NemID Service Provider Agreement

 

The Agreement consists of two documents

Standard terms and conditions for receiving OCES certificates

General terms and conditions of sale for services from Nets DanID

 

 

Standard terms and conditions for receiving OCES certificates from Nets DanID

January 2018

 

1       OBJECTIVE AND SCOPE

Upon entering into this agreement and connecting to the Nets DanID infrastructure, the NemID service provider acquires the right to use Nets DanID's provision of services for identification and signing as specified in detail in this agreement. In order to be able to use Nets DanID's services within the infrastructure, the NemID service provider must enter into this NemID service provider agreement (the Agreement), irrespective of whether the NemID service provider is directly connected to the Nets DanID infrastructure or is redirected via an operations provider, public SSO service, trading partner or similar.

This Agreement covers receipt of OCES Certificates.

In addition to this Agreement, the General terms and conditions of sale in respect of services from Nets DanID A/S also apply.

 

2       THE SERVICES

 
2.1      Signature services

Nets DanID operates and maintains a certification centre that issues OCES certificates and enables checking of the validity of OCES certificates. The NemID service provider can thus use Nets DanID's CA system to validate a user's OCES certificate, including checking whether the certificate is valid (not expired or revoked).

Nets DanID has prepared and maintains a Certificate Practice Statement (CPS) which defines the level of security applicable to Nets DanID's services. The CPS can be found at www.certifikat.dk/repository.

Nets DanID issues and administers NemID – a security solution for logins and digital signing. A public digital signature with an OCES certificate can be linked to NemID.

 
2.2      The NemID service provider package

Nets DanID makes a NemID service provider package available so that the NemID service provider can connect to Nets DanID's services. The NemID service provider package contains descriptions of, and guidance on the use of, the Nets DanID infrastructure, e.g. checking the revocation list, LDAP look-ups, basic test functions, etc.

 
2.3      PID/RID

The NemID service provider has the option of establishing a user's identity by means of the PID/RID for CPR service offered by the Danish Agency for Digitisation. Access to the PID/RID service is contingent on the NemID service provider's entering into an agreement on provision of NemID services with appurtenant terms of use of the service. To order an agreement on provision of NemID services, please complete an online form on the Nets DanID website. Nets DanID administers the agreement on behalf of the Danish Agency for Digitisation.

 
2.4      Other services

If the NemID service provider wishes to purchase services other than those set out above, separate agreements must be entered into.

 

3       NETS DANID'S OBLIGATIONS DURING OPERATION

 

3.1      Nets DanID issues OCES certificates on the basis of:
  • OCES CPs from the Danish Agency for Digitisation
  • Nets DanID's CPS
  • a CA system providing access to database searches of Certificate owners
 
3.2      CP

Nets DanID fulfils the requirements set out in the relevant CP from time to time in effect, including continuous updating and publication of the revocation list at intervals of no more than 12 hours.

 
3.3      Accessibility

During normal operation, access to the revocation list is available 24/7.

As regards accessibility and Service Level (SLA), please refer to www.certifikat.dk/repository (in Danish). Changes in accessibility will be made known three months before they take effect and will be communicated to the NemID service provider's designated contact, cf. the online form on the Nets DanID website, nets.eu/tu-bestil (in Danish).

There will be no advance notice of temporary loss of access, e.g. inability to obtain information on certificate status, when this is caused by acute and unforeseen circumstances. Nets DanID will subsequently provide information on any such unforeseen disruptions via www.nemid.nu.

 
3.4      Notification of changes

Written notification will be given to the contact named in the online form on the Nets DanID website, nets.eu/tu-en-support, at least three months prior to implementation regarding any changes to be made to interfaces or technical specifications that are of significance to the NemID service provider's solution.

 

4       NEMID SERVICE PROVIDER'S OBLIGATIONS DURING OPERATION

The NemID service provider undertakes to operate its business in such a way as not to put Nets DanID in a bad light morally or ethically or to bring Nets DanID into disrepute.

 

4.1      As the Verifier, the NemID service provider must make sure that:
  • any Certificate received is valid, i.e. the period of validity shown on the Certificate has not expired
  • any Certificate received has not been revoked, i.e. is not included on Nets DanID's revocation list on the Nets DanID website. If the Certificate has not expired and has not been revoked, it may be utilised in accordance with any usage restrictions laid down in relation to the Certificate
  • the purpose for which the Certificate is to be used is appropriate in relation to the usage restrictions specified in the Certificate, e.g. certificates for young people aged between 15 and 18 which specify "Young person aged between 15 and 18 – cannot generally enter into binding agreements", as well as
  • use of the Certificate is in all other respects appropriate to the security level described in the relevant CP.

The NemID service provider must arrange its content service to facilitate compliance with the above obligations.

 

4.2      Validation of Certificates

The NemID service provider must validate certificates against the revocation list published by Nets DanID. The NemID service provider can choose one of the options made available by Nets DanID (OCSP or CRL look-up). The NemID service provider's application should be arranged in such a way that a Certificate received can be checked against a revocation list that is up to date after receipt of the signed data. If the NemID service provider's application so dictates, the NemID service provider must select the additional service "Online Certificate Status Protocol (OCSP)" instead of the standard set-up to perform a CRL look-up in order to check against the revocation list.

If the application does not undertake Certificate verification against a revocation list that is up to date after receipt of the signed data, the NemID service provider should check the revocation list manually on the Nets DanID website or opt to utilise the Certificate after undertaking a risk assessment of the commercial significance of the data.

The NemID service provider itself bears the risk of utilising a Certificate checked against a revocation list that was updated before receipt of the signed data.
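As an added example (not part of the Agreement or of Nets DanID's service provider package), the following Python models the Verifier checks of items 4.1 and 4.2 over constructed data: validity period, presence on the revocation list, the usage restriction for 15 to 18 year olds, and whether the revocation list was updated after receipt of the signed data. The `Certificate` and `RevocationList` classes are simplified stand-ins, not a real OCES certificate or CRL parser.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet


@dataclass(frozen=True)
class Certificate:
    """The OCES certificate fields the Verifier needs (constructed model)."""
    serial: str
    not_before: datetime
    not_after: datetime
    usage_restriction: str = ""  # free text, e.g. the 15-18 year-old restriction in 4.1


@dataclass(frozen=True)
class RevocationList:
    """Revocation data from a CRL download or an OCSP response (constructed model)."""
    this_update: datetime          # when the revocation information was published
    revoked_serials: FrozenSet[str]


def verify_certificate(cert, crl, received_at, minors_allowed=False):
    """Apply the 4.1 checks in order and return a status string.

    'stale_list' means every check passed but the revocation list predates
    receipt of the signed data, so under 4.2 the risk lies with the service
    provider: re-check against a fresher list, check manually, or accept
    only after a risk assessment of the data's commercial significance.
    """
    if not (cert.not_before <= received_at <= cert.not_after):
        return "reject:expired"
    if cert.serial in crl.revoked_serials:
        return "reject:revoked"
    if "Young person" in cert.usage_restriction and not minors_allowed:
        return "reject:usage_restriction"
    if crl.this_update < received_at:
        return "stale_list"
    return "accept"


# Constructed sample data: receipt time of the signed data, two revocation
# lists (one published after receipt, one before) and four certificates.
UTC = timezone.utc
RECEIVED = datetime(2018, 3, 1, 10, 0, tzinfo=UTC)
CRL_FRESH = RevocationList(RECEIVED + timedelta(hours=1), frozenset({"0x2a"}))
CRL_OLD = RevocationList(RECEIVED - timedelta(hours=6), frozenset({"0x2a"}))
VALID_FROM, VALID_TO = datetime(2017, 1, 1, tzinfo=UTC), datetime(2019, 1, 1, tzinfo=UTC)
CERT_OK = Certificate("0x17", VALID_FROM, VALID_TO)
CERT_REVOKED = Certificate("0x2a", VALID_FROM, VALID_TO)
CERT_EXPIRED = Certificate("0x18", datetime(2015, 1, 1, tzinfo=UTC), datetime(2017, 1, 1, tzinfo=UTC))
CERT_MINOR = Certificate("0x19", VALID_FROM, VALID_TO,
                         "Young person aged between 15 and 18 - cannot generally enter into binding agreements")

if __name__ == "__main__":
    for name, cert, crl in [("ok", CERT_OK, CRL_FRESH), ("ok/old list", CERT_OK, CRL_OLD),
                            ("revoked", CERT_REVOKED, CRL_OLD), ("expired", CERT_EXPIRED, CRL_FRESH),
                            ("minor", CERT_MINOR, CRL_FRESH)]:
        print(f"{name:12s} -> {verify_certificate(cert, crl, RECEIVED)}")
```

Each status is a hard reject except `stale_list`, which is the case item 4.2 leaves to the service provider's own judgement.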

 
4.3      Non-qualified certificate

OCES certificates are not "qualified Certificates", cf. the Danish Electronic Signatures Act, and should not be used in circumstances where qualified Certificates are required.

 
4.4      Documentation

The NemID service provider must itself store the documentation substantiating that a Certificate from Nets DanID has been used in a particular context. The NemID service provider is thus responsible for storing documentation containing the necessary information about transactions, e.g. logs showing transaction dates and times.

 
4.5      Marketing by the NemID service provider

The NemID service provider must follow Nets DanID's guidelines or instructions in its marketing or coverage of Nets DanID's Certificates and NemID. In its marketing, the NemID service provider is not permitted to create the impression that the NemID service provider's goods or services are being offered, sold or in any other way supported by Nets DanID.

 
4.6      Restrictions in the NemID service provider's use of Certificates

The NemID service provider provides an electronic service and in that connection receives Nets DanID Certificates in relation to user login and signing.

Certificates from Nets DanID may not be used to generate or sign Certificates for other parties or otherwise to form the basis of identification in relation to third parties.

The NemID service provider consents that, unless otherwise agreed, Nets DanID's services must not be passed on or used to forward the user on to a different service provider, whereby the latter could gain access to use the previous authentication undertaken using OCES Certificates and NemID. Any agreement permitting this kind of forwarding would require the other service provider to which the user is forwarded also to have entered into a NemID service provider agreement with Nets DanID, and for the transaction fee to be billed per user. "Other service provider" refers to a company, institution or organisation with a CVR number that is different from the CVR number to which this Agreement pertains.

Use of third-party services, e.g. "Software as a Service", "Business Process Outsourcing", embedded into the proprietary service, shall not be regarded as forwarding.

The NemID service provider may only use NemID for identification and electronic signing purposes. The NemID service provider is not permitted to support solutions, e.g. payment service solutions, that imply that the user, knowingly or unknowingly, circumvents the security of NemID, including asking the user to pass on his/her access code and code card/code token codes or in any other way to infringe the NemID rules for online banking services and public digital signatures with addenda.

 

5       FEES AND PAYMENT [This item does not apply to public authorities]

Nets DanID's prices and invoicing models for private companies are set out in Appendix 2. All prices are stated in Danish kroner and are exclusive of VAT.

 
5.1      Special measures for the receipt of Non-OTP based signatures

In connection with the receipt of non-OTP based OCES signatures, where the OpenSign applet or the NemID CodeFile client is used, including employee digital signatures as key files as well as hardware/crypto-token personal or employee digital signatures, the NemID service provider is obliged to submit a statement of receipt of these non-OTP based signatures. The statement is to be submitted quarterly, no later than ten working days after the start of a new quarter, to Nets DanID at faktura@nemid.nets.eu.

The statement must include:

  • the CVR number of the company
  • a statement of the number of unique users who have performed a login and/or signed using non-OTP based OCES signatures where the OpenSign applet or NemID CodeFile client was used in that period with the NemID service provider
  • a statement of the number of non-OTP based OCES sessions, i.e. the number of logins and signings where the OpenSign applet or the NemID CodeFile client was used in that period with the NemID service provider.
  
5.2      Statement documentation

In selecting an invoicing model, cf. Appendix 2, based on the NemID service provider's own statement of sessions and/or unique users, the NemID service provider is obliged, on request, to present documentation of the merchant settlement file. If Nets DanID has grounds to suspect that errors have been made in the NemID service provider's statement, Nets DanID may require an inspection of the NemID service provider's merchant settlement file, cf. item 5.3.

Initially, Nets DanID itself will review the NemID service provider's merchant settlement file and may ask the NemID service provider to provide supplementary documentation if Nets DanID deems this necessary.

 

5.3      External audit, etc.

If, after obtaining supplementary documentation, cf. item 5.2, Nets DanID deems it necessary, Nets DanID may demand that the merchant settlement file and supplementary documentation be reviewed and approved by an external auditor.

If the review of the NemID service provider's log and merchant settlement file documents that the NemID service provider has under-reported its consumption by more than 3% compared to actual consumption during the period, the review will be at the expense of the NemID service provider. The NemID service provider must settle any outstanding payment at the request of Nets DanID.

Nets DanID reserves the right to undertake a review of the NemID service provider's merchant settlement file going back as far as 2 years.

The NemID service provider may order detailed documentation of Nets DanID's merchant settlement file going back as far as 2 years and use this as a basis for correcting any errors.

 

6       BREACH ON THE PART OF NETS DANID

 

6.1      Nets DanID shall be deemed to be in material breach of this agreement in the following circumstances, for example:
  • failure to comply with OCES CP
  • failure to comply with existing legislation, including the Act on the Processing of Personal Data (lov om behandling af personoplysninger)
  • failure to comply with the duty of confidentiality
  • failure to update the register of deleted and revoked Certificates (revocation lists or OCSP) or failure to make this information available within the timeframe required by CP.

 

7       BREACH ON THE PART OF THE NEMID SERVICE PROVIDER

 

7.1      The NemID service provider shall be deemed to be in material breach of this agreement in the following circumstances, for example:
  • failure to comply with aspects of this Agreement that are covered by the OCES CP
  • failure to comply with prevailing legislation, including the Act on the Processing of Personal Data (lov om behandling af personoplysninger) and the Payment Services Act (lov om betalingstjenester)
  • failure to observe the duty of confidentiality
  • failure to pay the fee as set out in Appendix 2
  • fraud or disloyal use of NemID, Nets DanID's name or trade marks
  • unethical or immoral business conduct.

 

8       TERMINATION

Upon cessation of the Agreement – irrespective of the reason – Nets DanID revokes the NemID service provider's capability to receive Certificates. The user can still use the OTP unit and Certificate issued to him by Nets DanID for logging in and signing with other NemID service providers.

 

9       APPROVAL

When ordering "NemID service provider", cf. the online form on the Nets DanID website, nets.eu/tu-en-support, the provider agrees to be bound by the terms set out in this Agreement and in the General terms and conditions of sale in respect of services from Nets DanID A/S.

 

Appendix

1       APPENDIX 1 SERVICE LEVEL AGREEMENT (SLA) AND SUPPORT

The SLA from time to time in effect and available at www.certifikat.dk/repository (in Danish) is applicable to this Agreement. At the time of entering into the Agreement, the SLA for production systems relating to the operation of Nets DanID infrastructure applies to OCES digital signatures.

The standard support from time to time in effect and available at www.certifikat.dk/repository (in Danish) is applicable to this Agreement.

 

2       APPENDIX 2 PRICES AND INVOICING MODELS – PRIVATE COMPANIES

Private companies can choose from two invoicing models in connection with establishing a NemID service provider agreement. Under both invoicing models, invoicing is based on the user's use of his access code (employee digital signatures as key files as well as hardware/crypto-token personal or employee digital signatures) or his user ID, password and a one-time code from his code card/code token (personal or employee digital signatures with OTP) on the NemID service provider's website. Use of a user ID, password and one-time code counts towards the usage statement irrespective of whether the user gains access to the NemID service provider's service.

These invoicing models apply only to private companies. Public-sector companies do not have to choose an invoicing model as use of the solution is free pursuant to the agreement dated 21 August 2008 between the Danish Agency for Digitisation and Nets DanID.

 

2.1      Session payment

For each usage, login and/or signature using one or more of the NemID service provider's applications, DKK 1.04 is payable. The price is index-linked annually pursuant to the Nets DanID General terms and conditions of sale in respect of services from Nets DanID A/S.

Session charges are invoiced quarterly in arrears.

 

2.2      Annual payment per unique user

An annual amount of DKK 3.25 is charged per calendar year per unique user using Digital Signature or NemID in one or more of the NemID service provider's applications. There is no upper limit to the number of sessions per unique user under this invoicing model. The price is index-linked annually pursuant to the Nets DanID General terms and conditions of sale in respect of services from Nets DanID A/S.

Invoicing is per calendar year, annually in arrears.

 
2.3      Change of invoicing model

It is possible to switch from one invoicing model to another on giving three months' written notice to the 1st of a month. Nets DanID A/S will not credit excess payment if a change of invoicing model entitles a NemID service provider to a credit.

 

2.4      Choice of invoicing model

The NemID service provider selects one of the following invoicing models (mark with a cross):

Session payment:

Annual payment per unique user: 

 

2.5      Additional purchases of related services

In connection with establishing a solution with a NemID service provider for handling digital signatures, additional purchases of other services may be required. Any such agreement will be regulated in a separate agreement document.