
PXL Vision Trust Services Policy & Practice Statement

for PXL Vision Daego (Mob App)

  1. Introduction

1.1 Overview

1.2 Document Name and Identification

1.3 PKI

1.3.1 Trust service provider (TSP)

1.3.2 Certificate authorities (CA)

1.3.3 Registration authorities (RA)

1.3.4 Subscribers

1.3.5 Relying parties

1.3.6 Other participants

1.4 Certificate usage

1.5 Policy administration

1.5.1 Organization administration

1.5.2 Contact person

1.5.3 Person Determining CPS Suitability for the Policy

1.5.4 TSPS Approval Procedures

1.6 Definitions and Acronyms

1.6.1 Definitions

1.6.2 Acronyms

1.6.3 References

2. Publication and Repository Responsibilities

2.1 Repositories

2.2 Publication of Certificate Information

2.3 Time or Frequency of Publication

2.4 Access Controls on Repositories

3. Identification and Authentication

3.1 Naming

3.1.1 Type of Names

3.1.2 Need for Names to be Meaningful

3.1.3 Anonymity or Pseudonymity of Subscribers

3.1.4 Rules for Interpreting Various Name Forms

3.1.5 Uniqueness of Names

3.1.6 Recognition, Authentication and Role of Trademarks

3.2 Initial Identity Validation

3.2.1 Method to Prove Possession of Private Key

3.2.2 Authentication of Organization Entity

3.2.3 Authentication of Individual Identity

3.2.4 Non-verified Subscriber Information

3.2.5 Validation of Authority

3.2.6 Criteria for Interoperation

3.3 Identification and Authentication for Re-key Requests

3.4 Identification and Authentication for Revocation Requests

4. Certificate Life-Cycle Operational Requirements

5. Management, operational, and physical controls

5.1 Physical Security Controls 

5.1.1 Site Location and Construction

5.1.2 Physical Access

5.1.3 Power and Air Conditioning

5.1.4 Water Exposure

5.1.5 Fire Prevention and Protection

5.1.6 Media Storage

5.1.7 Waste Disposal

5.1.8 Off-site backup

5.2 Procedural Controls

5.2.1 Trusted Roles

5.2.2 Number of Individuals Required per Task

5.2.3 Identification and Authentication for Trusted Roles

5.2.4 Roles Requiring Separation of Duties

5.3 Personnel Security Controls

5.3.1 Qualification, Experience, and Clearance Requirements

5.3.2 Background Check Procedures

5.3.3 Training Requirements and Procedures

5.3.4 Re-Training Frequency and Requirements

5.3.5 Job Rotation Frequency and Sequence

5.3.6 Sanctions for Unauthorized Actions

5.3.7 Independent Contractor Requirements

5.3.8 Documentation Supplied to Personnel

5.4 Audit Logging Procedures

5.4.1 Types of Events Logged

5.4.2 Frequency for Processing & Archiving Audit Log

5.4.3 Retention Period for Audit Log

5.4.4 Protection of Audit Log

5.4.5 Audit Log Backup Procedures

5.4.6 Audit Collection System (Internal vs. External)

5.4.7 Notification to Event-Causing Subject

5.4.8 Vulnerability Assessments

5.5 Records Archival

5.5.1 Types of Records Archived

5.5.2 Retention Period for Archive

5.5.3 Protection of Archive

5.5.4 Archive Backup Procedures

5.5.5 Requirements for Time-Stamping of Records

5.5.6 Archive Collection System (Internal or External)

5.5.7 Procedures to Obtain and Verify Archive Information

5.6 Key Changeover

5.7 Compromise and Disaster Recovery

5.7.1 Incident and Compromise Handling Procedures

5.7.2 Recovering Procedures if Computing Resources, Software, and/or Data are Corrupted

5.7.3 Recovery Procedures after Key Compromise

5.7.4 Business Continuity Capabilities after a Disaster

5.8 Termination

5.8.1 Termination of Identification Service

6. Technical Security Controls

6.1 Key Pair Generation and Installation

6.2 Private Key Protection and Cryptographic Module Engineering Controls

6.3 Other Aspects of Key Pair Management

6.4 Activation Data

6.5 Computer Security Controls

6.5.1 Specific Computer Security Technical Requirements

6.5.2 Computer Security Rating

6.6 Life Cycle Technical Controls

6.6.1 System Development Controls

6.6.2 Security Management Controls

6.6.3 Life Cycle Security Controls

6.7 Network security controls

6.8 Time-Stamping

7. Certificate, CRL, and OCSP Profiles

8. Compliance Audit and Other Assessments

8.1 Frequency and Circumstances of Assessment

8.2 Identity/Qualifications of Assessor

8.3 Assessor's Relationship to Assessed Entity

8.4 Topics Covered by Assessment

8.5 Actions Taken as a Result of Deficiency

8.6 Communications of Results

8.7 Self-Audits

