| Dokumendiregister | Riigi Infosüsteemi Amet |
| Viit | 4.1-1/24/242-1 |
| Registreeritud | 16.12.2024 |
| Sünkroonitud | 17.12.2024 |
| Liik | Leping |
| Funktsioon | 4.1 Andmevahetuskihi x-tee töö korraldamine |
| Sari | 4.1-1 Koostöökokkulepped liitumiseks andmevahetuskihiga X-tee |
| Toimik | 4.1-1/2024 |
| Juurdepääsupiirang | Avalik |
| Juurdepääsupiirang | |
| Adressaat | |
| Saabumis/saatmisviis | |
| Vastutaja | Martin Grünberg (RIA, AVO) |
| Originaal | Ava uues aknas |
1
Application for membership
Signatory of the application for membership Battlecat Gaming Ltd., registry code NTRMT- C109730, address 170, Peter House, Level 1, Suite A318, Triq Salvu Psaila, Birkirkara, BKR
9077, Malta, who is represented by (a person entitled to represent, e.g., based on the articles
of association, the general manager or a member of the company's board or another person
based on a power of attorney) AKVILĖ SVIDRAITĖ,
hereinafter referred to as the customer, agrees to the following:
RIA allows the customer to use the data exchange layer of information systems (hereinafter
X-tee) on the basis of a subscription request in accordance with the subscription agreement
and its annexes and the provisions of Regulation No. 105 "Data exchange layer of information
systems" of the Government of the Republic of Estonia dated 23.09.2016.
The parts of the subscription agreement are: general terms of service (Appendix 1), data
protection terms (Appendix 2) and service level terms (Appendix 3).
By signing the subscription application, the customer confirms that he has read the terms of
the subscription agreement and undertakes to comply with them.
The subscription agreement is considered to have been concluded the moment the customer
has signed the subscription request in the self-service environment. The membership
agreement is valid indefinitely.
Battlecat Gaming Ltd
AKVILĖ SVIDRAITĖ
NTRMT- C109730
170, Peter House
9077 Malta
/signed digitally by the client/
2
The general terms and conditions of use of the X-tee data exchange layer for
information systems (Annex 1)
1 GENERAL PROVISIONS
1.1 The Information System Authority (hereinafter referred to as RIA) enables the use of the
data exchange layer for information systems (hereinafter referred to as the X-tee) as an
administrative duty established by the law, Regulation no. 105 of the Government of the
Republic of 23 September 2016 ‘Data exchange layer for information systems’, and the
statutes for secure data exchange that ensures evidential value.
1.2 State and local government authorities, legal persons, and other subjects of law established
on the basis of the law can subscribe to X-tee.
1.3 RIA enables access to X-tee under the terms and conditions specified in Regulation no. 105
of the Government of the Republic of 23 September 2016 ‘Data exchange layer for
information systems’ and in the subscription contract and the annexes thereto, including
these general terms and conditions of using X-tee (hereinafter referred to as the general
terms and conditions).
2 DEFINITIONS
Terms are used in the following meanings in the general terms and conditions:
Data exchange layer for
information systems (X-tee)
a technical infrastructure and environment between the
members of X-tee which enables secure online data exchange
that ensures evidential value
Client an applicant for an X-tee membership or a member of X-tee
Member of X-tee a state or local government authority, legal person, or another
subject of law established on the basis of the law which has
subscribed to X-tee
Data service a service of a member of X-tee which involves online data
exchange
Data service provider a member of X-tee who provides a data service to other
members
Data service user a member of X-tee who uses a data service
Data service mediator a member of X-tee who grants an external physical or legal
person access to a data service through their information system
Data service end user a natural person who uses a data service through the
information system of a member of X-tee
Message a formatted dataset which is exchanged between the data
service provider and the user through X-tee
Subsystem a technologically and organisationally defined part of the
information system of a member of X-tee used for the provision
3
or use of a data service
Access right provision of access to using a data service in the X-tee software
Basic protocol of X-tee a set of rules which ensure secure functioning of the data
exchange through the computer network
Secure server a software solution which follows the basic protocol of X-tee
Messaging protocol of X-tee a part of the basic protocol of X-tee which enables processing
of messages by the members of X-tee
Electronic seal a set of electronic data which is compliant with the
requirements for an advanced or qualified electronic seal
established in Regulation (EU) No 910/2014 of the European
Parliament and of the Council of 23 July 2014 on electronic
identification and trust services for electronic transactions in
the internal market and repealing Directive 1999/93/EC (OJ L
257, 28. April 2014, pp. 73–114) (hereinafter referred to as
Regulation (EU) No 910/2014 of the European Parliament and
of the Council).
