CSC - IT Center for Science Ltd, hereafter called the Operator, and “Organization”, hereafter called the Federation Member, together agree on the use of the authentication and authorization infrastructure (AAI) services as follows:
The Haka Federation is a group of organizations founded by Finnish universities and polytechnics which cooperate in the area of inter-organizational authentication and authorization. The purpose of the Federation is to support higher education and research institutions by developing and maintaining an infrastructure for user authentication and authorization.
To ensure development of the activities, the Advisory Committee and Operational Committee, as per Appendix 2, are nominated for the Federation.
Universities, polytechnics, state-owned and other publicly funded research institutions, university hospitals and other organizations supporting research and education are allowed to join the Federation as a Federation Member, as described in more detail in Appendix 2. Organizations that sign Service Agreement for Federation Members with the Operator, thus become Federation Members, forming the Federation together with the Operator and Federation Partners. The parties are aware that service agreements signed with other Federation Members have the same content as this Agreement.
Within the federation framework, a Federation Member can act both as a Home Organization and a Service Provider. A Home Organization means a university, polytechnic, research institution, university hospital or other organization supporting research and education that has signed the Agreement for Federation Members, maintains the identity and attributes of the person affiliated to the organization (End User) and is responsible for authenticating them. A Home Organization shall have an up-to-date user identity management system and comply with the other requirements set for it in Appendix 3.
A Service provider means an organization that has signed the Agreement for Federation Members or the Agreement for Federation Partners and provides services to End Users authenticated by Home Organizations. The Service Provider can be a university, polytechnic, research institution, a joint venture of them or another external organization (Partner) as defined in Appendix 2. The Service Provider is subject to the requirement to process personal data in compliance with the purpose of the Federation and to the other requirements set by the Federation, defined in Appendix 3.
For authentication and authorization purposes, the Haka Federation is entitled to collaborate also with corresponding foreign Federations.
This Agreement shall replace a possible earlier agreement signed between the Operator and the Federation Member concerning the AAI services of the Haka Federation.
1. Scope of the Agreement
The aim of this Agreement is to agree on a common set of policies and rules to ensure flexible and proper functioning of the AAI and compliance with legal obligations. The Agreement relates to operations that are new, still under development and not commercially available. The Federation’s activities are coordinated by the Operator as described in more detail in the Appendices hereto.
The scope of this Agreement is limited solely to providing inter-organizational network services related to the AAI and to the conditions for their use. The Agreement has no effect on possible contracts between Federation Members and service suppliers concerning the content of the services, pricing, access rights, or possible indemnification liabilities caused by them.
The Agreement is supplemented by the following eight Appendices:
(a) Appendix 1: Definitions
(b) Appendix 2: Organization of the Federation
(c) Appendix 3: Service description and requirements
(d) Appendix 4: Process for joining the Federation and the AAI
(e) Appendix 5: Software Licenses
(f) Appendix 6: General Terms of Agreement of CSC - IT Center for Science Ltd
(g) Appendix 7: End User’s consent for attribute release
(h) Appendix 8: Price list of services
This Agreement and its Appendices comprise a contract entity. In case of divergent interpretation, the Agreement itself shall prevail and thereafter the Appendices in ascending order. Appendix 6 shall be applied as applicable, taking into consideration that the General Terms of Agreement have been created to cover the provision of services, which is not relevant in this situation.
2. Obligations of the Operator
The Operator provides the inter-organizational AAI services for Federation Members in accordance with this Agreement and the Appendices hereto.
The Operator shall provide all Federation Members with the services presented in Appendix 3.
When attending to the maintenance of the AAI services and servers, the Operator shall pursue their maximum accessibility and availability of use. Under normal circumstances, the AAI services shall be available at all times notwithstanding short downtimes for maintenance. However, the Operator shall not be obliged to arrange emergency duty or maintenance services outside normal working time.
The Operator shall not be liable for interruptions or delays due to errors in system software, failures, maintenance or hardware installation of computers, data transmission or terminal equipment, or other similar valid reasons.
The normal policy is that downtime caused by maintenance etc. will be informed of in advance, but the Operator is entitled to interrupt the AAI services due to essential repair work or to avoid serious disorders or security problems.
The Operator shall inform Federation Members of the names and electronic addresses of AAI contact persons, to whom reports related to this Agreement can be submitted.
