Agreement for the Sale and Use of DataShielder NFC HSM and HSM PGP Encryption Products

Preamble:

DataShielder NFC HSM and HSM PGP products are classified as dual-use goods, in accordance with international regulations. As the purchaser of these products, you agree to use them only for lawful purposes and in accordance with the laws of your country of residence or destination, as well as international regulations applicable to dual-use encryption products.

By purchasing a DataShielder NFC HSM or HSM PGP encryption product, you acknowledge that you have read and agree to the terms of this Membership Agreement. This agreement sets out your legal obligations related to the use of these products, according to international and national regulations. The acquisition of a product implies automatic adherence and full acceptance of this contract without requiring a physical signature.

These products are subject to strict rules regarding their use, export and import according to the applicable legislation in different countries. By validating this purchase, you acknowledge that you are fully aware of the associated legal responsibilities.

DataShielder products, designed to combat espionage, offer advanced security and complete privacy. The purchaser acknowledges that it is fully aware of the advanced security features of these products and the risks associated with illicit or malicious use. These products work without a server, without a database, without account creation, and offline, thus guaranteeing a high level of anonymity and security.

Article 1. Purpose of the Agreement

This Agreement sets forth the rights and obligations of Acquirer and Freemindtronic and Fullsecure with respect to the acquisition, use, management, and data protection of DataShielder Cryptography Products. These products, classified as dual-use (civilian and military) items, are subject to international regulations relating to cryptographic products, including Regulation (EU) 2021/821, the U.S. https://www.bis.gov/regulations as well as specific laws in China, Japan, South Korea, and other similar jurisdictions.

This agreement covers the Auth, M-Auth & Lite (civil), Master (regal) and Defense (military) versions of DataShielder NFC HSM products as well as the HSM PGP version. It provides a framework for the acquirer’s obligations in terms of compliant use, security, and data protection, while guaranteeing the advanced cryptographic security of the NFC HSM and HSM PGP systems.

Article 2. Patent and Copyright Protection

NFC HSM products are protected by two international patents: the Wireless Access Control System and the Segmented Key Authentication.

The DataShielder HSM PGP is protected by the Segmented Key Authentication Patent, as well as the copyrights of the firmware, software, applications, and web browser extensions associated with these products.

These protections also extend to the qualified level digital signature system embedded in the DataShielder HSM PGP, working with segmented encryption keys, providing automatic self-repudiation. RSA 4096, 3076, 2048, or ECC encryption keys used for PGP signatures are secured with 256-bit keys, which are compatible with .asc and .p7s formats.

These products, by virtue of their cryptographic functionalities and potential for use, are classified as dual-use items under the terms of the Wassenaar Arrangement Regulations and are subject to the associated restrictions.

Article 3. Data Access and Security

3.1. Access to Encrypted Data

Neither Freemindtronic, Fullsecure, nor any other natural or legal entity may access the encrypted data stored in the memories of NFC HSM or HSM PGP devices, even if the devices are physically accessed. Access to encrypted data is strictly conditional on complete knowledge of all segmented keys, which are protected by international patents specific to these devices, thus ensuring maximum security and total impermeability of the systems.

3.2. Protection of Private Keys

The private keys used for the digital signature are secured by passwords generated from segmented keys of more than 256 bits, ensuring the security of access, integrity, and authenticity of the identity of the creator of the signature.

3.3. Disclosable information

For NFC HSM devices, only information relating to the identity of the acquirer and the serial numbers of the devices purchased may be communicated to the competent authorities upon official request. For the PGP HSM, only the information related to the identity of the acquirer and the number of the activated motherboard can be communicated. No other data may be disclosed or accessed. The communication of this information to the authorities is only done on legal request and in compliance with personal data protection standards, such as the General Data Protection Regulation (GDPR) for European acquirers.

3.4. Data inviolability

It is physically impossible to trace, identify, detect, prevent use, corrupt, or extract the secrets contained in these devices. Encrypted data is protected by segmented keys, freely and randomly created by the user, to which can be added trust criteria, such as geo-zones, passwords, BSSIDs, or specific cryptographic conditions.

3.5. Use of Encryption Keys

Only the holder of all segmented keys and trust criteria can use AES-256 CBC encryption keys to access the data. This principle also applies to key sharing via randomly generated RSA-4096 key pairs stored in the NFC HSM, making it impossible to decrypt during sharing between NFC HSM devices.

3.6. Limitation of Liability

As a result, the judicial authorities cannot request the manufacturer to try to access the contents of the NFC HSM or HSM PGP devices, given that these systems are specifically designed for counter-espionage, with enhanced security and complete anonymization of the user and data.

Article 4. General Liability and Export Non-Compliance

Freemindtronic and Fullsecure expressly inform the acquirer of the legal obligations applicable to the export of crypto products, in accordance with national and international regulations. These products, being classified as dual-use items, are subject to strict controls due to their strategic nature.

The acquirer assumes full responsibility for ensuring that it holds all required licenses and authorizations for the import, export, and use of the crypto products in its country of residence or destination. This includes strict compliance with local crypto regulations, as well as export restrictions to certain countries or geographies, including territories subject to embargoes or trade sanctions.

