# Danish MitID
Last updated: 28/09/2023
Current version effective from: 28/09/2023
Page contents
- 1 This appendix and the terms
- 2 Defined terms
- 3 The customer
- 4 Customer's fees
- 5 Visual identity and use of marks etc.
- 6 Personal data etc.
- 7 Security
- 8 Use of MitID Authentication
- 9 Restricting or blocking of access
- 10 Outsourcing within financial businesses etc.
- 11 Liability
- 12 Termination
- 13 Modification and changes to these terms
- 14 Nem-ID / MitID
- 15 Affiliates of customer
# 1 This appendix and the terms
1.1 The terms in this appendix 4 apply when Signicat provides services regarding MitID to the Customer, and the terms of exhibit A to this appendix apply when Signicat provides services regarding MitID for Business.
# 2 Defined terms
2.1 In this appendix 4, the terms defined below shall have the following meaning:
- Authentication, is an electronic process, confirming the electronic identification of an ID Subject.
- ID Subject, is a physical person using MitID.
- MitID Provider, is Nets Danid A/S. In the Agreement the MitID Provider is considered an Identity Issuer.
- MitID Solution, is a national Danish eID solution, which will be notified in accordance with eIDAS and provides Authentications.
- The Partnership, is FR I af 16. September 2015 A/S (on behalf of Finans Danmark) and Digitaliseringsstyrelsen (on behalf of the Danish State, the Danish regions and municipalities etc.).
- Service Provider, is a business or public authority, which through the Broker makes use of the MitID Solution for Authentications of an ID Subject. Often, the Service Provider and the Customer are the same.
Other defined terms shall have the meaning given in the Agreement.
# 3 The customer
3.1 The Customer shall use the MitID services provided by Signicat, for the Customer’s services only. With the exception of Affiliates, as defined in Section 15 of this appendix, which have agreed to be bound by this Appendix, the Customer shall not allow any other entity to make use of the MitID services provided by Signicat, except where such other entity makes use of the Customer’s services, for which the MitID services are used by Customer.
3.2 Signicat is entitled to use information on the Customer’s name, business register number and VAT-number in order to set up the Customer within the broker management system operated by MitID Provider.
# 4 Customer's fees
4.1 The Customer is not allowed to charge any fee to ID Subjects for Authentication made through the use of the services provided by Signicat regarding MitID, and the Customer shall ensure, that no such fees are charged based on the use of the MitID services provided by Signicat to the Customer.
# 5 Visual identity and use of marks etc.
5.1 The Customer is entitled to and must use MitID marks when providing Authentications through the MitID Solution and the marketing thereof.
5.2 The Customer shall comply with the at any time current graphical requirements regarding MitID, and requirements for use of the MitID marks, including names, logos and domain names with relation to the Partnership or MitID. Signicat has listed such relevant requirements at: https://developer.signicat.com/enterprise/identity-methods/mitid/requirements.html#background. Signicat may update the relevant requirements at any time if changed by the MitID provider or if changes are otherwise deemed necessary.
5.3 If any changes are made by the MitID provider to the graphical requirements regarding MitID or requirements regarding MitID marks etc., Signicat may require for such changes to be performed in the graphical flow of authentication used by the Customer. Where the standard Signicat MitID login box and graphical flow of authentication is used, Signicat will perform such changes in the standard Signicat MitID login box and graphical flow. If a Customer specific design is used by the Customer, Signicat and Customer shall enter into separate agreement on Signicat performing such changes.
# 6 Personal data etc.
6.1 The terms below, on roles and responsibilities when processing personal information related to MitID broker services, are based on the Danish Act on MitID and NemLog-in (Lov nr. 783 of 4 May 2021).
6.2 When collecting personal data on ID Subjects in relation to log-in with the MitID Solution (“upstream dataflow”) the Danish Agency for Digitisation (Digitaliseringsstyrelsen) is data controller regarding personal information being processed in relation to the MitID Solution (operated by Nets DanID acting as data processor on behalf of the Danish Agency for Digitisation), including in regard to personal information on ID Subjects. The MitID Provider is processing such personal data on behalf of the Danish Agency for Digitisation.
