Application for membership
Signatory of the application for membership Stoneridge Electronics AS, registration number 10508596, location Valdmäe 5, Tänassilma 76406 Harjumaa, who is represented by Per Lindberg, board member,
hereinafter referred to as the customer, agrees to the following:
RIA allows the customer to use the data exchange layer of information systems (hereinafter X-tee) on the basis of a subscription request in accordance with the subscription agreement and its annexes and the provisions of Regulation No. 105 "Data exchange layer of information systems" of the Government of the Republic of Estonia dated 23.09.2016.
The parts of the subscription agreement are: general terms of service (Appendix 1), data protection terms (Appendix 2) and service level terms (Appendix 3).
By signing the subscription application, the customer confirms that he has read the terms of the subscription agreement and undertakes to comply with them.
The subscription agreement is considered to have been concluded the moment the customer has signed the subscription request in the self-service environment. The membership agreement is valid indefinitely.
Stoneridge Electronics AS
Per Lindberg
Registration nr 10508596
Valdmäe 5, Tänassilma 76406 Harjumaa
/signed digitally by the client/
The general terms and conditions of use of the X-tee data exchange layer for information systems (Annex 1)
1 GENERAL PROVISIONS
1.1 The Information System Authority (hereinafter referred to as RIA) enables the use of the data exchange layer for information systems (hereinafter referred to as the X-tee) as an administrative duty established by the law, Regulation no. 105 of the Government of the Republic of 23 September 2016 ‘Data exchange layer for information systems’, and the statutes for secure data exchange that ensures evidential value.
1.2 State and local government authorities, legal persons, and other subjects of law established on the basis of the law can subscribe to X-tee.
1.3 RIA enables access to X-tee under the terms and conditions specified in Regulation no. 105 of the Government of the Republic of 23 September 2016 ‘Data exchange layer for information systems’ and in the subscription contract and the annexes thereto, including these general terms and conditions of using X-tee (hereinafter referred to as the general terms and conditions).
2 DEFINITIONS
Terms are used in the following meanings in the general terms and conditions:
Data exchange layer for information systems (X-tee): a technical infrastructure and environment between the members of X-tee which enables secure online data exchange that ensures evidential value
Client: an applicant for an X-tee membership or a member of X-tee
Member of X-tee: a state or local government authority, legal person, or another subject of law established on the basis of the law which has subscribed to X-tee
Data service: a service of a member of X-tee which involves online data exchange
Data service provider: a member of X-tee who provides a data service to other members
Data service user: a member of X-tee who uses a data service
Data service mediator: a member of X-tee who grants an external physical or legal person access to a data service through their information system
Data service end user: a natural person who uses a data service through the information system of a member of X-tee
Message: a formatted dataset which is exchanged between the data service provider and the user through X-tee
Subsystem: a technologically and organisationally defined part of the information system of a member of X-tee used for the provision or use of a data service
Access right: provision of access to using a data service in the X-tee software
Basic protocol of X-tee: a set of rules which ensure secure functioning of the data exchange through the computer network
Secure server: a software solution which follows the basic protocol of X-tee
Messaging protocol of X-tee: a part of the basic protocol of X-tee which enables processing of messages by the members of X-tee
Electronic seal: a set of electronic data which is compliant with the requirements for an advanced or qualified electronic seal established in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28 April 2014, pp. 73–114) (hereinafter referred to as Regulation (EU) No 910/2014 of the European Parliament and of the Council).
Inquiry log: a part of a secure server which is based on the basic protocol of X-tee and used to save the messages exchanged over X-tee which have been verified with an electronic seal, or the headers thereof
3 SUBSCRIPTION
3.1 In order to subscribe to the environments of X-tee, the client must disclose the data requested by RIA and sign the subscription contract and submit the contract with the data required for subscription to RIA. RIA may ask the client to provide further information, if necessary.
