NETWORK API SERVICES GENERAL TERMS
Version: February 25
Our Terms in a nutshell: If you don’t feel like reading allour Terms, here’s what it all comes down to:
• We sell APIs butnot only.
• We store aslittle personal information as possible and always hash all of it.
• We charge youmonthly mainly on a usage basis.
• You commit to notusing the solution and Services for anything illegal, ensuring respect forindividuals and laws, nor for anything contrary to these online Terms.
• These Terms, ourServices description and our pricing are available on our Site.
These General Termsconstitute the agreement applicable between You and Orange, in respect of youruse of any Network API Service provided by Orange.
To use a Network API Service, You must first agree to bebound with full and unreserved acceptance by these General Terms. Should Youwish to use a Network API Service to which related Specific Terms apply, Youwill have to comply with both General Terms and Specific Terms (together the“Terms”). In case of discrepancy between the Specific Terms and the GeneralTerms, Specific Terms will prevail.
1. DEFINITIONS
“Account” means an account for the Website which allows auser to, notably, register, log in online and access a private space tosubscribe to an API usage.
“API” or “application programming interface” means the setof coded instructions that specify how You and your Business Customer Softwaremust interact with the Network API Services. These instructions are madeavailable by Orange.
“Brand Features” isdefined as the trade names, trademarks, service marks, logos, domain names, andother distinctive brand features of either Orange or You.
“Business Customer” means merchants, financial institutionsand other entities, that have signed an agreement with You in order to use theOrange Services though your Developer Products.
“Catalog” means the catalog of APIs, Software and Servicesproposed by Orange, as described on and accessible from the Website.
“Confidential Information” means all non-public informationthat a party designates, either in writing or orally, as being confidential, orwhich, under the circumstances of disclosure, should be treated asconfidential. Confidential Information includes information relating to (i)business policies or practices of a party, (ii) customers or suppliers of aparty, (iii) technical, commercial, strategic, financial and economic data,data related to research, to the technical specifications, to Software, to componentsand to products or (iv) information received from others that the disclosingparty is obligated to treat as confidential, but does not include informationthat was known to the receiving party prior to disclosure by the disclosingparty, or information that becomes publicly available through no fault of thereceiving party;
“Developer Product” means APIs, software or services thatYou create for professional purposes, as a developer and on your sole and fullresponsibility, that incorporate Orange Services, and which is intended for EndUsers using your Developer Product;
“End User” means an Orange customer who is subscribed tomobile and/or Internet services and who may opt for services provided by You oryour Business Customer approved under these Terms.
“Fee” means any fee or fees payable to Orange, as specifiedin the Specific Terms;
“General Terms” means these Networks APIs General Terms;
“Intellectual Property Rights” means all copyright(including but not limited to rights in computer software),patents, trademarks,trade names, trade secrets, registered and unregistered design rights, databaserights and topography rights, all rights to bring an action for passing off,any other similar form of intellectual property or proprietary rights,statutory or otherwise, whether or not registrable and shall includeapplications for any of them, all rights to apply for protection in respect ofany of the above rights and all other forms of protection of a similar natureor having equivalent or similar effect to any of these which may subsistanywhere in the world;
“ Open Source Software" shall mean (i) any softwarethat allows or requires as a condition of distribution of such software, thatsuch software (1) be distributed in source code form; (2) be licensed under thecondition that modifications and the creation of derived works are allowed;and/or (3) cannot be redistributed subject to license or contractual conditionsthat are in addition to the conditions contained in the original license. Forclarification, this definition of Open Source Software includes, but is notlimited to any software that is available in source code form under licensesmeeting the Open Source Definition as promulgated by the Open SourceInitiative, including without limitation any license approved by the OpenSource Initiative and listed at www.opensource.org/licenses/, which licensesinclude without limitation the GNU General Public License, the GNU LesserGeneral Public License, the Berkeley Software Distribution (BSD) License andthe Apache License.
“Orange” means Orange SA, with registered address located at111, quai du Président Roosevelt CS 70222 92449 Issy-Les-Moulineaux Cedex,France, (VAT registered: FR 89 380 129 866).
“Orange API” means an API made available through the Website.
“Orange Brand Features” means the Brand Features owned andmanaged by Orange Brand Services Limited and other intangible proprietaryrights used or approved for use by Orange to identify Orange goods and servicesand includes (without limiting the generality of the foregoing) any element ofthe Orange brand and any marketing properties designated as elements of theOrange brand from time to time.
“Orange Software” means Software which copyright is fullyowned by Orange.
“Payment Provider” has the meaning set forth in Section10.2.
“Private Key” means your Website account password and anyAPI key (Client ID and Client secret) provided to allow the Developer Productto access an Orange Service and/or API.
“Sales Tax” means any sales or use tax, and any equivalenttax measured by sales proceeds that Orange is required to pass through to itscustomers.
“Service” or “Orange Service” or “Network API Service” meansthe access to and/or use of each Software, including APIs, Orange offers to Youand as described in each Specific Terms, a list is given in the Catalog, forthe benefit of your Developer Product, and in compliance with these Terms. Weare constantly enhancing the quality of Services rendered. Therefore, Orange isentitled to unilaterally update its Services, provided that the updatedServices are at least equivalent to the previous ones.
“Software” means all source and object code that Orangemakes available to You, in connection with the provision, receipt, or use ofthe Services, including but not limited to APIs; WSDLs (Web ServicesDescription Languages); sample code; software libraries; command line tools;proofs of concept; templates; software development kit (“SDK”) ; associateddocumentation and other related technology, for your Developer Product.
“Specific Terms” means any terms provided by Orange for aspecific Service. These Specific Terms apply to You for the use of OrangeServices and APIs and to your Business Customers for the use of your DeveloperProduct. In case of discrepancy between the Specific Terms and the GeneralTerms, Specific Terms will prevail.
“Website” means the website made available by Orange for thepurpose of the distribution and use of the Services and governed by the websiteTerms of Use) located at https://developer.orange.com/terms-and-conditions/.
“You” means a private individual or a company, organisation,or legal entity using the Orange Services and APIs.
2. BINDINGAGREEMENT
2.1 You agree that(i) your acceptance expressed electronically, including without limitation bychecking a box or clicking on an “subscribe”, “agree”, “accept”, or similarbutton, (ii) any data collected from You using your Private Keys, and (iii) anydata notified to You via the Website and/or any other related electronic meanssuch as email, are processed and stored by Orange on its platform and will beconsidered binding and definitive. You expressly accept that data stored byOrange on its platform shall constitute definitive evidence of proof.
2.2 The provisionof the Service shall only take effect when Orange expressly validates theDeveloper’s subscription request.
2.3 Orange will usereasonable security and other measures to protect data (including PersonalData) provided in the performance of these Terms from unauthorized access, use,disclosure, alteration, and destruction.
3. REGISTRATION
3.1 To access theServices, you must: (i) create your Account, (ii) read and accept these Terms,(iii) select the Services you are interested in among the Catalog, (iv) verifyyour selection and correct it if necessary, and (v) enter your bank detailsinformation and confirm your order. Following acceptance of these Terms, whichyou acknowledge as having read and understood, and validation of the bankaccount details, You will be granted access to the related Services throughyour Account. You will receive emails confirming the creation of your Accountand your order.
3.2 You may not useany Orange Services or APIs and may not accept these Terms (i) unless You areof legal age to form a binding contract and (ii) if You are barred from usingor receiving Orange Services or APIs under the laws of any country.
3.3 In order toaccess certain Services or APIs, You may be required to provide certaininformation. You agree that You will keep any information You provide accurateand up to date.
3.4 You agree totreat any Private Keys associated with your Account as ConfidentialInformation, and to use them only in accordance with these Terms and asotherwise instructed by Orange. As a consequence, You represent and warrantthat You will protect such elements from unauthorised access, use, disclosure,alteration or destruction and will immediately notify Orange in writing if Youhave any reason to believe there has been a compromise of any of your PrivateKeys.
3.5 By submittingany information (either personal or non-personal information) or material (forexample, description of your Developer Product) to Orange, You grant Orange arestricted right to use such information or material in particular for thepurpose of managing your Account and processing payment, as described in thePrivacy Notice of Orange Developer.. Therefore, You accept that Orangediscloses your information to any of its affiliated companies and/or Orange’sbusiness partners. Your information or material will not be used for any otherpurposes and will remain confidential within Orange, its affiliates andOrange’s business partners. In case You have the opportunity to work withOrange, any of its affiliates and/or any Orange’s business partners and wish touse any Services provided by Orange (including the distribution of yourDeveloper Product), specific agreements will apply to such services andsuitable rights to use will be granted.
4. USING NETWORKAPI SERVICES
4.1 Orange grantsYou a limited right to use Orange Services and APIs for the purpose set out inthese Terms. Orange retains all right, title and interest in and intellectualproperty rights related to Orange Services and APIs.