Inquiry log a part of a secure server which is based on the basic protocol of
X-tee and used to save the messages exchanged over X-tee
which have been verified with an electronic seal, or the headers
thereof
3 SUBSCRIPTION
3.1 In order to subscribe to the environments of X-tee, the client must disclose the data
requested by RIA and sign the subscription contract and submit the contract with the data
required for subscription to RIA. RIA may ask the client to provide further information, if
necessary.
3.2 RIA may refuse to enter into the subscription contract and to accept the client as a member
of X-tee, if:
3.2.1 the client does not have a unique identifier to which an electronic seal certificate
compliant with the requirements published on the website of the centre could be issued;
3.2.2 the client has failed to submit the documents required for verifying the right of
representation requested by the centre or the respective person does not have the right
of representation for representing the client;
3.2.3 the data provided by the client is incorrect;
3.2.4 the client or their information system is not compliant with the requirements established
in these general terms and conditions or in Regulation no. 105 of the Government of the
Republic of 23 September 2016 ‘Data exchange layer for information systems’, or with
the functioning principles of X-tee.
3.3 RIA will send the signed subscription contract to the client upon accepting the client as a
member of X-tee.
3.4 The membership of X-tee will be activated immediately after entry into the subscription
contract.
4
4 THE RIGHTS AND OBLIGATIONS OF THE PARTIES
4.1 A member of X-tee may:
4.1.1 use X-tee under the terms and conditions provided for in the legislation and in the
subscription contract;
4.1.2 send messages to the help desk of RIA;
4.1.3 request provision of the service based on the service level criteria of X-tee
environments;
4.1.4 get acquainted with the technical solution of X-tee;
4.2 A member of X-tee shall:
4.2.1 having subscribed to X-tee, ensure the continuity, administration, development, and
secure and uninterrupted functioning of their information system;
4.2.2 implement the elements for ensuring secure and standardised data exchange: create a
secure data exchange channel, ensure the integrity of the data exchange verified with
the electronic seal, define the subsystem, harmonise the requirements for provision of
the data service, determine the user of the data service through a data service user
agreement and by granting access rights;
4.2.3 implement measures to ensure the integrity, confidentiality, and suitability for
processing of data to alleviate the security risks and ensure independent auditing of the
measures implemented at least once in every four years; a state or local government
authority must ensure implementation of the security measures and independent
auditing of the measures implemented pursuant to legislation;
4.2.4 fulfil any orders received from RIA;
4.2.5 notify RIA as soon as possible of any changes in their contact details;
4.2.6 notify RIA immediately of any issues related to using X-tee and of any circumstances
which may have an impact on fulfilling the obligations of RIA or of the member of X-
tee;
4.2.7 notify RIA immediately of a security incident which has had an impact on using X-tee
or of an immediate threat thereof;
4.2.8 submit the information and security rules required for assessment of the security of the
secure server, as well as the description of implementation of the security measures
implemented, if requested by RIA;
4.2.9 grant RIA monitoring server access to the X-tee secure server, unless agreed otherwise
by the parties;
4.2.10 use X-tee for the intended purpose and do everything in their power to avoid damaging
the X-tee platform or other members of X-tee;
4.2.11 notify RIA 48 hours in advance of any scheduled changes which may be important from
the perspective of using X-tee, including resulting in a significant increase in the volume
of inquiries;
4.2.12 regularly read the mail sent to the e-mail address of their contact person by RIA;
4.2.13 compensate to RIA for any direct material damage caused wrongfully by a breach of
the contract.
4.3 RIA may:
4.3.1 demand using of X-tee for its intended purposes and in compliance with the
requirements specified in Regulation no. 105 of the Government of the Republic of 23
September 2016 ‘Data exchange layer for information systems’;
4.3.2 monitor the use of X-tee for statistical purposes and to ensure quality and security;
5
4.3.3 collect data service monitoring logs with the data which enable identification of the
person who has made an inquiry in the name of the member of X-tee and retain the logs
for three years after collection, after which the data will be anonymised;
4.3.4 compile and publish in a non-personal format data of using X-tee, except concerning a
security authority or a structural unit of the Defence Forces performing an intelligence
task of the Defence Forces;
4.3.5 restrict the rights of a member of X-tee in the cases specified in the subscription contract
or in legislation;
4.3.6 suspend the access of the client’s secure server to the information required for using the
data service if the client violates the terms and conditions established in Regulation no.
