NORDUnet AGREEMENT ADDENDUM No. 05

between
NORDUnet A/S
Kastruplundgade 22
DK-2770 Kastrup
DENMARK

and
UNINETT
Abels gate 5
NO-7030 Trondheim
NORWAY

regarding IdP proxy for Box

NORDUnet / UNINETT Agreement Addendum no. 05
1. SCOPE OF THE AGREEMENT ADDENDUM
This Agreement, being an Addendum to the NORDUnet General Terms & Conditions, specifies the services related to the IdP Proxy provided by NORDUnet to UNINETT. The service is governed by the data processing agreement in Annex 1.

2. DURATION OF THE AGREEMENT
Upon signature the Agreement Addendum is effective from December 1st 2013. The agreement is automatically renewed for 1 year at a time, if not terminated within 30 days of the expiry of the initial or any renewed contract period. If terminated by the customer, a notice must be submitted to contracts@nordu.net.

3. DELIVERY DATE
The service delivery is expected to be December 1 2013.

4. SERVICE SPECIFICATION
The service is based on a shared virtual server providing the IdP proxy functionality.

5. SERVICE CHARGES AND INVOICING
The annual base charge is EUR 2.500. The setup fee is 1.500. The service will be invoiced on an annual basis, first time December 2013.

6. SIGNATURE
The below signatures by representatives of NORDUnet and UNINETT are to confirm the content of this Agreement Addendum.

(Signature/Date)
UNINETT: Petter Kongshaug
Data Handling Agreement
in accordance with Section 13, cf. Section 15 of the Personal Data Act and Chapter 2 of the Norwegian Personal Data Regulations
by and between
UNINETT AS (Controller)
and
NORDUnet A/S (Processor)
1. Intention of the Data Handling Agreement
In Agreement Addendum 5 - IdP proxy for Box between NORDUnet A/S and UNINETT AS, UNINETT and NORDUnet have agreed that NORDUnet will operate an Identity Provisioning proxy for UNINETT's Box service. To provide this service NORDUnet needs to process certain personal data on behalf of UNINETT, which both parties desire to regulate in this Data Handling Agreement ("the DHA"). As is the case for Agreement Addendum 5, this DHA is subject to the provisions of the NORDUnet General Terms and Conditions signed between UNINETT and NORDUnet A/S.

The intention of the DHA is to regulate rights and obligations pursuant to the Norwegian Act of 14 April 2000 No. 31 relating to the processing of personal data (the Personal Data Act) and the Regulations of 15 December 2000 No. 1265 (the Personal Data Regulations). The DHA shall ensure that personal information relating to the data subjects is not used unlawfully or comes into the hands of a third party. The DHA concerns the Processor's use of personal data on behalf of the Controller, including collection, recording, alignment, storage and disclosure or a combination of such uses.

2. Purpose
Controller offers a personal cloud storage solution based on the Box.com platform to its members, primarily the Norwegian higher education and research community. Controller uses Feide, the Norwegian SAML-based single sign-on solution for higher education and research, for account creation and user logon. While Box.com supports SAML-based authentication, it does not support authorisation based on SAML attributes. Controller wants to allow its members a certain level of control with regard to which user groups of a member institution will have the ability to create a Box.com account. To facilitate basic authorisation, a SAML IdP logon proxy component is needed between Box.com and Feide. NORDUnet offers such a component as a service to the Nordic NRENs.
Data subjects
Users from a UNINETT member institution who have or want to create a Box account under the agreement between UNINETT and Box.

The personal data transferred concern the following categories of data: typical user account data pertaining to Users with a Box account under the agreement between UNINETT and Box, including but not limited to: name, email, other details transferred with federated logon, messages, identification data or location data. A detailed specification is included in Annex 1, Specification of SAML attributes.

Processing operations
The Personal Data transferred will be subject to the following basic processing activities:
- automated provisioning and further management of a Box user account using user account attributes from a user's home organisation. As part of this particular processing activity a certain set of user attributes is transferred onward to the Box service under the agreement between UNINETT and Box.com. A detailed specification of the attributes subject to onward transfer is given in Annex 1, Specification of SAML attributes.
- logging and other basic service provisioning activities
- data gathered as part of operating the service may be used in research projects. Such use is subject to explicit acceptance by Processor.

3. The Processor's obligations
When processing personal data on behalf of the Controller, the Processor shall follow any reasonable routines and instructions stipulated by the Controller at any given time. The Processor is obliged to give the Controller access to his written technical and organizational security measures and to provide assistance so that the Controller can fulfil his responsibilities pursuant to the Act and the Regulations.

Unless otherwise agreed or pursuant to statutory regulations, the Controller is entitled to access all personal data being processed on behalf of the Controller and the systems used for this purpose. The Processor shall provide the necessary assistance for this.

The Processor must observe professional secrecy in regard to the documentation and personal data to which he has access in accordance with this Agreement. This provision also applies after the DHA has been discontinued.

4. Use of a subcontractor
If the Processor uses a subcontractor or other resources not formally employed by the Processor, this shall be agreed in writing with the Controller prior to starting the processing of personal data.
Anyone who performs assignments on behalf of the Processor which include further processing of the relevant personal data shall be familiar with the Processor's contractual and legal obligations and fulfil the requirements thereto. At the start of the DHA no subcontractors are used by the Processor.

5. Security
The Processor shall fulfil the requirements for security measures stipulated in the Personal Data Act and Regulations thereto, in particular Sections 13 and 15 of the Personal Data Act and the Personal Data Regulations. The documentation shall be available upon the Controller's request. The Processor shall report to the Controller all discrepancies according to Section 2-6. The Controller is responsible for reporting the discrepancy to the Data Inspectorate.
6. Security audit
The Processor shall make available a written security audit report not older than 18 months. The security audit shall be executed according to the requirements and guidelines of the Secretariat for IT security for the Norwegian higher education sector. At least once a year the Processor shall make itself available to discuss with Controller the security measures affecting the Service.

7. Duration of the DHA
The DHA is valid for as long as Processor is processing personal data on behalf of Controller for the purpose of providing the service the IdP proxy for Box as per Agreement Addendum 5 regarding IdP proxy for Box. The DHA can only be terminated simultaneously with and on the same conditions as the Agreement Addendum 5 regarding IdP proxy for Box. In the event of breach of this Agreement or the Personal Data Act, the Controller can instruct the Processor to stop further handling of the information with immediate effect.

8. Termination
Upon termination of this DHA, the Processor is obliged to return all personal data received on behalf of the Controller and covered under this DHA. The Controller shall send an encrypted dump of all account-related data to Processor. The Processor shall delete or destroy in a secure and definite/irreversible manner all documents, data, diskettes, CDs, etc. that contain personal data covered under this DHA. This also applies to any back-up copies. If no other timetable has been agreed upon, deletion shall be executed 1 month after termination of this DHA. The Processor shall document in writing that deletion or destruction has taken place in accordance with the DHA within a reasonable period of time after termination of the DHA.

9. Notifications
Notifications under this DHA shall be submitted in writing to:

NORDUnet A/S
email: contracts@nordu.net
telephone:
address:

UNINETT AS
email: postmottak@uninett.no
telephone:
address: 7465 Trondheim, Norway
10. Signature
This DHA has been drawn up in 2 (two) copies, of which the parties retain one copy each.

Place and date

For Controller            For Processor
(signature)               (signature)
Annex 1 - Specification of SAML attributes
For a detailed description see the Feide attribute specification at https://www.feide.no/attributelist

Personal data transferred from Feide to NORDUnet Box IdP proxy service:
- mail
- displayname
- sn
- givenname
- edupersonprincipalname
- schachomeorganization
- edupersonscopedaffiliation
- edupersonaffiliation
- edupersonprimaryaffiliation

Personal data transferred from NORDUnet Box IdP proxy service to Box:
- mail
- displayname
- sn
- givenname
- edupersonprincipalname
- schachomeorganization
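The attribute flow Annex 1 specifies, worked as an added example that is not part of the agreement or of NORDUnet's proxy: a filter that keeps only the nine contracted Feide attributes, makes the authorisation decision described in section 2 from the affiliation attributes, and forwards only the six attributes listed for Box. The institution policy, the sample user and the function names are constructed assumptions.

```python
from typing import Optional

# Attributes Annex 1 says Feide releases to the proxy.
FEIDE_TO_PROXY = {
    "mail", "displayname", "sn", "givenname", "edupersonprincipalname",
    "schachomeorganization", "edupersonscopedaffiliation",
    "edupersonaffiliation", "edupersonprimaryaffiliation",
}
# Attributes Annex 1 says the proxy forwards to Box; the three affiliation
# attributes are used only for the decision and never leave the proxy.
PROXY_TO_BOX = {
    "mail", "displayname", "sn", "givenname", "edupersonprincipalname",
    "schachomeorganization",
}
# Hypothetical per-institution policy (constructed, not from the agreement):
# which affiliations may create a Box account, keyed by schacHomeOrganization.
# An institution without an entry gets no accounts at all.
POLICY = {"example-uni.no": {"employee", "faculty", "staff"}}


def authorise_and_filter(attrs: dict) -> Optional[dict]:
    """Return the attribute subset to forward to Box, or None to deny."""
    # Drop anything outside the contracted attribute set, case-insensitively;
    # values are lists, as SAML attribute statements are multi-valued.
    attrs = {k.lower(): list(v) for k, v in attrs.items() if k.lower() in FEIDE_TO_PROXY}
    org = (attrs.get("schachomeorganization") or [None])[0]
    affiliations = set(attrs.get("edupersonaffiliation", []))
    if org not in POLICY or not affiliations:
        return None  # unknown institution, or nothing to base a decision on
    # A scoped affiliation must be scoped to the user's own home organisation
    # and agree with the unscoped list; anything else is treated as inconsistent.
    for scoped in attrs.get("edupersonscopedaffiliation", []):
        value, _, scope = scoped.partition("@")
        if scope != org or value not in affiliations:
            return None
    if not affiliations & POLICY[org]:
        return None  # user group not allowed to create a Box account
    return {k: v for k, v in attrs.items() if k in PROXY_TO_BOX}


def make_assertion(org: str, affiliations: list) -> dict:
    """Build a constructed Feide-style attribute set for a sample user."""
    return {
        "mail": ["ola@" + org], "displayName": ["Ola Nordmann"], "sn": ["Nordmann"],
        "givenName": ["Ola"], "eduPersonPrincipalName": ["ola@" + org],
        "schacHomeOrganization": [org], "eduPersonAffiliation": affiliations,
        "eduPersonScopedAffiliation": [a + "@" + org for a in affiliations],
        "eduPersonPrimaryAffiliation": affiliations[:1],
    }
```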