4.2 If You act asan aggregator or a distributor of Orange Services or APIs, You will ensure thatyour terms and conditions with your Business Customer are consistent with theseTerms.
4.3 You will useOrange Services and APIs only as permitted by law.
4.4 You will onlyaccess (or attempt to access) an Orange Service or API by the means describedin these Terms.
4.5 Orange maymonitor, control and restrict the use of Orange Services or APIs to ensurequality, improve our Services, and verify your compliance with these Terms.
4.6 Orange may atany time modify the contractual or technical conditions of any Orange Serviceor API (notably by modifying, deprecating or removing an Orange Service orAPI), after giving You at least a one-month notice, unless otherwise providedunder the Specific Terms, before the modification comes into effect .
5. DEVELOPERPRODUCT REQUIREMENTS
5.1 Orange Servicesand APIs are offered to You to enhance your Developer Product(s). Orangereserves the right to investigate any Developer Product on compliance withthese Terms. Such investigation may involve Orange accessing and using theDeveloper Product. You consent to any such investigation. Orange may suspendall or part of the access to Orange Services and/or APIs by You, the BusinessCustomers or the Developer Product without notice if we reasonably believe thatYou or your Business Customers are in breach of these Terms.
5.2 If yourDeveloper Product requires access to Orange’s network, such Developer Productmust not in Orange’s reasonable judgement excessively use or unduly burdennetwork capacity or bandwidth.
5.3 You will usereasonable endeavours to protect End User information collected by DeveloperProduct, including personally identifiable information (PII), from unauthorisedaccess or use and will promptly report to your End Users any unauthorisedaccess or use of such information.
5.4 Orange does notacquire ownership of the Developer Product, and by using Orange Services and/orAPIs, You do not acquire ownership of any rights in Orange Services and/or APIsor the content that is accessed through Orange Services and/or APIs.
5.5 Orange reservesthe right to delete Developer Product which remain inactive. An inactiveDeveloper Product is considered as a client application which has not seen anyAPI traffic from any of its Orange API subscriptions for a period of 12 months.
6. RESTRICTIONS OFUSE
6.1 When usingOrange Services and/or APIs, the following restrictions apply:
a) You will notsublicense an Orange Service and/or API for use by a third party. Accordingly,You or your Business Customers will not create a Developer Product thatfunctions substantially the same as an Orange Services and/or API and offer itfor use by a third party.
b) You and yourBusiness Customers will not perform an action with the intent of introducing toOrange Services and/or API any viruses, worms, defects, Trojan horses, malwareor any items of a destructive nature.
c) Except to theextent this restriction is expressly prohibited by applicable law, You and yourBusiness Customers will not reverse engineer or attempt to extract the sourcecode from any Orange API or any Software.
6.2 In addition toSection 6.1, You agree that you shall not:
d) Use cheats,exploits, automation software, bots, hacks, mods or any unauthorized softwaredesigned to modify or interfere with the Services;
e) Interfere with,damage, or disrupt the Services, including through the use of viruses, cancelbots, Trojan horses, harmful code, flood pings, denial-of-service attacks,packet or IP spoofing, forged routing or electronic mail address information,or similar methods or technology;
f) Attempt toprobe, scan, or test the vulnerability of the Services or network, or breachany security or authentication measures;
g) Disrupt orinterfere with the security of, or otherwise cause harm to, the Services or anyORANGE systems, resources, accounts, passwords, servers or networks connectedto or accessible through the Services;
h) Systematicallyretrieve data or other content from the Services to create or compile, directlyor indirectly, in single or multiple downloads, a collection, compilation,database, directory or the like, whether by manual methods, through the use ofbots, crawlers, spiders, or otherwise.
7. CHANGES TOSERVICES
7.1 Orange may atany time and at its own discretion discontinue, modify or upgrade any feature,design or functioning of the Services (herein after the “Modifications”).
7.2 TheModifications may require You to take actions at your own expense and Orangeshall not be liable to You for any consequences of such Modifications, whetherdirect or indirect.
7.3 TheModification period (“Modification Period”) will start when the firstModification notification is sent to You via the e-mail address associated withyour Website account and will last for a period defined in such notification,so as to allow You to adapt to the Modifications .
7.4 During theModification Period, the Services will remain unmodified.
7.5 At the end ofthe Modification Period, the Modifications will be effective.
8. SUSPENSION OFTHE SERVICES
Orange reserves the right to suspend the Servicesimmediately in one of the following circumstances:
a) in order tocarry out maintenance operations or in case of emergency;
b) where your useof the Services presents a risk to the security of the Services, is abnormal,jeopardises the delivery of the Services or is considered by Orange asfraudulent;
c) in case ofattack or attempted attack to the security of the Services;
d) in case ofdefault by You in relation to one of your obligations under these Terms;
e) in case of latepayment or non-payment;
f) in case of arequest by a judicial or administrative authority.
Wherever possible, Orange will inform You in advance of asuspension of the Services and the duration of the suspension. In case ofsuspension, Orange is discharged from its obligation to provide the Servicessubscribed to and cannot be held responsible for any damage suffered by Youduring periods of suspension.
The Services subscribed to will be restored as soon as theevent that led to the suspension of Services has been remedied.
Failing such remedy, the suspension of the Services mayresult in termination of the Terms in accordance with Section 13 Term andTermination.
9. SERVICES SUPPORT
We provide you with technical support in French or English,which is accessible during business hours through our support sitehttps://developer.orange.com with three (3) different levels (basic plan,developer plan, business plan), as described and under the conditions specifiedon the Website.
10. PRICING -PAYMENT
10.1 The Fees ofthe Services are given in the euro currency, excluding VAT, in the Price Liston the Website. Orange is entitled to modify these prices, notably to reflectchanges to the Catalog. Orange will inform you, in advance, of any increasingFees of the Price List, so you will therefore be entitled to terminate yourAccount, in compliance with the provisions of Section 13 Term and Terminationof these Terms.
10.2 All Feesrelated to your Account and to your use of the Software and Services, arebilled each month by Orange based on your actual consumption in the course ofthe preceding month, with the cost of said usage based on the Price listapplicable in the course of the month in question. You must provide Orange witha valid credit card or online transaction account that Orange accepts (“PaymentProvider”) , prior to receiving any paid Services. You will promptly notifyOrange of any change to your payment information. Your Payment Provideragreement , and not these Terms, governs Your use of the designated credit cardor online transaction account. By providing Your payment information, You agreethat Orange may invoice You for all Fees when they become due to Orange withoutadditional notice or consent. Orange may change its charges and billingpractices at any time, by posting notice of such change on the Website, ornotifying You via email in case of an increasing price. Renewal of monthlypayments is tacit and automatic . Orange sends an e-invoice to the emailaddress associated with your Account. Moreover, we use the services of paymentservices providers (e.g., card acceptance, merchant settlement, and relatedservices), being specified that Orange do not store credit card data. By payingfor the Services, You agree to be bound by Chargebee's policy(https://www.chargebee.com/company/terms/) and Chargebee Embedded Paymentsterms (https://www.chargebee.com/embedded-payments-tou/ ).
10.3 All Fees arenet of any applicable Sales Tax. Sales Tax is automatically calculated andadded to all orders where applicable.
10.4 All paymentsfor the Services will be made free and clear of, and without reduction for, anywithholding taxes. Any such taxes imposed on payments of Fees to Orange will beyour sole responsibility. Upon Orange’s request, You will provide Orange withofficial receipts issued by the appropriate taxing authority, or other suchevidence that You have paid all applicable taxes.
10.5 You mustnotify Orange in writing at compta@ORANGE.com within seven (7) days afterreceiving your e-invoice, if You dispute any of Orange charges on thatstatement or such dispute will be deemed waived.
11. RESPONSIBILITY- WARRANTIES
11.1 You representand warrant to Orange that:
a) You comply withthe data protection requirements described in Appendix A;
b) You comply withthe security requirements described in Appendices B and C;
c) Either asprivate individual acting for yourself and on your own behalf or acting in thename and on behalf of a company, organisation, or legal entity as its dulyauthorised representative having full legal authority to act in the name and onbehalf such company, organisation, or legal entity and bind it to these Terms,You have the right and authority to enter into these Terms, to bind suchcompany, organisation, or legal entity to the Terms and to fully perform yourobligations under these Terms;
d) The DeveloperProduct is authorised for distribution, sale and use in each of the territorieswhere You make it available and complies with the laws and regulations of thoseterritories;
e) The DeveloperProduct and services linked to it do not violate or infringe any copyright,trademark, patent or other intellectual or contractual rights of any person orentity; and
f) The DeveloperProduct does not contain any offensive, obscene, or other materials or anycontent that is prohibited or restricted under local regulations or laws of anyterritory where You make it available. For the avoidance of doubt, Yourepresent and warrant that the Developer Product does not (i) depict explicitsexual activity; (ii) depict or endorse acts that cause or are intended tocause excessive pain or suffering; (iii) promote or endorse the misuse ofalcohol, tobacco, illegal drugs or other addictive substances; (iv) promoteintolerance or discrimination based on racial, political, ethnic, religious,gender or sexuality; (v) promote invasion of rights or privacy; (vi) promoteunlawful gambling or (vii) promote illegal activity.
