LandSense Authorization Server - Privacy Statement
Name of the serviceLandSense Authorization Server - as.landsense.eu, in the following referred to the "Service".
Simplified Overall Description of the Service
The Service does not have user accounts. It collects user data (personal information based on user authentication) from a trusted Identity Provider where the user has an account at upon the user's consent. A list of such operators (the "Identity Providers") is available here. The user is enabled to determine the scope of such personal data that is to be collected (such determined data in the following referred to as the "Data"). The Service is to make such Data available to the operators of applications and services registered with the LandSense Engagement Platform (the "Operators"). A list of such operators is available at "Operators".
The Operators are contractually bound to only use the Data for the Purpose and/or the Determined Use determined below. Any further use of the Data requires a separate consent of the user. Further, Operators are contractually bound to comply with General Data Protection Regulation ("GDPR") standards or even higher standards also in case the Operators have their seats outside of the EU or EEA.
Please note that the above is a simplified explanation only. Below please find a more detailed description, including in particular explanations in regard to the Purpose and the Determined Use, the implemented security measures and the duration of storage.
Description of the Service
This Service controls the provision of the Data to Operators based on OpenID Connect scopes that were used when the application or service was registered with this Service. It is not possible that an Operator can obtain more Data than authorized to the Operator based on the scope(s). Which scopes exist and which user attributes are linked with a scope are defined by the OpenID specification.
In order to provide the Data to the registered Operators, this Service must first collect the Data from the Identity Provider used for login. Each Identity Provider must get user consent to release any personal information to this Service. By using this Service, you agree that the collected information is processed for the purpose of making it available to the registered Operators upon request.
Any registered Operator requires a valid access token to obtain Data. Each access token has a validity period that limits the time where it can be used to fetch Data. This Service allows you to see the amount of Data that is collected for the current lifetime of an access token.
This Service does not collect any more personal information as received from an Identity Provider as previously authorized by the user at login with the Identity Provider.
Controller of the personal data file and a contact personSecure Dimensions GmbH
Waxensteinstr. 28, 81377 Munich, Germany
Tel. +49 89 38151813
support <at> secure-dimensions.de
JurisdictionGermany - Bavaria (DE-BY)
Collected DataThe Data is collected from the Identity Provider used for login. The amount of Data available depends on the approval of the user at login with the Identity Provider. Only this information is the superset that can be made available to registered Operators.
Processed DataThe Data, collected from an Identity Provider is temporarily stored for the Purpose to make it available to registered Operators upon request. The Data is not processed for any other Purpose.
The Purpose of the processing of the Data
The Purpose of this Service is to fulfil the objective of brokering Data to Operators’ registered applications and services by presenting a valid access token. It is a technical requirement that the brokered information is stored for the validity of the access token. The lifetime of an access token begins when the user starting the registered application or service and ends after a predefined time. The lifetime ends before the expiration time with the user’s logoff.
A description of the Data being processedThe Data that can be requested by registered Operators is controlled via the concept of scopes. Please consult the OpenID specification for further information.
Scope openid (default)For this scope, this service provides a user cryptonym to registered applications and services. A cryptonym is only generated if a subject identifier was received from the asserting Identity Provider.
Scope profileAccording to the OpenID Connect specification, the following Data is linked with this scope:
name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at
Scope emailAccording to the OpenID Connect specification, the following Data is linked with this scope:
Email (mail), email_verified (was the email verified by the Identity Management at the Identity Provider)
Scope landsenseThis scope is project specific and contains the following Data:
idp_country (the country code of the Identity Provider), idp_name (the common name of the Identity Provider), idp_origin (either eduGain for any Identity Provider connected via eduGAIN, social for the Facebook and Google Identity Providers, landsense for any Identity Provider operated by a LandSense project partner)
Retention of the DataThe Data is stored for the duration of the lifetime of active sessions determined by the lifetime of access tokens.
Principles of protecting personal dataThis Service enforces all communication to be HTTP over TLS (HTTPS). For the storage of the Data at this Service, standard security procedures to ensure a secure data storage are applied.
Regular disclose of the Data to third partiesThis service provides the personal Data as OpenID Connect User Claims to registered Operators using a valid access token. The amount of Data depends on the scopes bound to the access token.
Operators are contractually bound to comply with GDPR standards or even higher standards also in case the Operators have their seats outside of the EU or EEA.
In case an Operator is seated outside of the EU or EEA, the Service will point this out to the user explicitly in the course of the user’s registration with such Operator’s application or service.