3.2 RIA may refuse to enter into the subscription contract and to accept the client as a member of X-tee, if:
3.2.1 the client does not have a unique identifier to which an electronic seal certificate compliant with the requirements published on the website of the centre could be issued;
3.2.2 the client has failed to submit the documents required for verifying the right of representation requested by the centre or the respective person does not have the right of representation for representing the client;
3.2.3 the data provided by the client is incorrect;
3.2.4 the client or their information system is not compliant with the requirements established in these general terms and conditions or in Regulation no. 105 of the Government of the Republic of 23 September 2016 ‘Data exchange layer for information systems’, or with the functioning principles of X-tee.
3.3 RIA will send the signed subscription contract to the client upon accepting the client as a member of X-tee.
3.4 The membership of X-tee will be activated immediately after entry into the subscription contract.
4 THE RIGHTS AND OBLIGATIONS OF THE PARTIES
4.1 A member of X-tee may:
4.1.1 use X-tee under the terms and conditions provided for in the legislation and in the subscription contract;
4.1.2 send messages to the help desk of RIA;
4.1.3 request provision of the service based on the service level criteria of X-tee environments;
4.1.4 get acquainted with the technical solution of X-tee;
4.2 A member of X-tee shall:
4.2.1 having subscribed to X-tee, ensure the continuity, administration, development, and secure and uninterrupted functioning of their information system;
4.2.2 implement the elements for ensuring secure and standardised data exchange: create a secure data exchange channel, ensure the integrity of the data exchange verified with the electronic seal, define the subsystem, harmonise the requirements for provision of the data service, determine the user of the data service through a data service user agreement and by granting access rights;
4.2.3 implement measures to ensure the integrity, confidentiality, and suitability for processing of data to alleviate the security risks and ensure independent auditing of the measures implemented at least once in every four years; a state or local government authority must ensure implementation of the security measures and independent auditing of the measures implemented pursuant to legislation;
4.2.4 fulfil any orders received from RIA;
4.2.5 notify RIA as soon as possible of any changes in their contact details;
4.2.6 notify RIA immediately of any issues related to using X-tee and of any circumstances which may have an impact on fulfilling the obligations of RIA or of the member of X-tee;
4.2.7 notify RIA immediately of a security incident which has had an impact on using X-tee or of an immediate threat thereof;
4.2.8 submit the information and security rules required for assessment of the security of the secure server, as well as the description of implementation of the security measures implemented, if requested by RIA;
4.2.9 grant RIA monitoring server access to the X-tee secure server, unless agreed otherwise by the parties;
4.2.10 use X-tee for the intended purpose and do everything in their power to avoid damaging the X-tee platform or other members of X-tee;
4.2.11 notify RIA 48 hours in advance of any scheduled changes which may be important from the perspective of using X-tee, including resulting in a significant increase in the volume of inquiries;
4.2.12 regularly read the mail sent to the e-mail address of their contact person by RIA;
4.2.13 compensate to RIA for any direct material damage caused wrongfully by a breach of the contract.
4.3 RIA may:
4.3.1 demand using of X-tee for its intended purposes and in compliance with the requirements specified in Regulation no. 105 of the Government of the Republic of 23 September 2016 ‘Data exchange layer for information systems’;
4.3.2 monitor the use of X-tee for statistical purposes and to ensure quality and security;
4.3.3 collect data service monitoring logs with the data which enable identification of the person who has made an inquiry in the name of the member of X-tee and retain the logs for three years after collection, after which the data will be anonymised;
4.3.4 compile and publish in a non-personal format data of using X-tee, except concerning a security authority or a structural unit of the Defence Forces performing an intelligence task of the Defence Forces;
4.3.5 restrict the rights of a member of X-tee in the cases specified in the subscription contract or in legislation;
4.3.6 suspend the access of the client’s secure server to the information required for using the data service if the client violates the terms and conditions established in Regulation no. 105 of the Government of the Republic of 23 September 2016 ‘Data exchange layer for information systems’, the subscription contract or the annexes thereto, or the procedure for mediation of a data service;
4.3.7 make comments concerning the use of X-tee for any purposes other than its intended purpose;
4.3.8 process cyber incidents;
4.3.9 suspend access to X-tee immediately if the operability or security of X-tee are put to risk.