11.2 The DeveloperProduct and any data collection conducted through it shall protect the privacyand legal rights of End Users in particular regarding process purposes andlegal basis. In addition, any Personal Data collected shall be used solely forthe purpose of providing your Developer Product or the Developer Product ofyour Business Customers. You must also protect such data from unauthorizedaccess. You must comply with (i) the provisions as set forth in Annex A ofthese General Terms, (ii) all applicable data protection laws and rules and(iii) any additional data protection requirements that may be provided inSpecific Terms .
11.3 You warrantnot to use Personal Data of End Users for any purpose other than the purposefor which they have been communicated, as set out in the Specific Terms of therelevant Network API Service.
11.4 You representand warrant not to engage in any activity, including the development, editionor distribution of any Developer Product that interferes with, disrupts,damages, or accesses in an unauthorised manner the networks, devices, servers,or any other components or services used for the distribution and uses of theDeveloper Product.
11.5 You will besolely responsible for ensuring the Developer Product is safe and free ofdefects in operation and conception. You will also be solely responsible forany documentation and End User support and warranty of the Developer Product.
11.6 Orange shallhave no responsibility or liability for the installation or use of theDeveloper Product by an End User.
11.7 You shallindemnify and hold Orange harmless against any and all claims, suits, losses,damages arising from or attributable to the Developer Product and/or the use ofthe Developer Product by any Business Customer and/or End User and/orattributable to your failure to perform any of your obligations under theseTerms.
12. CHANGES TOTERMS
Orange may change these Terms at any time and when it doesso, will inform You by email and on the Website . Please regularly log in onthe Website for any changes to the Terms. Your continued use of Orange Servicesand/or APIs will be deemed as acceptance of any changes to the Terms notifiedby Orange. If You do not accept any changes to the Terms, You must cease usingthe relevant Orange Services and/or APIs immediately. Nothing in this sectionshall affect Orange’s rights under Sections 2 Binding Agreement or 13 Term andTermination.
13. TERM ANDTERMINATION
13.1 These Termsbetween You and Orange shall be applicable upon You checking a box or clickingon an “subscribe”, “agree”, “accept”, or similar button and shall continue forso long as You are using a Network API Service, unless terminated in accordancewith these Terms.
13.2 Orange may, atany time, immediately terminate the relevant Terms:
a) in case of latepayment or non-payment;
b) if You havebreached any provision of the relevant Terms;
c) if Orange isrequired to do so by law;
d) if You go intoliquidation (in which case the termination will be effective from the date ofthe judicial pronouncement of the liquidation) or any analogous insolvencyprocess in the relevant jurisdiction; or
e) if You declineto accept any new terms or version of these Terms .
13.3 Orange and Youmay terminate the relevant Terms of an Orange Service and/or API for any reasonsubject to thirty 30) days’ prior written notice .
13.4 If You want toterminate these Terms and therefore stop using all the Services, You may do soby going to the “Change / Cancel Account” page of your Account setting page onthe Website or by contacting us via email at [address], with at least thirty(30) days’ prior written notice .
13.5 Termination ofthe relevant Terms for a Service and/or API between You and Orange will notautomatically terminate any other Terms for other Service and/or APIs betweenYou and Orange.
13.6 Upontermination for any reason, You agree to cease without delay all use of NetworkAPI Services, together with Orange’s materials, Services and/or Private Keys inrelation to these Network API Services.
13.7 If the Termsare terminated, the Terms will continue to have their effects only to permitthe recovery of amounts remaining due, as applicable, by You on the Term’stermination date.
13.8 You undertakeat the Term’s termination date to cease any use of the elements belonging to Orange,including brands, trade names, logos, contents, and databases, and not to keepcopies except for elements necessary for the recovery defined above.
13.9 The provisionsrelating to Responsibility - Warranties, Limitation of Liability,Confidentiality and Intellectual Property or any provisions which are eitherexpressed to survive termination of these Terms or, from their nature orcontext, are apparently intended to survive termination of these Terms shallremain in full force and effect notwithstanding termination of these Terms.
14. INTELLECTUALPROPERTY RIGHTS
14.1 For eachService, Orange will indicate in the relevant Specific Terms the appropriatecopyright notice, including the identification of Open Source Software licensesor other specific license terms as the case may be.
14.2 Services mayinclude third-party Software. This third-party Software may be subject toIntellectual Property Rights, and, if so, You may not use it unless You arelicensed to do so by the owner of that Software or are otherwise permitted bylaw.
14.3 Orange herebygrants You, for the duration of the Terms a non-exclusive, non-transferable,sub-licensable to Your Business Customers, licence to (as applicable) access,use and permit access to and use of the Orange Software including in each caseany Intellectual Property Rights therein, to the sole extent necessary toenable You and Your Business Customers to receive, access, onward provide andbenefit from such Orange Software as permitted by these Terms; and
14.4 You herebygrant to Orange, for the duration of these Terms, a non-exclusive,non-transferable, sub-licensable (including to its subcontractors andaffiliates), licence to access and use any of Your and any other materialsprovided by or on behalf of You (including any Intellectual Property Rightstherein), to the sole extent necessary for providing the Services in accordancewith these Terms.
14.5 You shall notaccess or use the Services except as expressly permitted by these Terms. Forpurposes of clarity and without limiting the generality of the foregoing, Youshall not, except as these Terms expressly permits or except as expresslyotherwise agreed in writing:
a) copy, download, modify, or create derivative works orimprovements of the Services;
b) reverse engineer, disassemble, decompile, decode, adapt,or otherwise attempt to derive or gain access to the source code of theServices, in whole or in part.
14.6 You may, asdeemed appropriate by You and in Your sole discretion, provide Orange withsuggestions, comments, input and other feedback regarding the Services or otherOrange technologies, products, or services (“Your Feedback”). In case Youprovide to Orange Your Feedback, You hereby grant Orange a non-exclusive,worldwide, perpetual, irrevocable, royalty-free license of Your Feedback to:(a) use, copy, modify and create derivative works of Your Feedback; (b)publicly perform, publicly display, import, broadcast, transmit, disclose,distribute, license, rent, lease or lend Your Feedback (and derivativetechnology thereof); and (c) sublicense to third parties the foregoing rights,including the right to grant further sublicenses. Orange receiving YourFeedback acknowledges that (i) it has sole and absolute discretion regardingwhether it implements any of Your Feedback; and (ii) it assumes all risksassociated with any implementation of Your Feedback. Notwithstanding anythingto the contrary in the foregoing, nothing in this Section 14.6 will beconstrued as granting Orange any rights in Your patents, trademarks, or servicemarks that may be included in or embodied by any of Your Feedback or by anyimplementation of Your Feedback in Orange’s offerings.
14.7 Orange may, asdeemed appropriate by itself and in its sole discretion, provide You withsuggestions, comments, input and other feedback regarding Your software or Yourtechnologies, Your products, or Your services (“Orange Feedback”). In caseOrange provides You any Orange Feedback, Orange hereby grants You anon-exclusive, worldwide, perpetual, irrevocable, royalty-free license to: (a)use, copy, modify and create derivative works of Orange Feedback; (b) publiclyperform, publicly display, import, broadcast, transmit, disclose, distribute,license, rent, lease or lend the Orange Feedback (and derivative technologythereof); and (c) sublicense to third parties the foregoing rights, includingthe right to grant further sublicenses. You receiving Orange Feedbackacknowledge that (i) you have sole and absolute discretion regarding whetherYou implement any of Orange Feedback; and (ii) You assume all risks associatedwith any implementation of Orange Feedback. Notwithstanding anything to thecontrary in the foregoing, nothing in this Section 14.7 will be construed asgranting You any rights in Orange patents, trademarks, or service marks thatmay be included in or embodied by any Orange Feedback or by any implementationof Orange Feedback in Your offerings.
14.8 No otherrights, even implied, are granted herein, other than those expressly providedin this section.
14.9 There will notbe any joint development of Intellectual Property Rights under these Terms.
14.10 AllIntellectual Property Rights owned by Orange and made available as a part ofthese Terms, shall remain the property of Orange.
14.11 If a thirdparty notifies You and/or Your Business Customers of any claim that the accessto, and/or the use of a Software and/or Service infringes any IntellectualProperty Rights of a third party, You shall immediately notify Orange.
If any such claim is made to You and/or to Your BusinessCustomers and/or to Orange, at Orange's request:
• You shallimmediately cease access and use of such Software and Service; and
• You shall procurethat Your Business Customers immediately cease access and use of such Softwareand Service.