In the event of a breach of these obligations, the purchaser undertakes to indemnify Freemindtronic and Fullsecure for any damage or injury resulting from non-compliant or illegal use of the DataShielder products. This indemnification includes, without limitation, any violation of the rules of export, use of cryptographic technologies, or any failure to comply with its contractual obligations. The acquirer is also required to cover all legal fees, fines and other costs associated with such violations.

Article 5. Compliance with Sanctions Lists

The acquirer undertakes to comply with international sanctions lists, such as those of the United Nations, the EU and OFAC (Office of Foreign Assets Control). It is strictly prohibited to sell, transfer, or allow access to the DataShielder products to any entity or individual on these lists. Any violation of this clause may result in legal sanctions and the immediate termination of the distribution contract and refusal to sell the products to a buyer.

Article 6. Final Destination Control

The acquirer agrees not to export or transfer the DataShielder products to countries subject to international embargoes or trade sanctions. The purchaser must ensure that the final destinations of the products comply with the international regulations in force. Any violation of this clause may result in legal sanctions and the immediate termination of the distribution contract and refusal to sell the products to a buyer.

Article 7. Prohibition of Use in Weapons Systems

DataShielder products may not be used for development, production, or integration into weapons systems unless expressly authorized by the relevant authorities. Any violation of this prohibition may result in legal sanctions and immediate termination of the distribution contract.

Article 8. Limitation of Rights in the Event of Armed Conflict or Military Intervention

The rights to use DataShielder HSM PGP products may be limited by a non-renewal of the license in the event of armed conflict, military intervention, or exceptional situations that jeopardize national security. This limitation is exercised within the limits of Freemindtronic’s prerogatives and under the intervention of the Andorran authorities.

Article 9. Non-Renewal of License in Case of Malicious Use

Because DataShielder NFC HSM and HSM PGP are counterintelligence solutions, it is physically impossible for Freemindtronic, Fullsecure, or its distributors to detect malicious or non-compliant use. However, Freemindtronic reserves the right not to renew a term license for DataShielder HSM PGP if evidence of malicious use is established.

Article 10. Prohibition of Reverse Engineering

The purchaser may not attempt to disassemble, modify, or reverse engineer the DataShielder products. This ban is intended to prevent any attempt at industrial espionage or circumvention of security systems. Any violation of this clause may result in legal sanctions and immediate termination of the distribution contract.

Article 11. Product Releases and Compliance

This agreement applies to the four versions of DataShielder products, each of which addresses specific security and compliance needs:

11.1. Auth, M-Auth & Lite (civilian version)

These versions are intended for businesses and individuals with advanced security needs. They offer robust encryption features suitable for civilian use, ensuring that sensitive data is protected from unauthorized access.

11.2. Master (regal version)

Reserved for government institutions and sovereign entities, this version meets the security requirements of public administrations and sovereign bodies. It incorporates enhanced security mechanisms to ensure the confidentiality and integrity of critical information.

11.3. Defense (military version)

Designed for military applications, this version meets the highest safety requirements. It is intended for armed forces and defense entities, providing advanced levels of protection against sophisticated threats and espionage attempts.

11.4. HSM PGP (dual use)

This version comes in the form of a browser extension, suitable for civilian and military use. It encrypts and decrypts electronic communications via the PGP (Pretty Good Privacy) standard. The PGP HSM extension provides enhanced security for email and file protection, and it is designed to operate independently, without a connection to a server or database. Ideal for companies, public institutions and defense entities, it guarantees the confidentiality of exchanges, while being easy to deploy on a computer, and compliant with international security standards.

Each version of DataShielder products complies with international and national regulations applicable to cryptography technologies and dual-use goods. The purchaser undertakes to use the products in accordance with their classification and the laws in force in their country of residence or destination.

Article 12. Safety and Responsible Use

12.1. Quantum Security

The Acquirer acknowledges that DataShielder products are high-level cryptographic technologies, based on advanced encryption systems such as AES-256 CBC and PGP with segmented keys. These products, due to their robustness against espionage and unauthorized access attempts, are specifically designed to provide maximum protection for sensitive communications and data.

The acquirer also acknowledges that, due to their design for counter-espionage and advanced encryption uses, any illicit, malicious use or use without prior import and/or export authorization could be injurious to national security. Such use exposes the purchaser to civil and criminal penalties, in accordance with dual-use laws.

12.2. Civil and criminal penalties for violations

International legislation, such as Regulation (EU) 2021/821 and the U.S. EAR, provides for severe penalties for violating rules on the export, import, or use of sensitive cryptographic technologies. These penalties include:

  • Substantial fines;
  • Prison sentences for serious non-compliance with export rules or illicit use;
  • Restrictions on access to sensitive technologies in the event of recurrence or non-compliance.

The purchaser undertakes to use these products in accordance with local and international regulations and not to misuse these technologies for malicious or illegal purposes.

Article 13. End-use statement

The purchaser represents that the DataShielder products will be used for lawful purposes and in compliance with national and international regulations. Any misrepresentation about the end use may result in civil and criminal penalties, as well as immediate termination of the contract.

