Abonnentavtale for Buypass Class 3 BCSS Personsertifikater
Versjon 1.1 | Publisert 18.12.2023 | Gyldig fra 18.12.2023
1. About the Subscriber Agreement
1.1 Parties to the agreement
This is an agreement between you, as the Subscriber and Buypass AS (organization no. 983163327), hereafter referred to as "Subscriber" or "you" and "Buypass" or "we" respectively.
1.2 Scope of agreement
This document (Part 1), the Certification Practice Statement for Buypass Class 3 BCSS Person Certificates (CPS) (Part 2) and the Signature Policy and Practice Statement (SCPS) (Part 3) constitutes the Subscriber Agreement for Buypass Class 3 BCSS Person Certificates as used in Buypass Cloud Signature Services (BCSS) Person Signing.
The Buypass Class 3 BCSS Person Certificates are short-term certificates supplied as Qualified Certificates supporting Qualified Electronic Signature and Non-Qualified Certificates supporting Advanced Electronic Signature in the BCSS Person Signing service.
The BCSS Person Signing service is delivered by a Signature Creation Application Service Provider (SCASP) in cooperation with Buypass as both the Certificate Authority (CA) issuing certificates and Server Signing Application Service Provider (SSASP) managing the private keys. The SCASP manages the documents signed using the service.
The identity of the Subscriber is defined by an Identity Proofing Service Provider (IPSP) which is responsible for authenticating the Subscriber using an existing eID means.
1.3 Acceptance of agreement
We consider these terms and conditions as accepted once the Subscriber confirms that the Subscriber Agreement has been read and accepted when using the BCSS Person Signing service.
By accepting the terms and conditions of this agreement, the Subscriber accepts that the Buypass Class 3 BCSS Person Certificate is made available to relaying parties. The Buypass Class 3 BCSS Person Certificate is made available for the Signature Creation Application Service Provider (SCASP) as a part of the BCSS Person Signing service.
The obligations the Subscriber undertakes by applying for the Buypass Class 3 BCSS Person Certificate by using the BCSS Person Signing service are described under the Subscriber's responsibilities and rights within this document.
This Subscriber Agreement, the CPS and SCPS are available from the Buypass website (Legal Documents).
2. Buypass Class 3 BCSS Person Certificates
Buypass Class 3 BCSS Person Certificates are for signing purposes in the BCSS Person Signing service only. Buypass Class 3 BCSS Person Certificates are herein referred to as Certificates.
2.1 About Buypass BCSS Person certificates
Buypass is the CA for the Certificates. The Certificates are certificates for electronic signature according to Regulation (EU) No 910/2014 (eIDAS).
The Certificates are issued to natural persons based on already existing eID means controlled by the Subscriber. The eID means must be issued in conformance with eIDAS LoA High or Substantial according to Regulation (EU) No 910/2014.
In order to issue a Qualified Certificate, the eID means must be compliant with eIDAS art 24.1 (b).
The Certificate is linked to a private key managed by Buypass as SSASP, in a remote secure cryptographic device (HSM). The Subscriber alone has sole control of the private key using the BCSS Person Signing service. The Subscriber authorizes the access to the private key by using a personal, already existing eID.
The private key will be usable in only those cases for which the signer's consent has been obtained. Subscriber's acceptance of this Agreement is considered such consent.
The Certificates are short-term certificates with a validity period of hours and the corresponding private key residing in the remote HSM is only to be used for a single signing operation (which may include several signature transactions).
Certificates may only be used for Advanced Electronic Signatures (using Non-Qualified Certificates) or Qualified Electronic Signatures (using Qualified Certificates) in the BCSS Person Signing service. The quality of the signature is decided by the SCASP and the Level of Assurance (LoA) of the eID means used.
The private key is deleted when the signing operation is completed.
3. The Subscriber's responsibilities and rights
The issuance of Certificates in the BCSS Person Signing service requires that an existing eID means supporting our requirements are used. The eID means used for verifying the identity must comply with eIDAS LoA Substantial or High.
This is a personal eID that you as a Subscriber must manage under sole control. Others must not be given access to your eID. Contact your eID provider if you need information about your eID, or if you suspect fraudulent usage.
3.1 Applying for certificates
The Subscriber applies for Certificates by using the BCSS Person Signing service as provided by the SCASP, authenticating with an existing eID means at an IPSP.
3.2 Use of certificates
Certificates are only to be used in the BCSS Person Signing service for generating an Advanced Electronic Signatures (Non-Qualified Certificates) or Qualified Electronic Signatures (Qualified Certificate).
3.3 Acceptance of certificates
By using the BCSS Person Signing service and accepting Certificate contents based on attributes from your eID, Buypass considers that the Certificate has been accepted.
4. Buypass' responsibilities and rights
4.1 Collecting, processing, and storing information
Whenever you sign up for using the BCSS Person Signing service, your identity is verified using your eID for authentication.
