TRUST SERVICES PROVIDER INFORMATION
Trade Name |
Coloriuris, S.L. |
Commercial trading name |
Coloriuris, Trusted Services Provider. (CIPSC) |
CIF |
B 99091696 |
Business address |
Alfonso I Street, 23 – mezzanine floor-/centre. 50.003 Zaragoza (Spain) |
Telephone |
(+34) 976 203 670 |
|
|
Main URL. |
|
URL Trusted site |
|
Public Register |
R.M. of Zaragoza – Document: 1/2013 / 4794,0, Volume 3330, Sheet Folio 111, page Z-40193, Registration number 11 |
INTRODUCTION
FIRST. – The new activities of the information society arising from the increase in the use of communication networks and which, in part, have been regulated by Law 34/2002, of July 11, for services of the information society and e-commerce, are improving the activity of the public services and the private sector. As well as their relations with individuals thanks to the immediacy in obtaining information and the increasing possibility of carrying out transactions and contracting electronically through the Network. Within these services is, among others, the activity of Time Stamping as a Trusted Services Provider, according to the EU Regulation 910/2014, of July 23 (Regulation eIDAS).
SECOND. – Coloriuris Trusted Services Provider, hereinafter referred to as CIPSC, has the necessary technical infrastructure to carry out the services of electronic Time Stamping. Moreover, CIPSC has a long experience in the sector. The activities of Trusted Services Provider in reference to the evidence and proof of electronic contracts must be subject to the general rules of the corresponding procedural laws and, as the case may be, to that established in the law on electronic signature and EIDAS Regulation and its implementing regulations.
THIRD. – Coloriuris, S.L. has submitted the Time Stamping Trust Service to the audit of a Conformity Assessment Body accredited by the ENAC, as established by the eIDAS Regulation.
FOURTH.- The policy applicable to the service described will be the latest version published on the Coloriuris website of the Policy and Statement of Practices of the Time Stamping Authority with OID 1.3.6.1.4.1.37799.20.5.0.2.0 (https://cipsc.coloriuris.net/politicas/) that has been redacted in accordance with the ETSI 319 421 and in conform to the best practice: itu-t(0) identified-organization(4) etsi(0) time-stamp-policy(2023) policy-identifiers(1) best-practices-ts-policy (1).
CLAUSES
FIRST.- PURPOSE
CIPSC is the provider of the following trusted service:
1. – Electronic Time Stamping, in order to record the date and time of the existence of a particular document or electronic transaction. This electronic Time Stamping does not include the custody and storage of the electronic document on which is applied the above said stamp.
Coloriuris will preserve the information relative to the provided services (including the logs) for 15 years after the extinction of the certificate or the finishing of the provided service.
SECOND. – PROVISION OF SERVICES
1. – The provision of the service referred to in clause one, shall be made in accordance with what is established in:
- Annex 1: Time Stamping.
2. – The source of time to be used by CIPSC for the Time Stamping is synchronized with the laboratory of the Royal Institute and Observatory of the Navy of San Fernando, hereinafter ROA, who in accordance with the provisions on the legal time in the Royal Decree 1308/1992, of October 23, is declared as national time standard. From which, as a proof, certifications of the state of synchronism are obtained at the request of CIPSC. It gives a time that, at least, will have the accuracy of + / – 1 second on the time of a GPS receiver- to which the CIPSC Digital Date Authority is connected through an NTP protocol, and that will be the time of the moment when an electronic transaction is performed and susceptible to have an electronic time stamp.
The accreditation of performing an electronic time stamp by CIPSC will be submitted as legal evidence, when appropriate, to the assessment of the competent courts, in accordance with the procedural rules of application.
THIRD. – OBLIGATIONS OF THE PARTIES.
1. – For the effective provision of services, CIPSC commits itself to the following additional services:
- Provision of the accreditation services of the electronic time stamps generated during the term of the contract, providing that the service contractor has electronically signed the requests for services.
- CIPSC compromises to the restoration of the service in the next 24 hours in case of incidents affecting the avaliability of the service; as it is established on the Contingency Plan, on it’s 2.2 version with O.I.D. 1.3.6.1.4.1.37799.0.0.2.2.2.