105 of the Government of the Republic of 23 September 2016 ‘Data exchange layer for
information systems’, the subscription contract or the annexes thereto, or the procedure
for mediation of a data service;
4.3.7 make comments concerning the use of X-tee for any purposes other than its intended
purpose;
4.3.8 process cyber incidents;
4.3.9 suspend access to X-tee immediately if the operability or security of X-tee are put to
risk.
4.4 RIA shall:
4.4.1 manage in X-tee environments the information of the members of X-tee, the secure
servers registered in X-tee, and the subsystems subscribed to X-tee which ensure the
availability of the information required for creating a secure X-tee data exchange
channel and using the data services for the secure server of a member of X-tee;
4.4.2 organise the processing of applications concerning X-tee membership, the subsystem,
and secure server;
4.4.3 develop the terms and conditions of subscribing to and using X-tee and publish the terms
and conditions on the website of RIA;
4.4.4 ensure access to X-tee;
4.4.5 advise a member of X-tee in any issues concerning X-tee;
4.4.6 notify the contact person of a member of X-tee of any changes in the administration or
use of X-tee, as well as of any known circumstances or maintenance works which
prevent access to X-tee, taking into consideration the service level criteria;
4.4.7 ensure the availability of the standardised secure server software;
4.4.8 create an opportunity for using X-tee after signature of the subscription contract by RIA.
4.5 The parties must:
4.5.1 notify the other party as soon as possible of any circumstances which damage or may
damage the other party’s information systems, as well as of any circumstances which
may be required for the secure functioning or maintenance of the technical solutions
and systems or for elimination of a failure;
4.5.2 in the event of finding a failure which has an impact on the other party, immediately
commence the elimination of the failure and notify the other party of the failure and of
the duration thereof.
5 THE SPECIFIC CONDITIONS APPLICABLE TO ENSURING SECURE AND
STANDARDISED DATA EXCHANGE
5.1 Creating a secure data exchange channel
6
5.1.1 In order to enable creating a secure X-tee data exchange channel, a member of X-tee
must install the secure server software in the information system and register at RIA the
authentication certificate of the secure server which must be compliant with the
requirements published on the website of RIA.
5.1.2 A member of X-tee may only use the secure server software which is compliant with
the basic protocol of X-tee acknowledged by RIA.
5.1.3 In using the secure server, a member of X-tee must:
5.1.3.1 ensure the existence of the inquiry log of the messages exchanged over X-tee which
have been verified with an electronic seal and, in the event of archiving the inquiry log,
develop a procedure for archiving the inquiry log which includes the frequency of the
archiving and the list of the information archived;
5.1.3.2 determine who and under which conditions will be granted access to the archived
inquiry log of the secure server in the event of archiving of the inquiry log;
5.1.3.3 ensure, in the event of archiving, the same confidentiality requirements for processing
the archived messages which are required for using the data service.
5.1.4 In using the secure server offered by RIA, a member of X-tee must observe the
obligations specified in these general terms and conditions and:
5.1.4.1 use the secure server software based on the instructions published on the website of the
centre;
5.1.4.2 update the secure server software no later than two months after a software update has
been made available by the centre.
5.1.5 In the event of sharing the secure server to other members of X-tee, a member of X-tee
must use an encrypted connection and double authentication for the connection of the
secure server and a subsystem.
5.1.6 A member of X-tee may only host the secure server outside of the territory under the
jurisdiction of the Republic of Estonia with RIA’s permission if the member of X-tee:
5.1.6.1 ensures the fulfilment of the obligations established in the subscription contract and in
Regulation no. 105 of the Government of the Republic of 23 September 2016 ‘Data
exchange layer for information systems’;
5.1.6.2 implements the measures which ensure the integrity, confidentiality, and suitability for
processing of the data to alleviate the security risks and independent auditing of the
measures implemented at least once in every two years.