# Roles and responsibilities
# Signicat acting as MitID Broker
6.3 The MitID Provider transfers answers on Authentication requests as well as risk-data regarding each individual Authentication performed through the use of MitID services provided by the MitID Provider to Signicat (“downstream dataflow”). When receiving such information, Signicat in the role as MitID Broker becomes data controller regarding the personal data contained within, including risk-data and Signicat processes such data with the purpose of being able to disseminate Authentication answers to the Customer.
# Customer acting as Service Provider
6.4 Signicat transfers answers received on the Customer’s Authentication requests to the Customer (continued “downstream dataflow”). The Customer becomes data controller in regard to such received answers on Authentication requests for the specific purpose of deciding whether an ID Subject shall be granted access to its service, except where the Customer has an independent legal basis for other processing of such personal information for another purpose. Each party, the Customer and Signicat, defines their respective means of processing the personal data in question.
6.5 As independent data controllers in relation to the personal data being processed, cf. section 6.3, and 6.4 both the Customer and Signicat are each responsible for complying with their individual obligations in accordance with Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and any applicable national data protection regulation.
6.6 The Customer and Signicat agree to co-operate with and assist each other, to the extent necessary and proportionate for each party to meet their respective obligations to respond to requests for exercising the ID Subject’s rights laid down in chapter III of the General Data Protection Regulation.
6.7 If either the Customer or Signicat experiences any personal data breach, as defined in the General Data Protection Regulation, involving personal data being processed, cf. section 6.3 and 6.4, in relation to the MitID services being provided by Signicat to the Customer, each party shall without undue delay notify the other, and to the extent necessary and proportionate co-operate with and assist each other in complying with their individual obligations to notify the competent supervisory authority and the ID Subjects if relevant.
6.8 Signicat does not currently use risk-data received in conjunction with authentication answers from the MitID Provider. Hence, such risk-data received from MitID Provider in conjunction with authentication answers will be deleted by Signicat upon receipt and no later than 24 hours thereafter. Upon specific agreement between the Customer and Signicat, Signicat may transfer risk-data received from the MitID Provider. Such agreement presupposes that the Customer shows to have an independent legal basis for the processing of such risk-data.
6.9 The Service Provider shall retain personal information received in relation to answers on Authentication requests for a period of no more than 24 hours from having received such information from Signicat, after which time such data shall be deleted by the Service Provider. The Service Provider may retain such personal information for a longer period, only if the Service Provider has an independent legal basis for other processing of such personal information, which provides for such longer retention period.
# 7 Security
7.1 The Customer shall not under any circumstance subject the MitID Solution to any security risk as regarding authenticity, integrity, confidentiality or otherwise.
7.2 The Customer must implement appropriate security measures when making use of the MitID Solution and the services provided by Signicat regarding MitID to ensure a security level appropriate to the risks. The Customer shall adhere to and follow integration guidance and protocols as well as security measures which are at any time specified by Signicat. Signicat is obligated to set such security requirements, in accordance with its agreement with the MitID Provider. The security measures required, as a minimum, by Signicat, are in the, at any time, current version listed on the Signicat website at this address: https://developer.signicat.com/enterprise/identity-methods/mitid/requirements.html#background
Signicat is entitled to modify the minimum security requirements listed at the Signicat website upon a notice of 30 days, unless modifying the minimum security requirements from a security perspective is necessary on a shorter notice. At the Customer's request, the Customer and Signicat may enter into separate agreement on Signicat assisting Customer with such issues.
7.3 If any breach of security should occur, the Customer shall immediately inform Signicat.
# 8 Use of MitID Authentication
8.1 Any MitID Authentication is valid only for a certain period of time, as defined by the MitID Provider, currently 5 hours from forwarding such Authentication.
