
Device Swap - CAMARA - Spain 0.1

  • Network APIs
  • Anti-Fraud

Provide real-time insights into whether a SIM card associated with a user’s phone number has been transferred to a different physical device


NETWORK API SERVICES GENERAL TERMS 

Version: February 25 

 

 

Our Terms in a nutshell: If you don’t feel like reading all our Terms, here’s what it all comes down to: 

•    We sell APIs but not only. 

•    We store as little personal information as possible and always hash all of it. 

•    We charge you monthly mainly on a usage basis. 

•    You commit to not using the solution and Services for anything illegal, ensuring respect for individuals and laws, nor for anything contrary to these online Terms. 

•    These Terms, our Services description and our pricing are available on our Site. 

 

These General Terms constitute the agreement applicable between You and Orange, in respect of your use of any Network API Service provided by Orange. 

 

To use a Network API Service, You must first agree to be bound with full and unreserved acceptance by these General Terms. Should You wish to use a Network API Service to which related Specific Terms apply, You will have to comply with both General Terms and Specific Terms (together the “Terms”). In case of discrepancy between the Specific Terms and the General Terms, Specific Terms will prevail. 

 

 

1.    DEFINITIONS 

 

“Account” means an account for the Website which allows a user to, notably, register, log in online and access a private space to subscribe to an API usage. 

 

“API” or “application programming interface” means the set of coded instructions that specify how You and your Business Customer Software must interact with the Network API Services. These instructions are made available by Orange. 

 

“Brand Features” is defined as the trade names, trademarks, service marks, logos, domain names, and other distinctive brand features of either Orange or You.

 

“Business Customer” means merchants, financial institutions and other entities, that have signed an agreement with You in order to use the Orange Services through your Developer Products.

 

“Catalog” means the catalog of APIs, Software and Services proposed by Orange, as described on and accessible from the Website. 

 

“Confidential Information” means all non-public information that a party designates, either in writing or orally, as being confidential, or which, under the circumstances of disclosure, should be treated as confidential. Confidential Information includes information relating to (i) business policies or practices of a party, (ii) customers or suppliers of a party, (iii) technical, commercial, strategic, financial and economic data, data related to research, to the technical specifications, to Software, to components and to products or (iv) information received from others that the disclosing party is obligated to treat as confidential, but does not include information that was known to the receiving party prior to disclosure by the disclosing party, or information that becomes publicly available through no fault of the receiving party; 

 

“Developer Product” means APIs, software or services that You create for professional purposes, as a developer and on your sole and full responsibility, that incorporate Orange Services, and which is intended for End Users using your Developer Product; 

 

“End User” means an Orange customer who is subscribed to mobile and/or Internet services and who may opt for services provided by You or your Business Customer approved under these Terms. 

 

“Fee” means any fee or fees payable to Orange, as specified in the Specific Terms; 

 

“General Terms” means these Networks APIs General Terms; 

 

“Intellectual Property Rights” means all copyright (including but not limited to rights in computer software), patents, trademarks, trade names, trade secrets, registered and unregistered design rights, database rights and topography rights, all rights to bring an action for passing off, any other similar form of intellectual property or proprietary rights, statutory or otherwise, whether or not registrable and shall include applications for any of them, all rights to apply for protection in respect of any of the above rights and all other forms of protection of a similar nature or having equivalent or similar effect to any of these which may subsist anywhere in the world;

 

“Open Source Software” shall mean (i) any software that allows or requires as a condition of distribution of such software, that such software (1) be distributed in source code form; (2) be licensed under the condition that modifications and the creation of derived works are allowed; and/or (3) cannot be redistributed subject to license or contractual conditions that are in addition to the conditions contained in the original license. For clarification, this definition of Open Source Software includes, but is not limited to any software that is available in source code form under licenses meeting the Open Source Definition as promulgated by the Open Source Initiative, including without limitation any license approved by the Open Source Initiative and listed at www.opensource.org/licenses/, which licenses include without limitation the GNU General Public License, the GNU Lesser General Public License, the Berkeley Software Distribution (BSD) License and the Apache License.

 

“Orange” means Orange SA, with registered address located at 111, quai du Président Roosevelt CS 70222 92449 Issy-Les-Moulineaux Cedex, France, (VAT registered: FR 89 380 129 866). 

 

“Orange API” means an API made available through the Website.

 

“Orange Brand Features” means the Brand Features owned and managed by Orange Brand Services Limited and other intangible proprietary rights used or approved for use by Orange to identify Orange goods and services and includes (without limiting the generality of the foregoing) any element of the Orange brand and any marketing properties designated as elements of the Orange brand from time to time. 

 

“Orange Software” means Software whose copyright is fully owned by Orange.

 

“Payment Provider” has the meaning set forth in Section 10.2. 

 

“Private Key” means your Website account password and any API key (Client ID and Client secret) provided to allow the Developer Product to access an Orange Service and/or API. 

 

“Sales Tax” means any sales or use tax, and any equivalent tax measured by sales proceeds that Orange is required to pass through to its customers. 

 

“Service” or “Orange Service” or “Network API Service” means the access to and/or use of each Software, including APIs, Orange offers to You and as described in each Specific Terms, a list is given in the Catalog, for the benefit of your Developer Product, and in compliance with these Terms. We are constantly enhancing the quality of Services rendered. Therefore, Orange is entitled to unilaterally update its Services, provided that the updated Services are at least equivalent to the previous ones. 

 

“Software” means all source and object code that Orange makes available to You, in connection with the provision, receipt, or use of the Services, including but not limited to APIs; WSDLs (Web Services Description Languages); sample code; software libraries; command line tools; proofs of concept; templates; software development kit (“SDK”); associated documentation and other related technology, for your Developer Product.

 

“Specific Terms” means any terms provided by Orange for a specific Service. These Specific Terms apply to You for the use of Orange Services and APIs and to your Business Customers for the use of your Developer Product. In case of discrepancy between the Specific Terms and the General Terms, Specific Terms will prevail. 

 

“Website” means the website made available by Orange for the purpose of the distribution and use of the Services and governed by the website Terms of Use located at https://developer.orange.com/terms-and-conditions/.

 

“You” means a private individual or a company, organisation, or legal entity using the Orange Services and APIs. 

 

 

2.    BINDING AGREEMENT 

 

2.1    You agree that (i) your acceptance expressed electronically, including without limitation by checking a box or clicking on a “subscribe”, “agree”, “accept”, or similar button, (ii) any data collected from You using your Private Keys, and (iii) any data notified to You via the Website and/or any other related electronic means such as email, are processed and stored by Orange on its platform and will be considered binding and definitive. You expressly accept that data stored by Orange on its platform shall constitute definitive evidence of proof.

 

2.2    The provision of the Service shall only take effect when Orange expressly validates the Developer’s subscription request. 

 

2.3    Orange will use reasonable security and other measures to protect data (including Personal Data) provided in the performance of these Terms from unauthorized access, use, disclosure, alteration, and destruction. 

 

 

3.    REGISTRATION 

 

3.1    To access the Services, you must: (i) create your Account, (ii) read and accept these Terms, (iii) select the Services you are interested in among the Catalog, (iv) verify your selection and correct it if necessary, and (v) enter your bank details information and confirm your order. Following acceptance of these Terms, which you acknowledge as having read and understood, and validation of the bank account details, You will be granted access to the related Services through your Account. You will receive emails confirming the creation of your Account and your order. 