You shall not make or permit to be made any admission ofliability; and You shall procure that Your Business Customers shall not make orpermit to be made any admission of liability
15. CONFIDENTIALITY
15.1 You and Orangeagree that at all times during the term of these Terms, and for three (3) yearsthereafter, the recipient of Confidential Information under these Terms willhold in confidence, and will not use or disclose to any third party (other thanin response to lawful requests from law enforcement authorities or contractorsto the extent they are performing the receiving party’s obligations under theseTerms subject to confidentiality obligations that are at least as protective asthose contained in this Section 15), any Confidential Information.
15.2 Unlessotherwise specified in these Terms, either Orange or You receiving (“ReceivingParty”) Confidential Information from the other party (the “Disclosing Party”)must:
a) only useConfidential Information received from the Disclosing Party in the performanceof these Terms; and
b) keepconfidential and not use or disclose directly or indirectly to another party orentity, except to the extent provided herein, Confidential Information receivedfrom the Disclosing Party using the same degree of diligence (but whilerespecting commercial practices), which the Receiving Party would use toprotect its own Confidential Information. The Receiving Party will onlydisclose Confidential Information to its representatives who need it and arebound by confidentiality obligations, and only to the extent necessary tofulfil their obligations under these Terms. The Receiving Party requires itsrepresentatives to comply with the provisions of this Section to the sameextent that it does. A party or person receiving Confidential Information willbe responsible for any disclosure of this information by any representative towhom it discloses such information.
The Receiving Party must return or destroy all ConfidentialInformation received from the Disclosing Party, including copies made by theReceiving Party, within thirty (30) days after receipt of a written requestfrom the Disclosing Party to the Receiving Party, except for (a) ConfidentialInformation which the Receiving Party reasonably needs to fulfill itsobligations under these Termsand (b) a copy for archival purposes only.
To the extent that You receive Personal Data from Orangeabout the End User, You must comply with the security requirements set out inAppendices B and C.
15.3 Unlessotherwise agreed upon, the obligations of this Section shall not apply toinformation which:
a) was, at the timeof receipt, already in the possession of or known to the Receiving Party, freefrom any obligation of confidentiality or restriction on use;
b) is or becomespublicly available or accessible by any lawful act of the Receiving Party orthe directors, officers, staff members, agents or subcontractors of theReceiving Party;
c) is legitimatelyreceived from a third party having no direct or indirect obligation ofconfidentiality or restriction on use toward the Disclosing Party about suchinformation;
d) is developedindependently by the Receiving Party;
e) is approved fordisclosure or use with the written permission of the Disclosing Party(including in these Terms); or
f) shall bedisclosed by the Receiving Party under any applicable law, rules, regulationsor public order, any decree or official publication, or any authority, providedthat the Receiving Party has made commercially reasonable efforts to givesufficient notice to the Disclosing Party (where reasonably possible prior todisclosure) in order to enable it to seek protective solutions, and theReceiving Party shall also make reasonable efforts to ensure the confidentialityof the Confidential Information disclosed.
15.4 The DisclosingParty shall retain all rights, titles and interests to any ConfidentialInformation that it discloses to the Receiving Party. Except as expresslyprovided in these Terms, no license shall be granted by these Terms concerningConfidential Information (including in the form of a patent, brand orcopyright), it being also understood that no such license is implied solely bythe disclosure of Confidential Information.
15.5 Thisconfidentiality obligation will remain in force for the duration of these Termsand for a period of one (1) year following the expiration or termination ofthese Terms.
16. BRAND FEATURES,ATTRIBUTION, PUBLICITY
16.1 The ORANGEword, name, symbol, device or any combination thereof used in connection withthe Services are exclusive property of the ORANGE Group and may not be usedwithout our permission for any other purpose. Other trademarks, service marksand trade names that may appear on or in the Services are the property of theirrespective owners. You will not remove, alter or obscure any copyright,trademark, service mark or other proprietary rights notices in or related tothe Services.
16.2 Any intentionto use any Orange Brand Feature, whether required in the Specific Termsgoverning the usage of a Network API Service, or for the purpose of promotingor advertising that You use Network API Services, must first be approved byOrange by sending an email to . If your request is approved, You agree toadhere to the guidelines for using Orange Brand Features as set out on theOrange Design System website (https://system.design.orange.com). You understandand agree that Orange has the sole discretion to determine whether yourattribution(s) and use of Orange's Brand Features are in accordance with theserequirements and guidelines. All use by You of Orange's Brand Features(including any goodwill associated therewith) will inure to the benefit ofOrange.
16.3 Orangereserves the right to monitor the use of its trademarks to ensure compliancewith these Terms and the brand guidelines. This may include periodic reviews ofDeveloper Products and related promotional materials. If Orange determines thatyou are not in compliance with the trademark usage guidelines, Orange willprovide you with written notice specifying the non-compliance and the actionsrequired to remedy it. Upon receiving a notice of non-compliance, you will havethirty (30) days to correct the non-compliance to Orange's satisfaction.Failure to remedy the non-compliance within this period may result in thesuspension of the services. Orange reserves the right to pursue any legalremedies available under applicable law, in the event of persistingunauthorized use or misuse of its trademarks.
16.4 You may notissue any public statements regarding these Terms or Network API Serviceswithout Orange’s prior approval, which may be withheld in Orange’s solediscretion. Should you wish to issue a public statement regarding your use ofNetwork API Services, then this request should be addressed tocontact.developer@orange.com.
16.5 Orange may, atany time and at its own discretion, issue a public statement or announcementrelating to, or communicate on, your use or distribution of Network APIServices without your prior approval and, therefore, You grant Orange a rightto use your name or logo in any advertising or publicity for such purposes.
16.6 Orange mayrequire Developer Products to include the statement “Powered by ORANGE NetworkAPIs ” or the equivalent in the form provided in its brand guidelines. Orangemay update brand guidelines from time to time in its sole discretion, and youwill make commercially reasonable efforts to comply with such updated brandguidelines in the next release version of the applicable Developer Products.Orange hereby grants you a non-exclusive right and license to use and displaythe Orange trademarks only in connection with purpose set forth in this Section16.
17. DISCLAIMER OFWARRANTIES, LIMITATION OF LIABILITY AND INDEMNIFICATION
17.1 Orangeprovides Orange Services “AS-IS” and “AS-AVAILABLE”. Your use of Network APIServices is solely at your own risk, and You are solely responsible for anydamage to your information system, services platform or any device or loss ofdata that results from such use. To the greatest extent permitted by law,Orange excludes any implied warranties or conditions, including those ofproduct liability, merchantability, fitness for a particular purpose, workmanlikeeffort, and non-infringement of IPR, relating to Orange Services. Withoutlimiting any of the foregoing, Orange expressly disclaims any warranties thataccess to or use of Orange Services will be uninterrupted or error free.
17.2 Under theseTerms, You can recover from Orange only direct damages which shall not exceedthe cumulative amount paid by You to Orange or received by Orange from You inthe year preceding the date on which the claim or dispute occurred. Any actionrelated to the Terms or Services must commence within one (1) year after itaccrues or such action will be permanently barred. You expressly acknowledgethat Orange shall not be liable to You under any theory of liability for anyindirect, incidental, special, consequential, punitive or exemplary damages orlost profits that may be incurred by You, including any loss of data, whetheror not Orange or its representatives have been advised of or should have beenaware of the possibility of any such losses arising.
17.3 To the maximumextent permitted by law, You agree to defend, indemnify and hold harmlessOrange and its respective directors, officers, employees, and agents from andagainst any and all third party claims, actions, suits or proceedings, as wellas any and all liabilities, assessments, losses, damages, costs and expenses(including reasonable attorneys’ fees) resulting from or arising out of: (i)your breach of these Terms; (ii) your infringement or violation of anycopyright, trademark, trade secret, trade dress, patent or other intellectualproperty right, or defamation of any person or violation of their rights ofpublicity or privacy; (iii) your breach of or non-compliance to any dataprotection and/or privacy laws or rules and (iv) misuse of Orange Services by athird party where such misuse was made possible by your failure to takereasonable measures to protect your Private Keys.
17.4 In the eventof a breach of Appendix A, and provided that the damage suffered by Orange hasbeen caused directly and materially by You, Your sole responsibility and theexclusive remedy of Orange for a breach of Appendix A shall not exceed themaximum amount of seven hundred and fifty thousand euros (€750,000) or 300% ofthe agreed amount paid by You to Orange or received by Orange from You in theyear preceding the date on which the claim or dispute occurred (hereinafterreferred to as the “Specific Ceiling”).
Under no circumstances shall the annual Specific Ceiling,for a consecutive period of 12 months from the date of entry into force, exceedthe total amount of five million euros (€5,000,000).
You agree to reimburse Orange for the actual and reasonablecosts incurred by Orange to respond to and mitigate the damage caused by breachof Appendices B and C caused by You, including all notice costs("Compensatory Indemnities"). Your obligations with respect to thepayment of Compensatory Indemnities, the settlement to which You consent, orthe legal fees and defense costs of Orange are subject to the Specific Ceiling.
