraphs of Article 28 of the Regulation and observe appropriate technical and organisational measures.

As a personal data processor, the Provider undertakes to handle personal data with due care and to process them solely for the purposes for which they were originally collected.

For the purpose of the SofSign service, the Provider processes personal data received from the Customer in documents, as well as data entered by the User in login or registration forms. The type of personal data depends on the content of the documents and is not stored in a structured format. In any case, the Provider processes the following data: first name, last name, email address, telephone number, country (for one-time password purposes), and data included in the audit trail (see 11. Audit trail).

When using the SofSign mobile application, the following data may be processed:

• For contactless reading of qualified digital certificates on the electronic identity card: first name, last name, and CAN code.
• the case of data transfer to another entity (depending on settings): first name, last name, gender, date of birth, citizenship, nationality, personal identification number (EMŠO), document type, document number, and document expiry date.
  The transfer of data from the identity card to another business entity or the Customer is only possible with the prior consent of the User. The Customer is responsible for the further processing of such data in accordance with applicable legislation.

The application allows the display of the following data regarding the identity card holder:

• First name and last name,
• Identity card serial number,
• Personal identification number (EMŠO),
• Date of birth,
• Gender,
• Validity of the identity card,
• Citizenship,
• Data on the digital certificates contained on the identity card:
  • Type of digital certificate,
  • Issuer,
  • Serial number,
  • Validity of the digital certificate.

These data are displayed to the User only upon request and are not stored within the application. All data are processed exclusively on the device where the application is installed and are not transmitted to other information systems, unless explicitly requested by the User (e.g., for logging into an online service or executing a signature).

The User has the following rights in accordance with applicable legislation:

• Access to data,
• Rectification,
• Portability,
• Objection,
• Restriction of processing,
• Erasure of personal data.

The exercise of rights is possible upon request to the Customer. The User may submit their request to the Customer’s electronic or physical address. In cases where the User’s identity is in doubt, the Provider or the Customer may require additional information to verify the User’s identity. The User may file a complaint with the Information Commissioner if they believe that the processing of their personal data violates applicable regulations. Complaints may be addressed to:

Information Commissioner, Dunajska 22, 1000 Ljubljana

Email: gp.ip@ip-rs.si

Website: www.ip-rs.si

The Provider, as the data processor under these terms, does not make decisions based solely on automated processing (profiling) that would have legal or similarly significant effects on the User.

The Provider hosts the information system and backup data either independently or through subcontractors within the EU and guarantees their security as if the services were performed by the Provider itself.

10. Information Security

The provision of the service subject to these General Terms and Conditions involves the processing and storage of personal data, the disclosure, misuse, or negligent handling of which may cause harm to the User. The Provider undertakes to protect all personal data with due care and to implement appropriate measures to prevent abuse and unauthorized access to such data. All persons involved in the provision of the services are bound by confidentiality and data protection obligations.

The Provider undertakes to perform all services professionally and appropriately, in compliance with regulations governing the handling of confidential data. In the course of providing the services, the Provider shall ensure that no misuse of personal data or other confidential information of the User occurs. This is ensured through strict adherence to applicable legislation, compliance with standards, best practices, as well as internal policies and procedures.

The Provider undertakes to perform all services professionally and appropriately, in compliance with regulations governing the handling of confidential data. In the course of providing the services, the Provider shall ensure that no misuse of personal data or other confidential information of the User occurs. This is ensured through strict adherence to applicable legislation, compliance with standards, best practices, as well as internal policies and procedures.

The Customer remains the owner and controller of all personal data and is responsible for their protection in accordance with applicable legislation.

The Provider ensures the security of data processing and storage in accordance with its organizational measures. These include all necessary organizational, technical, and logical-technical procedures to guarantee information security, data protection, and business confidentiality. The Provider has adopted and implemented an Information Security Management System in compliance with the ISO/IEC 27001 standard.

