Criipto is now Idura. Read why here →
LEGAL

MitID Erhverv Terms of Service

1. General

This document (“MitID Erhverv Terms of Service”) governs the Customer’s use of NemLog-in and is an addendum to Idura’s Terms of Service and any applicable Service Agreement.

2. The Services

Idura is a certified Sub-broker connected to NemLog-in, the national authentication infrastructure operated by Digitaliseringsstyrelsen. IN Groupe Denmark A/S (“IN Groupe”) provides technical support and operation of NemLog-in on behalf of Digitaliseringsstyrelsen. Through its connection to NemLog-in, Idura provides the Customer with access to NemLog-in authentication services, including authentication via MitID and other identification means supported by NemLog-in.
Any regulation, including definitions, service levels, and data protection policy, from Idura’s Terms of Service apply to these NemLog-in Terms of Service as well, unless specifically stated otherwise.

3. Registration

To use the NemLog-in services, the Customer must register as a service provider by signing up for the NemLog-in Service via Idura's website.

During the registration process the Customer must provide:

  • the name of the Customer’s company,

  • the Customer’s CVR-number/VAT-number/SE-number and

  • a statement specifying whether the Customer is a public authority, a public-law body or a private legal entity, and whether each of the Customer's self-service solutions constitutes a public or private self-service solution.

There are two ways of identifying the Customer:

  • The Customer identifies itself by performing a MitID company login.

  • Idura performs the KYC (know your customer) process of the Customer.

4. The Customer’s Obligations

Digitaliseringsstyrelsen has specified rules and conditions for service providers' use of NemLog-in services.

Pursuant to the agreement between Idura and Digitaliseringsstyrelsen (the "Sub-Broker Agreement”), Idura must ensure that the terms and conditions set out by Digitaliseringsstyrelsen, from time to time, are reflected in Idura’s terms with the Customers.

The Customer shall comply with the following obligations:

Security

The Customer shall comply with the security requirements set out on NemLog-in’s service provider site. The Customer shall not expose NemLog-in or any connected solutions, including the MitID solution, to any security risk with respect to authenticity, integrity or confidentiality. The Customer shall promptly notify end users and Idura of any security breach related to the Customer's use of NemLog-in.

Technical Requirements

The Customer shall comply with the technical requirements applicable to service providers as set out on the NemLog-in service provider site.

Derived Identities

Where the Customer uses a NemLog-in authentication to establish a derived identity (e.g. an alternative login mechanism for the Customer's own self-service solution based on the original NemLog-in authentication), such authentication shall not be presented, described or otherwise reproduced as a NemLog-in authentication or an authentication from any identification scheme facilitated by NemLog-in, including MitID.

Neither Digitaliseringsstyrelsen nor Idura shall be liable for the security or any other aspect of such derived authentication. I.e., the Customer shall be solely responsible for, and shall bear all risk associated with, the validity and security of any such derived authentication.

Maximum Session Length

The total session length for a NemLog-in authentication at the Customer's self-service solution shall not exceed eight (8) hours, after which the end user must re-authenticate via NemLog-in. The Customer may only extend a session beyond eight (8) hours if the following conditions are satisfied: 

  • the end user remains active throughout the entire session in accordance with applicable session inactivity requirements; 
  • there is a specific and legitimate business need for the session to exceed eight (8) hours, including that the purpose of the end user's authentication and use of the self-service solution would be lost if the session were not maintained; and 
  • it is not reasonably practicable to configure the self-service solution such that the business need can be fulfilled within the eight (8) hour maximum session length.
Assurance Levels

The Customer is responsible for ensuring that the assurance level contained in the authentication response from NemLog-in is sufficient to meet the end user’s specific requirements of the Customer's self-service solution. 

Use of NemLog-in and MitID Trademarks 

The visual identity and design components made available through the NemLog-in infrastructure shall only be used in connection with NemLog-in authentication. The Customer shall not use such elements to support its own or any third party's services. 

The Customer shall comply with the applicable rules for the use of NemLog-in and MitID trademarks, including names, logos and domain names. Guidelines for UX/UI and communication related to NemLog-in and MitID are set out on the NemLog-in service provider site. 

The Customer has a right to use such trademarks and is obligated to use them in connection with offering and marketing NemLog-in authentication. 

The guidelines and trademarks may be amended at any time, and the Customer is obligated to keep itself informed of any such changes and to comply with the guidelines in force from time to time. 

Upon termination of the Customer's use of NemLog-in authentication services, all the Customer’s rights obtained under this Appendix cease and the Customer shall remove all references to such trademarks and stop all use thereof.

5. Fees

The Customer shall not charge end users any fee for authentication or signing services provided through NemLog-in.

6. Blocking and Suspension

Idura may block or suspend the Customer's access to NemLog-in authentication and other services if i) the Customer materially fails to comply with the obligations set out in this Appendix, ii) if the Customer's conduct constitutes a security risk, or iii) if the Customer’s conduct materially affects or is likely to materially affect end users' perception of NemLog-in or any connected solutions, including the MitID solution, in a negative manner. 

Further, Idura is entitled to enforce any restrictions or suspensions imposed by Digitaliseringsstyrelsen, including any suspensions based on significant security grounds.

7. The Customer’s obligations when receiving a certificate

Prior to relying on a certificate from Den Danske Stat Tillidstjenester, the Customer shall verify: 

  • that the certificate is valid, i.e. not listed on the suspension list (In Danish: Den Danske Stat Tillidstjenesters spærreliste) at the time of signing;

  • that the intended use of the certificate is appropriate in light of any usage restrictions contained in the certificate; and

  • that the use of the certificate is otherwise appropriate in light of the level of security described in the applicable certificate policy. 

Where a timestamp forms part of a signed document, the Customer shall further verify (before the timestamp is accepted): 

  • that the timestamp is correctly signed and that the private key used to sign the timestamp has not been marked as compromised at the time of verification; 

  • that the use is within any limitations set out in the applicable timestamp policy; and

  • that any other precautions specified in applicable agreements or similar instruments have been satisfied.

8. Liability

Idura acts as a Sub-broker in the NemLog-in infrastructure and does not itself operate the NemLog-in solution or the MitID solution.

Accordingly, Idura shall not be liable for any loss or damage (whether in contract, tort, misrepresentation, restitution, under statute or otherwise) arising out of or in connection with any party’s (including the Customer's, end users' or others') use of the NemLog-in services or the MitID solution, unless the injured party can demonstrate that the loss or damage is attributable to circumstances within Idura’s control.

Any claim by the Customer relating to NemLog-in services shall be directed to Idura, who will subsequently pursue any recourse claim against IN Groupe or Digitaliseringsstyrelsen as applicable. Claims relating to errors in signatures or seals from NemLog-in Digital Signering shall, however, be directed to Digitaliseringsstyrelsen, cf. clause 8.4 below.

9. Changes to NemLog-in Terms of Service

These NemLog-in Terms of Service may be amended by Idura without prior notice to the Customer, including where Idura amends its general Terms of Service or where the terms and conditions imposed by Digitaliseringsstyrelsen on service providers' use of NemLog-in services are amended pursuant to the Sub-Broker Agreement. The Customer acknowledges and agrees that such amendments shall be binding upon the Customer upon taking effect.

10. Termination

Upon termination – irrespective of the reason - of the agreement between Idura and the Customer, the Customer shall immediately cease all use of NemLog-in services and shall remove all references to NemLog-in and MitID trademarks in accordance with clause 4.7.5 above.