Practices Statement

08.04.2020 | 08:34 CET

  1. Introduction
    1. The cloud software cidaas ID Validator (hereinafter “cidaas ID Validator” or “software”) is provided by
      Widas ID GmbH
      Maybachstraße 2
      D-71299 Wimsheim
      represented by the managing directors
      Sadrick Widmann and Yael Widmann
      Phone: +49 (0)7044 / 95103-100
      (hereinafter referred to as “Provider” or “Widas”).
      With cidaas ID Validator, Widas offers a cloud software solution for eIDAS-compliant digital onboarding (digital identification of the user).
    2. This Practice Statement describes the procedures and policies that Widas ID follows in operating cidaas ID Validator.
  2. Definitions
    1. This section lists the eIDAS legal basis on which cidaas ID Validator is developed. cidaas ID Validator handles the eIDAS-compliant identification of the customer.
    2. Official Gazette of the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway, Notices, Qualified electronic signature, Part A, Notices of the Federal Network Agency, Notice No. 208/2018, Order pursuant to Section 11 (1) VDG, 11/2018.
    3. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Council Directive 1999/93/EC.
    4. Law implementing Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Implementing Law).
    5. Ordinance on Trust Services (Trust Services Ordinance – VDV).
  3. cidaas ID Validator Practices
    1. This cidaas ID Validator Practice Statement is approved by Widas ID management, and its applicability is assured through regular internal and external audits.
    2. Widas ID may change this Practice Statement at any time by publishing the amended version on its website and notifying affected parties by e-mail. Widas ID will announce in advance the changes it intends to make to the Practice Statement. The updated Practice Statement shall indicate when the changes come into force.
    3. Before entering into a contractual relationship with Widas ID, all users receive the user terms and conditions in a clear and understandable form.
    4. cidaas ID Validator practices are based on the legal requirements listed above. This Practice Statement addresses in particular the “Official Gazette of the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway, Notices, Qualified Electronic Signature, Part A, Notices of the Federal Network Agency, Notice No. 208/2018, Order pursuant to Section 11 (1) VDG, 11/2018”.
    5. cidaas ID Validator performs the following steps to verify the identity of a living person online, with a level of security comparable to the Video-Ident process:
      • Registration of the customer
      • Seeking consent
      • Liveness detection of the customer
      • Verifying that this is a valid ID document
      • Verification that the ID document belongs to the identified person
      • Verification that the logged-in user is the validated person
    6. Widas ID acts as a processor within the meaning of Art. 28 GDPR. The client is then the controller within the meaning of Art. 4 No. 7 GDPR. Widas ID observes the principles of proper data processing and ensures the contractually agreed and legally required measures for information security, in particular compliance with the principles of Art. 5 (1) lit. f, Art. 25 and Art. 32 GDPR. All confidential and protected information disclosed to Widas ID while using cidaas ID Validator is considered confidential information. Confidential information does not include information that:
      • (I) enters the public domain through no fault of Widas ID;
      • (II) is transmitted to Widas ID by a third party without any obligation of confidentiality;
      • (III) was developed independently by Widas ID without reference to the confidential information of the disclosing party;
      • (IV) was lawfully in the possession of Widas ID prior to disclosure and was not received, directly or indirectly, from the disclosing party; or
      • (V) is required by law to be disclosed, provided that Widas ID has promptly notified the disclosing party in writing of any such requirement and has granted the disclosing party a reasonable period of time to object.
    7. Widas ID fulfils the general security requirements applicable to cidaas ID Validator as set out in ETSI EN 319 401. Adequate security mechanisms and principles for the physical, personnel and information assets involved in providing cidaas ID Validator are defined in dedicated security policies. Regular reviews ensure that these security policies remain in line with regulatory, organizational and product changes.
    8. Widas ID communicates its information security policy, and any changes to it, to all employees and external parties affected by it.
    9. All information exchanged during the verification of an identity is encrypted in transit and at rest.
    10. Widas ID is obliged to have an external audit of cidaas ID Validator performed by a conformity assessment body every 24 months. Its status is supervised by the Federal Network Agency. Internal control and monitoring activities are carried out regularly through automated and manual checks and tests.
    11. In accordance with paragraph 8, “Notification of suspected fraud”, of the “Official Gazette of the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway”, the user is obliged to report suspected fraud in the admin dashboard. cidaas ID Validator thereby enables a report to tsp-incidents@bnetza.de (see terms of use).