9. Other Business and Legal Matters

9.1 Fees

9.2 Financial Responsibility

9.2.1 Insurance Coverage

9.2.2 Other Assets

9.3 Confidentiality of Business Information

9.3.1 Scope of Confidential Information

9.3.2 Information Not Within the Scope of Confidential Information

9.3.3 Responsibility to Protect Confidential Information

9.4 Privacy of personal information

9.4.1 Privacy Plan

9.4.2 Information Treated as Private

9.4.3 Information not Deemed Private

9.4.4 Responsibility to Protect Private Information

9.4.5 Notice and Consent to Use Private Information

9.4.6 Disclosure Pursuant to Judicial or Administrative Process

9.4.7 Other Information Disclosure Circumstances

9.5 Intellectual Property Rights

9.6 Representations and Warranties

9.6.1 CA Representations and Warranties

9.6.2 RA Representations and Warranties

9.6.3 Subscriber Representations and Warranties

9.6.4 Relying Party Representations and Warranties

9.6.5 Representations and Warranties of Other Participants

9.7 Disclaimers of Warranties

9.8 Limitations of Liability

9.9 Indemnities

9.10 Term and Termination

9.10.1 Term

9.10.2 Termination

9.10.3 Effect of Termination and Survival

9.11 Individual notices and communications with participants

9.12 Amendments

9.12.1 Procedure for Amendment

9.12.2 Notification Mechanism and Period

9.12.3 Circumstances under Which OID Must be Changed

9.13 Dispute Resolution Provisions

9.14 Governing Law

9.15 Compliance with Applicable Law

9.16 Miscellaneous provisions

9.16.1 Entire agreement

9.16.2 Assignment

9.16.3 Severability

9.16.4 Enforcement (Attorneys' Fees and Waiver of Rights)

9.16.5 Force Majeure

9.17 Other provisions

10. Document Maintenance

11. Document history


  1. Introduction

PXL Vision is an identity service provider offering digital identity verification services in order to support PXL Vision’s customers needing reliable identification of their users.

In addition, PXL Vision enables individual users of the contracted customers in collaboration with qualified trust service providers and contract partners to electronically sign legally binding contracts using qualified electronic signatures according to the eIDAS regulation.

The identity verification services are compliant with the Regulation No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS). In particular, PXL Vision verifies the identity of natural persons in accordance with eIDAS, Article 24, paragraph 1 d) by using “other identification methods” which provide equivalent assurance in terms of reliability to physical presence.

This document is the Trust Services Policy & Practice Statement (TSPS) of PXL Vision AG. It is not a full Certification Practice Statement (CPS) according to RFC 3647 because PXL Vision only provides identity verification services and does not offer other certification services like the issuing of certificates or the provisioning of certificate validation services.

The purpose of this document is to serve as a base for compliance with eIDAS.

1.1 Overview

PXL Vision's services allow users of our customers to be reliably identified using an automated, AI-based identification method while the user is not physically present. PXL Vision delivers the results of identity verifications in electronic form to its customers and/or to certification service providers for the issuance of qualified electronic certificates. The qualified certificates may then be used to sign legally binding electronic documents, e.g., contracts.

The PXL Vision platform consists of three core frontend applications, each offering the full identity verification functionality:

  • The Web application, which is accessible via the Internet and can be used via a web browser.
  • The native iOS app for an enhanced user experience on Apple mobile devices.
  • The native Android app for an enhanced user experience on Android mobile devices.

PXL Vision services are offered to all users of our customers without discrimination. One of PXL Vision's main focuses is to provide products that can be used by any person, independent of technical capabilities, age or any other factors. Even though the value of the services provided by PXL Vision rests heavily on advanced technology, PXL Vision's goal is to make the technology and its services available and usable by every person that needs to verify their identity.