 

3.2    You may not use any Orange Services or APIs and may not accept these Terms (i) unless You are of legal age to form a binding contract and (ii) if You are barred from using or receiving Orange Services or APIs under the laws of any country. 

 

3.3    In order to access certain Services or APIs, You may be required to provide certain information. You agree that You will keep any information You provide accurate and up to date. 

 

3.4    You agree to treat any Private Keys associated with your Account as Confidential Information, and to use them only in accordance with these Terms and as otherwise instructed by Orange. As a consequence, You represent and warrant that You will protect such elements from unauthorised access, use, disclosure, alteration or destruction and will immediately notify Orange in writing if You have any reason to believe there has been a compromise of any of your Private Keys. 

 

3.5    By submitting any information (either personal or non-personal information) or material (for example, description of your Developer Product) to Orange, You grant Orange a restricted right to use such information or material in particular for the purpose of managing your Account and processing payment, as described in the Privacy Notice of Orange Developer. Therefore, You accept that Orange discloses your information to any of its affiliated companies and/or Orange’s business partners. Your information or material will not be used for any other purposes and will remain confidential within Orange, its affiliates and Orange’s business partners. In case You have the opportunity to work with Orange, any of its affiliates and/or any Orange’s business partners and wish to use any Services provided by Orange (including the distribution of your Developer Product), specific agreements will apply to such services and suitable rights to use will be granted. 

 

 

4.    USING NETWORK API SERVICES 

 

4.1    Orange grants You a limited right to use Orange Services and APIs for the purpose set out in these Terms. Orange retains all right, title and interest in and intellectual property rights related to Orange Services and APIs. 

 

4.2    If You act as an aggregator or a distributor of Orange Services or APIs, You will ensure that your terms and conditions with your Business Customer are consistent with these Terms. 

 

4.3    You will use Orange Services and APIs only as permitted by law. 

 

4.4    You will only access (or attempt to access) an Orange Service or API by the means described in these Terms. 

 

4.5    Orange may monitor, control and restrict the use of Orange Services or APIs to ensure quality, improve our Services, and verify your compliance with these Terms. 

 

4.6    Orange may at any time modify the contractual or technical conditions of any Orange Service or API (notably by modifying, deprecating or removing an Orange Service or API), after giving You at least a one-month notice, unless otherwise provided under the Specific Terms, before the modification comes into effect.

 

 

5.    DEVELOPER PRODUCT REQUIREMENTS 

 

5.1    Orange Services and APIs are offered to You to enhance your Developer Product(s). Orange reserves the right to investigate any Developer Product on compliance with these Terms. Such investigation may involve Orange accessing and using the Developer Product. You consent to any such investigation. Orange may suspend all or part of the access to Orange Services and/or APIs by You, the Business Customers or the Developer Product without notice if we reasonably believe that You or your Business Customers are in breach of these Terms. 

 

5.2    If your Developer Product requires access to Orange’s network, such Developer Product must not in Orange’s reasonable judgement excessively use or unduly burden network capacity or bandwidth. 

 

5.3    You will use reasonable endeavours to protect End User information collected by Developer Product, including personally identifiable information (PII), from unauthorised access or use and will promptly report to your End Users any unauthorised access or use of such information. 

 

5.4    Orange does not acquire ownership of the Developer Product, and by using Orange Services and/or APIs, You do not acquire ownership of any rights in Orange Services and/or APIs or the content that is accessed through Orange Services and/or APIs. 

 

5.5    Orange reserves the right to delete Developer Products which remain inactive. An inactive Developer Product is considered as a client application which has not seen any API traffic from any of its Orange API subscriptions for a period of 12 months.

 

 

6.    RESTRICTIONS OF USE 

 

6.1    When using Orange Services and/or APIs, the following restrictions apply: 

 

a)    You will not sublicense an Orange Service and/or API for use by a third party. Accordingly, You or your Business Customers will not create a Developer Product that functions substantially the same as an Orange Service and/or API and offer it for use by a third party.

b)    You and your Business Customers will not perform an action with the intent of introducing to Orange Services and/or API any viruses, worms, defects, Trojan horses, malware or any items of a destructive nature. 

c)    Except to the extent this restriction is expressly prohibited by applicable law, You and your Business Customers will not reverse engineer or attempt to extract the source code from any Orange API or any Software. 

 

6.2    In addition to Section 6.1, You agree that you shall not: 

 

d)    Use cheats, exploits, automation software, bots, hacks, mods or any unauthorized software designed to modify or interfere with the Services; 

e)    Interfere with, damage, or disrupt the Services, including through the use of viruses, cancel bots, Trojan horses, harmful code, flood pings, denial-of-service attacks, packet or IP spoofing, forged routing or electronic mail address information, or similar methods or technology; 

f)    Attempt to probe, scan, or test the vulnerability of the Services or network, or breach any security or authentication measures; 

g)    Disrupt or interfere with the security of, or otherwise cause harm to, the Services or any ORANGE systems, resources, accounts, passwords, servers or networks connected to or accessible through the Services; 

h)    Systematically retrieve data or other content from the Services to create or compile, directly or indirectly, in single or multiple downloads, a collection, compilation, database, directory or the like, whether by manual methods, through the use of bots, crawlers, spiders, or otherwise. 

 

 

7.    CHANGES TO SERVICES 

 

7.1    Orange may at any time and at its own discretion discontinue, modify or upgrade any feature, design or functioning of the Services (herein after the “Modifications”). 

 

7.2     The Modifications may require You to take actions at your own expense and Orange shall not be liable to You for any consequences of such Modifications, whether direct or indirect. 

 

7.3    The Modification period (“Modification Period”) will start when the first Modification notification is sent to You via the e-mail address associated with your Website account and will last for a period defined in such notification, so as to allow You to adapt to the Modifications.

 

7.4    During the Modification Period, the Services will remain unmodified. 

 

7.5    At the end of the Modification Period, the Modifications will be effective. 

 

 

8.    SUSPENSION OF THE SERVICES 

 

Orange reserves the right to suspend the Services immediately in one of the following circumstances: 

 

a)    in order to carry out maintenance operations or in case of emergency; 

b)    where your use of the Services presents a risk to the security of the Services, is abnormal, jeopardises the delivery of the Services or is considered by Orange as fraudulent; 

c)    in case of attack or attempted attack to the security of the Services; 

d)    in case of default by You in relation to one of your obligations under these Terms; 

e)    in case of late payment or non-payment; 

f)    in case of a request by a judicial or administrative authority. 

Wherever possible, Orange will inform You in advance of a suspension of the Services and the duration of the suspension. In case of suspension, Orange is discharged from its obligation to provide the Services subscribed to and cannot be held responsible for any damage suffered by You during periods of suspension. 

The Services subscribed to will be restored as soon as the event that led to the suspension of Services has been remedied. 

Failing such remedy, the suspension of the Services may result in termination of the Terms in accordance with Section 13 Term and Termination. 

 

 

9.    SERVICES SUPPORT 

 

We provide you with technical support in French or English, which is accessible during business hours through our support site https://developer.orange.com with three (3) different levels (basic plan, developer plan, business plan), as described and under the conditions specified on the Website. 

 

 

10.    PRICING - PAYMENT 

 

10.1    The Fees of the Services are given in the euro currency, excluding VAT, in the Price List on the Website. Orange is entitled to modify these prices, notably to reflect changes to the Catalog. Orange will inform you, in advance, of any increasing Fees of the Price List, so you will therefore be entitled to terminate your Account, in compliance with the provisions of Section 13 Term and Termination of these Terms. 

