NORDUnet. AGREEMENT ADDENDUM No. 05 between NORDUnet A/S, Kastruplundgade 22, DK-2770 Kastrup, DENMARK, and UNINETT, Abels gate 5, NO-7030 Trondheim, NORWAY



Transcription:

NORDUnet AGREEMENT ADDENDUM No. 05

between

NORDUnet A/S
Kastruplundgade 22
DK-2770 Kastrup
DENMARK

and

UNINETT
Abels gate 5
NO-7030 Trondheim
NORWAY

regarding IdP proxy for Box

NORDUnet / UNINETT Agreement Addendum no. 05

1. SCOPE OF THE AGREEMENT ADDENDUM
This Agreement, being an Addendum to the NORDUnet General Terms & Conditions is specifying the services related to the IdP Proxy provided by NORDUnet to UNINETT. The service is governed by the data processing agreement in Annex 1.

2. DURATION OF THE AGREEMENT
Upon signature the Agreement Addendum is effective from December 1st 2013. The agreement is automatically renewed for 1 year at a time, if not terminated within 30 days of the expiry of the initial or any renewed contract period. If terminated by the customer a notice must be submitted to contracts@nordu.net.

3. DELIVERY DATE
The service delivery is expected to be December 1 2013.

4. SERVICE SPECIFICATION
The service is based on a shared virtual server providing the IdP proxy functionality.

5. SERVICE CHARGES AND INVOICING
The annual base charge is EUR 2.500. The setup fee is 1.500. The service will be invoiced on annual basis, first time December 2013.

6. SIGNATURE
The below signatures by representatives of NORDUnet and UNINETT are to confirm the content of this Agreement Addendum.

(Signature/Date)
UNINETT
Petter Kongshaug

Data Handling Agreement in accordance with Section 13, cf. Section 15 of the Personal Data Act and Chapter 2 of the Norwegian Personal Data Regulations by and between UNINETT AS (Controller) and NORDUnet A/S (Processor)

1. Intention of the Data Handling Agreement
In Agreement Addendum 5 - IdP proxy for Box between NORDUnet A/S and UNINETT AS, UNINETT and NORDUnet have agreed that NORDUnet will operate an Identity Provisioning proxy for UNINETT's Box service. To provide this service NORDUnet needs to process certain personal data on behalf of UNINETT which both parties desire to regulate in this Data Handling Agreement ("The DHA"). As is the case for Agreement Addendum 5, this DHA is subject to the provision of the NORDUnet General Terms and Conditions signed between UNINETT and NORDUnet A/S.

The intention of the DHA is to regulate rights and obligations pursuant to the Norwegian Act of 14 April 2000 No. 31 relating to the processing of personal data (the Personal Data Act) and the Regulations of 15 December 2000 No. 1265 (the Personal Data Regulations). The DHA shall ensure that personal information relating to the data subjects is not used unlawfully or comes into the hands of a third party. The DHA concerns the Processor's use of personal data on behalf of the Controller, including collection, recording, alignment, storage and disclosure or a combination of such uses.

2. Purpose
Controller offers a personal cloud storage solution based on the Box.com platform to its members, primarily the Norwegian higher education and research community. Controller uses Feide, the Norwegian SAML-based single-sign-on solution for higher education and research, for account creation and user logon. While Box.com supports SAML-based authentication it does not support authorisation based on SAML-attributes. Controller wants to allow its members a certain level of control with regards which user groups of a member institution will have the ability to create a Box.com account. To facilitate basic authorisation, a SAML IdP logon proxy component is needed between Box.com and Feide. NORDUnet offers such a component as a service to the Nordic NRENs.

Data subjects
Users from a UNINETT member institution who have or want to create a Box account under the agreement between UNINETT and Box.

The personal data transferred concern the following categories of data: typical user account data pertaining to Users with a Box account under the agreement between UNINETT and Box, including but not limited to: name, email, other details transferred with federated logon, messages, identification data or location data. A detailed specification is included in Annex 1, Specification of SAML attributes.