5.2 Ensuring the integrity of the data exchange by using an electronic seal
5.2.1 The integrity of the data exchange and identification of the connection between the
message exchanged over X-tee and a member of X-tee will be ensured by an electronic
seal and the client must use the following trust services compliant with the requirements
specified in Regulation (EU) No 910/2014 of the European Parliament and of the
Council to create the seal in the secure server:
5.2.1.1 a certification service which is used to issue a certificate qualified by the electronic seal;
5.2.1.2 a certificate response service;
5.2.1.3 a time stamp service.
5.2.2 A member of X-tee may use the electronic seal certificate issued by RIA to create the
electronic seal.
5.2.3 An electronic seal formed in X-tee is valid if the period between the response to the
certificate used and the time stamp does not exceed eight hours.
5.2.4 A member of X-tee may not process the data exchanged over X-tee if the data cannot
be verified with an electronic seal compliant with the requirements described in these
standard terms and conditions.
5.3 Interfacing a subsystem with X-tee
7
5.3.1 In order to use or provide a service over X-tee, a member of X-tee must register the
subsystem at RIA and submit an application to RIA for this purpose.
5.3.2 A subsystem can be registered in X-tee if:
5.3.2.1 a natural person responsible for the functioning of the subsystem has been appointed
and if the contact details of the administrator of the secure server servicing the
subsystem are made available;
5.3.2.2 measures are implemented with regard to the subsystem which ensure the integrity,
confidentiality, and suitability for processing of the data to alleviate the security risks
and independent auditing of the measures implemented at least once in every four years
is ensured, unless prescribed otherwise in legislation.
5.3.3 After the registration of a subsystem, a member of X-tee must:
5.3.3.1 specify the positions which have the authority to use the subsystem and thereby the data
services available to the subsystem and only permit access to the persons with the
respective authority in their organisation;
5.3.3.2 ensure secure and uninterrupted functioning of the subsystem interfaced with X-tee and
compliance with the data service user agreement between the members of X-tee.
5.3.4 RIA may reject an application for the registration of a subsystem or delete a registered
subsystem from the register if any of the requirements specified in the general terms and
conditions is not met.
5.4 The provision, use, and mediation of a data service
5.4.1 A data service must:
5.4.1.1 be compliant with the messaging protocol of X-tee established by RIA;
5.4.1.2 be documented with an up-to-date and relevant data service description which is
compliant with the requirements of RIA and include information about the security
measures required for using the data service, taking into consideration the composition
of the data included in the data service and the nature of the data service.
5.4.2 The data service is provided based on the data service user agreement between the
members of X-tee, which specifies:
5.4.2.1 the information security measures required for using the data service and the
organisational, physical, and information technology-related security measures required
from the subsystem of the user of the data service, taking into consideration the
composition of the data processed and the requirements arising from legislation;
5.4.2.2 the permission for mediation of the data service to a third party;
5.4.2.3 the service level criteria.
5.4.3 In the provision of a data service, a member of X-tee must:
5.4.3.1 register the data service, including the technical description of the data service, in the
secure server and keep the description of the data service in the secure server up to date;
5.4.3.2 ensure that the user of the data services implements sufficient measures for ensuring the
integrity, confidentiality, and suitability for processing of the data to alleviate security
risks;
5.4.3.3 ensure the compliance of X-tee information system access rights with the data service
user agreement between the members of X-tee.
5.4.4 The data service can be used in the subsystem of a member of X-tee which has been
granted access rights for using the specific data service.
5.4.5 A member of X-tee as a user and provider of a data service must:
5.4.5.1 observe the data service user agreement;
5.4.5.2 bind the messages received by the secure server with a time stamp;
5.4.5.3 ensure the authentication and authorisation of the end user participating in the provision
or use of the data service through their information system.
5.4.6 A member of X-tee may only grant an external person access to the subsystem if:
8
5.4.6.1 the member of X-tee has drawn up and published a procedure for the mediation of the
data service which includes the grounds for mediation of the data service, the procedure
for authentication and authorisation of what is mediated by the subsystem using the data
service, the procedure for archiving the log of authentication and authorisation of what
is mediated by the subsystem using the data service and the period of retention of the
log, as well as the procedure of archiving the X-tee inquiry log and for access to and the
period of retention of the archive;
5.4.6.2 the member of X-tee has registered as a mediator of the data service in X-tee;
5.4.6.3 the permission to mediate the data service is included in the data service user agreement
between the members of X-tee.