4.4 RIA shall:
4.4.1 manage in X-tee environments the information of the members of X-tee, the secure servers registered in X-tee, and the subsystems subscribed to X-tee which ensure the availability of the information required for creating a secure X-tee data exchange channel and using the data services for the secure server of a member of X-tee;
4.4.2 organise the processing of applications concerning X-tee membership, the subsystem, and secure server;
4.4.3 develop the terms and conditions of subscribing to and using X-tee and publish the terms and conditions on the website of RIA;
4.4.4 ensure access to X-tee;
4.4.5 advise a member of X-tee in any issues concerning X-tee;
4.4.6 notify the contact person of a member of X-tee of any changes in the administration or use of X-tee, as well as of any known circumstances or maintenance works which prevent access to X-tee, taking into consideration the service level criteria;
4.4.7 ensure the availability of the standardised secure server software;
4.4.8 create an opportunity for using X-tee after signature of the subscription contract by RIA.
4.5 The parties must:
4.5.1 notify the other party as soon as possible of any circumstances which damage or may damage the other party’s information systems, as well as of any circumstances which may be required for the secure functioning or maintenance of the technical solutions and systems or for elimination of a failure;
4.5.2 in the event of finding a failure which has an impact on the other party, immediately commence the elimination of the failure and notify the other party of the failure and of the duration thereof.
5 THE SPECIFIC CONDITIONS APPLICABLE TO ENSURING SECURE AND STANDARDISED DATA EXCHANGE
5.1 Creating a secure data exchange channel
5.1.1 In order to enable creating a secure X-tee data exchange channel, a member of X-tee must install the secure server software in the information system and register at RIA the authentication certificate of the secure server which must be compliant with the requirements published on the website of RIA.
5.1.2 A member of X-tee may only use the secure server software which is compliant with the basic protocol of X-tee acknowledged by RIA.
5.1.3 In using the secure server, a member of X-tee must:
5.1.3.1 ensure the existence of the inquiry log of the messages exchanged over X-tee which have been verified with an electronic seal and, in the event of archiving the inquiry log, develop a procedure for archiving the inquiry log which includes the frequency of the archiving and the list of the information archived;
5.1.3.2 determine who and under which conditions will be granted access to the archived inquiry log of the secure server in the event of archiving of the inquiry log;
5.1.3.3 ensure, in the event of archiving, the same confidentiality requirements for processing the archived messages which are required for using the data service.
5.1.4 In using the secure server offered by RIA, a member of X-tee must observe the obligations specified in these general terms and conditions and:
5.1.4.1 use the secure server software based on the instructions published on the website of the centre;
5.1.4.2 update the secure server software no later than two months after a software update has been made available by the centre.
5.1.5 In the event of sharing the secure server to other members of X-tee, a member of X-tee must use an encrypted connection and double authentication for the connection of the secure server and a subsystem.
5.1.6 A member of X-tee may only host the secure server outside of the territory under the jurisdiction of the Republic of Estonia with RIA’s permission if the member of X-tee:
5.1.6.1 ensures the fulfilment of the obligations established in the subscription contract and in Regulation no. 105 of the Government of the Republic of 23 September 2016 ‘Data exchange layer for information systems’;
5.1.6.2 implements the measures which ensure the integrity, confidentiality, and suitability for processing of the data to alleviate the security risks and independent auditing of the measures implemented at least once in every two years.
5.2 Ensuring the integrity of the data exchange by using an electronic seal
5.2.1 The integrity of the data exchange and identification of the connection between the message exchanged over X-tee and a member of X-tee will be ensured by an electronic seal and the client must use the following trust services compliant with the requirements specified in Regulation (EU) No 910/2014 of the European Parliament and of the Council to create the seal in the secure server:
5.2.1.1 a certification service which is used to issue a certificate qualified by the electronic seal;
5.2.1.2 a certificate response service;
5.2.1.3 a time stamp service.
5.2.2 A member of X-tee may use the electronic seal certificate issued by RIA to create the electronic seal.
5.2.3 An electronic seal formed in X-tee is valid if the period between the response to the certificate used and the time stamp does not exceed eight hours.