 

10.2    All Fees related to your Account and to your use of the Software and Services, are billed each month by Orange based on your actual consumption in the course of the preceding month, with the cost of said usage based on the Price list applicable in the course of the month in question. You must provide Orange with a valid credit card or online transaction account that Orange accepts (“Payment Provider”), prior to receiving any paid Services. You will promptly notify Orange of any change to your payment information. Your Payment Provider agreement, and not these Terms, governs Your use of the designated credit card or online transaction account. By providing Your payment information, You agree that Orange may invoice You for all Fees when they become due to Orange without additional notice or consent. Orange may change its charges and billing practices at any time, by posting notice of such change on the Website, or notifying You via email in case of an increasing price. Renewal of monthly payments is tacit and automatic. Orange sends an e-invoice to the email address associated with your Account. Moreover, we use the services of payment services providers (e.g., card acceptance, merchant settlement, and related services), being specified that Orange does not store credit card data. By paying for the Services, You agree to be bound by Chargebee's policy (https://www.chargebee.com/company/terms/) and Chargebee Embedded Payments terms (https://www.chargebee.com/embedded-payments-tou/).

 

10.3    All Fees are net of any applicable Sales Tax. Sales Tax is automatically calculated and added to all orders where applicable. 

 

10.4    All payments for the Services will be made free and clear of, and without reduction for, any withholding taxes. Any such taxes imposed on payments of Fees to Orange will be your sole responsibility. Upon Orange’s request, You will provide Orange with official receipts issued by the appropriate taxing authority, or other such evidence that You have paid all applicable taxes. 

 

10.5    You must notify Orange in writing at compta@ORANGE.com within seven (7) days after receiving your e-invoice, if You dispute any of Orange charges on that statement or such dispute will be deemed waived. 

 

 

11.    RESPONSIBILITY - WARRANTIES 

 

11.1    You represent and warrant to Orange that: 

 

a)    You comply with the data protection requirements described in Appendix A; 

b)    You comply with the security requirements described in Appendices B and C; 

c)    Either as private individual acting for yourself and on your own behalf or acting in the name and on behalf of a company, organisation, or legal entity as its duly authorised representative having full legal authority to act in the name and on behalf of such company, organisation, or legal entity and bind it to these Terms, You have the right and authority to enter into these Terms, to bind such company, organisation, or legal entity to the Terms and to fully perform your obligations under these Terms;

d)    The Developer Product is authorised for distribution, sale and use in each of the territories where You make it available and complies with the laws and regulations of those territories; 

e)    The Developer Product and services linked to it do not violate or infringe any copyright, trademark, patent or other intellectual or contractual rights of any person or entity; and 

f)    The Developer Product does not contain any offensive, obscene, or other materials or any content that is prohibited or restricted under local regulations or laws of any territory where You make it available. For the avoidance of doubt, You represent and warrant that the Developer Product does not (i) depict explicit sexual activity; (ii) depict or endorse acts that cause or are intended to cause excessive pain or suffering; (iii) promote or endorse the misuse of alcohol, tobacco, illegal drugs or other addictive substances; (iv) promote intolerance or discrimination based on racial, political, ethnic, religious, gender or sexuality; (v) promote invasion of rights or privacy; (vi) promote unlawful gambling or (vii) promote illegal activity. 

 

11.2    The Developer Product and any data collection conducted through it shall protect the privacy and legal rights of End Users in particular regarding process purposes and legal basis. In addition, any Personal Data collected shall be used solely for the purpose of providing your Developer Product or the Developer Product of your Business Customers. You must also protect such data from unauthorized access. You must comply with (i) the provisions as set forth in Annex A of these General Terms, (ii) all applicable data protection laws and rules and (iii) any additional data protection requirements that may be provided in Specific Terms. 

 

11.3    You warrant not to use Personal Data of End Users for any purpose other than the purpose for which they have been communicated, as set out in the Specific Terms of the relevant Network API Service. 

 

11.4    You represent and warrant not to engage in any activity, including the development, edition or distribution of any Developer Product that interferes with, disrupts, damages, or accesses in an unauthorised manner the networks, devices, servers, or any other components or services used for the distribution and uses of the Developer Product. 

 

11.5    You will be solely responsible for ensuring the Developer Product is safe and free of defects in operation and conception. You will also be solely responsible for any documentation and End User support and warranty of the Developer Product. 

 

11.6    Orange shall have no responsibility or liability for the installation or use of the Developer Product by an End User. 

 

11.7    You shall indemnify and hold Orange harmless against any and all claims, suits, losses, damages arising from or attributable to the Developer Product and/or the use of the Developer Product by any Business Customer and/or End User and/or attributable to your failure to perform any of your obligations under these Terms. 

 

 

12.    CHANGES TO TERMS 

 

Orange may change these Terms at any time and when it does so, will inform You by email and on the Website. Please regularly log in on the Website for any changes to the Terms. Your continued use of Orange Services and/or APIs will be deemed as acceptance of any changes to the Terms notified by Orange. If You do not accept any changes to the Terms, You must cease using the relevant Orange Services and/or APIs immediately. Nothing in this section shall affect Orange’s rights under Sections 2 Binding Agreement or 13 Term and Termination.

 

 

13.    TERM AND TERMINATION 

 

13.1    These Terms between You and Orange shall be applicable upon You checking a box or clicking on a “subscribe”, “agree”, “accept”, or similar button and shall continue for so long as You are using a Network API Service, unless terminated in accordance with these Terms.

 

13.2    Orange may, at any time, immediately terminate the relevant Terms: 

 

a)    in case of late payment or non-payment; 

b)    if You have breached any provision of the relevant Terms; 

c)    if Orange is required to do so by law; 

d)    if You go into liquidation (in which case the termination will be effective from the date of the judicial pronouncement of the liquidation) or any analogous insolvency process in the relevant jurisdiction; or 

e)    if You decline to accept any new terms or version of these Terms.

 

13.3    Orange and You may terminate the relevant Terms of an Orange Service and/or API for any reason subject to thirty (30) days’ prior written notice.

 

13.4    If You want to terminate these Terms and therefore stop using all the Services, You may do so by going to the “Change / Cancel Account” page of your Account setting page on the Website or by contacting us via email at [address], with at least thirty (30) days’ prior written notice.

 

13.5    Termination of the relevant Terms for a Service and/or API between You and Orange will not automatically terminate any other Terms for other Service and/or APIs between You and Orange. 

 

13.6    Upon termination for any reason, You agree to cease without delay all use of Network API Services, together with Orange’s materials, Services and/or Private Keys in relation to these Network API Services. 

 

13.7    If the Terms are terminated, the Terms will continue to have their effects only to permit the recovery of amounts remaining due, as applicable, by You on the Term’s termination date. 

  

13.8    You undertake at the Term’s termination date to cease any use of the elements belonging to Orange, including brands, trade names, logos, contents, and databases, and not to keep copies except for elements necessary for the recovery defined above. 

 

13.9    The provisions relating to Responsibility - Warranties, Limitation of Liability, Confidentiality and Intellectual Property or any provisions which are either expressed to survive termination of these Terms or, from their nature or context, are apparently intended to survive termination of these Terms shall remain in full force and effect notwithstanding termination of these Terms. 