5.4.7 A member of X-tee as a mediator of a data service must:
5.4.7.1 observe the procedure for mediation of the data service established by them;
5.4.7.2 notify the centre and the provider of a data service whose data service the mediator has
access rights to of any changes to the procedure for mediating the data service;
5.4.7.3 proceed pursuant to the rights and obligations of the parties defined in the data service
user agreement between the members of X-tee and ensure the permissibility of
mediation of the data service;
5.4.7.4 disclose the data of the participants mediated by the subsystem to the provider of the
data service pursuant to the basic protocol of X-tee.
6 THE FORMAT OF NOTIFICATIONS
The parties will send all notifications electronically by e-mail or through the self-service
environment of X-tee. Notification in the case of an incident is an exception, in which case
notification over the phone may be used.
7 THE FEE AND SETTLING OF ACCOUNTS
7.1 Subscription to the service is free for the client.
7.2 A member of X-tee must cover their costs on development of their information system
and interfacing and the cost of purchasing and maintenance of the components of their
information system.
8 PROCESSING OF PUBLIC INFORMATION AND PERSONAL DATA
8.1 As RIA enables the use of X-tee as their administrative duty arising from the law and the
Statutes, the information generated within the framework thereof is public information with
access rights applied to the information on the grounds and pursuant to the procedure
provided for in the law.
8.2 The composition of personal data processed within the service and the terms of data
retention are provided in the data protection conditions.
8.3 The parties must maintain the confidentiality of any information which becomes known to
them in the course of using X-tee which is subject to access restrictions and only process
and disclose the information on the grounds and pursuant to the procedure provided for in
the law.
8.4 The obligation to maintain confidentiality remains in force based on the period of validity
of the access restrictions and irrespective of the validity or expiry of the contract.
8.5 The parties may only transfer the information which is subject to access restrictions to the
employees who are directly connected to the service and ensure that these employees are
aware of and will observe the confidentiality requirement.
8.6 The parties will implement appropriate technical and organisational measures to protect
the information which is subject to access restrictions, including personal data, to ensure
the confidentiality, integrity, and suitability for processing of the information.
8.7 The parties must notify one another immediately of any obstacles concerning the fulfilment
of the confidentiality obligation which have arisen or may likely arise.
9
8.8 A breach of the confidentiality obligation will be treated as a material violation of the
contract.
9 AMENDMENT OF THE TERMS AND CONDITIONS
9.1 RIA may unilaterally amend the terms and conditions of the subscription contract,
including these general terms and conditions and other annexes to the subscription contract,
if this is necessary due to any changes to the applicable legislation or customs, technical or
substantial developments of the respective field or service, creating further or better
opportunities for the clients for using the service, or a need to specify the circumstances
related to the provision or use of the service. RIA must notify the client of amendment of
the general terms and conditions at least 14 calendar days in advance.
9.2 If a member of X-tee does not consent to the amendments referred to in subsection 9.1,
they may cancel their X-tee membership by submitting a respective application to RIA.
The subscription contract will remain valid until the cancellation of the X-tee membership
and the member of X-tee must fulfil their contractual obligations; thereat, the same terms
and conditions will be applied to the member of X-tee in fulfilling these obligations.
9.3 If a member of X-tee does not express their intention to terminate their X-tee membership
within 1 (one) month after entry into force of the amendments, they will be deemed to have
accepted the amended terms and conditions.
10 LIABILITY
10.1 RIA will not be held liable for any circumstances out of RIA’s control which have an
impact on the availability or quality of X-tee (incl. the functioning of X-tee inquiries in the
extent in which they are the responsibility of a third party) or for any failures, delays in the
transmission of information, or other cases which are out of RIA’s control.
10.2 RIA will not be held liable for destruction or loss of data which arises from the client’s
action or inaction or for non-functioning of the service if the interruption was caused by
the client’s action or inaction.
10.3 A party will not be held liable for non-performance of their obligations if it was caused by
force majeure. The parties deem any circumstances which are out of the party’s control
force majeure, including, but not limited to, a fire, explosion, natural disaster, war, strike,
general power cut, thunder, and exceptional weather conditions.
10.4 A party whose activity in fulfilling their contractual obligations was prevented due to
circumstances of force majeure must notify the other party thereof as soon as possible by
using the means of communication which ensure the most operative information exchange
possible.