We collect and store your personal data to the extent this is necessary for the performance of our rights and obligations under the agreement, GDPR Article 6(1)(b) and in order to comply with our legal obligations, GDPR Article 6(1)(c), including (without limitation) our obligations under Regulation (EU) No 910/2014 (eIDAS).
The authentication may be performed by the eID provider, or some other IPSP allowed to represent the eID provider.
Information about your identity retrieved from the use of the eID means are collected and stored together with the consent to the terms and conditions in the Subscriber Agreement.
4.1.1 The purpose of collecting information
To be able to issue a Certificate we retrieve identity attributes like given name and surname from the authentication.
Buypass will store a unique reference to the eID used as evidence for the authentication and authorization to generate a signature on behalf of the Subscriber.
4.1.2 Processing and storing of information
Buypass is responsible for the security of your personal information. We shall provide satisfactory information security (integrity, confidentiality, and availability) through planned and systematic work and that this is in accordance with applicable legislation.
Buypass is responsible for the confidentiality of the information obtained in the use of the BCSS Person Signing service.
Collecting of information is subject to the Norwegian Personal Data Act (Personopplysningsloven). In accordance with applicable regulations relating to the use of the BCSS Person Signing service, all information about the application for and use of the Certificate will be retained for 7 years after the certificate expires.
Whenever you use your existing eID in the BCSS Person Signing service regulated by this agreement at one of our SCASPs, Buypass is not responsible for information collected, stored or processed beyond the provisions stated in this document. This is regulated by our SCASPs own terms and conditions in accordance with applicable privacy regulations.
4.1.3 Right of access, correction and deletion of information
Buypass is regarded as the controller of the information processed in connection with your use of BCSS Person Signing service. You can find information about the processing of personal data on the Buypass website (Privacy Policy), or you can make an enquiry through Buypass customer support.
4.2 Sharing of information
Buypass will not disclose personal information to third parties beyond those stated in this document, unless such information is required according to the authority's request for extradition, the principle of Lex superior or by your own written consent.
4.3 Revocation of certificates
The Certificates are short-term certificates with no support for revocation. The certificate expires after a few hours and the corresponding private key are deleted before expiry.
4.4 Liability
The use of the BCSS Person Signing service regulated by this agreement is your own responsibility. If you suspect unwanted activities as possible fraudulent use of your eID you are obliged to notify the eID provider.
4.4.1 Limitation of liability
Buypass is only liable for loss or damage arising out of the use of the Certificates in the BCSS Person Signing service, in cases where the Subscriber or a third party had a reasonable basis to rely on the Certificates. In such cases, Buypass’ liability is limited to direct, documented losses up to 1,000 EURO per Qualified Certificate and 500 EURO per Non-Qualified Certificate.
Buypass shall not be liable for loss of profits, loss of business, loss of data or any other indirect, consequential or incidental damages.
Buypass shall not be liable for any loss or damage arising out of or in connection with the unavailability, interruption, delay, malfunction or failure of the BCSS Person signing service, whether due to technical faults, or for any loss of profits, loss of business, loss of data or any other indirect, consequential or incidental damages.
Buypass shall not be liable for any loss or damage arising out of or in connection with the Subscriber’s use of the eID in the BCSS Person signing service in violation of the terms and conditions of this agreement.
5. Changing the terms and conditions of this agreement
Current terms and conditions will be communicated to the Subscriber for each certificate issued.
New versions of this agreement will be published and announced on Buypass website at least fifteen (15) days before the amendment(s) take(s) effect.
If you do not wish to accept changes in conditions, you must not use the BCSS Person Signing service.
6. Complaints and dispute settlement
Complaints may be notified to Buypass on the Buypass website (Complaints procedure).
Should disagreement arise between the parties regarding the interpretation or legal effect of this agreement or concerning services, the parties may seek to resolve the dispute between themselves.
If agreement cannot be reached, the parties may seek a settlement in the courts. Oslo District Court will be the legal venue.
7. Duration and termination
Current terms and conditions as described in this agreement will be communicated to the Subscriber and must be accepted for each Certificate. This agreement will only be valid during the period of validity of the Certificate and the signing operation.
Termination of the agreement is not supported.
8. Force Majeure
Should an extraordinary situation arise, which is outside of the parties’ control and which, according to normal purchase law, is regarded as Force Majeure, and which makes it impossible for one or both parties to satisfy one or more obligations of this agreement, the affected obligations will be suspended for the duration of the extraordinary situation.
9. Buypass contact information
If you have questions concerning this agreement or require information in other matter, please contact us using one of the following methods:
Buypass customer support, Email: support@buypass.com
Buypass customer support, Phone: +47 22 70 13 00
Buypass customer support, Buypass website: https://www.buypass.com/the-company/contact-customersupport