 

 

14.    INTELLECTUAL PROPERTY RIGHTS 

  

14.1    For each Service, Orange will indicate in the relevant Specific Terms the appropriate copyright notice, including the identification of Open Source Software licenses or other specific license terms as the case may be. 

 

14.2    Services may include third-party Software. This third-party Software may be subject to Intellectual Property Rights, and, if so, You may not use it unless You are licensed to do so by the owner of that Software or are otherwise permitted by law. 

 

14.3    Orange hereby grants You, for the duration of the Terms a non-exclusive, non-transferable, sub-licensable to Your Business Customers, licence to (as applicable) access, use and permit access to and use of the Orange Software including in each case any Intellectual Property Rights therein, to the sole extent necessary to enable You and Your Business Customers to receive, access, onward provide and benefit from such Orange Software as permitted by these Terms; and 

 

14.4    You hereby grant to Orange, for the duration of these Terms, a non-exclusive, non-transferable, sub-licensable (including to its subcontractors and affiliates), licence to access and use any of Your and any other materials provided by or on behalf of You (including any Intellectual Property Rights therein), to the sole extent necessary for providing the Services in accordance with these Terms. 

 

14.5    You shall not access or use the Services except as expressly permitted by these Terms. For purposes of clarity and without limiting the generality of the foregoing, You shall not, except as these Terms expressly permit or except as expressly otherwise agreed in writing:

a) copy, download, modify, or create derivative works or improvements of the Services; 

b) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to the source code of the Services, in whole or in part. 

 

14.6    You may, as deemed appropriate by You and in Your sole discretion, provide Orange with suggestions, comments, input and other feedback regarding the Services or other Orange technologies, products, or services (“Your Feedback”). In case You provide to Orange Your Feedback, You hereby grant Orange a non-exclusive, worldwide, perpetual, irrevocable, royalty-free license of Your Feedback to: (a) use, copy, modify and create derivative works of Your Feedback; (b) publicly perform, publicly display, import, broadcast, transmit, disclose, distribute, license, rent, lease or lend Your Feedback (and derivative technology thereof); and (c) sublicense to third parties the foregoing rights, including the right to grant further sublicenses. Orange receiving Your Feedback acknowledges that (i) it has sole and absolute discretion regarding whether it implements any of Your Feedback; and (ii) it assumes all risks associated with any implementation of Your Feedback. Notwithstanding anything to the contrary in the foregoing, nothing in this Section 14.6 will be construed as granting Orange any rights in Your patents, trademarks, or service marks that may be included in or embodied by any of Your Feedback or by any implementation of Your Feedback in Orange’s offerings. 

 

14.7    Orange may, as deemed appropriate by itself and in its sole discretion, provide You with suggestions, comments, input and other feedback regarding Your software or Your technologies, Your products, or Your services (“Orange Feedback”). In case Orange provides You any Orange Feedback, Orange hereby grants You a non-exclusive, worldwide, perpetual, irrevocable, royalty-free license to: (a) use, copy, modify and create derivative works of Orange Feedback; (b) publicly perform, publicly display, import, broadcast, transmit, disclose, distribute, license, rent, lease or lend the Orange Feedback (and derivative technology thereof); and (c) sublicense to third parties the foregoing rights, including the right to grant further sublicenses. You receiving Orange Feedback acknowledge that (i) you have sole and absolute discretion regarding whether You implement any of Orange Feedback; and (ii) You assume all risks associated with any implementation of Orange Feedback. Notwithstanding anything to the contrary in the foregoing, nothing in this Section 14.7 will be construed as granting You any rights in Orange patents, trademarks, or service marks that may be included in or embodied by any Orange Feedback or by any implementation of Orange Feedback in Your offerings. 

 

14.8    No other rights, even implied, are granted herein, other than those expressly provided in this section. 

 

14.9    There will not be any joint development of Intellectual Property Rights under these Terms. 

 

14.10    All Intellectual Property Rights owned by Orange and made available as a part of these Terms, shall remain the property of Orange. 

 

14.11    If a third party notifies You and/or Your Business Customers of any claim that the access to, and/or the use of a Software and/or Service infringes any Intellectual Property Rights of a third party, You shall immediately notify Orange. 

If any such claim is made to You and/or to Your Business Customers and/or to Orange, at Orange's request: 

•    You shall immediately cease access and use of such Software and Service; and 

•    You shall procure that Your Business Customers immediately cease access and use of such Software and Service. 

You shall not make or permit to be made any admission of liability; and You shall procure that Your Business Customers shall not make or permit to be made any admission of liability.

 

 

15.    CONFIDENTIALITY 

 

15.1    You and Orange agree that at all times during the term of these Terms, and for three (3) years thereafter, the recipient of Confidential Information under these Terms will hold in confidence, and will not use or disclose to any third party (other than in response to lawful requests from law enforcement authorities or contractors to the extent they are performing the receiving party’s obligations under these Terms subject to confidentiality obligations that are at least as protective as those contained in this Section 15), any Confidential Information. 

 

15.2    Unless otherwise specified in these Terms, either Orange or You receiving (“Receiving Party”) Confidential Information from the other party (the “Disclosing Party”) must: 

 

a)    only use Confidential Information received from the Disclosing Party in the performance of these Terms; and 

b)    keep confidential and not use or disclose directly or indirectly to another party or entity, except to the extent provided herein, Confidential Information received from the Disclosing Party using the same degree of diligence (but while respecting commercial practices), which the Receiving Party would use to protect its own Confidential Information. The Receiving Party will only disclose Confidential Information to its representatives who need it and are bound by confidentiality obligations, and only to the extent necessary to fulfil their obligations under these Terms. The Receiving Party requires its representatives to comply with the provisions of this Section to the same extent that it does. A party or person receiving Confidential Information will be responsible for any disclosure of this information by any representative to whom it discloses such information. 

 

The Receiving Party must return or destroy all Confidential Information received from the Disclosing Party, including copies made by the Receiving Party, within thirty (30) days after receipt of a written request from the Disclosing Party to the Receiving Party, except for (a) Confidential Information which the Receiving Party reasonably needs to fulfill its obligations under these Terms and (b) a copy for archival purposes only.

 

To the extent that You receive Personal Data from Orange about the End User, You must comply with the security requirements set out in Appendices B and C. 

  

15.3    Unless otherwise agreed upon, the obligations of this Section shall not apply to information which: 

 

a)    was, at the time of receipt, already in the possession of or known to the Receiving Party, free from any obligation of confidentiality or restriction on use; 

b)    is or becomes publicly available or accessible by any lawful act of the Receiving Party or the directors, officers, staff members, agents or subcontractors of the Receiving Party; 

c)    is legitimately received from a third party having no direct or indirect obligation of confidentiality or restriction on use toward the Disclosing Party about such information; 

d)    is developed independently by the Receiving Party; 

e)    is approved for disclosure or use with the written permission of the Disclosing Party (including in these Terms); or 

f)    shall be disclosed by the Receiving Party under any applicable law, rules, regulations or public order, any decree or official publication, or any authority, provided that the Receiving Party has made commercially reasonable efforts to give sufficient notice to the Disclosing Party (where reasonably possible prior to disclosure) in order to enable it to seek protective solutions, and the Receiving Party shall also make reasonable efforts to ensure the confidentiality of the Confidential Information disclosed. 