2. – The contracting party undertakes:
- To accept that the logs of the operations (logs) made and conserved by CIPSC, on the services provided under the requests made, will be evidence to justify the service performed.
- To have available the computer applications and equipment required for the requests of time stamping, to CIPSC.
- To preserve the support of the electronic transactions that served as the base for the execution of the service requests to CIPSC.
- Encrypt the communications sent and received, using the SSL protocol.
- Sign electronically, the requests for electronic time stamps, by means of the qualified electronic stamp certificate.
- In reference to the computer applications in which users interact with the contracting party, this one assumes the obligation to incorporate a clause or mention in the contracts in reference to the fact that the activities carried out by CIPSC (electronic time stamps) will be inter-parties legal evidence in the relations maintained with the mentioned users.
- The contracting party must comply with obligations arising from consumers and users standards norms, distance selling and e-commerce. CIPSC is not part in the relationships of the consumers and users with the contracting party.
3. – Obligations of the user parties:
- Parties relying on time stamps should verify that the time stamp has been correctly signed and that the key used to sign the time stamp has not been compromised until the time of verification.
- Parties relying on time stamps should take into account any limitations on the use of the time stamp indicated by the time stamp policy.
FOURTH. – ECONOMIC CONDITIONS.
1. – CIPSC shall receive from the contracting party, for the service of electronic time stamping described in clause one, the corresponding amount and this one calculated in accordance with that established in Annex II of Economic Conditions.
2. – CIPSC, may issue annual invoices for the maintenance fee, and on quarterly basis for the variable fee to be paid by the contracting party.
3. – The payment of invoices shall be made within 30 days of their issue.
4. – The price for the provision of the service shall be updated on an annual basis by applying the Consumer Price Index (CPI) to the price from the previous year, corresponding to the annual period prior to the update date . All this without prejudice to the revision of the economic regime for the provision of the service.
5. – The invoices from CIPSC shall be issued in the name of:
Denomination:
Street:
City:
Province - Post Code:
NIF / CIF:
Contact person:
Phone:
Reference:
FIFTH. – ASSIGNMENT AND SUB-CONTRACTING
The contracting party may not act, on behalf of third parties, as provider of these services by reselling those received from CIPSC.
The contracting party is forbidden from assigning the contract to third parties without prior written authorization from CIPSC. Any subcontracting, which the contracting party could carry out, which could affect the security and reliability of the service provision must be approved by CIPSC prior to its implementation.
SIXTH. – RESPONSIBILITY
CIPSC (as provider of the services referred to in clause one) and the contracting party (as user of the electronic time stamp system and participant in the procedure of encryption and submission of stamp applications to CIPSC) shall each respond within the scope of their respective functions, for damages caused by the operation of the system in accordance with the applicable general rules of the legal system and in accordance with contractual obligations.
In any case, it will be presumed the veracity of the documents or transactions sent and signed electronically, on which CIPSC will apply an electronic time stamp, and that such data has not been produced by fraud of third parties, nor infringes the current legality. The contracting party shall assume and respond to any claim or revendication regarding the veracity and legality of the electronic documents submitted, exempting CIPSC from any responsibility for the contents that are not known by this Trusted Services Provider.
Specifically, CIPSC will only be responsible for its operation in relation to the service rendered in application of the herein terms and conditions. CIPSC is not responsible for the transactions and / or business engaged by the contracting party with its own clients, no matter which the amount is, providing that the possible damages do not come from a faulty or negligent action in the service provided by CIPSC.
The contracting party shall hold CIPSC harmless from any right or action exercised by the clients of the contracting party or for this last one in their reciprocal relations, which would be based on the business engaged by the contracting party with its own clients on which CIPSC has provided the described services.
For the services deriving from this contract, CIPSC’s maximum liability limit is established in the amount corresponding to the 50% of the fixed amount of the annual economic consideration, and with effects of penalty clause in accordance with article 1,152 and following of the Civil Code. This amount will replace, in case of non-compliance, the possible compensation for damages that would proceed.
SEVENTH-RESOLUTION
The contracting of the service may be resolved when there is a manifest lack of quality of the service provided by CIPSC or serious breach of its obligations in the development of its activity.
CIPSC may request the resolution for non-payment of the agreed price or for breach of the obligations that correspond to the contracting party and that are contained in the clauses of these terms and conditions.