5.2.4 A member of X-tee may not process the data exchanged over X-tee if the data cannot be verified with an electronic seal compliant with the requirements described in these standard terms and conditions.
5.3 Interfacing a subsystem with X-tee
5.3.1 In order to use or provide a service over X-tee, a member of X-tee must register the subsystem at RIA and submit an application to RIA for this purpose.
5.3.2 A subsystem can be registered in X-tee if:
5.3.2.1 a natural person responsible for the functioning of the subsystem has been appointed and if the contact details of the administrator of the secure server servicing the subsystem are made available;
5.3.2.2 measures are implemented with regard to the subsystem which ensure the integrity, confidentiality, and suitability for processing of the data to alleviate the security risks and independent auditing of the measures implemented at least once in every four years is ensured, unless prescribed otherwise in legislation.
5.3.3 After the registration of a subsystem, a member of X-tee must:
5.3.3.1 specify the positions which have the authority to use the subsystem and thereby the data services available to the subsystem and only permit access to the persons with the respective authority in their organisation;
5.3.3.2 ensure secure and uninterrupted functioning of the subsystem interfaced with X-tee and compliance with the data service user agreement between the members of X-tee.
5.3.4 RIA may reject an application for the registration of a subsystem or delete a registered subsystem from the register if any of the requirements specified in the general terms and conditions is not met.
5.4 The provision, use, and mediation of a data service
5.4.1 A data service must:
5.4.1.1 be compliant with the messaging protocol of X-tee established by RIA;
5.4.1.2 be documented with an up-to-date and relevant data service description which is compliant with the requirements of RIA and include information about the security measures required for using the data service, taking into consideration the composition of the data included in the data service and the nature of the data service.
5.4.2 The data service is provided based on the data service user agreement between the members of X-tee, which specifies:
5.4.2.1 the information security measures required for using the data service and the organisational, physical, and information technology-related security measures required from the subsystem of the user of the data service, taking into consideration the composition of the data processed and the requirements arising from legislation;
5.4.2.2 the permission for mediation of the data service to a third party;
5.4.2.3 the service level criteria.
5.4.3 In the provision of a data service, a member of X-tee must:
5.4.3.1 register the data service, including the technical description of the data service, in the secure server and keep the description of the data service in the secure server up to date;
5.4.3.2 ensure that the user of the data services implements sufficient measures for ensuring the integrity, confidentiality, and suitability for processing of the data to alleviate security risks;
5.4.3.3 ensure the compliance of X-tee information system access rights with the data service user agreement between the members of X-tee.
5.4.4 The data service can be used in the subsystem of a member of X-tee which has been granted access rights for using the specific data service.
5.4.5 A member of X-tee as a user and provider of a data service must:
5.4.5.1 observe the data service user agreement;
5.4.5.2 bind the messages received by the secure server with a time stamp;
5.4.5.3 ensure the authentication and authorisation of the end user participating in the provision or use of the data service through their information system.
5.4.6 A member of X-tee may only grant an external person access to the subsystem if:
5.4.6.1 the member of X-tee has drawn up and published a procedure for the mediation of the data service which includes the grounds for mediation of the data service, the procedure for authentication and authorisation of what is mediated by the subsystem using the data service, the procedure for archiving the log of authentication and authorisation of what is mediated by the subsystem using the data service and the period of retention of the log, as well as the procedure of archiving the X-tee inquiry log and for access to and the period of retention of the archive;
5.4.6.2 the member of X-tee has registered as a mediator of the data service in X-tee;
5.4.6.3 the permission to mediate the data service is included in the data service user agreement between the members of X-tee.
5.4.7 A member of X-tee as a mediator of a data service must:
5.4.7.1 observe the procedure for mediation of the data service established by them;
5.4.7.2 notify the centre and the provider of a data service whose data service the mediator has access rights to of any changes to the procedure for mediating the data service;
5.4.7.3 proceed pursuant to the rights and obligations of the parties defined in the data service user agreement between the members of X-tee and ensure the permissibility of mediation of the data service;
5.4.7.4 disclose the data of the participants mediated by the subsystem to the provider of the data service pursuant to the basic protocol of X-tee.