15.4    The Disclosing Party shall retain all rights, titles and interests to any Confidential Information that it discloses to the Receiving Party. Except as expressly provided in these Terms, no license shall be granted by these Terms concerning Confidential Information (including in the form of a patent, brand or copyright), it being also understood that no such license is implied solely by the disclosure of Confidential Information. 

 

15.5    This confidentiality obligation will remain in force for the duration of these Terms and for a period of one (1) year following the expiration or termination of these Terms. 

 

 

16.    BRAND FEATURES, ATTRIBUTION, PUBLICITY 

 

16.1    The ORANGE word, name, symbol, device or any combination thereof used in connection with the Services are exclusive property of the ORANGE Group and may not be used without our permission for any other purpose. Other trademarks, service marks and trade names that may appear on or in the Services are the property of their respective owners. You will not remove, alter or obscure any copyright, trademark, service mark or other proprietary rights notices in or related to the Services. 

 

16.2    Any intention to use any Orange Brand Feature, whether required in the Specific Terms governing the usage of a Network API Service, or for the purpose of promoting or advertising that You use Network API Services, must first be approved by Orange by sending an email to . If your request is approved, You agree to adhere to the guidelines for using Orange Brand Features as set out on the Orange Design System website (https://system.design.orange.com). You understand and agree that Orange has the sole discretion to determine whether your attribution(s) and use of Orange's Brand Features are in accordance with these requirements and guidelines. All use by You of Orange's Brand Features (including any goodwill associated therewith) will inure to the benefit of Orange. 

 

16.3    Orange reserves the right to monitor the use of its trademarks to ensure compliance with these Terms and the brand guidelines. This may include periodic reviews of Developer Products and related promotional materials. If Orange determines that you are not in compliance with the trademark usage guidelines, Orange will provide you with written notice specifying the non-compliance and the actions required to remedy it. Upon receiving a notice of non-compliance, you will have thirty (30) days to correct the non-compliance to Orange's satisfaction. Failure to remedy the non-compliance within this period may result in the suspension of the services. Orange reserves the right to pursue any legal remedies available under applicable law, in the event of persisting unauthorized use or misuse of its trademarks. 

 

16.4    You may not issue any public statements regarding these Terms or Network API Services without Orange’s prior approval, which may be withheld in Orange’s sole discretion. Should you wish to issue a public statement regarding your use of Network API Services, then this request should be addressed to contact.developer@orange.com. 

 

16.5    Orange may, at any time and at its own discretion, issue a public statement or announcement relating to, or communicate on, your use or distribution of Network API Services without your prior approval and, therefore, You grant Orange a right to use your name or logo in any advertising or publicity for such purposes. 

 

16.6    Orange may require Developer Products to include the statement “Powered by ORANGE Network APIs” or the equivalent in the form provided in its brand guidelines. Orange may update brand guidelines from time to time in its sole discretion, and you will make commercially reasonable efforts to comply with such updated brand guidelines in the next release version of the applicable Developer Products. Orange hereby grants you a non-exclusive right and license to use and display the Orange trademarks only in connection with the purpose set forth in this Section 16.

 

 

17.    DISCLAIMER OF WARRANTIES, LIMITATION OF LIABILITY AND INDEMNIFICATION 

 

17.1    Orange provides Orange Services “AS-IS” and “AS-AVAILABLE”. Your use of Network API Services is solely at your own risk, and You are solely responsible for any damage to your information system, services platform or any device or loss of data that results from such use. To the greatest extent permitted by law, Orange excludes any implied warranties or conditions, including those of product liability, merchantability, fitness for a particular purpose, workmanlike effort, and non-infringement of IPR, relating to Orange Services. Without limiting any of the foregoing, Orange expressly disclaims any warranties that access to or use of Orange Services will be uninterrupted or error free. 

 

17.2    Under these Terms, You can recover from Orange only direct damages which shall not exceed the cumulative amount paid by You to Orange or received by Orange from You in the year preceding the date on which the claim or dispute occurred. Any action related to the Terms or Services must commence within one (1) year after it accrues or such action will be permanently barred. You expressly acknowledge that Orange shall not be liable to You under any theory of liability for any indirect, incidental, special, consequential, punitive or exemplary damages or lost profits that may be incurred by You, including any loss of data, whether or not Orange or its representatives have been advised of or should have been aware of the possibility of any such losses arising. 

 

17.3    To the maximum extent permitted by law, You agree to defend, indemnify and hold harmless Orange and its respective directors, officers, employees, and agents from and against any and all third party claims, actions, suits or proceedings, as well as any and all liabilities, assessments, losses, damages, costs and expenses (including reasonable attorneys’ fees) resulting from or arising out of: (i) your breach of these Terms; (ii) your infringement or violation of any copyright, trademark, trade secret, trade dress, patent or other intellectual property right, or defamation of any person or violation of their rights of publicity or privacy; (iii) your breach of or non-compliance to any data protection and/or privacy laws or rules and (iv) misuse of Orange Services by a third party where such misuse was made possible by your failure to take reasonable measures to protect your Private Keys. 

 

17.4    In the event of a breach of Appendix A, and provided that the damage suffered by Orange has been caused directly and materially by You, Your sole responsibility and the exclusive remedy of Orange for a breach of Appendix A shall not exceed the maximum amount of seven hundred and fifty thousand euros (€750,000) or 300% of the agreed amount paid by You to Orange or received by Orange from You in the year preceding the date on which the claim or dispute occurred (hereinafter referred to as the “Specific Ceiling”). 

Under no circumstances shall the annual Specific Ceiling, for a consecutive period of 12 months from the date of entry into force, exceed the total amount of five million euros (€5,000,000). 

You agree to reimburse Orange for the actual and reasonable costs incurred by Orange to respond to and mitigate the damage caused by breach of Appendices B and C caused by You, including all notice costs ("Compensatory Indemnities"). Your obligations with respect to the payment of Compensatory Indemnities, the settlement to which You consent, or the legal fees and defense costs of Orange are subject to the Specific Ceiling. 

 

 

18.    GOVERNING LAW AND DISPUTE RESOLUTION 

 

18.1    These Terms shall be governed by the laws of France, without regard to its conflict of law provisions. 

 

18.2    Any dispute, controversy or claim arising out of or in connection with the Terms between You and Orange, or the breach, termination or invalidity thereof, shall be firstly amicably settled through a dispute settlement before any litigation procedure. In case of failure to reach an amicable settlement, the dispute, controversy or claim arising out of or in connection with the Terms between You and Orange shall be settled exclusively by the courts of Paris, France.

 

18.3    This dispute-settlement process shall not be construed as preventing either You or Orange from terminating these Terms for any reason valid under any section permitting such termination. 

 

 

19.    MISCELLANEOUS 

 

19.1    These Terms constitute the entire agreement between You and Orange in respect of your use of Orange Services and related Services. 

 

19.2    You and Orange acknowledge that other than the contractual relationship established by these Terms, these Terms will not be construed as creating any other relationship, or agency, partnership, employment, joint venture, fiduciary duty, or franchise, or any other form of legal association between You and Orange. Other than as expressly stated in these Terms, these Terms are not for the benefit of third parties. 

 

19.3    You agree that if Orange does not exercise or enforce any legal right or remedy which is contained in these Terms (or which Orange has the benefit of under any applicable law), this will not be taken to be a formal waiver of Orange's rights and that those rights or remedies will still be available to Orange. 

