Product conditions registration and use of trust services
Version 1.0.1
21-08-2023
Table of Contents
- 1. Preface and general definitions
- 2. Costs related to using the service
- 3. What should you expect from us as a User?
- 4. What do We expect from you as a User?
- 5. Quitting the use of Vidua?
- 6. Modification of product conditions
1. Preface and general definitions
These are the Product conditions for Registration and use of Vidua qualified trust services. Vidua is a brand name and trademark owned by Cleverbase ID B.V. Cleverbase ID B.V. (hereinafter: Vidua or We) is an ETSI/eIDAS accredited Qualified Trust Service Provider under supervision of the Radiocommunications Agency. We are established at Maanweg 174, 2516 AB The Hague end registered at the Chamber of Commerce (Kamer van Koophandel) under number 67419925. Vidua also is the brand under which We deliver our services to you as a user.
Because Vidua provides multiple services, we have divided our Conditions per service. This way we keep them concise. These Product conditions are effective from the moment you register for a qualified certificate. They apply to:
- Registration for and holding of qualified certificates.
- The use of trust services using a qualified certificate. Currently these are qualified electronic signing and identification.
1.1 Which definitions do We use in this document?
Terms as defined in the General Terms and Conditions are also used here. In addition, we use the following definitions:
Certificate: an electronic document that connects data for verifying an electronic signature to a particular person and confirms that person’s identity. In the context of Vidua, every certificate is also a qualified certificate.
Certificate Holder: an entity which will be identified in a certificate if the holder ‘s identity is confirmed by Vidua. The Certificate Holder will be a natural person, if the Certificates are personalised.
Qualified certificate: a certificate that complies with the highest trust norms as stated in the EU eIDAS regulation.
Qualified trust service: electronic service for qualified electronic signing or identification in conformance with the highest trust norms as stated in the EU eIDAS regulation.
EU trusted list: a EU Member State list including information related to the qualified trust service providers for which it is responsible, together with information related to the qualified trust services provided by them.
Certificate Revocation List (CRL): a publicly available list containing all certificates that have been issued by Cleverbase that are now no longer valid due to revocation or expiration.
1.2 Hierarchy of documentation
This document is written with due care. However, in case of disputes between documentation, the following hierarchy exists:
- The certification practice statement
- PKI disclosure statement
- The terms & conditions in Dutch
- The terms & conditions in English
- The product conditions in Dutch
- The product conditions in English
- Other public outings by Cleverbase
2. Costs related to using the service
There are no costs related to registering for and holding a certificate for Users, nor for using trust services.
3. What should you expect from us as a User?
You can expect several things from us related to, the issuance and management of Certificates and the availability of our trust services.
3.1 Certificates
Vidua uses Certificates for creating electronic signatures and login. For each person, Vidua creates one or more Certificates. The Dutch government and the European Union impose strict rules on the issuance of Certificates. This entails obligations both for us as Vidua and for you as a user. Vidua complies with the obligations it has imposed on itself in its internal procedures. It also undertakes this towards its Users and the parties who rely on the certificates issued and managed by Vidua. Vidua has been certified against the standards imposed on her by PKIoverheid.
Vidua’s internal procedures are laid down in its Certification Practice Statement (CPS). Vidua may change the Certification Practice Statement or the procedures included therein, but it will ensure that these procedures continue to meet the requirements that apply from PKIoverheid.
For the purpose of the certificates, Vidua archives the log files and other registration data relating to a specific Certificate during the validity period of that Certificate. After that period of validity, Vidua will keep the log files of that Certificate for another seven years.
For the provision of certification services, Vidua conforms to ETSI 319 411-1, 319 411-2 and the Programma van Eisen PKIoverheid. This has been determined by an external auditor, in accordance with the certification scheme ETSI 319 403-1.
3.2 Availability of services
The certificate status information will never be unavailable for more than four hours in a row. The certificate status information will also be available after the expiration of the certificate validity period for a period that is consistent with the laws and regulations governing Certificates. Vidua has a termination plan to meet this obligation.
4. What do We expect from you as a User?
4.1 Correct and complete information
Upon request by Vidua, the Certificate Holder will provide all the information necessary to execute the certificate service. The Certificate Holder will provide documented evidence in support of this information within fourteen days.
If any information in the certificate is incorrect or is no longer correct because of a change, the Certificate Holder shall immediately inform Vidua of this situation.