6 THE FORMAT OF NOTIFICATIONS
The parties will send all notifications electronically by e-mail or through the self-service environment of X-tee. Notification in the case of an incident is an exception, in which case notification over the phone may be used.
7 THE FEE AND SETTLING OF ACCOUNTS
7.1 Subscription to the service is free for the client.
7.2 A member of X-tee must cover their costs on development of their information system and interfacing and the cost of purchasing and maintenance of the components of their information system.
8 PROCESSING OF PUBLIC INFORMATION AND PERSONAL DATA
8.1 As RIA enables the use of X-tee as their administrative duty arising from the law and the Statutes, the information generated within the framework thereof is public information with access rights applied to the information on the grounds and pursuant to the procedure provided for in the law.
8.2 The composition of personal data processed within the service and the terms of data retention are provided in the data protection conditions.
8.3 The parties must maintain the confidentiality of any information which becomes known to them in the course of using X-tee which is subject to access restrictions and only process and disclose the information on the grounds and pursuant to the procedure provided for in the law.
8.4 The obligation to maintain confidentiality remains in force based on the period of validity of the access restrictions and irrespective of the validity or expiry of the contract.
8.5 The parties may only transfer the information which is subject to access restrictions to the employees who are directly connected to the service and ensure that these employees are aware of and will observe the confidentiality requirement.
8.6 The parties will implement appropriate technical and organisational measures to protect the information which is subject to access restrictions, including personal data, to ensure the confidentiality, integrity, and suitability for processing of the information.
8.7 The parties must notify one another immediately of any obstacles concerning the fulfilment of the confidentiality obligation which have arisen or may likely arise.
8.8 A breach of the confidentiality obligation will be treated as a material violation of the contract.
9 AMENDMENT OF THE TERMS AND CONDITIONS
9.1 RIA may unilaterally amend the terms and conditions of the subscription contract, including these general terms and conditions and other annexes to the subscription contract, if this is necessary due to any changes to the applicable legislation or customs, technical or substantial developments of the respective field or service, creating further or better opportunities for the clients for using the service, or a need to specify the circumstances related to the provision or use of the service. RIA must notify the client of amendment of the general terms and conditions at least 14 calendar days in advance.
9.2 If a member of X-tee does not consent to the amendments referred to in subsection 9.1, they may cancel their X-tee membership by submitting a respective application to RIA. The subscription contract will remain valid until the cancellation of the X-tee membership and the member of X-tee must fulfil their contractual obligations; thereat, the same terms and conditions will be applied to the member of X-tee in fulfilling these obligations.
9.3 If a member of X-tee does not express their intention to terminate their X-tee membership within 1 (one) month after entry into force of the amendments, they will be deemed to have accepted the amended terms and conditions.
10 LIABILITY
10.1 RIA will not be held liable for any circumstances out of RIA’s control which have an impact on the availability or quality of X-tee (incl. the functioning of X-tee inquiries in the extent in which they are the responsibility of a third party) or for any failures, delays in the transmission of information, or other cases which are out of RIA’s control.
10.2 RIA will not be held liable for destruction or loss of data which arises from the client’s action or inaction or for non-functioning of the service if the interruption was caused by the client’s action or inaction.
10.3 A party will not be held liable for non-performance of their obligations if it was caused by force majeure. The parties deem any circumstances which are out of the party’s control force majeure, including, but not limited to, a fire, explosion, natural disaster, war, strike, general power cut, thunder, and exceptional weather conditions.
10.4 A party whose activity in fulfilling their contractual obligations was prevented due to circumstances of force majeure must notify the other party thereof as soon as possible by using the means of communication which ensure the most operative information exchange possible.
10.5 Upon notification of a force majeure event, the parties will agree on how and to what extent they will continue to fulfil the contract in compliance with the national crisis management plan. This agreement will be formalised in writing as soon as possible.
