ICANN | Revised VeriSign Registry Agreements: Appendix H

  ICANN Logo

Revised VeriSign Registry Agreements: Appendix H

Posted: 16 April 2001


VeriSign Equivalent Access Certification

VeriSign, as Registry Operator ("VGRS"), makes the following certification:

1. All registrars (including any registrar affiliated with VGRS) connect to the Shared Registration System Gateway via the Internet by utilizing the same maximum number of IP addresses and SSL certificate authentication.

2. VGRS has made the current version of the registrar toolkit software accessible to all registrars and has made any updates available to all registrars on the same schedule.

3. All registrars have the same level of access to VGRS customer support personnel via telephone, e-mail and the VGRS website.

4. All registrars have the same level of access to the VGRS registry resources to resolve registry/registrar or registrar/registrar disputes and technical and/or administrative customer service issues.

5. All registrars have the same level of access to VGRS-generated data to reconcile their registration activities from VGRS Web and ftp servers.

6. All registrars may perform basic automated registrar account management functions using the same registrar tool made available to all registrars by VGRS.

7. The Shared Registration System does not include any algorithms or protocols that differentiate among registrars with respect to functionality, including database access, system priorities and overall performance.

8. All VGRS-assigned personnel have been directed not to give preferential treatment to any particular registrar.

9. I have taken reasonable steps to verify that the foregoing representations are being complied with.

This Certification is dated this the __ day of __________, _____.

VeriSign, Inc.

 

By: __________________________
Name: Bruce Chovnick
Title: General Manager, VeriSign Global Registry Services



VeriSign Global Registry Services (VGRS)
Organizational Conflict of Interest Compliance Plan

VGRS has implemented the following organizational, physical and procedural safeguards to ensure that revenues and assets of VGRS are not utilized to advantage the registrar business of companies affiliated with VGRS to the detriment of other competing registrars with regard to Registry Services provided for the .com, .net, and .org TLDs. VGRS recognizes the potential for organizational conflicts of interest ("OCI") between its Registry Services business and the ICANN-accredited Registrar business associated with VeriSign and has placed these generally accepted, US Government recognized safeguards in place to avoid operational issues.

I. VGRS ORGANIZATIONAL STRUCTURE

In recognition of potential OCI, VeriSign, Inc. established organization barriers by separating VeriSign's registry business and its registrar business into separate profit and loss ("P&L") centers, each with its own General Manager. Each General Manager reports directly to separate division heads who in turn report directly to the Chief Executive Officer of VeriSign and has dedicated direct reporting employees in the finance, marketing, engineering, customer affairs and customer service functions, as appropriate. Each P&L employee is dedicated to the line of business for which he/she directly works.

The corporate administrative support functions under the Chief Financial Officer, Customer Experience Officer, Communications Officer, Business and Corporate Development Officer and Chief Strategy Officer provide support to each line of business on a cost allocated basis or a dedicated project accounting basis. These officers and the Chief Executive Officer will be compensated based on consolidated financial results, versus Registrar or Registry results.

The VGRS General Manager has authority over all operational decisions and is the business owner of this compliance plan. VGRS employs a Compliance Officer to administer day-to-day oversight and administration of this plan.

The VeriSign, Inc. General Counsel's office employs an overall OCI compliance function to oversee corporate adherence to the Plan and to resolve potential conflicts or actual conflicts among VeriSign functions.

II. FINANCIAL SEPARATION

The registry business accounts for its own costs, revenues, cash flow, etc. as a separate P&L center, using separate and distinct systems and accounting functions. Reasonable and independently auditable internal accounting controls are in place to ensure the adequacy of these systems and functions. The individual financial statements of each P&L center are then consolidated at the corporate level for tax and SEC reporting.

III. LOCATION CHANGE

To further separate businesses and, among other things, ensure that the risk of inadvertent disclosure of sensitive information is effectively mitigated, VeriSign's Registry and Registrar businesses are located in separate facilities.