10.5 Upon notification of a force majeure event, the parties will agree on how and to what
extent they will continue to fulfil the contract in compliance with the national crisis
management plan. This agreement will be formalised in writing as soon as possible.
11 TERMINATION OF THE AGREEMENT
11.1 The agreement is terminated on the grounds specified in the agreement, the general terms
and conditions, and/or legislation.
11.2 A member of X-tee has the right to cancel their membership at any time by submitting a
corresponding written application to RIA. If the deadline for termination of X-tee
membership is not indicated in the application for cancellation of membership, the
membership will be terminated on the working day following the receipt of the
aforementioned application.
11.3 RIA has the right to terminate the membership of a member of X-tee by notifying the
member by email 30 calendar days in advance if the member is not obliged by law to
organise data exchange via X-tee.
10
11.4 RIA has the right to terminate the membership immediately if:
11.4.1 the client violates the terms and conditions established in Regulation no. 105 of the
Government of the Republic of 23 September 2016 ‘Data exchange layer for information
systems’, the subscription contract or the annexes thereto, or the procedure for the
mediation of a data service, or endangers the availability or security of X-tee;
11.4.2 the client has provided incorrect or incomplete data;
11.4.3 the client violates the obligation specified in clauses 8.4, 8.6, 8.7, or 8.8 of the agreement.
11.5 The cancellation or termination of the agreement does not release the party from the
obligation to perform the obligations to the other party during the term of the agreement.
11
The terms and conditions of data protection of X-tee data exchange layer for
information systems (Annex 2)
This document explains which personal data and for which purposes are processed by the
Estonian Information System Authority (hereinafter referred to as RIA) in the management of
the data exchange layer for information systems (hereinafter referred to as X-tee). These terms
and conditions of data protection are applicable to all environments of X-tee.
A data subject (hereinafter referred to as a user) is a natural person who is authorised to make
inquires in the environment of X-tee in the name of a member of X-tee or makes inquiries about
their own data.
1 THE COMPOSITION OF THE DATA
1.1 RIA processes personal data within the framework of using X-tee to identify the person
who has submitted an inquiry in the name of a member of X-tee.
1.2 RIA monitors the use of X-tee and collects statistical data about the use. The collection of
statistical data requires the collection of the data of the monitoring log (operational
monitoring) of the data service of the secure server of a member of X-tee. The log files
collected by the centre only contain the header fields which include the data about which
member of X-tee exchanged data over X-tee, at which point in time, and with which
member of X-tee. The log files collected by the centre do not include the substance of the
body of the inquiries or the responses sent over X-tee.
1.3 RIA is the controller of personal data regarding the collection of the data service monitoring
log and the person who made the request on behalf of the member of X-tee.
1.4 The monitoring log of the data service of the secure server of a member of X-tee includes
the following data about the user:
1.4.1 the data which identify the user:
1.4.2 the personal identification code of an authenticated and authorised user
1.4.3 the technical data:
1.4.3.1 the dates and times of sending the inquiry and receiving the response;
1.4.3.2 the names of the X-tee environment, the member of X-tee, and their subsystem and the
code of the service used and the identifiers of the version;
1.4.3.3 the sizes of the inquiry and the response and the number of attachments;
1.4.3.4 other technical information about the inquiry which passed through the secure server.
1.5 The log does not include any information about which personal data and in which
composition is contained in the messages exchanged over X-tee.
2 RETENTION OF THE DATA
2.1 The term: RIA retains the monitoring log in a format which includes the user’s personal
data for 3 years after collection. After the 3-year period, the part which contains personal
data (i.e. the personal identification code) is removed from the log and the logs are retained
in a non-personal format permanently.
2.2 The purpose: RIA retains the monitoring log:
2.2.1 for detecting and investigating any abuse of the service, as well as cyber attacks;
2.2.2 for detecting and eliminating technical glitches; a technical glitch may be a hardware or
software glitch, a network connection failure, etc.;
2.2.3 for determining the causes of the technical issues reported by the members of X-tee;
2.2.4 for processing the information received from the users (notifications about potential
security issues or technical glitches).
12
3 DISCLOSURE OF THE DATA
3.1 Publication of the data: RIA publishes the statistical data about using X-tee on the website
www.ria.ee. The statistical data of the use is published as open data in a generalised and
non-personal form.