11 TERMINATION OF THE AGREEMENT
11.1 The agreement is terminated on the grounds specified in the agreement, the general terms and conditions, and/or legislation.
11.2 A member of X-tee has the right to cancel their membership at any time by submitting a corresponding written application to RIA. If the deadline for termination of X-tee membership is not indicated in the application for cancellation of membership, the membership will be terminated on the working day following the receipt of the aforementioned application.
11.3 RIA has the right to terminate the membership of a member of X-tee by notifying the member by email 30 calendar days in advance if the member is not obliged by law to organise data exchange via X-tee.
11.4 RIA has the right to terminate the membership immediately if:
11.4.1 the client violates the terms and conditions established in Regulation no. 105 of the Government of the Republic of 23 September 2016 ‘Data exchange layer for information systems’, the subscription contract or the annexes thereto, or the procedure for the mediation of a data service, or endangers the availability or security of X-tee;
11.4.2 the client has provided incorrect or incomplete data;
11.4.3 the client violates the obligation specified in clauses 8.4, 8.6, 8.7, or 8.8 of the agreement.
11.5 The cancellation or termination of the agreement does not release the party from the obligation to perform the obligations to the other party during the term of the agreement.
The terms and conditions of data protection of X-tee data exchange layer for information systems (Annex 2)
This document explains which personal data and for which purposes are processed by the Estonian Information System Authority (hereinafter referred to as RIA) in the management of the data exchange layer for information systems (hereinafter referred to as X-tee). These terms and conditions of data protection are applicable to all environments of X-tee.
A data subject (hereinafter referred to as a user) is a natural person who is authorised to make inquiries in the environment of X-tee in the name of a member of X-tee or makes inquiries about their own data.
1 THE COMPOSITION OF THE DATA
1.1 RIA processes personal data within the framework of using X-tee to identify the person who has submitted an inquiry in the name of a member of X-tee.
1.2 RIA monitors the use of X-tee and collects statistical data about the use. The collection of statistical data requires the collection of the data of the monitoring log (operational monitoring) of the data service of the secure server of a member of X-tee. The log files collected by the centre only contain the header fields which include the data about which member of X-tee exchanged data over X-tee, at which point in time, and with which member of X-tee. The log files collected by the centre do not include the substance of the body of the inquiries or the responses sent over X-tee.
1.3 RIA is the controller of personal data regarding the collection of the data service monitoring log and the person who made the request on behalf of the member of X-tee.
1.4 The monitoring log of the data service of the secure server of a member of X-tee includes the following data about the user:
1.4.1 the data which identify the user:
1.4.2 the personal identification code of an authenticated and authorised user
1.4.3 the technical data:
1.4.3.1 the dates and times of sending the inquiry and receiving the response;
1.4.3.2 the names of the X-tee environment, the member of X-tee, and their subsystem and the code of the service used and the identifiers of the version;
1.4.3.3 the sizes of the inquiry and the response and the number of attachments;
1.4.3.4 other technical information about the inquiry which passed through the secure server.
1.5 The log does not include any information about which personal data and in which composition is contained in the messages exchanged over X-tee.
2 RETENTION OF THE DATA
2.1 The term: RIA retains the monitoring log in a format which includes the user’s personal data for 3 years after collection. After the 3-year period, the part which contains personal data (i.e. the personal identification code) is removed from the log and the logs are retained in a non-personal format permanently.
2.2 The purpose: RIA retains the monitoring log:
2.2.1 for detecting and investigating any abuse of the service, as well as cyber attacks;
2.2.2 for detecting and eliminating technical glitches; a technical glitch may be a hardware or software glitch, a network connection failure, etc.;
2.2.3 for determining the causes of the technical issues reported by the members of X-tee;
2.2.4 for processing the information received from the users (notifications about potential security issues or technical glitches).
3 DISCLOSURE OF THE DATA
3.1 Publication of the data: RIA publishes the statistical data about using X-tee on the website www.ria.ee. The statistical data of the use is published as open data in a generalised and non-personal form.