IV. PHYSICAL BARRIERS

Each VeriSign business unit employee has a security badge that will provide him/her access only to the facility he/she works in and the VeriSign headquarters facilities. At the VGRS facility, only registry-assigned personnel ("Registry Personnel") and other personnel who are identified to have a legitimate need for access (excluding "Registrar Personnel") will have regular badge access to the premises and any other person will be treated as a visitor to the facility and will gain access only through established visitor sign-in and identification badge procedures.

V. ACCESS TO THE REGISTRY FACILITY

VGRS provides access to all VGRS customers through the following mechanisms and separates VGRS systems and information from systems and information of any affiliated registrar through these processes:

1. All registrars (including any registrar affiliated with VGRS) connect to the Shared Registration System Gateway via the Internet by utilizing the same maximum number of IP addresses and SSL certificate authentication.

2. All registrars have the same level of access to VGRS-generated data to reconcile their registration activities from VGRS Web and ftp servers. All registrars may perform basic automated registrar account management functions using the same registrar tool made available to all registrars by VGRS.

3. The Shared Registration System does not include any algorithms or protocols that differentiate among registrars with respect to functionality, including database access, system priorities and overall performance.

4. No registrar affiliated with VGRS will be given any access to the registry not available to any other registrar except with regard to information specific to their registrar.

5. Any information needed by registrars regarding the technical interface of registry/registrar operations will be made equally available to all registrars.

VI. INFORMATION CONTROL

VGRS has in place various procedural safeguards to ensure that data and information of the registry business are not utilized to advantage the business of any registrar affiliated with VGRS. VGRS has adopted a policy regarding the marking, access and dissemination of business sensitive information (Exhibit A). This policy requires employees to mark all Registry sensitive information as "Registry Sensitive." Furthermore, the policy requires that all sensitive information be limited in access and disseminated only to those VGRS Personnel and other personnel who are identified to have a legitimate "need to know," which shall not include personnel assigned by any registrar affiliated with VGRS. The Registry General Manager maintains a matrix that dictates who can access particular categories of Registry Sensitive information. All sensitive information is secured in an appropriate manner to ensure confidentiality and security. Consent of the Registry General Manager is required prior to release of financial or statistical information relating to the registry business.

VII. TRAINING

All VGRS Personnel and other employees who have a need to know Registry business undergo a formal OCI Training Program, developed by the Registry Compliance Officer, providing the staff members with a clear understanding of this Plan and the staff members' responsibility under the plan. OCI training is required before any potential staff member is given an assignment or access to Registry Sensitive material. OCI refresher training is given on an annual basis.

VIII. NON-DISCLOSURE AGREEMENTS/OCI AVOIDANCE CERTIFICATIONS

Upon completion of the training program, all VGRS Personnel and other employees who have a need to know registry business (which shall not include personnel assigned by any registrar affiliated with VGRS), are required to sign a non-disclosure agreement and a Registry Business OCI Avoidance Certification acknowledging his/her understanding of the OCI requirements, and certifying that he/she will strictly comply with the provisions of the OCI Plan. Examples of the agreement and certification are attached as Exhibits B and C. The signed agreements are maintained in the program files and the individual's personnel file. Each staff member acknowledges verification of the annual refresher training required by this Plan.


Exhibit A
Access and Dissemination of Proprietary Information

Introduction

The purpose of this "Use of Proprietary Information" is to protect Sensitive Information of the Registry Business to ensure that the revenue and assets of the Registry Business are not utilized to advantage the Registrar Business to the detriment of other competing registrars. This document is also designed to establish policies for the protection of Proprietary Information developed by and/or in the possession of VeriSign, Inc. ("VeriSign"). This policy is applicable to all employees of VeriSign.

Definitions:

Proprietary Information. Proprietary information includes financial, personnel, business or other information owned or possessed by VeriSign that has not been authorized for public release. Proprietary Information also includes Technical Data, which is described in detail below.