Article 14. Acquirer Background Check

Freemindtronic reserves the right to conduct due diligence on the purchaser to ensure that the purchaser complies with national and international dual-use laws.

Freemindtronic also reserves the right to refuse a sale for ethical reasons or in case of reasonable doubt as to the identity of the buyer, in particular if the buyer is identified by the competent authorities as likely to make malicious use of the product. This measure aims to prevent any illicit use or use contrary to national and international security interests.

The purchaser accepts that these verifications may be carried out and undertakes to provide all the necessary information for this purpose. In the event of a refusal to sell, Freemindtronic is not obliged to justify its decision, but undertakes to inform the purchaser in an appropriate manner.

Article 16. Non-Disclosure, Non-Proliferation, Renewal and Maintenance

Acquirer acknowledges that DataShielder products are dual-use items subject to strict non-proliferation regulations. Accordingly, the acquirer undertakes to comply with all applicable laws and regulations regarding export control and non-proliferation of crypto technologies.

Freemindtronic reserves the right to verify the purchaser’s compliance with this clause and to take appropriate action in the event of non-compliance, including immediate termination of the contract and recovery of products transferred without authorization.

Article 17. Updating Security Standards

The purchaser undertakes to regularly update all software made available by Freemindtronic or on official platforms. These updates are essential to maintain a high level of protection against new cybersecurity threats. The acquirer acknowledges that it is its responsibility to comply with these requirements to ensure the security and integrity of the data protected by the DataShielder products.

Article 18. Liability in the event of a cyberattack

The acquirer agrees to immediately report any security incident or attempted cyberattack affecting the DataShielder devices. It must fully cooperate with Freemindtronic, Fullsecure, and the relevant authorities to resolve the issue. Freemindtronic shall not be liable for any negligence on the part of the purchaser which has led to a compromise of the security of the systems. The acquirer is required to put in place adequate security measures to prevent such attacks and to follow Freemindtronic’s cybersecurity recommendations.

Article 19. Non-Renewal of Licenses

Due to the decentralized nature of DataShielder products, Freemindtronic cannot remotely suspend or revoke a license related to PGP HSMs, as they operate offline, without a server, database, account creation, or credentials. However, in the event of an official request from the authorities, Freemindtronic reserves the right not to renew an acquirer’s license that is about to expire. The purchaser acknowledges that this limitation is inherent in the design of the products to ensure a high level of security and anonymity.

It is important to note that this license suspension or revocation limitation does not apply to the DataShielder NFC HSM, as this module is designed to operate completely autonomously. It works without a battery, without maintenance, and is activated only via energy harvesting from the NFC signal of a compatible phone. This product is undetectable, untraceable, and difficult to identify, if not impossible to identify in its Defense version.

The DataShielder NFC HSM works in real-time, without a server, database, account creation, or credentials, and has no dependency on a specific NFC Android phone. Thanks to its multi-pairing compatibility, it is designed for extreme counter-espionage uses, both on Android NFC phones and on computers via the EviCypher Web Mail (free version) and DataShielder NFC HSM browser extensions, with which it is fully compatible.

Article 20. Surrender of License

In the event of discontinuation or transfer of DataShielder products to another user, the purchaser must ensure that the license activation code associated with the motherboard serial number is properly transferred. Freemindtronic accepts no liability for any breach of this clause.

Article 21. Disclaimer

Freemindtronic and Fullsecure, by this agreement, disclaim any liability in the event of illegal or malicious use of the products by the purchaser. The acquirer assumes full responsibility for violations of local and international laws relating to the import, export and use of cryptographic products.

The acquirer is responsible for informing itself and complying with the laws and regulations in its country of residence or destination, including specific restrictions regarding crypto technologies and trade sanctions. In the event of non-compliance with these laws, the acquirer undertakes to cooperate fully with the competent authorities during any investigation or official request.

Freemindtronic and Fullsecure cannot be held responsible for the consequences resulting from the use of the products in embargoed countries or risk areas, nor for violations of international agreements such as Regulation (EU) 2021/821, the Export Administration Regulations (EAR) of the United Nations, and other similar legislation regarding security and control of sensitive technologies.

In addition, Freemindtronic and Fullsecure reserve the right to fully cooperate with the relevant authorities in any investigation relating to the use of the products, and to provide the necessary information in accordance with applicable laws.

Article 22. Governing Law

This contract shall be governed by and construed in accordance with the laws of the Principality of Andorra, where Fullsecure is based. In the event of a dispute relating to the interpretation, performance or termination of this contract, the parties agree to seek an amicable solution before initiating any legal proceedings.

In the absence of an amicable resolution, any dispute will be subject to the exclusive jurisdiction of the courts of the Principality of Andorra. The parties consent to the exclusive jurisdiction of such courts and waive any objection based on forum non conveniens or other similar grounds.

The parties also agree that any notice or communication relating to a dispute shall be in writing and sent to the address of the applicable party as set forth in this Agreement, or to such other address as notified in writing to the other party.