 

19.4    If one or more of the provisions of the Terms are found by a competent court or authority to be invalid, illegal, or unenforceable in any respect under any applicable law or regulation, the validity, legality, and enforceability of the remaining provisions contained herein shall not in any way be affected or impaired, provided that in such case Orange will use its best efforts to achieve the purpose of the invalid provision by a new legally valid stipulation to the same (or substantially similar) purpose and effect. 

 

19.5    Orange will be entitled to sub-contract without your consent any of their obligations to a third-party sub-contractor. Orange shall not be responsible for the acts and omissions of any sub-contractor. 

 

19.6    The rights granted in these Terms may not be assigned or transferred by You without the prior written approval of Orange. You shall not be permitted to delegate your responsibilities or obligations under these Terms without the prior written approval of Orange. 

 

19.7    Orange shall be entitled to assign or transfer or otherwise dispose of these Terms (or part thereof) to any company part of the Orange group, in their absolute discretion. 

 

19.8    You shall not, under any circumstances, either directly or through an intermediary, hire or solicit the services of Orange employees, under any status whatsoever, whatever the cause, without the prior written consent of Orange. If You do not comply with this obligation, You agree to compensate Orange by paying immediately and on request, a lump sum equal to twelve (12) times the gross monthly salary of the employee concerned at the date of his/her departure from Orange. 

 

19.9    Neither You nor Orange will be liable for failure to perform any obligation under these Terms to the extent such failure is caused by a force majeure event. This includes acts of God, natural disasters, war, civil disturbance, action by governmental entity, strikes and other causes beyond the party’s reasonable control. The party affected by the force majeure event will provide notice to the other party within a commercially reasonable time and will resume performance as soon as is reasonably practicable.

 

19.10    The headings used throughout these Terms are solely for convenience of reference and are not to be used as an aid in the interpretation of the Terms. As used herein, "may" means "has the right, but not the obligation to," "including" means "including, without limitation," and "will" means "is required to." 

 

  

 

APPENDIX A 

 

DATA PROTECTION REQUIREMENTS 

 

 

1 Definitions 

For the full understanding of the following terms, the terms “Controller", “Processor", “Concerned Person", “Recipient", "Breach of Personal Data" and “Processing" will have the meaning defined in the "Applicable Data Protection Laws." 

 

Similarly, the term "Personal Data" has the meaning given to it in these same Laws. 

 

The term "Applicable Data Protection Laws" means: 

-    Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (General Data Protection Regulation) repealing Directive 95/46/EC;

-    where appropriate, the texts adopted by the European Union and local laws which may apply to the Personal Data processed under these Terms. 

 

2 General stipulations 

 

You, as well as Orange, undertake to comply with the legal and regulatory obligations relating to the protection of personal data in the performance of these Terms. You acknowledge expressly that You and Orange act as separate Controllers for the Processing of the Personal Data resulting from the performance of the Terms. You and Orange shall not process the Personal Data as Joint Controllers.  

You are a Data Controller in your own right, as you are deciding how the Developer Product is built and You have the responsibility of defining the actions and instructions for the provision of the Developer Product, including being explicit on the purposes for which the data can and cannot be used.  

Orange has responsibilities to control access to its API interface for registered and authorized developers and to provide instructions on how to interface with its API interface. 

 

 

 

3 Specific stipulations 

 

The use of the Know Your Customer Match Service, the SIM Swap Service and the Number Verification Service is subject to compliance with the legal basis of legitimate interest within the meaning of Applicable Data Protection Laws. Such legitimate interest shall be demonstrated by You or Your Business Customer and approved by Orange. 

 

 

The Processing carried out under these Terms may involve making a third party the Recipient of the data. The latter is then obliged to fulfil all the obligations towards the persons concerned or towards its compliance with the regulations. 

 

It is Your responsibility to contract with such third party in order to provide for the legal and technical conditions under which the third party may become a Recipient of the data described in the Specific Terms in accordance with the provisions of these Terms. 

 

 

In any contract with a third party, You shall specify that Orange does not guarantee the content, availability, accuracy or any other aspect of the information provided in the Network APIs Service, which exclusively reproduces the information declared by the Orange Account Holder. 

 

3.1. Confidentiality of Personal Data     

 

You and Orange understand and acknowledge that the Personal Data constitutes confidential information and ensure that the persons authorized to process the Personal Data undertake to respect confidentiality.

You and Orange shall not disclose Personal Data to employees who do not have to process Personal Data according to the Terms.   

You shall ensure that only persons (employees, subcontractors and independent contractors providing services in relation with the Processing) who have first been bound by confidentiality or are subject to an appropriate legal obligation to secrecy are authorized to process Personal Data. 

 

3.2. Security, Breach of Personal Data and Notification 

 

You and Orange shall take, each for the Processing of the Personal Data of which they are Controllers, the necessary technical and organizational security measures to protect Personal Data from accidental or unlawful destruction, accidental loss, modification, disclosure or unauthorized access to Personal Data in accordance with applicable Data Protection Laws. 

 

You and Orange shall notify each other without undue delay after having detected or been informed of a Personal Data Breach, or any security breach resulting in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data transmitted, stored or otherwise processed, or unauthorized access to such Personal Data, to the extent that the Personal Data Breach may have an impact on the Processing of Personal Data of the other party. 

 

The notification will be sent to Orange at the following email address: cert@orange.com 

 

     

 

3.3. Cooperation between the Parties 

 

You and Orange shall inform each other and provide all assistance in case of a request by the relevant data protection authority so as to demonstrate its compliance with the Applicable Data Protection Laws.  

You and Orange shall provide each other with any and all assistance in the management of the requests of the Data Subjects for the exercise of their rights or for any other request relating to the Processing of Personal Data, to the extent that the other party is the Recipient of these requests.  

In the event that a Data Subject directly contacts a party to exercise its rights, the latter undertakes to check whether this request is incumbent upon it and to refer if necessary to the other party if it is identified as Controller concerned.  

You and Orange shall use reasonable efforts to assist the other party where a data protection impact assessment is required by the Applicable Data Protection Laws or where an assessment of the impact is carried out by a party. 

     

 

 

3.4. Transfer of Data Outside the European Economic Area  

 

If You are located in a country not recognized by the European Commission as providing adequate protection or are likely to transfer Personal Data transmitted by Orange to a third party located in a country not offering such protection, You and Orange undertake to comply with the formalities laid down in the Applicable Data Protection Laws to regulate data transfers outside the European Economic Area. 

You and Orange shall implement the appropriate safeguards to frame the transfer in order to ensure the necessary and adequate level of protection under the Applicable Data Protection Laws.   

Personal data cannot be transferred to a third country outside the European Economic Area without Orange’s prior written consent. 

 

 

Appendix B – SECURITY REQUIREMENTS FOR YOUR NETWORK 

 

1.    DEFINITIONS 

The terms defined in this Section have the meanings below as they appear in Appendix B, unless the context in which they are used requires a different meaning or a different definition is indicated for a particular Section or provision. 

1.1.    “Confidential Information” means: Orange customer data and proprietary network information, data relating to systems, networks, Orange services and security checks implemented on these systems and networks, data relating to Orange staff, proprietary Orange and/or commercial secret information, and other confidential information or data or proprietary data in accordance with the terms of these Terms. 

1.2.    "Industrial Standard” means: accepted set of best practices (1) used or adopted by a substantial number of companies engaged in a similar type of business ("comparable companies") to manage similar types of information, (2) prescribed for use by a body or group of applicable industrial standards or (3) established by experts who are recognized in the field as acceptable and reasonable. 