4.2 Continuity of use
After expiration of the validity of the certificate, the certificate can no longer be used. As Certificate Holder, you are responsible for the timely renewal of Certificates. As a Certificate Holder cannot derive any rights from an internal policy, Vidua will inform the Certificate Holder about the expiration of the certificate at the end of the validity period.
You are also responsible for emergency replacement if the key material is compromised or some other calamity occurs.
4.3 Revocation and correct use
The User prevents improper use of the Certificate. A Certificate is issued for a predetermined purpose, namely Authentication or Signing. As a User, you may therefore not use the Certificate for any purpose other than that for which the Certificate was issued.
The User ensures that no unauthorized or unlawful use is made of the services or certificates. In any case, she ensures that no action is taken in violation of the law or regulations, that no criminal offenses are committed or assisted in doing so, and that no damage is caused to Vidua, its reputation or integrity. This entails that the User takes reasonable measures to:
- ensure the confidentiality of the PIN, including at least:
- preventing someone else from viewing the entry of the PIN code,
- not writing down the PIN code
- and not providing the PIN code to another person;
- ensure confidentiality of the use of the Vidua app.
You, as the Certificate Holder, will cease the use of the certificate and withdraw it as soon as possible if:
- the key material has possibly been compromised,
- the PIN code may have been compromised,
- you no longer have access to the key material yourself (for example: you lost your cell phone,
- the information in the certificate is not or no longer correct, or
- there is any other reason that justifies a revocation of the certificate.
After a new registration, use of services can be resumed.
4.4 Other rules regarding the services and Certificates
A certificate is not designated as an identity document in the Dutch Compulsory Identification Act (Wid). Therefore, it can not be used to identify persons in cases where the law requires that the identity of the person in question is known and is established by means of a document designated in the Compulsory Identification Act (Wet op de identificatieplicht). Perhaps superfluously, it follows that a certificate may not be used in the provision of government services where the law requires the identity of persons with a document designated in the Dutch Compulsory Identification Act.
4.5 Relying party
The relying party is the recipient of the message that is provided with the certificate. He is expected to check the validity of Certificates used. If the relying party requests the status of a certificate, then it will have to verify the electronic signature and the associated certification path. For this check, he can request the crl of Vidua (trademark of Cleverbase) on https://pki.cleverbase.com/cleverbase3c.crl or perform an OCSP status check. See paragraph 4.10 of the Certification Practice Statement for a further explanation of retrieving the certificate status. In addition to this, the relying party should know that, for a certificate to be relied upon as an EU qualified certificate, the CA/trust anchor for the validation of the certificate shall be as identified in a service digital identifier of an EU trusted list entry with the service type identifier https://uri.etsi.org/TrstSvc/Svctype/CA/QC/. ETSI TS 119 615 provides guidance for relying parties on how to validate a certificate against the EU trusted lists.
Furthermore, it is recommended that the relying party is aware of the limitations of the use of the certificate, as can be derived from the certificate itself and from the Terms and Conditions.
5. Quitting the use of Vidua?
You may decide to no longer be a User of these services. The services you are using from Vidua and for which you have entered into a subscription agreement with us can be terminated. You must submit your termination to us by email or in writing.
5.1 Termination by Vidua
If a certificate is revoked by Vidua or by PKIoverheid, then your subscription agreement as a User with Vidua will continue to exist. Vidua retains the right to terminate your use of services for reasons mentioned in paragraph 7.2 of the terms and conditions.
6. Modification of product conditions
Vidua may be required to change its services or parts of its services due to new laws or regulations. If Vidua has to make this change to its services or other significant changes to its general terms and conditions, We will inform you as a User in advance via the website www.vidua.nl. These changes will then apply with effect from 30 calendar days after Vidua has informed you.
Vidua also reserves the right to make changes or adjustments to the Product Conditions. If We decide to make such significant changes or additions, We will inform you as User in advance via the website www.vidua.nl. This amendment will then apply with effect from 30 calendar days after notification to you as a User, for all the current subscription agreements and for all the services still purchased by you.
When it occurs that certain conditions or agreements in these Product conditions are not valid or can be destroyed, then that does not affect the validity of the other conditions and agreements described here. For the condition or agreement that is then no longer valid, Vidua shall have the right to propose a new condition and agreement that comes as close as possible to the content and purport of the previous agreement.
Deviation from these Product conditions is only possible if Vidua confirms this in writing in advance. What is then agreed upon in writing between Vidua and the User, and deviates from what has been determined here, will prevail. The rest of the terms and conditions that are not deviated, will continue to exist and be valid.