Imprint / Impressum

Privacy Notice for Trusted Introducer and Imprint / Impressum

The Trusted Introducer Service is operated and maintained on behalf of the GÉANT Association (the controller) under contract by PRESECURE Consulting GmbH, incorporated in Germany (the operator). By using the TI Services, you agree to the application of the applicable laws and with the judgements by the responsible courts on comments, complaints and so forth in connection with the TI Services and systems used to provide this service.

More information about GÉANT’s general data protection policy can be found in the GÉANT Privacy Notice (https://www.geant.org/privacy-notice).

Why do we process personal data?

Trusted Introducer processes personal data to provide a directory of incident response and security teams. This enables effective communication in a trusted environment for incident and vulnerability management. The personal details you enter on the TI Service or in communication with the TI Operator will be used only for the tasks and work of the TI Service. These data will not be issued to third parties, unless this is related to the Trusted Introducer's tasks and work.

Trusted Introducer also processes log information for its sites and systems. Further information is shown below. 

What data do we process?

Published Contact Data

As part of the service to the CSIRT community and reporting sites, Trusted Introducer collects a set of personal data to enable teams to be contacted in regard to attacks and suspected incidents as well as to contact each other in the event of a security incident. Data is made available in two different formats:

  1. In the public Trusted Introducer directory, an email address (typically role-based but teams may register an individual address), a business address and a business telephone number are made available for each Listed, Accredited and Certified Team. An emergency number is also made available – this is typically a mobile phone.
  2. In the protected Trusted Introducer directory, individual email addresses and contact names are additionally made available.  This is accessible by Accredited Teams, Certified Teams, TI Associates, Trusted Introducer staff and GÉANT staff.

Data is made available with the consent and at the request of the teams in the directory. Data is revalidated every 4 months (accredited and certified teams) and every 12 months (listed teams) and updated accordingly.

All personal data collected is managed by Trusted Introducer through its TIMS system, which is accessible only by Trusted Introducer staff. Backups are regularly and routinely made and are kept in separate, off-site locations. Only authorized persons can access those locations, after having been authenticated based on signatures and passports or security tokens and PINs.

For all services utilized internally within the TI community, X.509 client and server certificates are used. These are created, distributed and managed through TIMS and are protected by FIPS 140 Level 3 certified HSMs (High Security Modules), which are operated in an ETSI certified PKI environment.

Data made available may only be used for the purpose set out by Trusted Introducer – that is to support communication and cooperation for security attacks, incidents and vulnerabilities. 

Any misuse of data should be reported to Trusted Introducer or the TF-CSIRT Steering Committee and appropriate action will be taken.

Certificates

For access to the protected directory and services, teams are required to use the TI PKI service.

The PKI services are embedded within TIMS. Certificates are sent out to users by email protected by standard PKCS#12 mechanisms as well as PGP/GPG encryption based on public keys of team member representatives authorizing the registering of their individual team members.  By their nature, PKI certificates contain a small amount of personal data related to the individual.

Log information

When visiting www.trusted-introducer.org, tiw.trusted-introducer.org and service applications within the domain *.trusted-introducer.org, personal data will be processed only for technical reasons in providing the requested website. For service monitoring and service delivery fault intolerance, two log files are created: an access log and an error log. Before being stored in any log file, the IP address is anonymized by discarding the last section. Based on the state of the art, no person can be identified from this data. Therefore, the log files do not contain any personal data and processing of personal data ends with transmitting the website’s content to the recipient’s device.

The following data set is processed: IP address, source port, timestamp of the client, timestamp of the server, requested URL, HTTP referrer, as well as other possibly personally related data fields which are provided by the configuration of the user’s web browser. The web server discards all data that is not required to provide the webpage or to log the access or error. Since the webpage is static, no personal data is used to dynamically generate the website’s content.

No http-cookies are processed or stored on the user’s client.

Who has access to your data?

Some data is made available either publicly, or on a protected website to accredited teams, certified teams, TI Associates, Trusted Introducer staff and GÉANT staff.

Data is available to all members of the Trusted Introducer team via the TIMS system.  Only appropriately authorised staff can access TIMS. 

How long do we keep your data?

Data is kept for as long as we have the consent of the team members to process the information, and this is verified with a team either every 4 months (accredited and certified teams) or yearly (listed teams).  If we do not receive a response from a team within the given timeframe including a grace period, that team might be suspended and their information no longer made public.

When a team no longer wishes to participate in the Trusted Introducer Service, all data is removed from the public and protected directory information, but is maintained in the TIMS system. Historical information is essential to managing trust relationships with teams, so this data is maintained permanently alongside logs within PKI and CRL information.

Your Rights

You have the right to complain to the Supervisory Authority (Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl) regarding data processed.

Contact Details

Data Controller and Contact

Data Protection Officer

GÉANT Association
Hoekenrode 3
1102 BR
Amsterdam – Zuidoost
Netherlands
Telephone number: +31 20 530 4488
Email <gdpr@geant.org>

Jurisdiction

Netherlands

Dutch Data Protection Authority
Autoriteit Persoonsgegevens
Postbus 93374 2509 AJ DEN HAAG.
Netherlands
Telephone number: (+31) - (0)70 - 888 85 00

Service Delivery

PRESECURE Consulting GmbH

Nagelsweg 41-45
20097 Hamburg
Germany
Email <info@pre-secure.com>

Registered in Germany, AG Hamburg (HRB 133 548)
VAT Identification No.: DE 209907166
Represented by Dr. Klaus-Peter Kossakowski.

PRESECURE® and the PRESECURE logo are registered trade marks of PRESECURE Consulting GmbH.