Summary of Entrust FFIEC Compliance Guarantee
Terms and Conditions
The following is a summary of the terms and conditions for the Entrust FFIEC Compliance Guarantee. Terms in an individual contract may differ depending on the Customer's specific circumstances and the particular Entrust products and services that are selected. The Entrust FFIEC Compliance Guarantee is also subject to Customer meeting certain technical requirements and providing Entrust with requested access to the Customer Environment and Online Application.
- FFIEC Compliance Guarantee
Subject to Customer acceptance and implementation of Entrust's deployment and integration requirements, Entrust warrants that (i) the Software System will be deployed prior to January 1, 2007 for one (1) Online Application in one (1) Customer Environment, and (ii) the technical capabilities of the Software System will not serve as the sole basis for a finding that the Online Application failed to comply with the authentication requirements in the FFIEC Guidance on Authentication in an Internet Banking Environment, FIL-103-2005, issued October 12, 2005 (hereinafter, the "FFIEC Compliance Guarantee"). The FFIEC Compliance Guarantee shall be subject to the limitations set forth below and to Customer fully complying with all of the conditions and requirements set forth below. The FFIEC Compliance Guarantee shall also be predicated on Customer making available to Entrust all equipment, material, information, data, and facilities that Entrust may reasonably require to perform its obligations and also upon Customer providing Entrust with timely access to appropriate members of Customer's staff as may be reasonably required by Entrust in the performance of its obligations. Customer acknowledges that any delay on its part in the performance of its obligations may have an impact on Entrust's performance of its activities and will void the FFIEC Compliance Guarantee. The FFIEC Compliance Guarantee shall terminate on May 31, 2007 (the "FFIEC Guarantee Termination Date").
- Exclusive Remedy for Breach of FFIEC Compliance Guarantee
Customer's exclusive remedy for breach of the FFIEC Compliance Guarantee shall be the right to receive one (1) year of additional Support for the Software System (hereinafter, the "Deployment Support"). Such Deployment Support shall be (i) at the same level (i.e. Silver, Gold or Platinum) as the Support level that was purchased by Customer for the Software System at the time that the Customer acquired the Software System, and (ii) may only be used for the specific copies of the products (excluding non-Entrust products which shall not be eligible for Deployment Support) that were part of the Software System. Under no circumstances shall Customer be entitled to any refund of any amounts paid to Entrust in respect to the Software System for license fees, Support, or services. Customer shall not be entitled to receive any cash or product substitute if Customer elects not to accept the Deployment Support. Except for the obligation to provide Deployment Support, Entrust shall have no other liability or obligation to Customer or any other person for any breach of the FFIEC Compliance Guarantee. All claims of breach of the FFIEC Compliance Guarantee must be submitted by Customer to Entrust by the FFIEC Guarantee Termination Date. No cause of action may be asserted by Customer against Entrust in relation to any breach or alleged breach of the FFIEC Compliance Guarantee later than one (1) year following the FFIEC Guarantee Termination Date.
For the purposes of the FFIEC Compliance Guarantee, the following terms shall have the following meanings:
"Software System" shall mean the specific copies of Entrust products licensed by Customer (as set forth in the applicable software license agreement) that are to be deployed during the project subject to this FFIEC Compliance Guarantee;
"Entrust IdentityGuard Lite" shall mean a version of Entrust IdentityGuard that is contractually restricted to the use of machine fingerprint authentication, question-and-answer authentication, and out-of-band authentication for user authentication and that is restricted to the use of picture and caption replay for mutual authentication.
"Online Application" shall mean one (1) application that has been selected by Customer for integration with the Software System using one application integration technology (Java, SOAP, .NET or ISAPI). The Online Application shall be a single software program developed by Customer or from a single vendor that is used to perform a single function such as consumer Internet banking or consumer online mortgage processing; and
"Customer Environment" shall mean one (1) environment that has been selected by Customer in which the Software System is to be deployed. The Customer Environment shall be a single set of server(s) and communications equipment that can be connected to Customer's information technology infrastructure to allow the Online Application to communicate with the Software System to provide the data required by the Software System to perform its authentication functions. An example of a Customer Environment would be a development lab, a test lab, user acceptance test system, or a production system.
The Online Application and Customer Environment must be selected by the Customer and identified to Entrust prior to the start of the project. Once the project has started, neither the Online Application nor the Customer Environment can be changed without voiding the FFIEC Compliance Guarantee (other changes in time lines and fees may also be applicable). If Entrust is prevented from deploying in the Customer Environment because of any development freezes or other freezes of the Customer Environment or the Online Application then the FFIEC Compliance Guarantee shall also be voided.
IdentityGuard Option
The FFIEC Compliance Guarantee under this option will be restricted to the selected Online Application in the Customer Environment and to the deployment of a maximum of three (3) user authentication methods supported by Entrust IdentityGuard. This option will also include the deployment of one (1) type of mutual authentication supported by Entrust IdentityGuard. If grid authentication is selected and Customer elects to have the grid cards produced by Entrust, then the maximum deployment allowed for the purposes of the FFIEC Compliance Guarantee shall be 5000 cards. If Vasco tokens are selected for an authentication option, Customer shall be responsible for procurement and subsequent distribution of such Vasco tokens (including all costs associated with the acquisition and distribution of such Vasco tokens). If the acquisition or deployment by Customer of Vasco tokens delays or otherwise impacts any of the timelines for the deployment activities, then the FFIEC Compliance Guarantee shall be voided. The FFIEC Compliance Guarantee shall not be applicable to scenarios that include the deployment of more than 5000 grid cards. Additionally, any grid card production by Entrust shall be limited to Entrust's standard grid card offering and shall not include any non-standard features such as, for example, and without limitation, production of Braille grid cards. The FFIEC Compliance Guarantee is also conditional on use by Customer of the environments, platforms and repositories that are currently supported by Entrust IdentityGuard.