The Operator may also sign agreements with external Service Providers (Federation Partners), as set forth in Appendix 2, as well as with foreign collaboration partners providing AAI services provided that the Advisory Committee, defined in Appendix 2, has approved the respective draft agreement in writing. When making agreements with the aforementioned external Service Providers (Partners) or foreign collaboration partners providing AAI services, the Operator shall adhere to the commitments set forth in this Agreement. A currently valid model Agreement and the appendices attached thereto shall be available for Federation Members on the Operator’s website.
3. Obligations of the Federation Member
The Federation Member is entitled to act as set forth in this Agreement and, as defined in Appendix 2, may serve as both Home Organization and Service Provider.
The Federation Member
shall undertake the responsibilities for appropriate use of the service, as defined in Appendix 3, and ensure that the requirements as per Appendix 3 are met, and
shall notify the Operator of its technical and administrative contact persons with electronic addresses, to which reports related to this Agreement can be submitted.
Prior to starting operating as a Home Organization, the administrative contact person of the Federation Member shall provide the Operator with a description of the Member’s user administration implementation and other clarifications as defined in more detail in Appendix 3.
When acting as a Home Organization, the Federation Member
- shall ensure that the End User is committed to comply with the rules and policies of use as set forth in Appendix 3,
- should the AAI procedure require disclosure of personal data, shall ensure that the End Users, prior to disclosure of their personal data required by the AAI procedure, give their consent for the data to be released for the Service Providers (consent model in Appendix 7),
- shall inform the End User which data concerning his AAI use will be collected by the Home Organization, where they will be used and possibly disclosed (obligation to inform the data subject),
- is liable to ensure that when personal data is disclosed to the Service Provider, only the data that is relevant to enable proper functioning of the services is disclosed, and
- is liable to ensure that the data disclosed is accurate and kept up to date and in line with what has been mutually agreed (concerning, for example, the funetEduPerson schema), particularly as regards the specification of the personal data syntax and semantics, as set forth in Appendix 3.
When acting as a Service Provider, the Federation Member
Should any disturbance or abuse be observed, the Federation Member shall actively participate in the settlement procedures.
4. Limitation of indemnity regarding other Federation Members, external Service Providers or End Users
The Operator shall not be liable for damage caused to the Federation Member or its End User and the Federation Member shall not be liable for damage caused to the Operator due to the use of the AAI services, service downtime or other issues relating to the use of the AAI services. For any other damage, the liability for damages in case of a breach is limited to one thousand (1000) euros.
The Operator and the Federation Member shall refrain from claiming damages from other Federation Members or external Service Providers for damages caused by the use of the AAI services, downtime or other issues relating to the use of the AAI services. The Operator shall ensure that a corresponding obligation is also included in agreements signed with external Service Providers. In the event that the Operator has neglected to ensure that the abovementioned obligation be included in agreements made with external Service Providers, the Operator shall be liable for damage caused to the Federation Member due to this neglect.
The liability for damages caused by handling personal data in conflict with the provisions of the Personal Data Act is set forth in section 47 of the Personal Data Act.
Neither party shall be liable for any consequential or indirect damage.
5. Interruption to provision of the service, restraint from use of the service or consequences of poor quality
(a) Interruption to provision of the service
Without separate liability for indemnification, the Operator shall be entitled to interrupt provision of the services to the Federation Member either completely or partially in the following situations:
(a) Should the Federation Member commit an essential breach, the Operator shall be entitled to interrupt provision of the services until the Federation Member fulfills his obligations again;
(b) Should minor breaches committed by the Federation Member recur and continue in spite of the Operator’s written reminders, the Operator shall be entitled to interrupt provision of the services until the Federation Member fulfills his obligations again;
(c) Should the Federation Member, through his action or neglect, have caused deterioration of quality or other adverse effect on the functionality of the Operator’s servers, without having remedied his action or neglect within a reasonable period of time upon a written notice; or
(d) Should it be necessary to interrupt the service due to repair, improvement or preventive maintenance activities.
Hence, interruption of the services shall not release the Federation Member from remittance of fees as per the price list. The Operator shall be entitled to terminate the Agreement immediately, if the service has been interrupted for at least 60 days.
The Operator shall be entitled, without liability for damage, to interrupt or terminate providing the service completely or partially for one or several End Users of the Federation Member including but not limited to the following situations:
(a) Should the End User of the Federation Member, through his operations, cause technical problems to the service;
(b) Should there be reason to believe that the End User of the Federation Member may have used the service in a fraudulent or illegal manner; or
(c) Should it be necessary to interrupt the service due to repair, improvement or preventive maintenance activities.
