a) Request Phase
The first step in establishing an Affiliate Registration
Organisation requires the interested organisation to demonstrate its capacity to
perform ARO functions and meet the requirements as described in section II. This
is essential as failure to exercise the functions appropriately can incur legal
liability for the organisation. After sending an official request using the ARO
Request Form, the organisation needs to submit all required documents. Once
WISeKey has examined those documents and found the Applicant compliant with
the requirements, the next phase begins.
b) Contract Phase
A chain of contracts supports the WISeKey PKI hierarchy,
which includes a contract between Affiliate Registration Organisations and the
Affiliate Certification Authority that issued its certificate or the Affiliate
Registration Authority it is subordinated to. The second phase in deployment is
thus the establishment of a contractual relationship between the Affiliate
Registration Organisation and the relevant entity. This contract allocates the
rights and obligations of the parties in the operation of their respective PKI
entities, which in the case of Affiliate Registration Organisations, include the
following:
- The absence of de lege or de facto
  conflicts or incompatibilities in the nature of the organisation that will
  be implementing and providing certification services.
- Compliance with standards no lower than those required by
  the traditional law (where it allows such certification methods to meet
  formal or evidentiary requirements) or with electronic commerce and
  electronic signature legislation (under discussion or enacted).
- Respect of statutory or contractual privacy and data
  protection rights of its clients and compliance with the corresponding
  obligations arising from the Affiliate Certification Authority’s
  Certification Practice Statement and Privacy Policy.
- Compliance with any applicable consumer protection
  legislation as well as any other relevant law.
- Attainment of the necessary authorisations for the
  importation, use, sale and provision of cryptographic goods and services of
  the quality and security levels imposed by statutory or contractual
  requirements.
- Insurance (where available) covering among other things:
  - The erroneous or omitted identification of a certificate
    applicant.
  - Damages incurred as a result of claims based on the
    Registration Authority's activities, loss of information caused by system
    malfunction or misuse.
  - Loss, theft, modification or unauthorized access to the
    Registration Authority's private cryptographic key or other information
    stored in its secured systems.
  - Loss, damage to or theft of the ARO system.
- Performance of Affiliate Registration Organisation functions
  as described in section I.
- Infrastructure and procedural security to maintain a high
  level of security of the hardware, software, cryptographic keys, activation data
  (e.g. passwords) and the records of the Affiliate Registration Organisation
  activities.
c) Delivery, Training and Audit Phase
Once the basic requirements are met and the contract is
signed, the Applicant is required to pay 50% of the ARO system costs.
After this payment is received, the ARO System shall be delivered to the
Applicant. WISeKey or the Affiliate Certification Authority provides a system
that includes the hardware and software specified in section II of this
document, providing full ARO functionality.
After system delivery, a one-day training workshop is held in
Geneva (or at Applicant’s offices, with travel and accommodation expenses paid
by Applicant). Where the Applicant considers it is prepared to commence
operations, an audit is undertaken to ensure compliance and capability to comply
with the requirements. The training workshop is available for 2 Applicant
representatives (conducted in Geneva, Switzerland) and focuses on:
- ARO implementation, operation and maintenance, designed
  for the applicant organisations’ technical staff that will operate the
  system.
- Strategy, legal and technology issues related to secure
  electronic transactions, designed for applicant organisations’ management
  and/or sales staff.
Some modifications to the End User Agreement and other
documentation may be required in the Applicant’s jurisdiction (e.g.
adjustments to comply with local law, translation into the local language, drafting of
a customised Certificate Policy). The costs of the modifications will be paid by
the Applicant.
d) Activation Phase
The successful completion of the audit will be followed by
the activation of the ARO at the CA level, after which the ARO is able to issue
certificates. Within a period of 15 days following activation, the Applicant is
required to pay the remaining 50% of the ARO System invoice.
The audit costs, travel and accommodation expenses as well as
any taxes and transaction costs are paid by the ARO in accordance with the invoice
and expense reports presented by the auditor and relevant WISeKey staff.