18. GOVERNING LAWAND DISPUTE RESOLUTION
18.1 These Termsshall be governed by the laws of France, without regard to its conflict of lawprovisions.
18.2 Any dispute,controversy or claim arising out of or in connection with the Terms between Youand Orange, or the breach, termination or invalidity thereof, shall be firstlyamicably settled through a dispute settlement before any litigation procedure.In case of failure to reach an amicable settlement, the dispute, controversy orclaim arising out of or in connection with the Terms between You and Orangeshall be settled exclusively by the courts of Paris, France .
18.3 Thisdispute-settlement process shall not be construed as preventing either You orOrange from terminating these Terms for any reason valid under any sectionpermitting such termination.
19. MISCELLANEOUS
19.1 These Termsconstitute the entire agreement between You and Orange in respect of your useof Orange Services and related Services.
19.2 You and Orangeacknowledge that other than the contractual relationship established by theseTerms, these Terms will not be construed as creating any other relationship, oragency, partnership, employment, joint venture, fiduciary duty, or franchise,or any other form of legal association between You and Orange. Other than asexpressly stated in these Terms, these Terms are not for the benefit of thirdparties.
19.3 You agree thatif Orange does not exercise or enforce any legal right or remedy which iscontained in these Terms (or which Orange has the benefit of under anyapplicable law), this will not be taken to be a formal waiver of Orange'srights and that those rights or remedies will still be available to Orange.
19.4 If one or moreof the provisions of the Terms are found by a competent court or authority tobe invalid, illegal, or unenforceable in any respect under any applicable lawor regulation, the validity, legality, and enforceability of the remainingprovisions contained herein shall not in any way be affected or impaired,provided that in such case Orange will use its best efforts to achieve thepurpose of the invalid provision by a new legally valid stipulation to the same(or substantially similar) purpose and effect.
19.5 Orange will beentitled to sub-contract without your consent any of their obligations to athird-party sub-contractor. Orange shall not be responsible for the acts andomissions of any sub-contractor.
19.6 The rightsgranted in these Terms may not be assigned or transferred by You without theprior written approval of Orange. You shall not be permitted to delegate yourresponsibilities or obligations under these Terms without the prior writtenapproval of Orange.
19.7 Orange shallbe entitled to assign or transfer or otherwise dispose of these Terms (or partthereof) to any company part of the Orange group, in their absolute discretion.
19.8 You shall not,under any circumstances, either directly or through an intermediary, hire orsolicit the services of Orange employees, under any status whatsoever, whateverthe cause, without the prior written consent of Orange. If You do not complywith this obligation, You agree to compensate Orange by paying immediately andon request, a lump sum equal to twelve (12) times the gross monthly salary ofthe employee concerned at the date of his/her departure from Orange.
19.9 Neither You orOrange will be liable for failure to perform any obligation under these Termsto the extent such failure is caused by a force majeure event. This includesacts of God, natural disasters, war, civil disturbance, action by governmentalentity, strikes and other causes beyond the party’s reasonable control. Theparty affected by the force majeure event will provide notice to the otherparty within a commercially reasonable time and will resume performance as soonas is reasonably practicable.
19.10 The headingsused throughout these Terms are solely for convenience of reference and are notto be used as an aid in the interpretation of the Terms. As used herein,"may" means "has the right, but not the obligation to,""including" means "including, without limitation," and"will" means "is required to."
APPENDIX A
DATA PROTECTION REQUIREMENTS
1 Definitions
For the full understanding of the following terms, the terms“Controller," “Subcontractor," “Concerned Person,"“Recipient," "Breach of Personal Data," and “Processing"will have the meaning defined in the "Applicable Data ProtectionLaws."
Similarly, the term "Personal Data" has themeaning given to it in these same Laws.
The term "Applicable Data Protection Laws" means:
- Regulation (EU)2016/679 of the European Parliament and of the April 27, 2016 Council (GeneralData Protection Regulation) repealing Directive 95/46/EC;
- whereappropriate, the texts adopted by the European Union and local laws which mayapply to the Personal Data processed under these Terms.
2 General stipulations
You, as well as Orange, undertake to comply with the legaland regulatory obligations relating to the protection of their personal data inthe performance of these Terms.
You acknowledge that Orange is the Controller of theprocessing of Orange customers’ Personal Data, implemented in the performanceof these Terms, and that You act as Subcontractor.
The nature and scope of the Processing, the Personal Datacategories, and their retention period by You for the Network APIs Service aredescribed in the Specific Terms.
When processing the Personal Data transmitted by Orange, Youact only on documented instructions and in the context of writtenauthorizations received from Orange.
You must notify Orange immediately if, in Your opinion, aninstruction constitutes a violation of applicable Data Protection Laws. Youmust notify Orange at the following email address:contact.developer@orange.com.
You agree that the Personal Data provided by Orange to Youwithin the framework and for the purposes of these Terms shall remain Orange’sproperty. You will never own and shall never act as if You own the PersonalData transmitted by Orange in connection with the performance of these Terms.
3 Specific stipulations
The use of the Know Your Customer Match Service, the SIMSwap Service and the Number Verification Service is subject to the consent ofthe End User, which Orange is responsible for obtaining as Data Controller.
The End User's express consent will not be required as partof the Consent Option for the SIM Swap Service and for the Know Your Customermatch Service if it is demonstrated that the Service Provider has a legitimateinterest and this is approved by Orange and part of the Number VerificationService option . In these cases, You must explain the justification for theService Provider's legitimate interest in the enrollment process of itsapplication.
You undertake not to proceed with processing operationsother than those defined in these Terms t on Personal Data transmitted byOrange in connection with its execution.
If You intend to make any changes that may affect theProcessing of Personal Data, You undertake to notify Orange in advance, and notto implement such modifications without its prior written consent.
The Processing carried out under these Terms involves makinga third party, the Service Provider, acting as the Data Controller, theRecipient of the data. The latter is then obliged to fulfil all the obligationstowards the persons concerned or towards its compliance with the regulations.
It is Your responsibility to contract with this ServiceProvider in order to provide for the legal and technical conditions under whichthe Service Provider may become a Recipient of the data described in theSpecific Terms in accordance with the provisions of these Terms.
You undertake to indicate to Orange, in any contractconcluded with a Service Provider, that the Orange pages proposed in some ofthe options and described in Appendix J (identification / connection /validation of consent) are not modifiable.
You undertake to declare to Orange, in any contractconcluded with a Service Provider, the legal conditions (in particular thepossible collection of consent) and technical conditions provided for in theseTerms for the Processing in question.
In any contract with the Service Provider, You shall specifythat Orange does not guarantee the content, availability, accuracy or any otheraspect of the information provided in the Network APIs Service, whichexclusively reproduces the information declared by the Orange Account Holder.
3.1. Confidentiality of Personal Data
You undertake to:
- not disclose anyPersonal Data to a Recipient other than an approved Service Provider, whether aprivate or public, physical or legal person, without Orange’s prior consent;
- not disclose anypersonal data processed under these Terms to members of its staff who do notparticipate in the services provided under these Terms;
- ensure that allits staff members, subcontractors and providers providing services under theseTerms know and comply with the rules relating to the confidentiality andprotection of Personal Data and are subject to a specific obligation ofconfidentiality.
3.2. Security, Breach of Personal Data and Notification
You must take the necessary technical and organizationalsecurity measures to protect Personal Data from accidental or unlawfuldestruction, accidental loss, modification, disclosure or unauthorized accessto Personal Data in accordance with applicable Data Protection Laws.
You must notify Orange immediately after having detected orbeen informed by the Service Provider of a Personal Data Breach, or anysecurity breach resulting in the accidental or unlawful destruction, loss,alteration, or unauthorized disclosure of Personal Data transmitted, stored orotherwise processed, or unauthorized access to such Personal Data.
The notification will be sent to Orange at the followingemail address: cert@orange.com
The notification shall specify the nature of the PersonalData Breach and its likely and actual consequences on the People concerned, thenature of the measures already taken or those proposed to remedy the Breach,the people with whom additional information may be obtained, any unaffectedsubsidiaries or entities of Orange and the geographical areas concerned, and,if possible, an estimate of the number of People concerned who may have beenaffected by the breach in question and all the elements for identifying them.
You undertake to establish, with Orange, in the framework ofcooperation between the Parties, regular updates consistent with the urgencyand gravity of the situation.
If one or more Service Providers are affected by thesituation, You shall ensure that they are involved in any exchange.
It is incumbent only on Orange, as the Controller, to informand notify the competent control authorities and, where appropriate, theperson(s) concerned by the Breach of their Personal Data. You shall not notifythe competent authority in Orange’s place.
3.3. Cooperation with Orange
You undertake to cooperate with Orange:
- by providingOrange with all documentation and information it might need in the event of areferral to a regulatory authority to demonstrate its compliance withapplicable Data Protection Laws;
- in the managementof requests from Persons Concerned for the exercise of their rights, inparticular their rights of access, correction, deletion and/or opposition, orany other request relating to the protection of their Personal Data.