Failure to comply with the obligation to pay the services to CIPSC will authorize the latter to suspend services or, if necessary, to terminate the contract.
Failure to comply with any of the obligations set forth in these terms and conditions or, as the case may be, in the applicable legal provisions, will authorize CIPSC to demand compliance with the obligation, with compensation for damages and losses caused, or to urge the resolution of the legal relationship constituted, also demanding the damages caused.
EIGHTH. – PROTECTION OF DATA
8.1. – Regime.
The Personal Data Protection Regime will be the regime provided in the Organic Law 3/2018, of December 5, on Personal Data Protection and Guaratee of Personal Rights (LOPDGDD) and in its development regulations; each party will be responsible for its own performance in matters of data protection.
Only the strictly necessary, appropriate and relevant for each purpose data are processed. CIPSC is responsible for the processing of personal data with CIF: B99091696. The contact details of the data controller are as follows:
- Postal address: Calle Alfonso I, 23 – entlo. ctro. – 50.003 Zaragoza (Spain)
- E-mail: cipsc@coloriuris.net
They will be kept as long as they are necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and the processing of the data.
In compliance with the provisions of Article 32 of the RGPD, CIPSC shall ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services. The level of security will be proportionate to the risk in the processing of each type of personal data.
We recognize our visitors and users’ rights of access, rectification, deletion and portability of their data, and the limitation or opposition to its processing, which can be exercised in the manner provided by law at the addresses indicated above.
For more information on how to exercise your rights, the Spanish supervisory authority, the Spanish Data Protection Agency, provides the following link with its description and form to send the request to us: Exercise rights
The contact details of our Data Protection Delegate are: dpo@coloriuris.net
8.2. – Access to data on behalf of third parties.
The access that the contracting party may have on the personal data held by CIPSC from its individual users shall not be considered data communication, since the only object of the procedure is to request the service described in the contract, when it is carried out in accordance with Article 28 of the LOPDGDD and the RGPD.
In that case, the data processor:
-
They shall only treat the data according to the instructions of the person in charge of the treatment and that it refers exclusively to the effective realization of the services contemplated in this contract.
- They shall not apply or use data for a different purpose than the one contained in this contract, nor will they communicate them to other persons, not even for storage purposes, unless expressly authorized by the data controller or under a legal obligation.
- They shall apply technical and organizational security measures according to the level of risk presented by the processing of personal data, in order to ensure the confidentiality, integrity and availability of such data.
- They will not store personal data for longer than necessary to fulfill the purposes set forth in this contract, and once this contract ends, they will destroy or return the data to the person in charge of the treatment.
In the event that the contracting party uses the data for another purpose, communicate them or use them in breach of the provisions of this contract, they will also be considered responsible for the processing and shall be liable for any infractions that they could have personally incurred.
NINE. – CONFIDENTIALITY.
The information known or transmitted by the parties shall be considered confidential, and its transfer, communication or disclosure to third parties shall be prohibited, without prejudice to any administrative or judicial resolution ordered or agreed by both parties.
It is prohibited to carry out any acts of publicity of this present legal relationship, unless the parties agree.
The obligations contained in the two previous paragraphs herein shall be extended indefinitely.
TEN. – APPLICABLE LAW AND CONFLICT RESOLUTION
The contractual relationship between CIPSC and the contracting parties is private in nature. The parties undertake to resolve by mutual agreement any incidents that may arise in their interpretation and compliance.
The disputed matters that may arise between the parties during the development and execution of the contractual relationship will be submitted to civil-mercantile jurisdiction, in accordance with the provisions of the Law regulating of the same.
The parties hereby waive the jurisdiction that may correspond to them by submitting to the Courts and Tribunals of the City of Zaragoza.
In the event that consumer legislation is applicable, the provisions of the same shall apply and you are informed of the existence of an arbitration dispute resolution system at https://ec.europa.eu/consumers/odr/main/?event=main.adr.show2
In compliance with the legislation applicable to arbitration, you are obliged, before requesting arbitration, to notify CIPSC in writing of any claim or dispute with the aim of obtaining an amicable solution.
All of the above will be applicable only in the event that this regulation may be enforceable against CIPSC.