Communication between the Provider and the User may also include confidential information of the Provider. Confidential information encompasses all materials, messages, and information marked as confidential or which would ordinarily be understood as such under normal circumstances. In the event that the User receives confidential information, they shall not disclose it to any third parties without the prior consent of the Provider.

11. Audit Trail

The audit trail represents a chain of evidence that enables traceability of information in claims or reports back to their origin. For the purpose of ensuring traceability of business events, the Provider establishes and manages the audit trail.
The Provider ensures that the audit trail is complete, unaltered, transparent, and accessible only to authorized personnel. Based on an agreement with the Customer, the Provider may allow the export of the entire audit trail for a specific transaction.

Within the scope of the audit trail, the Provider processes the following data:

• Event ID,
• Signatory ID,
• Username,
• Type of event (e.g., transaction creation, signature execution, transaction archiving, etc.),
• Date and time of the event,
• Event success status,
• Transaction name,
• Additional information (e.g., type of signature, type of login, etc.),
• Process status (e.g., transaction is loading, signed, archived, completed),
• IP address.

12. Termination of Service Provision

The Provider shall delete all documents containing personal data related to a specific transaction no later than 70 days after their receipt, following the completion of the respective transaction.

Based on the Customer’s instruction or, in any case, upon termination of the contractual relationship with the Customer, the Provider shall return or delete all personal data to the Customer no later than 70 days from receipt of the instruction or termination of the relationship, unless otherwise required by law.

Any copies of personal data shall be irreversibly destroyed by the Provider within the specified period, unless their retention is mandatory under applicable law.

13. Breach of the General Terms and Conditions

The Provider reserves the right to deny access to the SofSign service to Users who violate or act contrary to the General Terms and Conditions. Users shall be fully liable to compensate the Provider for any damage caused by their actions. Any breaches of the General Terms and Conditions may also be subject to criminal prosecution.

Any potential violations of the SofSign service by other users may be reported to the Provider via email at podpora@softeh.com or in writing to the registered office of SOFTEH d.o.o., Trgovska ulica 2, 2310 Slovenska Bistrica.

14. INTELLECTUAL PROPERTY RIGHTS

All data and information, graphic designs, layouts, marks, trademarks, and logos included in or forming part of the SofSign service are the property of the Provider or subject to the Provider’s rights and are protected by copyright and/or other industrial property rights in accordance with applicable law.

By using or accessing the SofSign service, the User obtains a non-exclusive, non-transferable, and time-limited right to use the service solely in accordance with these General Terms and Conditions. The User shall not use the service for any other or commercial purposes not in compliance with these terms.

15. Final Provisions

Any disputes between the Provider and the User shall be resolved amicably. If an amicable solution cannot be reached, the competent court in Maribor shall have jurisdiction to resolve the disputes.

If any provision of these General Terms and Conditions is found to be invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be replaced by a valid provision that is as close as possible in content and purpose to the original intent of the invalid provision.

The Provider reserves the right to amend or supplement these General Terms and Conditions at any time. The obligation to notify Users of changes shall be deemed fulfilled by publishing the updated General Terms and Conditions on the Provider’s website. The new General Terms and Conditions shall become effective on the date of their publication on the Provider’s website, unless a different effective date is specified therein.

SOFTEH d.o.o.
These General Terms and Conditions are effective as of May 1, 2025.

Appendix 1: List of Sub-processors

Name of Subprocessor	Address of Subprocessor	Registration Number	Purpose of Processing Activities
T2	Verovškova 64A, 1000 Ljubljana	1954598000	performing backup operations
Pošta Slovenije	Slomškov trg 10, 2500 Maribor	5881447000	“Provision of long-term electronic document retention (eHramba.si® service) – Applicable when the Customer subscribes to the eHramba.si® service.”

Privacy Policy

SOFTEH d.o.o., Trgovska ulica 2, 2310 Slovenska Bistrica (hereinafter referred to as the “Company” or “SOFTEH”) as the data controller, undertakes to handle all personal data obtained with due care and to process such data solely for the purposes for which they were originally collected. The Company processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Data Protection Regulation” or “GDPR”), as well as other applicable data protection legislation.