- Should the PersonConcerned contact You directly to exercise their rights, You shall communicateto Orange the request received, within seventy-two (72) hours of receiving it.You shall not respond to the request of a Person Concerned without Orange’sapproval.
In the event that the Person Concerned contacts the ServiceProvider directly to exercise his/her rights regarding the processing carriedout by Orange, the Service Provider shall communicate the request to You whoshall pass it on to Orange under the conditions presented above.
- in carrying outan impact assessment that Orange should conduct in order to assess the risksassociated with the processing of Personal Data and to identify the measures tobe taken to deal with these risks and the possible consultation of thesupervisory authority;
- in the event of acontrol or investigation by a competent supervisory authority, the Partiesundertake to cooperate reasonably with each other and with the supervisoryauthority.
In the event that the control exercised by the competentauthority concerns the Processing carried out on behalf of Orange and in itsname, You undertake to inform Orange of that control immediately after havingbeen notified by the supervisory authority itself, and not to commit itself onbehalf of Orange or in its name.
If Orange is controlled by a competent authority, inparticular with regard to the Services provided by You, the latter undertakesto cooperate with Orange and to provide Orange with any information it may needto demonstrate compliance with applicable Data Protection Laws.
3.4. Subsequent Subcontractors
You cannot subcontract all or part of the Processing ofPersonal Data to any Recipient without Orange’s prior written consent.
You shall only call upon subsequent subcontractors providingsufficient safeguards for the implementation of appropriate technical andorganizational measures to ensure Orange's compliance with applicable dataprotection laws, and undertakes to sign with its subsequent subcontractor awritten contract imposing the same data protection obligations as thoseprovided for in these Terms, and including obligations relating to security,confidentiality, and cooperation in case of data breaches or international transfersof Personal Data;
You shall provide Orange, upon request, with a certificateguaranteeing the implementation of the obligations relating to the protectionof personal data by its subsequent subcontractor and a description of theprocessing carried out by the subsequent subcontractor, indicating, inparticular, the purposes of the processing, the categories of data processed,the categories of people having access to the data, and the storage location(s)of the data;
If the subsequent subcontractor fails to comply with thedata protection obligations, You, as an original subcontractor, remain entirelyresponsible to Orange for the proper fulfillment of the obligations of itssubsequent subcontractor.
3.5. Transfer of Data Outside the European Union (EU)
If You are located in a country not recognized by theEuropean Commission as providing adequate protection, or is likely to transferPersonal Data transmitted by Orange to a Service Provider located in a countrynot offering such protection, it undertakes to comply with the formalities laiddown in the applicable Data Protection Laws to regulate data transfers outsidethe European Union.
Personal data cannot be transferred to a third countryoutside the European Economic Area without Orange’s prior written consent.
Orange authorizes You to sign on its behalf and for itsaccount the Standard Contractual Clauses of the European Commission, or anyother instrument governing the transfer of Personal Data outside the EuropeanUnion, and/or to have them signed by the Service Providers.
3.6. Audit
Orange reserves the right to verify compliance with theobligations and guarantees stipulated in these Terms and, in particular, torequest that You submit its data processing capabilities, data files anddocumentation required for processing to an audit.
This audit shall be conducted in accordance with theprocedure and modalities described in Section 5 of Appendix C (Orange SecurityRequirements) to these Terms.
3.7. Fate of Personal Data After Processing
You undertake to comply with the retention times set for theData transmitted to it by Orange for the purposes of these Terms.
In addition, You undertake to delete all documents and filescontaining Personal Data after the end of the Processing provided under theseTerms without delay and without further formalities and not to retain any copyof the Personal Data.
You shall provide Orange, upon request, with a Personal DataDeletion Certificate.
Failure by You to comply with the provisions of thisAppendix will result in termination of these Terms under the conditionsspecified in Section 13 Term and Termination. Orange will also have the rightto request an injunction or other provisional remedy for any actual orpotential breach of this Appendix, without prejudice to any other rights andremedies that Orange may have.
Appendix B – SECURITY REQUIREMENTS FOR YOUR NETWORK
1. DEFINITIONS
The terms defined in this Section have the meanings below asthey appear in Appendix B, unless the context in which they are used requires adifferent meaning or a different definition is indicated for a particularSection or provision.
1.1. “ConfidentialInformation” means: Orange customer data and proprietary network information,data relating to systems, networks, Orange services and security checksimplemented on these systems and networks, data relating to Orange staff,proprietary Orange and/or commercial secret information, and other confidentialinformation or data or proprietary data in accordance with the terms of theseTerms.
1.2. "Industrial Standard” means: accepted set of best practices (1)used or adopted by a substantial number of companies engaged in a similar typeof business ("comparable companies") to manage similar types ofinformation, (2) prescribed for use by a body or group of applicable industrialstandards or (3) established by experts who are recognized in the field asacceptable and reasonable.
1.3. "Penetration Test" means: part of the Risk Assessment Processin which one or more qualified, experienced and trained individuals, known as"ethical pirates," engage in a coordinated and planned attack ofcomputer systems and networks to uncover potential vulnerabilities and ensurethat logical controls can resist deliberate attempts to circumvent them.
1.4. "Program" means: processes and procedures that are documentedand implemented to achieve common objectives and monitor this achievement,which may be updated from time to time.
1.5. "RiskAssessment Process” and “Risk Assessment" mean: a process that isdocumented and implemented for identifying system security risks anddetermining the likelihood of occurrence and the resulting impact, andidentifying additional protections or changes that would appropriatelyeliminate and/or mitigate this impact.
1.6. "RiskManagement Program" means: a process that is documented and implemented toidentify, control and mitigate risks that are inherent to the informationsystem. It includes the process of assessing the qualitative and/orquantitative risks of the industrial standard, the cost-benefit analysis, andthe selection, implementation, testing and evaluation of protections, includinga determination of the steps necessary to meet the four objectives of SecurityAssurance.
1.7. “SecurityAssurance” means: evidence that the four security objectives (integrity,availability, confidentiality and compatibility) are adequately met by aspecific information system. "Properly met” means (1) a feature thatperforms sufficiently, (2) sufficient protection against unintentional errors(users or software), and (3) sufficient resistance to intentional penetrationor circumvention.
1.8. “ThreatSource" means: (1) intent and method targeted at the intentionalexploitation of a vulnerability or (2) situation and method that mayinadvertently cause a vulnerability.
1.9. “ThreatAnalysis” means: review and documentation of sources of threat against systemvulnerabilities to identify potential threats to a specific information systemin a particular operational environment.
1.10. “Vulnerability” means: a defect or weakness in functionality, design,implementation, internal controls of the information system or securityprocedures that can be applied (triggered accidentally or intentionally) andcause a security vulnerability or breach of the system’s security policy.
2. GENERALREQUIREMENTS
2.1. This document,“Security Requirements” (“Document”), applies to Your performance whenpersonally identifiable information relating to Orange End Users is provided toYou, including, but not limited to, the development, offer, use and/ormaintenance of any service, software or other product thereunder, and alleditions, versions, updates, improvements and related changes("software" or "hardware" as applicable).
2.2. You shallimplement and maintain administrative, physical and technical security checksof the industrial standard that are sufficient in their nature and scope toprotect (1) the confidentiality, integrity and availability of personallyidentifiable information as well as (2) the availability and integrity of theOrange service, network and operations.
2.3. You shallcomplete the administrative, physical and technical security checks describedin this document.
3. USE OFINFORMATION
3.1. You guaranteethat personal data will only be used to combat fraud, identify a mobile phone,complete a form and provide access to data for its customers or other needsspecified in these Terms.
3.2. You will takeappropriate measures to secure personal data during transit and storage bymeans of protective mechanisms in accordance with industrial standards (such asencryption). This protection will include all forms of portable media (such asflash drive/USB, laptop, CD, DVD, Blu-ray, portable hard drive, cellularphone/smartphone, MP3 player, etc.).
4. INFORMATIONSECURITY POLICIES AND PROGRAM
4.1. You shallimplement and maintain a Risk Management Program in accordance with thefollowing industry standards including, but not limited to:
4.2. You shall havea security policy describing the security and confidentiality controlsimplemented in its operations to satisfy this Document (“Information SecurityPolicy”). You shall establish a Risk Management Program to implement itsInformation Security Policy including, but not limited to:
4.2.1. A riskassessment process that ensures that the Your operating environments,development environment, systems, applications, networks and procedures areregularly assessed to identify and address security vulnerabilities.
4.2.2. A programfor detecting intrusions and security breaches, and preventing and respondingto incidents.
4.2.3. A program tomanage the system, network and application configuration.
4.2.4. A programfor implementing and administering logical access control(s) to the data,systems and network.
4.2.5. A programfor implementing and administering physical access control(s) to the premisesand data.
4.3. You shall havethe Risk Management Program monitored by an internal or external auditor atleast once a year to assess compliance with the requirements inherent in itsInformation Security Policy.
