Description of the FaaS Service

Federation as a Service – FaaS is an easy entry point for NRENs who are developing or are in an early stage of operating a WebSSO Identity Federation. The FaaS service is offered to organisations which operate an Identity Federation as a Federation Operator (typically an NREN) to facilitate the effort needed for uptake and day-to-day operations. In a nutshell, by using the FaaS offer, Federation Operators can:

  • operate their Identity Federation in a scalable manner which accommodates best current practices;
  • exchange metadata with eduGAIN metadata service in an automated manner.

GÉANT is the body which is responsible for operating and maintaining the FaaS offering. FaaS is used by Federation Operators, who are ultimately responsible for entering the data into their dedicated FaaS instance or delegating this responsibility to their member institutions. This privacy policy concerns the FaaS service offering operated by GÉANT and concerns all the personal data that is processed by the service.

We are fans of privacy, and we are proud to say that the FaaS service is designed for minimal disclosure of personal data. To view the general Privacy Notice for GÉANT, please visit the GÉANT website.

Why We Process Personal Data

FaaS processes personal data:

  • to fulfill the service order and support processes;
  • to monitor use of the FaaS web user interface, for security purposes;
  • for authentication and notification purposes of the administrative personnel from the Identity Federation and their members who are authorized to access their FaaS instance.

FaaS also processes data:

  • that is made available in entities' metadata provided by the authorized personnel from the Identity Federation that uses the FaaS instance;
  • that is made available in metadata aggregates provided by eduGAIN.

What Personal Data We Process

FaaS processes the following information:

  • Name, email and affiliation of the representative of the Identity Federation which uses the service. The personal data is provided by the data subject on placing the order for the service. This is processed as part of a contract that GÉANT has with the Identity Federation for this data processing.
  • Logs from each instance of FaaS. We collect the usual web server logs, i.e. timestamp of access, IP address which requested the page, the page being requested, the HTTP result code, etc. GÉANT has a legitimate interest in this data processing.
  • Username and a hashed password (in the case that a local account is used), name, email and affiliation of the administrative personnel from the Identity Federation and their members who are authorized to access their FaaS instance. GÉANT has a legitimate interest in this data processing.
  • Personal data made available by entities participating in the Identity Federation by registering through the FaaS UI is processed as part of the Identity Federation upstream and downstream metadata aggregates. This data may include name, surname, email, phone number and affiliation to the entity. FaaS strongly advises Identity Federations to use function contacts rather than personal ones. GÉANT has a legitimate interest in this data processing.
  • Personal data made available by Identity Federations participating in eduGAIN in publicly available metadata streams is processed as part of the federation downstream metadata aggregate. This data may include name, surname, email, phone number and affiliation to the entity. eduGAIN strongly advises Identity Federations to use role-based contacts rather than personal ones. GÉANT has a legitimate interest in this data processing.

Who Do We Share Data With?

Personal data of the representative of the Identity Federation which uses the service is only shared with the FaaS Operational Team for service order and support purposes. Personal data gathered within web server logs is only shared with the FaaS Operational Team for management and security purposes. Personal data of the Identity Federation administrative personnel is visible to the Identity Federation administrative personnel with administrator privileges and to the FaaS Operational Team for management and support purposes. Personal data in Identity Federation upstream and downstream metadata is made publicly available by the Identity Federations in question. Personal data in eduGAIN metadata is made publicly available by eduGAIN.

Personal Data Retention

Personal data of the representative of the Identity Federation which uses the service is retained as long as the service is provided to the Identity Federation. Web server logs are retained for 4 weeks or as long as the service is provided to the Identity Federation. Personal data of the Identity Federation administrative personnel is retained as long as the service is provided to the Identity Federation. Personal data in Identity Federation upstream and downstream metadata is retained as long as the service is provided to the Identity Federation. Personal data in eduGAIN metadata is retained as long as the service is provided to an Identity Federation.

Security

We support the following processes to ensure the security of your data:

  • Minimisation of personal data we collect;
  • Managing, limiting and controlling access to personal data;
  • Resilience of processing systems and services;
  • Regular testing of the effectiveness of measures implemented.

Your Rights

You have the right to ensure:

  • We process your data fairly and lawfully;
  • Your data is accurate (to rectify data released by your home organisation, please contact them directly);
  • The data we collect is not excessive but only the data we require to provide the service;
  • Your data is secure;
  • Your personal data is securely destroyed when no longer required.

You also have the right to ask what personal data we hold about you, and to complain to the Supervisory Authority (Autoriteit Persoonsgegevens) about our data processing activities if you feel your data is not being managed as described here.

Contact Information

Data Controller and Contact:
Data Protection Officer
GÉANT Association
Hoekenrode 3
1102 BR
Amsterdam – Zuidoost
Netherlands
Telephone number: +31 20 530 4488
email: gdpr@geant.org

Jurisdiction: Netherlands
Dutch Data Protection Authority
Autoriteit Persoonsgegevens
Postbus 93374 2509 AJ DEN HAAG.
Telephone number: (+31) – (0)70 – 888 85 00.