1. Purpose of the Privacy Policy

The purpose of this Privacy Policy is to inform users of the Company’s website and other individuals (hereinafter also referred to as “data subjects”) about the purposes and legal bases for the processing of personal data carried out by the Company, as well as their rights regarding data protection. Furthermore, this Privacy Policy provides additional clarification on the significance of consent to the processing of personal data.

The Company places special emphasis on the protection of your personal data. All personal data provided are treated as confidential. We manage your data with the utmost care, in compliance with applicable legislation and the highest processing standards. We ensure the security of your personal data through appropriate organizational measures, operational procedures, advanced technological solutions, and adherence to recognized best practices in data protection.

We employ an appropriate level of protection and a reasonable combination of physical, electronic, and administrative measures to safeguard the collected data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that has been transferred, stored, or otherwise processed.

In accordance with Article 13 of the General Data Protection Regulation (GDPR), the Privacy Policy contains the following information:

• The company’s contact details,
• The purposes, legal bases, and types of personal data processing of individuals,
• Retention periods for different types of personal data,
• The rights of individuals regarding the processing of personal data,
• The possibility to file a complaint related to the processing of personal data,
• The validity of this Privacy Policy.

2. Personal Data Collected by the Company

If you are only a visitor to the website, we collect data about you solely through cookies.

For the purpose of responding to your inquiry submitted via the “Contact Us” form on the website, as well as for conducting business communication, we process the following personal data:

• First and last name,
• Email address,
• Company name,
• Telephone number.

For the purpose of registration in the SOFTEH Partner Portal, we process the following personal data:

• Email address,
• First and last name,
• Address,
• Postal code,
• City,
• Country,
• Phone number,
• Company name.

The processing of the aforementioned personal data is based on your explicit consent. Personal data is retained until the purpose is revoked. The collected personal data is not disclosed to third parties or other organizations, except where there is a legal basis for doing so.

The company may, based on a justified and substantiated request, disclose personal data to competent state authorities when there is a legal basis for doing so. For example, the company may respond to requests from courts, law enforcement agencies, and other state authorities, including authorities of other European Union member states.

You may withdraw your consent for the processing of personal data at any time by submitting a request sent to the email address podpora@softeh.com or by sending a written request to the company’s registered office at: SOFTEH d.o.o., Trgovska ulica 2, 2310 Slovenska Bistrica.

The withdrawal of consent applies solely to personal data processed based on your consent. The most recent consent received by us shall be deemed valid. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. The right to withdraw consent does not constitute the right to unilaterally terminate any contractual or business relationship with the company.

3. Categories of Data Subjects Whose Personal Data Are Processed

This Privacy Policy is intended for all individuals who visit our website, submit an inquiry via the “Contact Us” form, or register on the SOFTEH Partner Portal.

4. Rights of Individuals Regarding the Processing of Personal Data

The exercise of your rights regarding the processing of personal data will be ensured without undue delay. We will respond to your request no later than one month after its receipt. In cases of a high number of requests or the complexity of the matter, this period may be extended by up to two additional months. In such cases, we will inform you of the extension within one month of receiving your request and provide the reasons for the delay.

Requests to exercise your rights can be submitted via email to podpora@softeh.com or by mail to the address SOFTEH d.o.o., Trgovska ulica 2, 2310 Slovenska Bistrica.

When you submit a request using electronic means, we will provide the information, where possible, also by electronic means, unless you expressly request otherwise.

If there is a legitimate doubt regarding the identity of the individual submitting the request, we may require additional information necessary for the reliable identification of the person to whom the personal data relates.

If an individual’s requests are manifestly unfounded or excessive – particularly if repetitive – we may:

• charge a reasonable fee taking into account the administrative costs of providing the information, communications, or implementing the requested actions, or
• refuse to act on the request.