PXL Vision’s Daego (Mob App) identification services as described in this document conform to the eIDAS regulation on electronic identification and trust services. They have been assessed for compliance with the relevant requirements of eIDAS according to the standards ETSI EN 319 401, ETSI EN 319 411-1, and ETSI EN 319 411-2 and the compliance with the relevant requirements of eIDAS has been confirmed by an accredited conformity assessment body (CAB).

This TSPS applies to Identification Services for the following trust service policies:

  • EN 319411-1 LCP,
  • EN 319411-1 NCP, and
  • EN 319411-2 QCP-n

The usage of the PXL Vision services is defined by the Terms and Conditions found in PXL Vision's mobile and web app.

1.2 Document Name and Identification

Document name: PXL Vision Trust Services Policy & Practice Statement - Daego Mobile

Document owner: PXL Vision AG

Document version: v.92

Document release date: 07.04.2022

1.3 PKI

The following participants are relevant:

1.3.1 Trust service provider (TSP)

A party that provides trust services under eIDAS regulation. A TSP is a customer of PXL Vision.

1.3.2 Certificate authorities (CA)

A Certification Authority is an entity authorized to issue public key certificates. A CA is also responsible for the distribution, publication, and revocation of certificates.

PXL Vision AG does not operate a CA but offers identification services on behalf of CAs.

1.3.3 Registration authorities (RA)

A Registration Authority acts on behalf of a CA.

RAs are responsible for verifying both business information and personal data contained in a subscriber’s certificate. An RA submits certificate requests to issuing CAs, approves applications for certificates, renewal, or re-keying, and handles revocation requests.

PXL Vision does not operate an RA but offers identification services on behalf of a CA's RA.

1.3.4 Subscribers

Subscribers are the end-entities of certificates issued by a CA. Subscribers are individual persons.

PXL Vision identifies the subscribers on behalf of contracted partners or CAs.

1.3.5 Relying parties

A Relying Party or contracted partner is an individual or entity that relies on a certificate.

A Relying Party or contracted partner uses a Subscriber’s certificate to verify the integrity of a digitally signed document and to identify the signer of the document.

1.3.6 Other participants

PXL Vision's Daego Mobile application provides online identity document verification and biometric verification services for TSPs during their CA/RA activities, i.e., enrollment, renewal, and reactivation of electronic identities for digital certificates for natural persons. PXL Vision is ISO/IEC 27001:2013 certified and scoped to identity verification services.

A public cloud provider is a sub-contractor of PXL Vision and hosts the Daego Server that processes all identity document data and orchestrates any data exchanges. There is a contractual agreement between the public cloud providers and PXL Vision. The Daego service is provided as a SaaS. The organizational/contractual and technical security measures provided by the cloud providers meet the relevant requirements laid down by eIDAS and ETSI for TSPs. It is the responsibility of PXL Vision to control and monitor this process. Consequently, security requirements in terms of certifications are set for the public cloud providers (for instance an ISO/IEC 27001:2013 certification and a SOC2 report or similar).

1.4 Certificate usage

Does not apply

1.5 Policy administration

1.5.1 Organization administration

This TSPS is administered by PXL Vision AG, Mühlebachstrasse 164, CH-8008 Zürich.

1.5.2 Contact person

The contact person for the TSPS is Roxana Porada (Certifications@PXL-Vision.com).

1.5.3 Person Determining CPS Suitability for the Policy

PXL Vision’s Contact Person determines the suitability of this TSPS with the Policy.

1.5.4 TSPS Approval Procedures

This TSPS document has been prepared for compliance with the requirements of eIDAS Chapter III on identity verification for Trust Services, with RFC 3647, ETSI EN 319 401, ETSI EN 319 411-1, ETSI EN 319 411-2 and CA/B Forum Baseline Requirements.

The TSPS document is approved by PXL Vision Executive Management and published and communicated to all relevant employees and external parties upon release at the website (please, see https://www.pxl-vision.com/ for details). The Terms and Conditions are made available to all subscribers and relying parties through durable means of communication. The Terms and Conditions can be found in the app.

The TSPS and the Terms and Conditions are reviewed at regular intervals, at least once a year. Amendments to these documents must be approved by PXL Vision Executive Management before becoming effective.