1.3.    "Penetration Test" means: part of the Risk Assessment Process in which one or more qualified, experienced and trained individuals, known as "ethical pirates," engage in a coordinated and planned attack of computer systems and networks to uncover potential vulnerabilities and ensure that logical controls can resist deliberate attempts to circumvent them. 

1.4.    "Program" means: processes and procedures that are documented and implemented to achieve common objectives and monitor this achievement, which may be updated from time to time. 

1.5.    "Risk Assessment Process” and “Risk Assessment" mean: a process that is documented and implemented for identifying system security risks and determining the likelihood of occurrence and the resulting impact, and identifying additional protections or changes that would appropriately eliminate and/or mitigate this impact. 

1.6.    "Risk Management Program" means: a process that is documented and implemented to identify, control and mitigate risks that are inherent to the information system. It includes the process of assessing the qualitative and/or quantitative risks of the industrial standard, the cost-benefit analysis, and the selection, implementation, testing and evaluation of protections, including a determination of the steps necessary to meet the four objectives of Security Assurance. 

1.7.    “Security Assurance” means: evidence that the four security objectives (integrity, availability, confidentiality and compatibility) are adequately met by a specific information system. "Properly met” means (1) a feature that performs sufficiently, (2) sufficient protection against unintentional errors (users or software), and (3) sufficient resistance to intentional penetration or circumvention. 

1.8.    “Threat Source" means: (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) situation and method that may inadvertently cause a vulnerability. 

1.9.    “Threat Analysis” means: review and documentation of sources of threat against system vulnerabilities to identify potential threats to a specific information system in a particular operational environment. 

1.10.    “Vulnerability” means: a defect or weakness in functionality, design, implementation, internal controls of the information system or security procedures that can be applied (triggered accidentally or intentionally) and cause a security vulnerability or breach of the system’s security policy. 

 

2.    GENERAL REQUIREMENTS 

2.1.    This document, “Security Requirements” (“Document”), applies to Your performance when personally identifiable information relating to Orange End Users is provided to You, including, but not limited to, the development, offer, use and/or maintenance of any service, software or other product thereunder, and all editions, versions, updates, improvements and related changes ("software" or "hardware" as applicable). 

2.2.    You shall implement and maintain administrative, physical and technical security checks of the industrial standard that are sufficient in their nature and scope to protect (1) the confidentiality, integrity and availability of personally identifiable information as well as (2) the availability and integrity of the Orange service, network and operations. 

2.3.    You shall complete the administrative, physical and technical security checks described in this document. 

 

3.    USE OF INFORMATION 

3.1.    You guarantee that personal data will only be used to combat fraud, identify a mobile phone, complete a form and provide access to data for its customers or other needs specified in these Terms. 

3.2.    You will take appropriate measures to secure personal data during transit and storage by means of protective mechanisms in accordance with industrial standards (such as encryption). This protection will include all forms of portable media (such as flash drive/USB, laptop, CD, DVD, Blu-ray, portable hard drive, cellular phone/smartphone, MP3 player, etc.). 

 

4.    INFORMATION SECURITY POLICIES AND PROGRAM 

4.1.    You shall implement and maintain a Risk Management Program in accordance with the following industry standards including, but not limited to: 

4.2.    You shall have a security policy describing the security and confidentiality controls implemented in its operations to satisfy this Document (“Information Security Policy”). You shall establish a Risk Management Program to implement its Information Security Policy including, but not limited to: 

 

4.2.1.    A risk assessment process that ensures that Your operating environments, development environment, systems, applications, networks and procedures are regularly assessed to identify and address security vulnerabilities.

4.2.2.    A program for detecting intrusions and security breaches, and preventing and responding to incidents. 

4.2.3.    A program to manage the system, network and application configuration. 

4.2.4.    A program for implementing and administering logical access control(s) to the data, systems and network. 

4.2.5.    A program for implementing and administering physical access control(s) to the premises and data. 

4.3.    You shall have the Risk Management Program monitored by an internal or external auditor at least once a year to assess compliance with the requirements inherent in its Information Security Policy. 

 

5.    DEVELOPMENT CYCLE 

5.1.     Your controls associated with the development, pre-production testing and delivery of any software or equipment, whatever it may be, will include, but not be limited to, an obligation to: 

5.1.1.    Implement security controls of the industrial standard for its operating environment, systems, networks and all premises in which the software is developed and/or hosted. 

5.1.2.    Develop, implement and comply with the best security coding practices of the industrial standard. 

5.1.3.    Establish processes with, where appropriate, the use of source code scanners, performance testing tools for operating system security, web application scanners or other tools or techniques, or even information acquired through industry standardization bodies to assess vulnerabilities in software or hardware security before starting production. 

5.1.4.    Follow industrial standard practices to mitigate and protect against all known and reasonably foreseeable security vulnerabilities, including: (1) unauthorized access, (2) unauthorized changes in systemic configurations or data, (3) interruption, degradation, or denial of service, (4) unauthorized escalation to a user privilege, (5) service theft, and (6) unauthorized disclosure of confidential information. 

5.2.    You must ensure that all entities and configurations remain operational following any updates, modification or upgrades to software and hardware, unless Orange has given its prior written authorization. 

 

6.    SECURITY ASSURANCE 

6.1.    You shall maintain a Risk Assessment Process showing Your Software and Hardware Security Assurance. This process shall include: 

6.2.    Your obligation to organize and conduct a Risk Assessment of its software and hardware through a third-party security test provider. You shall repeat the Risk Assessment at the beginning of (1) each major release launch or (2) for any software or equipment deployed in the Orange Network or hosted by You. This Risk Assessment shall include: 

6.2.1.    analysis of threats to software or hardware, 

6.2.2.    software or hardware penetration test, 

6.2.3.    risk assessment for administrative, technical, logical and physical security controls in the operating environment, systems, networks and premises where the software or equipment is hosted, if they are hosted by You. 

6.3.    You must address all high- or medium-risk vulnerabilities identified in the Risk Assessment before starting production. 

6.4.    Orange may request an electronic copy of the field of work from the third party above tasked with testing the security assurance (Section 6.1). 

 

7.    SECURITY BREACH AND INCIDENT RESPONSE 

7.1.    You shall establish and maintain documented escalation processes for all security breaches and responses to incidents, with procedures for notifying Orange within twenty-four (24) hours after a breach involving personally-identifiable information communicated by Orange. 

7.2.    You shall cooperate and provide information if requested by Orange or any consultant, contractor, lawyer or other third party authorized by Orange to investigate a security breach in Your operating environment. 

7.3.    In the event of a security breach affecting Orange, You must send Orange, within forty-eight (48) hours after its discovery, a post mortem report with (1) identification of all the potentially compromised Orange information, (2) actions by You to mitigate the damage caused, and (3) protection to prevent the recurrence of said breach. 

 

8.    RIGHT TO RISK ASSESSMENT 

8.1.    Orange reserves the right to perform a Risk Assessment on Your software and hardware. The risk assessment may, at the discretion of Orange, take place once a year or after each software and/or hardware launch and include, but is not limited to, vulnerability assessments and penetration tests of: (1) software and hardware, (2) underlying infrastructure and operating environment in which software and/or equipment operate or are hosted, (3) network and premises inherent in the operation or maintenance of software and/or hardware and (4) Your administrative, technical and/or physical controls inherent in such software and/or hardware. For Risk Assessments requiring Your involvement, resources, premises or systems, the Parties shall come to an agreement (1) on the extent of its involvement, (2) the resources, premises, or systems that would be required, and (3) the Risk Assessment schedule. 

