Terms of Service

1. General provisions

paiza LLC ("we", "us", "our") is the official Certificate Authority (CA) issuing digital signature certificates for the citizens of Mongolia. Users of the Service agree to comply with Mongolia's Electronic Signature Act, the Personal Data Protection Act, and these Terms.

2. Service description

The paiza service consists of the following components:

• Issuance of digital signature certificates (citizen identification via DAN)
• On-device digital signing (iOS, Android)
• Processing of authentication and signing requests from Relying Parties (RPs)
• Secure data exchange with registered relying parties over TLS
• Real-time certificate validity status (OCSP, CRL)

3. Eligibility

You may use the Service if you:

• Are a citizen of Mongolia aged 18 or over (per the Electronic Signature Act)
• Hold a valid national ID
• Can be verified through the DAN system
• Use a device running iOS 16+ or Android 9+

Minors under 18 and persons whose legal capacity has been restricted may not use the Service.

4. Account registration and authentication

To use the Service you must complete the following steps:

• Verify your identity through the DAN system (national ID number, biometric)
• Set a PIN (4–6 digits). Safeguarding your PIN is YOUR responsibility
• Optionally enable biometric unlock (Face ID / Touch ID / fingerprint)
• Your private key is generated inside the device's Secure Enclave / Keystore — neither you nor we can extract it

You must promptly notify us at support@eidmongol.mn of any suspicious activity related to your account.

5. User obligations

• Keep your PIN confidential and never share it
• Do not let others use your device; if it is lost or stolen, immediately revoke your certificate
• Keep your certificate information accurate and notify us of any changes
• Do not use the Service for unlawful or fraudulent purposes
• Report any security issue immediately (security@eidmongol.mn)
• Keep your operating system and the app up to date

6. Certificate validity

Conditions governing digital signature certificates:

• Certificates are valid for 5 years from the date of issuance
• May be renewed before expiry
• May be revoked in the following cases: user request, lost/stolen device, data compromise, death of the holder, legal requirement
• Once revoked, a certificate cannot be reinstated — a new one must be issued
• Revocation status is propagated to RPs in real time via OCSP / CRL

7. Prohibited use

When using the Service, you must NOT:

• Impersonate others or sign falsified documents
• Reverse-engineer or modify the application, or run it on jailbroken / rooted devices
• Bypass security mechanisms or perform unauthorized testing (outside an authorized bug-bounty program)
• Conduct DDoS, brute-force, or other abusive access against our infrastructure
• Attempt to extract your private key or spoof biometric checks
• Use bots, scrapers, or automated scripts to interact with the Service

8. Intellectual property

All intellectual property rights in the paiza application, logos, design, code, and documentation are owned by paiza LLC. Except for personal use of the Service, any copying, distribution, modification, sale, translation, or incorporation into other products requires our prior written consent.

9. Suspension and termination

We may suspend or terminate your access to the Service if you:

• Breach these Terms
• Engage in fraud or unlawful activity
• Pose a threat to the security of the Service
• Are subject to a valid order from a competent authority

You may stop using the Service at any time via the in-app "Delete Account" button. Personal data is erased within 30 days of deletion (except for audit-log entries that we are legally required to retain).

10. Limitation of liability

paiza is NOT liable for the following:

• Loss arising from a compromised PIN or lost device caused by the user
• Loss arising from misuse by third-party Relying Parties (RPs)
• Loss arising from false information provided by the user or attempts to bypass DAN verification
• Service interruptions caused by force majeure, cyber-attacks, or regulatory changes
• Failures of the user's internet connection or device

Our maximum aggregate liability is capped at the amount you paid us in the previous 12 months. Because the Service is provided free of charge to citizens, these limitations apply to the maximum extent permitted by law.

11. Dispute resolution

Any dispute arising from these Terms shall first be resolved through good-faith negotiation. If no settlement is reached within 30 days, the dispute shall be referred to the courts of Mongolia. These Terms are governed by the laws of Mongolia.

12. Updates to the Terms

We may update these Terms from time to time. We will notify you of material changes at least 30 days in advance via the app and our website. Continued use of the Service after the changes take effect constitutes acceptance. If you do not agree, you must stop using the Service and delete your account.

13. Governing law and standards

The Service operates in compliance with the following laws and standards:

• Mongolia's Electronic Signature Act (2011, amended 2022)
• Mongolia's Personal Data Protection Act (2021)
• Mongolia's Cybersecurity Act (2021)
• ETSI EN 319 4xx Trust Services standards
• RESTful API over TLS interoperability standards

14. Contact us

If you have any questions about these Terms, please contact us:

• Email (general): support@eidmongol.mn
• Email (legal / DPO): privacy@eidmongol.mn
• Email (security): security@eidmongol.mn
• Phone: +976 7000-1234
• Address: paiza LLC, Ulaanbaatar, Mongolia