Compliance with the LS AAI conditions
You are obliged to ensure that You recognise and comply with the baseline LS AAI requirements on secure operations and processing of personal data stipulated in articles (a) - (c) below. Your Service’s utilization of the LS AAI may be restricted or discontinued if You fail to comply with the stipulated conditions.
(a) Basic stipulations:
The Service shall not be detrimental to the LS AAI nor to any of its Participants.
(b) Secure operations and incident response
You shall provide and maintain accurate contact information (administrative, technical, security).
You should follow IT security best practices including pro-actively applying updates and configuration changes related to security.
You should collect and retain system generated information (logs), including accurate timestamps and identifiers of system components and actors, for a recommended minimum period of 180 days to be used during the investigation of a security or operational incident.
You shall apply due diligence in maintaining the confidentiality of any data You hold where there is a reasonable expectation of privacy, including logs and data exchanged during investigations of security incidents.
You recognise the role and responsibilities of the LS AAI Security Contact (as defined at the end of the document).
You must report to the LS AAI Security Contact any security incident related to the Service.
You must assist the LS AAI in security incident response and share data relevant for the incident investigation with the LS AAI Security Contact.
You shall respond appropriately, and in a timely manner, on receipt of security notices from the LS AAI or any of its Participants.
(c) Processing of personal data
Once your service is connected, LS AAI will transfer to You the requested Personal Data of end users (Data Subjects) who wish to access Your service. After the transfer, You will be in the position of a Data Controller. If You are located in the EU/EEA, You must comply with Your obligations as the Data Controller under the GDPR (Regulation No. 2016/679) and relevant national legislation.
The categories of the Personal Data transferred are determined by the requirements of Your service and the defined purpose of the processing. By using the LS AAI, You confirm that as a receiving Data Controller You comply with the obligations set in the GDPR. In particular, that You:
process the transferred Personal Data lawfully, fairly and in a transparent manner in relation to the data subject;
process the transferred Personal Data only for administrative, operational, accounting, monitoring and security purposes that are necessary for the safe and reliable operation of LS AAI and Services;
process the transferred Personal Data accurately and where necessary, keep the transferred data up to date;
retain the transferred Personal Data only as long as necessary for the fulfilment of the above-mentioned purposes;
ensure appropriate security of the transferred Personal Data.
You declare that You adhere to the data protection principles as described in Policy for Processing Personal Data [PersonalData].
Compliance with applicable legislation
You are obliged to ensure that You hold all necessary licenses, permits and rights and that You comply with any and all applicable laws in connection with the use of LS AAI.
You are aware that all users of the LS AAI are subjected to the Acceptable Use Policy [AUP].
If You have a direct agreement with LS AAI Service Owner, that agreement shall take precedence over these Terms. In any other case, the provisions of these Terms shall take precedence.
Governing law and jurisdiction
These Terms and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the legislation of the Czech Republic. The courts of the Czech Republic will have exclusive jurisdiction over any such dispute or claim.
Recommendations towards increased level of security operations and incident response
The stipulations specified in Section (b) above represent the necessary subset of the wider requirements specified in the following documents:
Full Service Operations Security Policy [SecureOperations]
Detailed Incident response Procedures [IR]
We highly recommend reading and adopting these policies, including the adoption of the Sirtfi framework (which might require cooperation with your institution and its CSIRT; LS AAI may assist with the adoption).
Definition of terms used in this and referenced documents
- LS AAI Life Science Authentication and Authorisation Infrastructure, a service operated by the LS AAI Service Owner, which may use the brand LS Login towards Users.
- LS AAI Service Owner. The LS AAI data controller. Masaryk University for the duration of EOSC-Life project or its post-project successor.
- Service (also: Relying Service) A service that relies at least partly on the LS AAI for authenticating its users and managing their access rights.
- Service Provider (also: Relying Party) An entity responsible for the management, deployment, operation and security of a Service.
- User An individual authorised to access and use Services.
- Virtual Organisation A group of users, organised with a common purpose, and jointly granted access to one or more Services. It may act as the interface between individual Users and Services.
- Participant A Service Provider, the LS AAI service owner or a Virtual Organisation.
- LS AAI Security Contact A group or individual responsible for coordinating the operational security capabilities of the LS AAI. The Security Contact may, in consultation with the LS AAI Service Owner and other appropriate entities, require such actions by Participants as are deemed necessary to protect the LS AAI from, or contain the spread of, IT security incidents. The Security Contact is responsible for establishing and periodically testing a communications flow for use in security incidents.
- Data Controller, Data Subject, Personal Data are used as defined in the GDPR.
Version 27 January 2022
Based on AARC Policy development kit (CC BY-NC-SA 4.0)