3.2 Access to the logs: access to the logs is organised strictly based on the access rights. The
access rights are granted only to the system and service administrators who are directly
involved with operating the service. In justified cases, access is grated to the public servants
who process cyber incidents.
3.3 Disclosure of the data on the basis of the law: the data may also be disclosed if this is
required by the law (e.g. to a law enforcement authority in a criminal procedure or to the
data subject based on their request).
13
The service level criteria of the X-tee data exchange layer for information systems
(Annex 3)
1. Availability of the service
1.1. Working time
The working time is the agreed period of time for
the duration of which the availability of the IT
service must be guaranteed to the client and the IT
service help desk service is provided (advice on
using, finding solutions to unscheduled
interruptions, etc.).
Mon.–Thu. 8.15 a.m. – 5 p.m.,
Fri. 8.15 a.m. – 3.45 p.m.
1.2. The maximum permitted number of
simultaneous inquires
50 global configuration
inquiries per minute
Name of the Service The X-tee data exchange layer for information systems
Owner of the service The Head of the State Data Exchange Department
Validity of the
requirements
From approval of the directive to the amendment or cancellation of
the directive.
Brief description of the
service
A data exchange platform of information systems through which the
users of the environment can provide to each other and/or use agreed
online services.
The environment of online services is an internet-based solution in
which a special X-Road technology is used for mutual communication.
Notifications of the service
RIA will notify the clients as soon as possible of any known
interruptions of the service or circumstances which prevent using the
service by e-mail or telephone.
Scheduled maintenance
works
Scheduled maintenance of the infrastructure of the production
environment of RIA takes place on the third Thursday of every
month from 6 p.m. to 1 a.m.
The users of the service will be notified of any interruptions of the
production environment of RIA during the working time of the
services and of any larger-scale maintenance works by e-mail at
least 2 working days in advance.
The information system
logs
The information system logs are retained for one year, except the
monitoring logs, which are retained for three years after collection
thereof, after which they are anonymised.
14
2. An unscheduled interruption under normal circumstances
Only the unscheduled interruptions which occur during the working time of the service are
considered unscheduled interruptions. A situation in which the work of a few users is interrupted
but the service is available at the authority (within the same building) is not an unscheduled
interruption. Under regular circumstances, the duration of an unscheduled interruption is
calculated in working hours.
2.1. The maximum duration of an unscheduled
interruption
The maximum permitted period of time in the
course of which the functioning of the service
must be restored. The service is recovered during
working hours.
12 h
2.2. The maximum permitted duration of unscheduled
interruptions per year
24 h
3. An unscheduled interruption in the situation of a catastrophe
The level of criticality means the maximum period of time in which the service is recovered
and the priority, i.e. the order in which the services are recovered in a situation of a catastrophe
(e.g. water or fire damage of the server rooms or another unexpected emergency situation).
Based on the recovery times, the parts of an information system are divided into classes of
criticality as follows:
I – recovery time 72 h;
II – recovery time 168 h;
III – recovery time undetermined.
3.1. Criticality class
I
4. Scheduled interruption
A scheduled interruption is a period of time agreed on in advance for the duration of which the
service is unavailable. Only the scheduled interruptions which occur during the working time
of the service are considered scheduled interruptions. Scheduled interruptions are used for
maintenance, testing, or improvement. The duration of the scheduled interruptions is calculated
in working hours (except the time of advance notice of the interruption).
4.1. The time of advance notice of a scheduled
interruption
48 h
4.2. The maximum duration of a scheduled
interruption
8 h
4.3. The maximum permitted duration of scheduled
interruptions per year
24 h
4.4. The maximum permitted number of scheduled
interruptions per month
2
5. Data loss and back-up
5.1. The maximum amount of data which may be
lost in the course of recovering the service, i.e.
the service recovery point class
24 h
15
The service recovery point class determines the
maximum amount of data which may be lost in
the course of recovery of the service. The
recovery point class is determined as a period of
time before the failure. For example, the
recovery point class of 24 hours is achieved by a
daily backup, in the case of which, the maximum
data loss is the data of 24 hours.
6. Response times
6.1. Functionality Normal reference Maximum reference
6.2. The response time of a
global configuration inquiry
(90% of the inquiries must
fit in the maximum
reference)
5s 30s