Processing operations
The Personal Data transferred will be subject to the following basic processing activities:
- automated provisioning and further management of a Box user account using user account attributes from a user's home organisation. As part of this particular processing activity a certain set of user attributes is transferred onward to Box service under the agreement between UNINETT and Box.com. A detailed specification of the attributes subject to onward transfer are detailed in Annex 1, Specification of SAML attributes.
- logging and other basic service provisioning activities
- data gathered as part of operating the service may be used in research projects. Such use is subject to explicit acceptance by Processor.

3. The Processor's obligations
When processing personal data on behalf of the Controller, the Processor shall follow any reasonable routines and instructions stipulated by the Controller at any given time. The Processor is obliged to give the Controller access to his written technical and organizational security measures and to provide assistance so that the Controller can fulfil his responsibilities pursuant to the Act and the Regulations. Unless otherwise agreed or pursuant to statutory regulations, the Controller is entitled to access all personal data being processed on behalf of the Controller and the systems used for this purpose. The Processor shall provide the necessary assistance for this. The Processor must observe professional secrecy in regard to the documentation and personal data to which he has access in accordance with this Agreement. This provision also applies after the DHA has been discontinued.

4. Use of a subcontractor
If the Processor uses a subcontractor or other resources not formally employed by the Processor, this shall be agreed in writing with the Controller prior to starting the processing of personal data. Anyone who performs assignments on behalf of the Processor which include further processing of the relevant personal data shall be familiar with the Processor's contractual and legal obligations and fulfil the requirements thereto. At the start of the DHA no subcontractors are used by the Processor.

5. Security
The Processor shall fulfil the requirements for security measures stipulated in the Personal Data Act and the Personal Data Regulations, in particular Sections 13-15 of the Personal Data Act and Regulations thereto. The documentation shall be available upon the Controller's request. The Processor shall report to the Controller all discrepancies according to Section 2-6. The Controller is responsible for reporting the discrepancy to the Data Inspectorate.

6. Security audit
The Processor shall make available a written security audit report not older than 18 months. The security audit shall be executed according the requirements and guidelines of the Secretariat for IT security for the Norwegian higher education sector. At least once a year the Processor shall make itself available to discuss with Controller the security measures affecting the Service.

7. Duration of the DHA
The DHA is valid for as long as Processor is processing personal data on behalf of Controller for the purpose of providing the service IdP proxy for Box as per Agreement Addendum 5 regarding IdP proxy for Box. The DHA can only be terminated simultaneously with and on the same conditions as the Agreement Addendum 5 regarding IdP proxy for Box. In the event of breach of this Agreement or the Personal Data Act, the Controller can instruct the Processor to stop further handling of the information with immediate effect.

8. Termination
Upon termination of this DHA, the Processor is obliged to return all personal data received on behalf of the Controller and covered under this DHA. The Controller shall send an encrypted dump of all account-related data to Processor. The Processor shall delete or destroy in a secure and definite/irreversible manner all documents, data, diskettes, CDs, etc. that contain personal data covered under this DHA. This also applies to any back-up copies. If no other timetable has been agreed upon, deletion shall be executed 1 month after termination of this DHA. The Processor shall document in writing that deletion or destruction has taken place in accordance with the DHA within a reasonable period of time after termination of the DHA.

9. Notifications
Notifications under this DHA shall be submitted in writing to:

NORDUnet A/S
email: contracts@nordu.net

UNINETT AS
email: postmottak@uninett.no
telephone:
address: 7465 Trondheim, Norway

10. Signature
This DHA has been drawn up in 2 (two) copies, of which the parties retain one copy each.

Place and date
For Controller (signature)
For Processor (signature)

Annex 1 - Specification of SAML attributes
For detailed description see the Feide attribute specification at https://www.feide.no/attributelist

Personal data transferred from Feide to NORDUnet Box IdP proxy service:
- mail
- displayname
- sn
- givenname
- edupersonprincipalname
- schachomeorganization
- edupersonscopedaffiliation
- edupersonaffiliation
- edupersonprimaryaffiliation

Personal data transferred from NORDUnet Box IdP proxy service to Box:
- mail
- displayname
- sn
- givenname
- edupersonprincipalname
- schachomeorganization