5. DEVELOPMENTCYCLE
5.1. Your controlsassociated with the development, pre-production testing and delivery of anysoftware or equipment, whatever it may be, will include, but not be limited to,an obligation to:
5.1.1. Implementsecurity controls of the industrial standard for its operating environment,systems, networks and all premises in which the software is developed and/orhosted.
5.1.2. Develop,implement and comply with the best security coding practices of the industrialstandard.
5.1.3. Establishprocesses with, where appropriate, the use of source code scanners, performancetesting tools for operating system security, web application scanners or othertools or techniques, or even information acquired through industrystandardization bodies to assess vulnerabilities in software or hardwaresecurity before starting production.
5.1.4. Followindustrial standard practices to mitigate and protect against all known andreasonably foreseeable security vulnerabilities, including: (1) unauthorizedaccess, (2) unauthorized changes in systemic configurations or data, (3)interruption, degradation, or denial of service, (4) unauthorized escalation toa user privilege, (5) service theft, and (6) unauthorized disclosure ofconfidential information.
5.2. You mustensure that all entities and configurations remain operational following anyupdates, modification or upgrades to software and hardware, unless Orange hasgiven its prior written authorization.
6. SECURITYASSURANCE
6.1. You shallmaintain a Risk Assessment Process showing Your Software and Hardware SecurityAssurance. This process shall include:
6.2. Yourobligation to organize and conduct a Risk Assessment of its software andhardware through a third-party security test provider. You shall repeat theRisk Assessment at the beginning of (1) each major release launch or (2) forany software or equipment deployed in the Orange Network or hosted by You. ThisRisk Assessment shall include:
6.2.1. analysis ofthreats to software or hardware,
6.2.2. software orhardware penetration test,
6.2.3. riskassessment for administrative, technical, logical and physical securitycontrols in the operating environment, systems, networks and premises where thesoftware or equipment is hosted, if they are hosted by You.
6.3. You mustaddress all high- or medium-risk vulnerabilities identified in the RiskAssessment before starting production.
6.4. Orange mayrequest an electronic copy of the field of work from the third party abovetasked with testing the security assurance (Section 6.1).
7. SECURITY BREACHAND INCIDENT RESPONSE
7.1. You shallestablish and maintain documented escalation processes for all securitybreaches and responses to incidents, with procedures for notifying Orangewithin twenty-four (24) hours after a breach involving personally-identifiableinformation communicated by Orange.
7.2. You shallcooperate and provide information if requested by Orange or any consultant,contractor, lawyer or other third party authorized by Orange to investigate asecurity breach in Your operating environment.
7.3. In the eventof a security breach affecting Orange, You must send Orange, within forty-eight(48) hours after its discovery, a post mortem report with (1) identification ofall the potentially compromised Orange information, (2) actions by You tomitigate the damage caused, and (3) protection to prevent the recurrence ofsaid breach.
8. RIGHT TO RISKASSESSMENT
8.1. Orangereserves the right to perform a Risk Assessment on Your software and hardware.The risk assessment may, at the discretion of Orange, take place once a year orafter each software and/or hardware launch and include, but is not limited to,vulnerability assessments and penetration tests of: (1) software and hardware,(2) underlying infrastructure and operating environment in which softwareand/or equipment operate or are hosted, (3) network and premises inherent inthe operation or maintenance of software and/or hardware and (4) Youradministrative, technical and/or physical controls inherent in such softwareand/or hardware. For Risk Assessments requiring Your involvement, resources,premises or systems, the Parties shall come to an agreement (1) on the extentof its involvement, (2) the resources, premises, or systems that would berequired, and (3) the Risk Assessment schedule.
8.2. The rightgranted to Orange to carry out its own Risk Assessment shall not replace or bea substitute for, under any circumstances, Your Risk Assessment Processspecified in this Document. A third-party security provider may, at thediscretion of Orange, be used to carry out this Risk Assessment.
9. VULNERABILITYMANAGEMENT
9.1. You shallimplement and maintain an Industrial Standard Vulnerability Management Program.You shall assign one or more staff members to the monitoring of appropriatepublic channels for the disclosure of the vulnerability (such as the NIST,National Vulnerability Database) that affect its software or hardware. Thisprogram will include (1) the underlying platform (e.g. operating system,database product, web server, etc.) and (2) all third-party software or (3)freeware that is part of Your software or hardware. This program shall include:
9.2. Assignment byYou of one or more staff member(s) to liaise with the Orange VulnerabilityManagement staff.
9.3. You shalladdress the vulnerabilities identified in its hardware and software at its ownexpense.
9.4. With respectto Your software and hardware included in the Orange network and managed byOrange, You will be required to provide a patch with a regression test withinfifteen (15) days from the date on which the vulnerability was initiallydisclosed or to which You were notified by Orange.
9.5. With respectto Your software and hardware hosted in the Orange network and managed byOrange, You will be required to implement in production a patch with aregression test within fifteen (15) days from the date on which thevulnerability was initially disclosed or on which You were notified by Orange.
9.6. With respectto Your software and hardware hosted outside of the Orange network, You will berequired to implement in production a patch with a regression test withinfifteen (15) days from the date on which the vulnerability was initiallydisclosed or on which You were notified by Orange.
Appendix C - ORANGE SECURITY REQUIREMENTS
Orange allows You to access its APIs remotely for the solefulfillment of its Services commitments.
This access to the Orange programming interface will beauthorized under the following terms and conditions.
1. Definitions
The terms defined in this Section have the meanings below asthey appear in Appendix C, unless the context in which they are used requires adifferent meaning or a different definition is indicated for a particularSection or provision.
"Services" means all services ordered and providedby You, for which access to the Orange Network is required.
"Orange Network" means the internal networkmanaged by Orange and all the Orange network access infrastructures that arenecessary to ensure communication between the resources of each party.
"Access Point” means the technical network interfacebetween Orange and You. This Access Point consists of different types ofequipment managed by Orange and made available to You. This Access Point willbe used to create a dedicated network between several partner sites. ThisAccess Point will always be used for all network connections and communicationsbetween You and Orange.
"Contributors" means everyone formally authorizedby You to access the Orange Network remotely to perform only the Services. TheContributors may be Your staff members, agents or subcontractors.
"Resources" means the programming interfaces,networks, hardware, software, and/or data belonging to and/or managed under theresponsibility of You and Orange to provide the products stipulated or performthe Services.
2. Access Control
You shall:
a. only use theAccess Point to perform the Services, and
b. ensure that onlyYour Contributors and only Your duly authorized resources are interconnectedand in communication with Orange’s resources.
c. implement andmanage the organizational and technical processes necessary to accuratelyidentify a person using this remote access and its use or action associatedwith Orange resources.
With regard to the connection provided by Orange to theContributors to access Orange’s resources, You shall:
a. not divulge toany third party, other than the authorized contributing members, anyauthentication of the data giving access to Orange’s resources, and
b. implement andmanage all organizational and technical processes to identify and authenticatea person using this connection.
3. ResourceManagement and Use
You shall:
a. update, as soonas possible and as much as necessary, its IT security tools to maintain thelevel of security required for its resources, such as updated and effectiveanti-virus software,
b. implement logoffmechanisms after a short period of inactivity to protect access to itsresources,
c. implement andorganize a password management policy and connections to its own resources, sothat passwords are changed regularly and are hard to guess,
d. implement allthe means necessary to ensure the integrity of the data exchanged betweenOrange and You,
e. implement allnecessary means to ensure that the data transmitted to Orange by You are notinfected with malicious codes, and
f. return to Orangeall its equipment, or return to Orange or destroy all the data that are itsproperty after the Services are completed.
You will only use the Orange Resources they need to deliverthe Services.
You will only use their resources if they are needed todeliver the Services.
Access by physical interconnection (Pase Interco, forexample)
In the event that Orange allows You to access its networkvia a Pase Interco type infrastructure to execute these Terms, You shall:
a. ensure thatpremises hosting the Orange equipment which constitutes this Access Point aresubject to physical control and are only accessible by authorized Contributors,
b. ensure thatremote access or control is not possible on its own interconnected equipment,
c. comply with theaddressing rules imposed by Orange.
You recognize and accept that routers and accesses areprovided and administered by Orange.
4. SecurityIncident Management
You shall designate a point of contact who will be notifiedin the event of a security incident and promptly notify Orange of any changesaffecting this point of contact.
You or Orange will notify each other if it detects amalicious action, system failure, or security incident that may affect theresources of the other using the procedures and contacts previously determinedby the Parties.
In case of a serious incident related to Your connection(such a virus or intrusion into the system) likely to affect or threaten thesecurity of Orange resources, Orange may suspend remote access to the OrangeNetwork without notice until the security incident is fully resolved.
5. Right of Auditand Logging
Orange reserves the right to:
a. log Youraccesses to Orange's resources,
b. implementmanagement and monitoring tools on access infrastructure, and/or,
c. if needed, askYou for the identity of the user accessing the Orange Network and, whereapplicable, its subcontractors.