8.2.    The right granted to Orange to carry out its own Risk Assessment shall not replace or be a substitute for, under any circumstances, Your Risk Assessment Process specified in this Document. A third-party security provider may, at the discretion of Orange, be used to carry out this Risk Assessment. 

 

9.    VULNERABILITY MANAGEMENT 

9.1.    You shall implement and maintain an Industrial Standard Vulnerability Management Program. You shall assign one or more staff members to monitor appropriate public channels for the disclosure of vulnerabilities (such as the NIST National Vulnerability Database) that affect Your software or hardware. This program will include (1) the underlying platform (e.g. operating system, database product, web server, etc.) and (2) all third-party software or (3) freeware that is part of Your software or hardware. This program shall include: 

9.2.    Assignment by You of one or more staff member(s) to liaise with the Orange Vulnerability Management staff. 

9.3.    You shall address the vulnerabilities identified in its hardware and software at its own expense. 

9.4.    With respect to Your software and hardware included in the Orange network and managed by Orange, You will be required to provide a patch with a regression test within fifteen (15) days from the date on which the vulnerability was initially disclosed or on which You were notified by Orange. 

9.5.    With respect to Your software and hardware hosted in the Orange network and managed by Orange, You will be required to implement in production a patch with a regression test within fifteen (15) days from the date on which the vulnerability was initially disclosed or on which You were notified by Orange. 

9.6.    With respect to Your software and hardware hosted outside of the Orange network, You will be required to implement in production a patch with a regression test within fifteen (15) days from the date on which the vulnerability was initially disclosed or on which You were notified by Orange. 

 

Appendix C - ORANGE SECURITY REQUIREMENTS 

 

Orange allows You to access its APIs remotely for the sole fulfillment of its Services commitments. 

This access to the Orange programming interface will be authorized under the following terms and conditions. 

 

1.    Definitions 

The terms defined in this Section have the meanings below as they appear in Appendix C, unless the context in which they are used requires a different meaning or a different definition is indicated for a particular Section or provision. 

"Services" means all services ordered and provided by You, for which access to the Orange Network is required. 

"Orange Network" means the internal network managed by Orange and all the Orange network access infrastructures that are necessary to ensure communication between the resources of each party. 

"Access Point" means the technical network interface between Orange and You. This Access Point consists of different types of equipment managed by Orange and made available to You. This Access Point will be used to create a dedicated network between several partner sites. This Access Point will always be used for all network connections and communications between You and Orange. 

"Contributors" means everyone formally authorized by You to access the Orange Network remotely to perform only the Services. The Contributors may be Your staff members, agents or subcontractors. 

"Resources" means the programming interfaces, networks, hardware, software, and/or data belonging to and/or managed under the responsibility of You and Orange to provide the products stipulated or perform the Services. 

 

2.    Access Control 

You shall: 

a.    only use the Access Point to perform the Services, and 

b.    ensure that only Your Contributors and only Your duly authorized resources are interconnected and in communication with Orange’s resources. 

c.    implement and manage the organizational and technical processes necessary to accurately identify a person using this remote access and its use or action associated with Orange resources. 

With regard to the connection provided by Orange to the Contributors to access Orange’s resources, You shall: 

a.    not divulge to any third party, other than the authorized contributing members, any authentication of the data giving access to Orange’s resources, and 

b.    implement and manage all organizational and technical processes to identify and authenticate a person using this connection. 

 

3.    Resource Management and Use 

You shall: 

a.    update, as soon as possible and as much as necessary, its IT security tools to maintain the level of security required for its resources, such as updated and effective anti-virus software, 

b.    implement logoff mechanisms after a short period of inactivity to protect access to its resources, 

c.    implement and organize a password management policy and connections to its own resources, so that passwords are changed regularly and are hard to guess, 

d.    implement all the means necessary to ensure the integrity of the data exchanged between Orange and You, 

e.    implement all necessary means to ensure that the data transmitted to Orange by You are not infected with malicious codes, and 

f.    return to Orange all its equipment, or return to Orange or destroy all the data that are its property after the Services are completed. 

You will only use the Orange Resources they need to deliver the Services. 

You will only use their resources if they are needed to deliver the Services. 

 

Access by physical interconnection (Pase Interco, for example) 

In the event that Orange allows You to access its network via a Pase Interco type infrastructure to execute these Terms, You shall: 

a.    ensure that premises hosting the Orange equipment which constitutes this Access Point are subject to physical control and are only accessible by authorized Contributors, 

b.    ensure that remote access or control is not possible on its own interconnected equipment, 

c.    comply with the addressing rules imposed by Orange. 

You recognize and accept that routers and accesses are provided and administered by Orange. 

 

4.    Security Incident Management 

You shall designate a point of contact who will be notified in the event of a security incident and promptly notify Orange of any changes affecting this point of contact. 

You or Orange will notify each other if it detects a malicious action, system failure, or security incident that may affect the resources of the other using the procedures and contacts previously determined by the Parties. 

In case of a serious incident related to Your connection (such as a virus or intrusion into the system) likely to affect or threaten the security of Orange resources, Orange may suspend remote access to the Orange Network without notice until the security incident is fully resolved. 

 

5.    Right of Audit and Logging 

Orange reserves the right to: 

a.    log Your accesses to Orange's resources, 

b.    implement management and monitoring tools on access infrastructure, and/or, 

c.    if needed, ask You for the identity of the user accessing the Orange Network and, where applicable, its subcontractors. 

In addition, Orange or any third party authorized by You will be responsible for auditing Your resources to verify that it complies with the commitments stipulated. 

You shall assist in the proper conduct of the audit. It will therefore have to agree to provide all the information necessary for this audit. This information will be covered by a non-disclosure agreement. You and Orange will agree on the preparation and drafting of the audit requirements. 

In the event that Orange allows You to access its network via a Pase Interco infrastructure to execute these Terms or prepare the audit requirements, You will provide, in writing, to Orange or any authorized third party in charge of the audit: 

a.    its policy for combating and avoiding malicious codes (such as names of anti-virus products used on workstations and servers, strategies to update signatures and anti-virus engines, and applications or tools on workstations and servers), 

b.    a diagram of Your networks and of the equipment connected to the Orange Network, and 

c.    any other information necessary for this audit (security policy item, daily log files, etc.). 

If any non-compliance is revealed by the audit, You shall establish a compliance program within ten (10) days after notifying Orange. The program shall contain all the measures to be implemented and their implementation dates within a reasonable timeframe. Once authorized by Orange, this compliance program shall be applied by You. Otherwise, Orange may suspend remote access to the Orange network without notice and terminate these Terms as stipulated in Section 13 Term and Termination. 

 

6.    Subcontracting 

You shall give Orange prior written notice of any changes inherent to the subcontracting parties involved during execution of the Services. 

You shall ensure that its Contributors - including subcontractors - comply with the terms and conditions of this section, in particular with regard to the strict confidentiality or integrity of all information to which they should have access to deliver the Services. Orange may, depending on the type of information disclosed, ask You to sign a non-disclosure agreement. 

 

7.    Information 

You shall notify Orange and specify in writing any modification of the items it must provide to Orange in accordance with the provisions of this Section, such as name of security contact or security rules.