(b) Restraint from use of the service or poor quality
Should the use of the service be prevented due to the Operator’s activities or should the quality be repeatedly inferior, the Federation Member shall inform the Operator of the interruption of service or deterioration of quality and request corrective actions in writing, as set forth in section 9. A reasonable amount of time shall be reserved for the Operator to correct the possible deficiencies and defects observed in the contents and quality of the services. Should the use of the services be hampered by factors essentially attributable to the Operator, the Federation Member shall not be obliged to effect any payments for the said period as per the price list. However, a defect in the availability or quality of the services does not warrant any other indemnity for damage.
6. Personal data protection and data security
Both parties are committed to complying with the obligations imposed by the currently valid legislation on personal data protection as well as processing and disclosure of personal data, obligations of non-disclosure and secrecy, as well as a sufficient level of data security for the services. In particular, the Federation
Member shall exercise extreme care to ensure that the data concerning the End Users are accurate and kept up to date.
CSC - IT Center for Science Ltd, acting as the Operator, is a non-profit company and on the basis of this, CSC shall define pricing principles for the AAI services. The prices can be defined separately for the Home Organization and the Service Provider.
If the Federation Member has joined the Haka Federation as a Federation Member in the middle of an invoicing period, then for the first invoicing period, only the full calendar months shall be invoiced.
The principles of pricing and the invoicing schedule are defined in more detail in Appendix 8. The pricing principles and the invoicing schedule can be changed as agreed in section 10 concerning amendments to the Appendices of this Agreement.
Both parties agree to inform the other party of changes in their contact information.
The representatives of the Federation Member are entitled to participate in events and training arranged by the Operator for the Haka AAI service users. The normal course fees listed in the Operator’s training calendar shall apply. The pricing of tailored courses are separately agreed.
9. Notices and reports to the other party
The written notices and reports mentioned in this Agreement can be delivered electronically to the email addresses provided by the parties to each other or by mail to the contact persons designated by the parties. A notice delivered in electronic form is considered to be received by the recipient on the following working day from the date of sending. A notice delivered by mail is considered to be received by the recipient on the seventh day following the date of such mailing.
10.Validity period, amendment and termination of the Agreement
The Agreement shall be valid until further notice. The notice period for termination of the Agreement shall be six months.
The Operator shall be entitled to change the Appendices to this Agreement upon hearing to the Federation’s Advisory Committee. The amendment shall be notified to Federation Members in writing at least three (3) months prior to the effective date of the amendment. The notification shall be delivered to the administrative contact person designated by the Federation Member, as set forth in section 9. In addition, the amendment shall be informed on the Operator’s website accessible to the Federation Members. The information shall then contain not only a description of the amendment but also the new, amended Appendix to the Agreement in full. The amended Appendix shall, when enforced, replace the corresponding earlier Appendix.
The Federation Member shall be entitled to terminate the Agreement by submitting a written notice to the Operator, as set forth in section 9, within thirty (30) days from the date of receiving the Operator’s notification on the amendment of the Appendix. The termination shall then be valid on the effective date of the Appendix to the Agreement, informed by the Operator in advance.
Notwithstanding the above, amendments to the software licenses (Appendix 5) needed for the use of the AAI services shall become effective as stipulated in the respective amendments. Additionally, the Federation’s Advisory Committee shall be entitled to decide on urgent amendments that are imperative for the operational integrity of the Federation concerning Appendix 3 of the Agreement. Such amendments to Appendix 3 shall become effective after the Operator has confirmed the amendment and informed the Federation Members of the changes and the effective date of the amendment.
A party shall be entitled to terminate this Agreement immediately, if the other party commits an essential breach to a provision of this Agreement and does not cure the breach within a reasonable time (a minimum of 30 days) from having received a written notification about the breach. The Federation Member shall also be entitled to terminate the Agreement immediately, if the use of the services is essentially interrupted and 60 days have passed since a notification has been given to the Operator and the Operator has been unable to execute corrective actions regarding the service.
Disputes concerning this Agreement shall be settled primarily through negotiation.
If the issue cannot be resolved through negotiation, any disputes shall be submitted to the ordinary court at the domicile of the Operator.
This Agreement has been made in two identical copies, one for the Federation Member and one for the Operator.