IdentityGuard Lite Option
This option will be restricted to the selected Online Application in the Customer Environment and to the deployment of the permitted authentication techniques for Entrust IdentityGuard Lite. The FFIEC Compliance Guarantee is conditional on use by Customer of the environments, platforms and repositories that are currently supported by Entrust IdentityGuard Lite.
Zero Touch Fraud Detection Option
This option includes the right to have up to fifty (50) business signatures defined and implemented for the Online Application in the Customer Environment. Additional business signatures can be identified and implemented; however, if the number of business signatures exceeds fifty (50), the FFIEC Compliance Guarantee is voided. The deployment will also include the right to have the standard out-of-the-box reports confirmed to be operational for the Online Application. This option does not include any integration or customization of the Zero Touch Fraud Detection and eFraudMart solutions. Customer agrees and acknowledges that if Customer selects a configuration of the Software System that does not include the Entrust IdentityGuard solution, then the customer shall be solely responsible for the compliance aspects of the FFIEC Guidance on Authentication in an Internet Banking Environment (hereinafter the "FFIEC Guidelines") that deal with protection of sensitive personal information and that the Software System will not provide any capabilities for addressing those requirements and that Customer will have to develop its own solution for protecting sensitive personal information that may be available in the Online Application (such as, for example, by masking such sensitive personal information, by using some non-Entrust provided second factor of authentication, or by not making such sensitive personal information available in the Online Application).
Customer Responsibilities (All Options)
Customer will be required to provide access to the following personnel within Customer's organization:
- Project Manager - The Customer Project Manager shall jointly own the plan to implement the project and also coordinate resources within Customer and with the Entrust Project Manager. The Customer Project Manager shall also navigate through internal Customer processes and organization as they pertain to the deployment of the Entrust products.
- Technical Lead - The Technical Lead's responsibilities are to work with Entrust resources on the deployment and integration of the solution, and to provide input on the technical environment. The Technical Lead has overall responsibility for the technical aspects of the deployment.
- IT Manager/System Administrator - The IT Manager/System Administrator's responsibilities are to provide the IT resources needed to install and set up the servers as per Entrust checklist items. The IT Manager/System Administrator is also responsible for providing and co-ordinating the data center resources needed to open any firewall ports and complete install of the Entrust products.
- IT/Network Architect/Engineer - The IT/Network Architect/Engineer's responsibilities are to provide input on network and other technical aspects of the Customer Environment and to assist with deployment.
- Corporate and/or IT Security Personnel - The Corporate and/or IT Security Personnel are responsible for providing corporate and IT security requirements.
- Application Developer/Support Personnel - The Application Developer/Support Personnel are responsible for coding and testing the integration of Entrust IdentityGuard with the Online Application.
Customer shall be responsible for any integration of the administration functionality of the Online Application with the Entrust IdentityGuard administrative capabilities. Customer shall also be responsible for any presentation layer components required to complete the integration of the authentication or administration functionality of Entrust IdentityGuard and the authentication or administration functionality of the Online Application. To the extent that any such integration affects the deployment timeline for the Entrust products, the FFIEC Compliance Guarantee shall be voided. Customer shall also be responsible for the procurement and installation of all required third-party hardware and software, including the operating system. To the extent that any failure to acquire the necessary third-party hardware and/or software affects the deployment timeline for the Entrust products, the FFIEC Compliance Guarantee shall be voided.
The FFIEC Compliance Guarantee shall be subject to Customer providing the following:
- access to the selected customer facilities, equipment and the Customer Environment so that work on installation and deployment can commence on or before October 16, 2006;
- the following resources within the Customer project team, which shall be available for consultation with Entrust:
- Project Manager who will act as a single point of contact within the Customer's organization who will coordinate the resources and activities;
- Business Analyst or developer familiar with the Online Application to allow Entrust to understand the Online Application authentication methods;
- accurate information regarding the traffic volumes and load generated by the Online Application to allow Entrust to assess and scope the hardware needed according to the following parameters;
- logins and sessions/day and peak sessions/hour;
- If step-up authentication: number of step ups/; and
- access to the Customer Environment which shall have been configured and set up as set forth in the Entrust pre-install checklist, including the hardware, operating system and firewall rules to install the Entrust products;
The System Software may require the acquisition of high-performance, scalable application and database to support the rollout of the applicable product functionality. The customer shall be responsible for acquiring these servers and software within ten (10) business days after any such requirement is identified by Entrust. A failure to acquire these servers and software within that timeframe will void the FFIEC Compliance Guarantee. Entrust assumes that the Customer is sufficiently knowledgeable about the Online Application to work with Entrust IdentityGuard integration specialists to integrate the necessary Entrust IdentityGuard API calls with the Online Application. However, if this is not possible, then Entrust and the Customer will need to assess the work required to integrate the Online Application with Entrust IdentityGuard. If Entrust, in its sole discretion, deems that the scope of work is too significant, then the FFIEC Compliance Guarantee shall be voided.