    12. The external service providers that host Widas systems are responsible for redundant power supply in their data centres, redundant Internet connections and continuous monitoring of critical performance parameters for smooth operation.
    13. Widas ID classifies its asset inventory and carries out its risk analysis on that basis, in accordance with ISO/IEC 27001. Media carrying sensitive data are stored securely and disposed of when no longer needed, using a thorough deletion process or secure destruction of the physical media.
    14. The responsible personnel at Widas ID have the experience and qualifications necessary to perform their duties. Staff are carefully selected, and regular training sessions and knowledge transfers on security and privacy are held.
      • Security Officer: Overall responsibility for security practices
      • System Administrator: Authorized persons who may perform configuration and installation on production environments.
      • System Auditor: Authorized to review the system audit logs.
    15. Access to information and data is controlled, verified and logged.
    16. Only authorized staff have access to the physical systems. Power and network supply are redundant to ensure high availability. All alarms in the data centre are forwarded to our alerting system, and the staff on stand-by duty are notified immediately in the event of a fault.
    17. Widas ID uses trustworthy systems and products that are protected against unauthorized modification and guarantee the technical security and reliability of the processes they support. To protect the Widas ID network and information systems against malicious code, appropriate mechanisms are implemented and regularly checked. Patch management practices are enforced so that vulnerabilities are fixed in a timely manner according to their severity. Operating systems and application software are subject to strict change control, including testing, risk assessment, fallback and approval procedures.
    18. Widas ID has a documented incident response plan and vulnerability monitoring and management processes to address incidents in a timely and coordinated manner and to limit the impact of security breaches. These procedures provide that the parties concerned are informed within 24 hours, in accordance with the applicable legal provisions, in the event of a breach of security or loss of integrity that has a significant impact on the service provided or on the personal data stored therein. The Data Protection Officer is involved in assessing the interests of the data subjects in the event of a possible security breach.
    19. Audit logs are regularly reviewed by Widas ID staff, and an alerting system identifies potential attacks.
    20. Widas ID’s Continuity and Disaster Recovery Plan defines the procedures implemented to ensure that, in the event of a disaster (including failure of critical components of Widas ID systems), operations can be restored as quickly as possible.
    21. In the event of a breach of security or a loss of integrity that has a significant impact on the Service, Widas ID will inform the subscribers, the trusted third parties and the competent public authorities immediately, and in any case within 24 hours of becoming aware of the incident.
    22. Widas ID servers are divided into zones, each with strictly defined security controls. All systems within a given zone are subject to the same security controls and communication between zones is restricted.
    23. A strict separation between development, test and production systems is maintained to reduce the risk of unauthorized access or changes in the production system.
    24. The configurations of intrusion detection systems (IDS) are defined and regularly checked. Logs are reviewed daily, and alerts are triggered and resolved in a timely manner.
    25. Network vulnerability scans and penetration tests are carried out regularly.
    26. Widas ID maintains records of the operation of cidaas ID Validator as evidence of the proper functioning of the service. These records are made available only to law enforcement authorities and to those entitled to access them, on legitimate request and only by court order.
    27. These records are kept confidential in redundant facilities to ensure their availability throughout the retention period.
    28. Full log backups are generated weekly, and logs are retained for a minimum of 5 years. The electronically archived records are stored on redundant servers that are subject to physical and logical access controls.
    29. As required by eIDAS, Widas ID maintains a termination plan that applies in the event that the service is discontinued.
  4. Other business and legal issues
    1. Widas ID has sufficient financial resources and, in accordance with applicable law, has taken out adequate liability insurance to cover liabilities arising from its operations and/or activities.
    2. Widas ID guarantees the execution of the enrolment process and the transmission/provision of the resulting data to the client. Widas ID is not liable for the suitability or authenticity of certificates issued under this Practice Statement.
    3. Widas ID makes no representation regarding the suitability of certificates issued under this Practice Statement for any purpose. Trusted third parties use these certificates at their own risk. Widas ID is not obliged to make any payment for costs incurred in connection with the malfunction or misuse of certificates issued under this Practice Statement.
    4. The contact point for support and complaint inquiries is regulated by contract.
    5. In the event of a dispute, the parties shall seek an agreement, taking into account the applicable laws, regulations and agreements.
    6. German law applies.
    7. Widas ID operates its business on a non-discriminatory basis in accordance with German law.