Examples of Proprietary Information include:

A. Financial information, such as:

1. Sales forecast data

2. Financial planning data

3. Budgets and pricing data, including labor rates, indirect rates or pricing guidelines

4. Operating or contract performance costs

B. Personnel information, such as:

1. Employee lists or resumes giving detailed professional background

2. Salaries of individual personnel

3. Lists of addresses or home telephone numbers of personnel

4. Information which would assist a competitor in the proselytization of VeriSign

5. Information from employees' personnel files

6. Medical information concerning individual employees

C. Marketing information, such as:

1. Specific proposals that VeriSign is submitting or considering submitting

2. List of customers seeking proposals

3. Customer list and contracts

D. Corporate Communication, such as:

1. Information posted on the Vault

2. The Style Guide

Such information is frequently referred to as "Proprietary Data," "Trade Secret," "Confidential Information," "Privileged Information," "Private Data," and/or "Unpublished Data."

(Proprietary Information does not include financial, administrative, cost and pricing, and management data, or other information incidental to contract administration.)

Technical Data. Technical Data is recorded information, regardless of form or characteristic, of a scientific or technical nature. It may, for example, document research, experimental, developmental, or engineering work; or be usable or used to define a design process; or to procure, produce, support, maintain, or operate equipment/material. The data may be graphic or pictorial delineations in media such as drawings or photographs, text in specifications or related performance, or design-type documents or computer printouts.

Examples of Technical Data include:

1. Research and engineering data,

2. Engineering drawings

3. Products or process information

4. Corporate research plans or research results

5. Computer codes/programs

6. Internal reports or other work product such as notebooks, charts, drawings, notes of your employees and file material which employees compiled and used in performing duties as an employee of VeriSign.

7. Specifications, standards process sheets, manuals, technical reports, catalog item identifications and related information,

8. Computer software documentation (Computer Software Documentation includes computer listings and printouts, in human-readable form which (i) documents the design or details of computer software, (ii) explains the capabilities of the software, (iii) provides instructions for using the software to obtain desired results from a computer, or (iv) printed service code)

Registry v. Registrar Information:

Registry Sensitive information includes Proprietary Information or other financial, personnel, technical, or business information owned or possessed by VeriSign relating to its Registry business which could be utilized to advantage the Registrar business to the detriment of other competing registrars.

Registrar Sensitive information includes Proprietary Information or other financial, personnel, technical, or business information owned or possessed by VeriSign and/or its wholly owned subsidiaries relating to its Registrar business.

Registry Sensitive information shall not be disclosed to Registrar personnel at any time.

Examples of the distinction between Registry and Registrar information include:

a. Engineering information, including schematics, code, and engineering notes should be considered Registry Sensitive information.

b. Statistics, such as numbers of registrations, transfers, etc., performed by each registrar, as well as processing times, numbers of failures or any information that is trending negative or contains negative performance factors not generally available to the public should be considered either Registry Sensitive information or Registrar Sensitive information, as applicable. Unless otherwise approved, registration activity information must be protected from disclosure to any registrar other than the registrar to which the information refers. Such protection extends to precluding VeriSign's Board of Directors, Chief Executive Officer, Chief Financial Officer, and the General Manager of the Registrar business from access to Registry Sensitive information pertaining to any registrar other than that owned or controlled by VeriSign.

c. Some statistical information will be available for public consumption. Such information does not require any special treatment, so long as neither the Registrar nor Registry does not receive any preferential treatment (e.g., early access to such information).

d. Financial information and data related to either the Registry or Registrar is Sensitive Information and will not be released without the express consent of the applicable General Manager, Chief Executive Officer or Chief Financial Officer. Monthly expenses and income shall be kept sensitive and restricted from disclosure to any party other than the appropriate Registry or Registrar staff and select members of the company's senior staff.

Procedures for Protection of Proprietary Information:

Responsibility. All employees are responsible for identifying Proprietary Information, Registry Sensitive information and Registrar Sensitive information developed, produced, or possessed by their organizational units and for instructing employees reporting to them regarding the proper handling and safeguarding of such Proprietary Information.

Each VeriSign employee should exercise reasonable care to protect Proprietary Information, Registry Sensitive information and Registrar Sensitive information from unauthorized or inadvertent disclosure.

Every VeriSign employee must exercise caution and discretion to insure that divulging such information will not compromise the competitive position of VeriSign nor infringe on personnel information about specific employees.

Marking of Internal Documents. Employees should, as a matter of routine, mark each document containing Proprietary Information, Registry Sensitive information and Registrar Sensitive information with the appropriate legend at the time the document is produced.