In the event that the user has any complaint and / or claim, Coloriuris offers a complaint channel expressly conceived for this purpose: https://www.coloriuris.net/canal-denuncias/formulario/coloriuris
APPENDIX 1
SERVICES TO BE PROVIDED
TIME STAMPING
INTRODUCTION
Time stamping is a method to prove that a data set (datum) existed before a given time and furthermore that no bit of this data has been modified since.
In addition, time stamping provides additional value to the use of electronic signature, since this one alone does not provide any information about the moment of creation of the signature. The electronic certificates used by the algorithm of the electronic signature has a period of validity and therefore, the signature without the digital date, after the validity of the certificate, can always be rejected.
To associate the data with a specific moment in time, it is necessary to use a Time Stamp Authority (TSA) as a Trusted Service Provider.
PROTOCOL
The TSA centralizes the issue of temporary certificates. The role of this entity will be to produce, store, verify and renew the temporary certificates. The TSA will be a Trusted Services Provider (TSP), being its signature on the temporary certificate sufficient proof to prove its validity.
This protocol allows time stamping on any type of digital information, and protects the confidentiality of the data dated.
The user of the time stamp service must be holder of a certificate issued by a Qualified Trusted Service Provider.
The TSA makes use of a certificate issued exclusively for time stamping purposes.
Time Stamp Application
Once the user has a X.509 certificate and its corresponding private key will be able to make time stamp requests. The process for making a time stamp request is as follows:
1. The user selects the electronic file from which is requested the TSA time stamp.
2. The client application compiles a summary (hash) of the contents of that file.
3. The user selects the service policy preferred, the reference number, the version…
4. The client application composes an electronic time stamp request and sends it via HTTPS.
Time stamping response
Once the TSA has received the time stamp request and has accepted it, this will proceed to return the time stamp response or Response via HTTPS to the client application. This Response is an object that contains a mandatory field, which is the state of the operation, and in the case that it was satisfactorily implemented, it contains a CMS Signed-Data object, which is the signature of the object that contains all the information of the time certificate. The client may choose to directly store that Response, validating it previously or he may choose to perform verification of it too, in case there have been no errors. For that:
1. The client application recomposes the Response object, extracting the state of the operation, and if it is GRANTED, the CMS Signed-Data object can be extracted too.
2. The client application recomposes the CMS Signed-Data object, extracting the signed data and verifying that the signature is correct, making use of the TSA certificate included in the CMS object.
3. The certificates included in the CMS object are obtained and «path validation» is done.
4. If the client has selected it, the OCSP verification (On-line Certificate Status Protocol) of the certificates is made, in order to check the revocation status of those certificates.
5. The client application will obtain the data of the time stamping of the token.
ANNEX II
ECONOMIC ANNEX
1. Time Stamping
The price of this service, purchased in an independently way, will be billed for two concepts:
The fixed price of this service is 10.000,00 €/ year. This price includes up to 40.000 stamps, which have to be spent within one year. If the stamps are not used, they cannot be accumulated for later years.
The payment is annual.
For a variable cost, which is established by the number of stamps made within a period of one year whose number exceeds the amount of 40.000, without greater limit, accounted for in the same way as the aforementioned, at a rate of 0,22 € / stamp.
2. Technical Support
The cost of the technical support made by CIPSC staff will be 300, 00 € / hour.
In the event that the technical support is provided at the contracting party’s premises, an additional cost will be added to the previous tariff, at a rate of 150,00 €/day per person, plus the cost resulting from the trip and overnight stay will be added to the previous rate.
3. Legal and Technical Consulting
The cost will be 300, 00 € / hour.
In the event that the technical support is provided at the contracting party’s premises, an additional cost will be added to the previous tariff, at a rate of 150,00 €/day per person, plus the cost resulting from the trip and overnight stay will be added to the previous rate.
4. Conditions
All the amounts set forth above which may involve fixed annual payments will be updated from the first annuality, applying the variation of the IPC published in the previous twelve months, according to the index approved by I.N.E, taking as reference the year of the signature of the contract.
All the amounts detailed herein above do not include the legally established tax (IVA), except those expressly indicated.
Zaragoza, April 14, 2023
OID: 1.3.6.1.4.1.37799.0.3.9.2.2.0
Version 2.0