8.2 If the Customer makes use of a MitID Authentication for any following authentication of an ID Subject beyond the period of time referred to in section 8.1, without authenticating the ID Subject through requesting a new MitID Authentication, such authentication shall not be purported to be, referred to as or otherwise claimed to be a MitID Authentication.
8.3 If the Customer makes use of an authentication, as described in section 8.2, the Customer is fully responsible and liable for the validity and security related quality of such authentication. The Customer shall make itself aware of the security aspects on using such authentications.
8.4 The Customer shall, if using an Authentication from the MitID Solution and/or another identity provider to create other electronic identities (diverted identities), be highly aware of the security aspects associated with such setup. See also sections 8.2 and 8.3. Prior to creating such other electronic identities based on an Authentication, Signicat recommends, that the Customer prepare a risk assessment as well as a security policy, taking especially into account how secure the diverted identity is, how the diverted identity is issued and how strong the mechanism, which protects the diverted identity is. It is recommended, that the Customer evaluates the level of security against the levels of NSIS (Danish National Standard for the Security Level of Identities) or similar. The Customer is also recommended to assess whether a diverted identity shall maintain validity, if the electronic identity, having been used for issuing the diverted identity, has been revoked or otherwise blocked, restricted or cancelled. At request, the Customer and Signicat may enter into separate agreement on Signicat assisting Customer with such issues.
# 9 Restricting or blocking of access
9.1 Signicat may restrict or block the Customer’s use of the MitID and related services, if the Customer to a material extent does not comply with its obligations according to the Agreement or this appendix; the conduct of the Customer constitutes a security risk; or the conduct of the Customer materially affects or may materially affect ID Subjects’ perception of the MitID Solution in a negative manner.
9.2 The MitID Provider may restrict or block the Customer’s use of MitID and related services in situations where security reasons necessitate this.
9.3 If for any reason Customer’s access to the use of MitID or related services is restricted or blocked, cf. this section 9, Signicat will inform the Customer of this as soon as possible.
9.4 Signicat shall in such situations where the Customer’s access to use MitID or related service is blocked or restricted, cf. this section 9, not be liable to the Customer.
# 10 Outsourcing within financial businesses etc.
10.1 Where the Customer is encompassed by the Danish legislation on outsourcing regarding credit institutions etc. (Bkg. 877 af 12. juni 2020) or regarding Group 2-insurance companies (Bkg. 723 af 28. maj 2020), such entities’ use of the MitID Solution will be exempted from the requirements of legislation on outsourcing within financial businesses etc. in Denmark in regard to the MitID Solution (L193 B FT 2020-21, as adopted by the Danish Parliament on 1 June 2021). If such legislation providing an exemption does not apply to the Customer, or is otherwise not applicable, refer to section 10.2.
10.2 If the Customer is or becomes encompassed by legislation containing requirements regarding outsourcing arrangements for financial institutions, the Customer shall, if the Customer considers the services provided by Signicat to be encompassed by such legislation, ensure and is responsible for compliance with such legislation, and shall in this regard contact Signicat immediately. Signicat will against standard consultancy fee, and payment of costs, cooperate with the Customer to have the necessary documentation drawn up.
# 11 Liability
11.1 Any claim, which the Customer may have regarding the MitID services provided by Signicat, shall be directed at Signicat. This does however not apply to any liability or claim which in accordance with mandatory law can be directed at the MitID Provider, which shall not be directed at Signicat.
11.2 If the Customer’s non-compliance with the security related issues in the above section 7 should lead to any claim against Signicat from ID Subjects or any other third party, the Customer shall fully indemnify and hold harmless Signicat for any such claim, including any costs associated with such claim, including legal fees.
# 12 Termination
12.1 The agreement between Customer and Signicat on Signicat providing the Customer with services related to the MitID Solution, and hence this appendix, may be terminated in accordance with the Agreement.
12.2 If for any reason due to the MitID Provider or for which Signicat is otherwise not responsible, Signicat is not able to provide services regarding MitID to the Customer, including where the agreement between the MitID Provider and the Partnership, allowing the MitID Provider to provide the MitID Solution ceases or terminates, Signicat may terminate the Agreement regarding such MitID services. Signicat shall to the extent possible, provide the Customer with a reasonable notice in such situation.