Computer tapes and other recorded material should be identified by proper labeling which is visible to the ordinary person while the material is being stored. In addition, all such material should have a warning notice at the beginning of the material to ensure the user is forewarned about the proprietary nature of its contents (as soon as access is afforded to a computer tape or at the beginning of a sound recording, etc.).

For internal documents containing Proprietary Information, the following legend should appear on the first page of the document:

Copyright © 2001 VeriSign, Inc. All rights reserved.

VeriSign, Inc.
Division Name
PRIVILEGED AND CONFIDENTIAL
INTERNAL WORKING DOCUMENT [if appropriate]

[DATE]

The following legend should appear at the top of every page of the internal document containing Proprietary Information:

VERISIGN PROPRIETARY INFORMATION

The information on this document is proprietary to VeriSign.
It may not be used, reproduced or disclosed without the written approval of VeriSign.

The following legend should appear at the top of every page of the internal document containing Registry Sensitive information:

REGISTRY SENSITIVE

The information on this document is proprietary to VeriSign and the VeriSign Registry business.
It may not be used, reproduced or disclosed without the written approval of the
General Manager of VeriSign® Global Registry Services.

Not every piece of Proprietary Information in VeriSign's possession must be properly marked; for example, salary reviews or medical/insurance records do not need to be marked. Nevertheless, all such documents must be protected from unauthorized disclosure.

Policy Concerning Disclosure and Marking of External Documents.

a. Policy Concerning the External Disclosure of Proprietary Information

As a general rule, no employee may disclose Proprietary Information to anyone outside of the company. This general rule applies to business associates, affiliates of the company and personal contacts.

As a general rule, VeriSign employees shall not disclose Proprietary Information to other VeriSign employees unless the recipient of the information has a "need to know" that information.

VeriSign recognizes that there are occasions when it is necessary to disclose Proprietary Information to individuals who are not VeriSign's employees. Such disclosure must have the prior written approval of the appropriate VeriSign manager.

All documents containing Proprietary Information that are disclosed to third parties, must contain the following notice:

Copyright © 2001 VeriSign, Inc. All rights reserved.
THIS DOCUMENT CONTAINS PROPRIETARY INFORMATION THAT IS OWNED BY VERISIGN. THIS DOCUMENT MAY ONLY BE USED BY THE RECIPIENT FOR THE PURPOSE FOR WHICH IT WAS TRANSMITTED. THIS DOCUMENT MUST BE RETURNED UPON REQUEST OR WHEN NO LONGER NEEDED BY RECIPIENT. IT MAY NOT BE COPIED OR ITS CONTENTS COMMUNICATED WITHOUT THE WRITTEN CONSENT OF VERISIGN.

DISCLAIMER AND LIMITATION OF LIABILITY
VeriSign, Inc. has made efforts to ensure the accuracy and completeness of the information in this document. However, VeriSign, Inc. makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. VeriSign, Inc. assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions or statements of any kind contained in this document. Further, VeriSign, Inc. assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. VeriSign Inc. reserves the right to make changes to any information herein without further notice.

NOTICE AND CAUTION
Concerning U.S. Patent or Trademark Rights
VeriSign, [insert the specific trademark that is the subject to the material], and other trademarks, service marks and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries. The inclusion in this document, the associated on-line file, or the associated software of any information covered by any other patent, trademark, or service mark rights does not constitute nor imply a grant of, or authority to exercise, any right or privilege protected by such patent, trademark, or service mark. All such rights and privileges are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner.

As a general rule, all recipients of such information should first sign a Non-Disclosure Agreement. When Proprietary Information is exchanged between VeriSign and another company with which VeriSign as a business relationship, the parties must execute a Non-Disclosure Agreement.

b. Policy Concerning the External Disclosure of Registry Sensitive Information.

As a general rule, no employee may disclose Registry Sensitive information to anyone outside of the company. This general rule applies to business associates, independent contractors, temporary employees, affiliates of the company and personal contacts.

VeriSign recognizes that there are occasions when it is appropriate to disclose Registry Sensitive information to individuals who are not VeriSign's employees, such as independent contractors or temporary employees. Such disclosure must have the prior approval of the appropriate VeriSign manager.

