RCauth Privacy Policy

The Service will keep a minimal amount of personal information, compatible with the goals of the service.

Goal of the information processing

The goal of the RCauth ICA data processing is to provide a service that issues unique, long-term, non-reassigned identity assertions to its subscribers and their explicitly authorized (software) agents for the purpose of access control to and secure operation and management of academic and research distributed digital infrastructures. All personal data processed by the RCauth ICA is a result of an explicit, user-initiated action, to which the user is a conscious and informed participant.

Besides this processing for delivering the certificate service, the Service will store user information in log files and audit archives. These logs and audit records are used solely for administrative, operational, monitoring, security, and dispute resolution purposes of the RCauth ICA service. It may be shared for security incident response purposes with other authorised participants in the academic and research distributed digital infrastructures via secured mechanisms, only for the same purposes and only as far as necessary to provide the incident response capability.

User information and legal basis

The processing of personal data is based on the legal grounds “performance of contract” (for data described here as needed for initial issuance) and on “legitimate interests” (to enable the RCauth ICA to protects its systems, to enable the trust infrastructure enabled by the CA, and to enable participation in information security incident response resolution). The processing is thus not based on “consent”. Before authenticating the applicant, the service will inform the user regarding the goal of the service and give the applicant the choice to continue or abort the authentication. The information will describe the types of personal data that will be processed, the fact that this information may be shared with other authorised participants as stated in section 9.4.1.1, and contain a reference to this CP/CPS and the Privacy Plan contained therein.

The user will be informed when a certificate is requested, and can at that point object to the processing of the data. By continuing the certificate request process, the user agrees to the processing for the goals stated under section 9.4.1.1. This attribute release agreement may be remembered across sessions, and this agreement can be withdrawn by the user discretionarily.

What information will be processed and stored

The following information will be processed

• The name (display name, common name, and given name and surname) of the user
• An administrative number provided by the IdP used to identify the applicant (eduPersonUniqueID, eduPersonPrincipalName, or eduPersonTargetedID)
• A business electronic mail address of the user
• The professional affiliation of the user, for the purpose of embedding it in the certificate and for the security logs and audit records
• Any specific entitlements and authentication assurance level information provided that enable the certificate issuance to proceed

The following information will be stored:

• The issued certificates, containing the name of the user, the IdP administrative number or an rendering thereof, and the affiliation
• In the security audit logs, the certificate subject name including the information listed above, together with the affiliation (IdP entity identifier) and the full IdP administrative number

The following anonymous information derived from the personal data will be stored:

• In a long-term persistent database a one-way cryptographically non-salted secure digest of the certificate subject user elements – to ensure non-reassignment of identifiers
• In a long-term persistent database a salted one-way cryptographically secure digest of the concatenation of all values of the attributes provided as by the IdP from the ordered list of displayName, givenName, sn, commonName, mail

Where will the information be processed

The information is processed by the Service at all its operating locations: Nikhef, Amsterdam, The Netherlands; Didcot, UK; and Athens, Greece - according to the conditions stated in section 5.1. Backups of data are stored under a confidentiality agreement by the contracted backup service provider.

Who may receive the information

The information is received and processed by the RCauth ICA service, by the Administrators and Operators responsible for this service, and where necessary by the PMA and by auditors. Certificates and certificate information may be disclosed, after explicit approval by the user, to software agents and services that act on behalf of the user, and that have registered with the RCauth ICA service .

Having been so informed and the user having so accepted during the certificate application, the name and contact information consisting of the organisational affiliation (the IdP name) may be shared for security incident response purposes with other authorised participants in the academic and research distributed digital infrastructures via secured mechanisms, only for the same purpose, and only as far as necessary to provide the incident response capability.

Information may be shared with law enforcement by each of the Operating Partners of the RCauth Service when so required by local applicable law.

User information and transparency

The user is informed about his or her data that is processed by the service via this privacy policy, a link to which will be presented to the user each time a certificate is requested, and a link to which will be posted on the RCauth public repository. For more information the user is referred to this comprehensive policy and practice statement at https://www.rcauth.eu/policy/. Users can request access to information regarding all their data at any time, and all reasonable requests to correct and/or amend the data will be processed promptly. Due to the nature of the service, the RCauth service has a legitimate interest in recording the information recorded as per section 3.2.3 for as long as the certificate is valid plus the audit log retention period.

Protection of personal data

The personal data is protected in accordance with this CP/CPS, specifically sections 5.1 and 5.2. Specifically the data is exclusively processed on

• The CA front-end web server, which is maintained at a high level of security and behind a double firewall both at the edge of the network and on the system itself, and where the software is maintained in accordance with best practices for vulnerability management and patching. It will run a minimal set of services. Access is via secure, encrypted and authenticated means only, and only from selected networks to which service personnel have access. This system is contained in a dedicated locked cabinet in a secure data centre to which access is individually controlled.
• The on-site disk back service, which is only accessible over a network from designated systems within Nikhef designated for secure system management operations, or through a VPN tunnel to which users authenticate with individual credentials, and to which only specifically authorized systems management personnel of Nikhef and the service have access. This system is contained in a secure data centre to which access is individually controlled.
• The off-site redundant tape backup service, which is managed under contract in the Netherlands, to which only authorized service personnel have access, and which is located in a vault inside a secure data centre where access is individually controlled.

All software is kept up to date and vulnerabilities in the software are patched promptly. Databases containing personal data are not accessible from outside the system. The specific data protection measures are disclosed and discussed with accrediting bodies and qualified relying parties. Incidents involving personal data shall be pro-actively disclosed with the active users of the service, based on the communications information available at that time.

Information retention periods

The information that is stored will be retained for the following periods:

• issued certificates, including the information contained therein – name of the user, the IdP-provided administrative number, and the users affiliation (organisation name) – for a period of 6 months after the end of the validity period of the issued certificate, i.e. in total 19 months.
• the subject name and the non-shortened versions of the affiliation (IdP entity identifier, home organisation name) and the full IdP administrative number for 19 months after the initial authentication transaction has completed, i.e. 6 months after the issued certificate has expired.

After this period, the information will be archived in a separate long-term archive. The information in the long-term archive will be kept for a period of 3 years after the issuance of the certificate. The information in the archive is accessible only to the Administrators and will be used exclusively for dispute resolution purposes. In separate security audit logs will be recorded the attributes used to construct and issue the certificate – the displayName, commonName, givenName, sn, mail, eP(Scoped)Affiliation, ePPN, ePTID, ePUID, ePEntitlement, ePAssurance, the SAML NameID and the SAML AuthenticationContextClassReference as provided by the IdP to the service – for a period of 6 months. This information is not further archived. The one-way cryptographically non-salted secure digest of the certificate subject user elements is not personal information and will be recorded in the database until 3 years after the RCauth service has ceased operation.
The salted one-way cryptographically secure digest of the concatenation of all values of the attributes provided as by the IdP from the ordered list of displayName, givenName, sn, commonName, mail is not personal information and will be recorded in the database until 3 years after the RCauth service has ceased operation. In addition to the above, backups of all data are stored – under confidentiality agreements and only for the purpose of security investigations and data recovery– for a period of 90 days.

Concerns and complaints

By law, you have certain rights over your personal data that we hold: to receive a copy of the data, to ask us to correct any errors, or to delete it once we no longer need it. To contact us regarding those rights, or anything else in this privacy notice, please write to the RCauth PMA at pma@rcauth.eu. If you do not feel we've dealt with your request appropriately, you can appeal to the data protection authority the country in which the Operating Partner is based. We refer your to the EDPB web site at https://edpb.europa.eu/about-edpb/board/members_en for contact information.