12.3 Upon termination of the Agreement between the Customer and Signicat, leading to Signicat no longer providing services regarding MitID to the Customer, the Customer shall without undue delay, remove any reference to MitID marks and cease any use of these, unless the Customer through another agreement obtains a right of use to such marks.
# 13 Modification and changes to these terms
13.1 Signicat is entitled to make modifications and changes to this appendix if such changes follow from changes of applicable legislation or from changes of Signicat’s contractual obligations with the MitID Provider or from changes in underlying documentation provided by the MitID Provider, as well as where such right follows from this appendix. As far as Signicat is provided sufficient notice of such modifications or changes, the Customer shall be notified of such modifications or changes no less than three months in advance, unless otherwise follows from this appendix.
13.2 Other changes to this appendix shall be in accordance with the Agreement between the Customer and Signicat.
# 14 Nem-ID / MitID
14.1 If, and to the extent, the Customer has entered into an agreement with Signicat regarding Signicat providing Nem-ID services to the Customer, such Nem-ID services and the services regarding MitID to the Customer, shall be provided on a side-by-side basis, until such time, where the agreement on providing Nem-ID services is terminated in accordance with the terms of such agreement, or until Nem-ID is no longer supported by The Danish Agency for Digitisation (Digitaliseringsstyrelsen).
# 15 Affiliates of customer
15.1 If any Affiliates of Customer are to use the MitID services provided by Signicat, such Affiliates are to be considered Service Providers in a MitID Context, which requires for such Affiliates of Customer to be bound by the terms of this appendix and the Agreement. Hence, each Affiliate of Customer is to enter into these terms by signing this appendix.
15.2 When signing this appendix as an Affiliate of Customer the Affiliate agrees to be bound by the obligations of the Agreement, including this appendix, as if the Affiliate was a Customer. The Affiliate shall be entitled to make use of the MitID services provided by Signicat; is to be considered a Service Provider in MitID context, considered a Customer in regard to this appendix and otherwise as an Affiliate of Customer, cf. section 3.1 of the main Agreement.
By accepting these terms and conditions the Customer confirms it is a privately held company and not a government organization.
# Exhibit A
# Applicability
The terms of this Exhibit A apply to the services provided by Signicat regarding MitID for Business.
The terms of this Exhibit A apply in addition to the MitID terms as set out above. The MitID terms apply to the MitID for Business services. The following definitions of the MitID terms shall be read as follows:
i. MitID Provider: shall also mean the MitID for Business provider.
ii. MitID Solution: shall also mean the MitID for Business solution.
# Service description
- Signicat transfers answers from MitID/NemLog-in3 received on the Service Provider’s Authentication requests to the Service Provider. This service enables the Service Provider to ensure that the ID Subject is indeed affiliated with the organization as claimed, according to MitID for Business Provider’s register, when the ID Subject attempts to use the Service Provider's online service.
- The Service Provider has the right to use the MitID for Business services subject to the terms and conditions as set out in this appendix and as supplemented by the MitID for Business specific terms and conditions as set out below.
# Service Provider’s obligations regarding the use of MitID for Business
- The MitID terms as set out in this appendix 4 are, in case of use of MitID for Business, applicable to MitID for Business; any reference to MitID and/or MitID services or the MitID Solution shall be read as a reference to MitID for Business where relevant and applicable.
- The Service Provider shall not use the Authentication as provided by Signicat from NemLog-in3 for services that require a higher level of assurance than the level of assurance of the Authentication.
# Use of marks and design components
- The Customer shall comply with the at any time current graphical requirements regarding MitID for Business, and requirements for use of the related marks, including names, logos and domain names. Signicat has listed such relevant requirements at: https://developer.signicat.com/enterprise/identity-methods/mitid/requirements.html#background.
- Signicat may update the requirements mentioned in this section 3 at any time if changed by the provider of MitID for Business or if changes are otherwise deemed necessary.