We provide you with the following rights regarding the processing of your personal data:

1. The right to access your data:

You have the right to obtain information about whether personal data concerning you is being processed. If personal data is being processed, you have the right to access this data and receive the following information:

• the purposes of the processing,
• the types of personal data concerned,
• the recipients or categories of recipients to whom the personal data has been or will be disclosed,
• the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
• the existence of the right to request rectification or erasure of personal data or restriction of processing, or the right to object to such processing,
• the right to lodge a complaint with a supervisory authority,
• where the personal data is not collected directly from you – any available information as to its source.
• The right to rectification:

You have the right to request without undue delay the rectification of inaccurate personal data concerning you. In accordance with the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement.

• Right to erasure (“right to be forgotten”)

You have the right to request that your personal data be erased without undue delay where one of the following grounds applies:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
• you have withdrawn your consent to the processing and there is no other legal ground for the processing,
• you object to the processing and there are no overriding legitimate grounds for the processing,
• the personal data have been unlawfully processed,
• erasure of the personal data is necessary to comply with a legal obligation under EU law or the laws of the Republic of Slovenia.
• Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data where one of the following applies:

• you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the data,
• the processing is unlawful and you request the restriction of their use instead of erasure,
• we no longer need the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims,
• you have objected to processing based on legitimate interests, pending the verification of whether our legitimate grounds override yours.

When the processing is restricted, such data shall only be processed  except for storage purposes with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person. Before lifting the restriction, we will inform you accordingly.

• Right to data portability

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, as well as the right to transmit those data to another controller when:

• the processing is based on your consent or a contract, and
• the processing is carried out by automated means.

At your request, if technically feasible, the data may be transferred directly to another controller.

• Right to Object

When we process your personal data based on legitimate interest, you have the right to object to such processing at any time, in particular where the data are processed for the purposes of direct marketing.

In such a case, we will cease processing your data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defence of legal claims.

5. Right to Lodge a Complaint Regarding the Processing of Personal Data

A potential complaint regarding the processing of your personal data may be submitted via email to podpora@softeh.com or by postal mail to the following address:

SOFTEH d.o.o.

Trgovska ulica 2

2310 Slovenska Bistrica

Slovenia.

If we fail to respond to your request within the legal timeframe or if your request is denied, you have the right to lodge a complaint with the Information Commissioner.

You also have the right to lodge a complaint directly with the Information Commissioner if you believe that the processing of your personal data violates the applicable regulations of the Republic of Slovenia or the data protection regulations of the European Union.

If you have exercised your right of access and, upon receiving the response, believe that the personal data provided does not correspond to the data you requested, or that not all requested personal data has been provided, you may submit a reasoned complaint to the company within 15 days before filing a complaint with the Information Commissioner. The company must respond to your complaint as if it were a new request within five working days.

6. Final Provisions

For all matters not regulated by this Privacy Policy, the applicable data protection legislation shall apply.

The Company shall not be liable for any damage that may arise to an individual due to the provision of incorrect, false, incomplete, or outdated personal data relating to that individual.

The controller is liable for damage caused by the processing of personal data only if it fails to comply with the obligations under the General Data Protection Regulation or other applicable data protection legislation, or if it acts contrary to their provisions. The Company is not liable for any damage incurred if it proves that it is not responsible for the event that caused the damage under any circumstances.

The Company reserves the right to amend this Privacy Policy. We will notify you of any changes by posting the updated policy on the Company’s official website (www.softeh.com) or by other appropriate means.

This Privacy Policy is published on the Company’s website and shall enter into force and apply as of May 1, 2025.

If you have any questions regarding this Privacy Policy or the data we hold about you, we will be happy to assist you.

All questions and requests can be sent to:

SOFTEH d.o.o.

Trgovska ulica 2
2310 Slovenska Bistrica
Email: podpora@softeh.com
Phone: +386 2 421 56 70