Amended versions or updates of this TSPS and of the PKI Disclosure Statement (PDS) are published upon release on the same website. Substantial changes to the TSPS which might affect the acceptance of the service by the subject, subscriber or relying parties are announced on the website at least one month prior to the change becoming effective.

1.6 Definitions and Acronyms

1.6.1 Definitions

App: Application running on the user's phone

Mob App: Native mobile application, installed on the user's mobile device from the App Store or Play Store

Web App: Web application running in a web browser on the user's mobile device

ID Document: An official, government-issued identity document such as a passport, driving licence, or identity card

Biometric ID Document: ID Document that includes a biometric NFC chip as defined by the ICAO Doc 9303 specification

Security features: Specific security features present on the ID Document or passport, such as holograms, lenticulars, or other formats

User: The natural person using the identity verification services, defined as Subscriber

Document Validation: The process of extracting and verifying the information available on the identity document

Face Verification: The process of comparing the biometric features of two faces present in a picture or in a video

Liveness Check: The verification that the features presented to the biometric application are those of a living subject, and not a copy or imitation of those features

1.6.2 Acronyms

API: Application Programming Interface

BSI: Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security) in Germany

CA: Certification Authority

CP: Certificate Policy

CRL: Certificate Revocation List

DG: Data Group

DPIA: Data protection impact assessment

eID: electronic Identity

eMRTD: electronic Machine Readable Travel Document

ETSI: European Telecommunications Standards Institute

GDPR: General Data Protection Regulation

ICAO: International Civil Aviation Organization

ISMS: Information Security Management System

MRZ: Machine Readable Zone

NFC: Near Field Communication

OCR: Optical Character Recognition

PKI: Public Key Infrastructure

RA: Registration Authority

SaaS: Software as a Service

SDK: Software Development Kit

SLA: Service Level Agreement

TSA: Time-Stamping Authority

TSP: Trust Service Provider

TSPS: Trust Service Practice Statement

QTSP: Qualified Trust Service Provider

VIZ: Visual Inspection Zone

1.6.3 References

ETSI EN 319 401: Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers

ETSI EN 319 411-1: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements

ETSI EN 319 411-2: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates

eIDAS: Regulation No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

ICAO 9303: ICAO stands for International Civil Aviation Organization and is part of the United Nations.

TR-03116-4: Kryptographische Vorgaben für Projekte der Bundesregierung, Teil 4 (Cryptographic requirements for Federal Government projects, Part 4), issued 10.01.2020, BSI

2. Publication and Repository Responsibilities

2.1 Repositories

PXL Vision AG publishes this TSPS and the Data Protection Statement on its website https://www.pxl-vision.com/en/privacy-policy, where they are available 24x7. Terms and conditions for the identification service are accessible via the web and mobile app.

2.2 Publication of Certificate Information

Does not apply

2.3 Time or Frequency of Publication

This TSPS and any subsequent amendments are made immediately publicly available after approval. PXL Vision develops, implements, enforces, and annually updates this TSPS to meet the compliance standards of the documents listed in Section 1.6.3.

2.4 Access Controls on Repositories

The repository is publicly and internationally available. Read only access is unrestricted.

PXL Vision protects the integrity and authenticity of all documents in the repository. The repository is subject to access control mechanisms to protect its availability and prevent unauthorized persons from adding, deleting, or modifying information in the repository.

3. Identification and Authentication

This section describes the identification and authentication processes during initial registration and prolongation. It particularly focuses on the identity verification services provided by PXL Vision in order to enable a TSP to issue qualified certificates.

PXL Vision offers its services to the TSP based on a contractual agreement which includes, among others:

  • applicable terms and conditions, including aspects of consent for steps in the procedures,
  • legal duties and limitations in the interaction of both parties,
  • responsibilities for interaction management,
  • a service level agreement, and
  • technical aspects of the service rendered, such as the type of input and output data.

PXL Vision's identity verification steps provide an alternative to physical verification at the TSP during registration and to video verification with a human agent. The steps taken to provide this verification are listed below:

  • Document Validation
  • Face Verification
  • Liveness Check
  • Manual Verification Check (optional)

By applying these checks in the configuration applicable for each TSP, the identity verification process, as well as the authenticity of the data upon which the identity verification is based, can be ensured. The TSP integrates this process, performed via a mobile app, within its registration process.