3.2 Access to the logs: access to the logs is organised strictly based on the access rights. The access rights are granted only to the system and service administrators who are directly involved with operating the service. In justified cases, access is granted to the public servants who process cyber incidents.
3.3 Disclosure of the data on the basis of the law: the data may also be disclosed if this is required by the law (e.g. to a law enforcement authority in a criminal procedure or to the data subject based on their request).
The service level criteria of the X-tee data exchange layer for information systems (Annex 3)
1. Availability of the service
Name of the Service: The X-tee data exchange layer for information systems
Owner of the service: The Head of the State Data Exchange Department
Validity of the requirements: From approval of the directive to the amendment or cancellation of the directive.
Brief description of the service: A data exchange platform of information systems through which the users of the environment can provide to each other and/or use agreed online services. The environment of online services is an internet-based solution in which a special X-Road technology is used for mutual communication.
Notifications of the service: RIA will notify the clients as soon as possible of any known interruptions of the service or circumstances which prevent using the service by e-mail or telephone.
Scheduled maintenance works: Scheduled maintenance of the infrastructure of the production environment of RIA takes place on the third Thursday of every month from 6 p.m. to 1 a.m. The users of the service will be notified of any interruptions of the production environment of RIA during the working time of the services and of any larger-scale maintenance works by e-mail at least 2 working days in advance.
The information system logs: The information system logs are retained for one year, except the monitoring logs, which are retained for three years after collection thereof, after which they are anonymised.
1.1. Working time: Mon.–Thu. 8.15 a.m. – 5 p.m., Fri. 8.15 a.m. – 3.45 p.m.
The working time is the agreed period of time for the duration of which the availability of the IT service must be guaranteed to the client and the IT service help desk service is provided (advice on using, finding solutions to unscheduled interruptions, etc.).
1.2. The maximum permitted number of simultaneous inquiries: 50 global configuration inquiries per minute
2. An unscheduled interruption under normal circumstances
Only the unscheduled interruptions which occur during the working time of the service are considered unscheduled interruptions. A situation in which the work of a few users is interrupted but the service is available at the authority (within the same building) is not an unscheduled interruption. Under regular circumstances, the duration of an unscheduled interruption is calculated in working hours.
2.1. The maximum duration of an unscheduled interruption: 12 h
The maximum permitted period of time in the course of which the functioning of the service must be restored. The service is recovered during working hours.
2.2. The maximum permitted duration of unscheduled interruptions per year: 24 h
3. An unscheduled interruption in the situation of a catastrophe
The level of criticality means the maximum period of time in which the service is recovered and the priority, i.e. the order in which the services are recovered in a situation of a catastrophe (e.g. water or fire damage of the server rooms or another unexpected emergency situation). Based on the recovery times, the parts of an information system are divided into classes of criticality as follows:
I – recovery time 72 h;
II – recovery time 168 h;
III – recovery time undetermined.
3.1. Criticality class: I
4. Scheduled interruption
A scheduled interruption is a period of time agreed on in advance for the duration of which the service is unavailable. Only the scheduled interruptions which occur during the working time of the service are considered scheduled interruptions. Scheduled interruptions are used for maintenance, testing, or improvement. The duration of the scheduled interruptions is calculated in working hours (except the time of advance notice of the interruption).
4.1. The time of advance notice of a scheduled interruption: 48 h
4.2. The maximum duration of a scheduled interruption: 8 h
4.3. The maximum permitted duration of scheduled interruptions per year: 24 h
4.4. The maximum permitted number of scheduled interruptions per month: 2
5. Data loss and back-up
5.1. The maximum amount of data which may be lost in the course of recovering the service, i.e. the service recovery point class: 24 h
The service recovery point class determines the maximum amount of data which may be lost in the course of recovery of the service. The recovery point class is determined as a period of time before the failure. For example, the recovery point class of 24 hours is achieved by a daily backup, in which case the maximum data loss is the data of 24 hours.
6. Response times
6.1. Functionality | Normal reference | Maximum reference
6.2. The response time of a global configuration inquiry (90% of the inquiries must fit in the maximum reference) | 5s | 30s