In addition, Orange or any third party authorized by Youwill be responsible for auditing Your resources to verify that it complies withthe commitments stipulated.
You shall assist in the proper conduct of the audit. It willtherefore have to agree to provide all the information necessary for thisaudit. This information will be covered by a non-disclosure agreement. You andOrange will agree on the preparation and drafting of the audit requirements.
In the event that Orange allows You to access its networkvia a Pase Interco infrastructure to execute these Terms or prepare the auditrequirements, You will provide, in writing, to Orange or any authorized thirdparty in charge of the audit:
a. its policy forcombating and avoiding malicious codes (such as names of anti-virus productsused on workstations and servers, strategies to update signatures andanti-virus engines, and applications or tools on workstations and servers),
b. a diagram ofYour networks and of the equipment connected to the Orange Network, and
c. any otherinformation necessary for this audit (security policy item, daily log files,etc.).
If any non-compliance is revealed by the audit, You shallestablish a compliance program within ten (10) days after notifying Orange. Theprogram shall contain all the measures to be implemented and theirimplementation dates within a reasonable timeframe. Once authorized by Orange,this compliance program shall be applied by You. Otherwise, Orange may suspendremote access to the Orange network without notice and terminate these Terms asstipulated in Section 13 Term and Termination.
6. Subcontracting
You shall give Orange prior written notice of any changesinherent to the subcontracting parties involved during execution of theServices.
You shall ensure that its Contributors - includingsubcontractors - comply with the terms and conditions of this section, inparticular with regard to the strict confidentiality or integrity of allinformation to which they should have access to deliver the Services. Orangemay, depending on the type of information disclosed, ask You to sign anon-disclosure agreement.
7. Information
You shall notify Orange and specify in writing anymodification of the items it must provide to Orange in accordance with theprovisions of this Section, such as name of security contact or security rules.
NETWORK API SERVICE SPECIFIC TERMS
NUMBER VERIFICATION API
Article 1 - FOREWORD
To use the Network API Service, as referred to above, Youmust first agree to be bound with full and unreserved acceptance by theseSpecific Terms. These Specific Terms incorporate by reference the Networks APIsGeneral Terms (together the “Terms”). In case of discrepancy between theSpecific Terms and the General Terms, Specific Terms will prevail.
Article 2 - DEFINITIONS
For the purposes of the, the following terms shall have thefollowing definitions:
"End User Data": the data listed in Appendix A,Network API Service Description, that may be provided to You and BusinessCustomer under the Network API Service of these Terms. Only the Data referredto on the Form duly validated by Orange shall be submitted by You to YourBusiness Customer referred to on the Form.
"MSISDN" or "Mobile Station InternationalSubscriber Directory Number": the mobile phone number of the End Userholding an Orange mobile subscription attached to the SIM card.
"Orange AccountHolder": the End User who has a non-professional Orange subscription intheir name for their personal needs. Orange subscriptions are:
- mobile Orangesubscriptions ;
- bundlesubscriptions (Mobile + Internet) ;
- Internetsubscriptions.
Article 3. RELIABILITY OF SHARED INFORMATION ON END USERS
The End User Data transmitted in connection with thedelivery of the Network API Service is the data declared by the Orange AccountHolder as part of their Orange subscription. Therefore, Orange does notguarantee the accuracy of the data transmitted to You and Your BusinessCustomer.
Article 4. YOUR ELIGIBILITY CRITERIA
In order to qualify for the Network API Service, You mustmeet the following cumulative conditions:
- the Terms havenot been suspended or terminated in the last year following a breach of theircontractual obligations;
- You have paid anyamount You owe to Orange;
- You have notattempted fraud against Orange;
- You respect allof the Orange Group’s ethical rules and compliance policies available onorange.com, especially those regarding anti-corruption, money laundering andeconomic sanctions.
In the event that You, during the duration of these Terms,no longer meet any of the conditions listed above, these Terms may beterminated by Orange under the conditions set out in Section 13 of the GeneralTerms.
Article 5. TARIFF CONDITIONS
In return for the supply of Orange’s Network API Service,the rates conditions charged to You will be those set out in Appendix C tothese Terms.
Any unpaid amounts due at the scheduled time willautomatically result in the payment of interest on arrears. It will becalculated on the basis of the amount due multiplied by the ECB's rate + 10%,the sum of which is divided by 26. This clause cannot compromise the debt’spayability. These penalties shall accrue from the first day following thepayment deadline until Your actual payment is deemed effective on the day onwhich the Orange Bank Account is credited. The ECB's rate is the overnight rateof the day after the payment should have been made.
In addition, in the event of a late payment, a lump sumpayment for recovery costs will also be applied in full to You, starting on thefirst day of delay and without prior formal notice. The amount of thisindemnity shall be equal to forty (40) euros as set by Article D 441-5 of theCommercial Code on the date of the first late day.
You shall have a period of one (1) month from the date ofissue of the invoice to express the duly substantiated reservations that Youconsider necessary to Orange. Beyond that time limit, You will no longer beable to contest the invoice, which will be considered as final.
Orange is duly authorized to offset any amount unpaid by Youwith any amount owed by Orange to You or belonging to You and held by Orange.
Appendix A Network APIs SERVICE DESCRIPTION
1. Generalstipulations on the protection of personal data for the Network APIs service
The nature and scope of the Processing, the Personal Datacategories, and their retention period by You for the Network APIs service aredescribed in the table below:
Number Verification:
Verification that the mobile phone number of the End Userholding an Orange mobile subscription declared to Your Business Customer isidentical to the mobile phone number used
YES/NO answer to the question is the declared MSISDNidentical to the MSISDN used
No retention by You of personal data transmitted by Orange
5. Specificconditions of the Number Verification Service
5.1. Objective: Thepurpose of the service is to provide Your Business Customer with real-timeconfirmation that the mobile phone number (MSISDN) that an End User claims tobe using is the same as the mobile terminal that he/she is actually using atthe time of the request. The service thus makes it possible to meet the needsof line authentication and verification of the veracity of the declared MSISDN.
5.2. Method: Uponrequest, the service provides a method of mobile line authentication byallowing validation of an End User's mobile number when using an online serviceon his/her mobile terminal connected to the 3G/4G/5G mobile network.
5.3. Implementationconditions: This Service does not imply the prior and express consent of theEnd User in the User's option as this is only offered when the legitimateinterest is demonstrated by Your Business Customer and approved by Orange. Thejustification for this processing must be documented to Orange by You. Ifnecessary, Your Business Customer will inform the End User, by any means inaccordance with the regulations, that the number declared may need to beverified with Orange.
5.4. End User Datatransmitted: Only a YES/NO answer will be provided to the question: "Isthe declared MSISDN identical to the MSISDN used?” In addition to thedefinition of “Orange Account Holder” (Article 2 DEFINITIONS), the NumberVerification Service is also aimed at prepay customers or customers who havesigned up for a mobile package for the VSE sector.
5.5. Use andRetention of End User Data:
You cannot retain End User Data obtained from Orange.However, Your Business Customer may retain End User Data obtained from Youunder the terms agreed upon with Your Business Customer concerned. In addition,You may retain information relating to transfers (other than Personal Data) forrecord-keeping, financial reporting and audits for its own account.
5.6. API calls: SeeAppendix B “Technical Conditions” for details on API.
- Verify the EndUser if the End User information is available to Your Business Customer or ifthe End User account is eligible for the use case.
- If the End User'saccount is eligible for the use case, only a YES/NO answer will be provided tothe question: "Is the declared MSISDN identical to the MSISDN used?”
- Optionally and atYour request, Orange will activate the Eligibility API functionality.
Appendix B - TECHNICAL CONDITIONS
A- TECHNICAL FLOWS
B- REQUIREMENTS FORDATA FROM YOU
The fields below will be sent to Orange by You under theOrange APIs as appropriate.
1. RequestId -registration of the transaction transmitted by Your Business Customer to You.
2. AgreggatorTransactionId - randomly generated number so that You cantrack the transaction.
3. Your BusinessCustomer name - to ascertain whom the identifiers were transferred to.
4. MSISDN - toconfirm the subscriber who has been authenticated.
5. ConsentID - codefor obtaining authorization from the User.
6. Date/Time - timestamp of the request (or response) transaction.
7. StatusCode -success/failure.
8. ReasonCode - ifnecessary, reason for the transaction’s failure (non-existent, user auth.failure, etc.).
C. SERVICE QUALITYAND MAINTENANCE
Data recoveryresponse time <1 sec. in 95% of cases.
Incident availabilitytime: 95%
Disaster availabilitytime: 96%
C: Standard
SLA Bronze Level 2
Impact
Sensitive Guaranteed operation 12x5
RIO incident = 1 day
RTO damage = 5 days
RPO damage = 1 day
No redundancy Availability
Incident 95% annual
Damage 96% annual