No Registry Sensitive information shall be disclosed to any third party unless that third party has first agreed to a non-disclosure agreement or similar agreement restricting the third party's disclosure of the Registry Sensitive information in accordance with this policy.

All documents containing Registry Sensitive information that are disclosed to such third parties, must contain the following notice:

REGISTRY SENSITIVE
The information on this document is proprietary to VeriSign and the VeriSign Registry business.
It may not be used, reproduced or disclosed without the written approval of the
General Manager of VeriSign® Global Registry Services.

Procedure for Disclosing Proprietary Information and/or Registry Sensitive Information. The procedure to disclose Proprietary Information is as follows:

a. affix the appropriate legend on the document

b. execute Non-Disclosure Agreement

c. send the Proprietary Information through a secure system, such as overnight courier

d. log or note your disclosure of the information

e. maintain a record of and track your disclosures

Safekeeping:

When not in use, Proprietary Information should be stored in a locked desk, cabinet or file. Such material should not be left unattended during the workday and should be turned face down in the presence of visitors or employees who have no need to know.

Destruction:

Burning, shredding or comparable methods should be used for the destruction of Proprietary Information.

Terminating Employees:

Terminating employees should be reminded of their responsibilities and obligations in protecting Proprietary Information as outlined in the appropriate employee regulations and rules. Permission to retain such information after termination must be in writing and approved by the VeriSign's General Counsel prior to removal.

Third-Party Proprietary Information:

Proprietary Information received from other companies through contractual or precontractual relationships will be afforded the same level of protection given to VeriSign private information.

Questions:

Questions concerning implementation or interpretation of this policy should be referred to VeriSign's Legal department.


Exhibit B
NON-DISCLOSURE AGREEMENT

I understand I am an employee assigned to VeriSign Global Registry Services ("VGRS") or another employee who has a need to know information related to the VGRS business (but not an employee assigned by any registrar affiliated with VGRS) which is proprietary, confidential or business sensitive, belonging to VGRS, other companies or customers of VGRS ("Need to Know Employee"). I agree not to disclose or otherwise disseminate such information to anyone other than Need to Know Employees, except as directed, in writing, by the General Manager of the Registry Business or his/her designee. This prohibition is specifically intended to prevent the disclosure of any such information to personnel assigned by any registrar affiliated with VGRS. I understand that disclosure of such information to anyone other than a Need to Know Employee or use of such information could result in personal liability for such unauthorized use or disclosure.

I agree to use such proprietary, confidential and/or business sensitive information only in the performance of requirements necessary to carry out my duties as a Need to Know Employee, and I agree to take suitable precautions to prevent the use or disclosure of such information to any party, other than Need to Know Employees. I will report to the General Manager of the VGRS Business or his/her designee any potential violation of this agreement. I further agree to surrender any and all data and information, of any type whatsoever, to the General Manager of the VGRS Business or his/her designee upon the termination of my employment as an employee of VeriSign, or my assignment with VGRS.

I certify that I have read and fully understand this Non-Disclosure Agreement and agree to abide by all requirements contained herein. I understand that my strict compliance is essential to VGRS, and any violation of these requirements may result in termination of my employment.

Agreed to:

__________________________
Employee

Date

Verified:

__________________________
General Manager, Registry

Date

 


Exhibit C
REGISTRY BUSINESS ORGANIZATIONAL
CONFLICT OF INTEREST AVOIDANCE CERTIFICATION

I hereby certify that I have received training in and understand the requirements of conflict of interest issues and the requirements of the Organizational Conflict of Interest Compliance Plan of VGRS. I certify that I will strictly comply with the provisions of this Plan. I understand my obligation to (i) refrain from any activities which could pose a personal conflict of interest and (ii) report to the General Manager of VGRS, any conflict, whether personal or organizational, which is perceived or identified during the course of my employment with VGRS.

CERTIFIED

_______________________________
signature date

________________________________
name


Comments concerning the layout, construction and functionality of this site
should be sent to webmaster@icann.org.

Page Updated 16-April-2001
(c) 2001  The Internet Corporation for Assigned Names and Numbers. All rights reserved.