The TSP orchestrates the user registration step, after which the TSP redirects the user to the PXL Daego application, which is responsible for starting the identification and authentication process of the subscriber.

The TSP communicates with the PXL infrastructure through a secured REST API, through which a request to start a new identification process is triggered. Depending on the TSP’s integration preferences the PXL Daego Mob App (in focus of this document) or PXL Daego Web App can be triggered as a starting point of the identification process. Both applications provide the same steps of the verification process, enforcing checks for each step that can be applied on mobile or web applications respectively.

Subsequently, the PXL Vision Daego Mob App carries out the document validation, face verification and liveness check as described in section 3.2.3. This process is generally fully automated and happens with no waiting times for the subscriber. PXL Vision can be used 24/7. The algorithms used in this process are continuously maintained and are secured against threats to their integrity and functions.

After completion of the process PXL Vision notifies the TSP of the results of the verification process. It is stressed that while PXL Vision delivers for each identity verification process an indicator for its confidence and the extracted results, the final verdict of whether an identification process was successful or not lies with the TSP.

Figure 1 depicts the data flow between the two relevant parties, the TSP and PXL Vision.

Figure 1: PXL Vision's integration with the TSP and the identity verification steps

3.1 Naming

3.1.1 Type of Names

Daego recognizes and interprets names as obtained from the legal identity documents.

3.1.2 Need for Names to be Meaningful

The names are meaningful, unambiguous, and allow the TSP to create/compile a Distinguished Name for a certificate that enables any relying party to identify the subscriber.

3.1.3 Anonymity or Pseudonymity of Subscribers

No stipulation

3.1.4 Rules for Interpreting Various Name Forms

No stipulation

3.1.5 Uniqueness of Names

No stipulation

3.1.6 Recognition, Authentication and Role of Trademarks

No stipulation

3.2 Initial Identity Validation

3.2.1 Method to Prove Possession of Private Key

Does not apply

3.2.2 Authentication of Organization Entity

Does not apply

3.2.3 Authentication of Individual Identity

The authentication of the individual identity is checked in three steps:

  • Document Validation
  • Face Verification
  • Liveness Check

The authentication of the individual identity relies on the following identification methods: personal user data extracted and validated from the MRZ/VIZ sections of the ID Document, and binding the user to the ID Document by running a Face Verification and a Liveness Check based on the face picture from the ID Document and the selfie video that the user needs to take.

DESCRIPTION OF METHOD: PXL Vision Daego (Mob App)

The subscriber is forwarded to the PXL Vision Service by the TSP through a deep link that uniquely identifies the start of the Daego Mob App process. The user is then guided through a verification process that includes various checks of the full identity data.

The Daego Mobile App follows the steps described below:

Document Validation

The document validation is the first step in the process and, as such, is also the entry point from the TSP to PXL Vision.

The subscriber’s identity is checked against an official, valid, government-issued photo ID document. International passports must fulfill the ICAO 9303 Standards. For this, the subscriber is asked to scan their ID Document. The Daego Mob App will extract and validate the information of the ID Document in real time while the user is scanning the ID document. Both MRZ as well as VIZ information are extracted and validated. Based on the detection and extraction of the ID Document, the Daego Mob App determines whether this is a biometric ID Document or not and subsequently continues to the next step to detect the NFC chip on the ID Document.

The Daego Mob App performs the NFC data extraction and validation of the ID Document. The NFC chips in ePassports and similar documents contain personal information such as name, date of birth, nationality and face image.

The main standard for these security mechanisms is the ICAO Doc 9303 specification.

The main security mechanisms applied for NFC biometric documents are: privacy, authenticity and clone detection.

  • Privacy - protect the privacy of the document holder by implementing access control and preventing eavesdropping

Privacy is very important for the passport holder, since the chip contains personal information, such as personal numbers, which could be used for identity theft. Someone has to be very close to the NFC chip to be able to read the content, but access control is needed, nevertheless.

The best known and most used access control security mechanism is Basic Access Control (BAC). The combination of document number, date of expiry and date of birth forms an access key to access the chip. The idea behind this is that it is required to first get access to the holder page of the passport to be allowed to read the identity data on the chip. Since the chip basically contains the same personal information as the holder page, there is no privacy loss when reading the chip. BAC also establishes an encrypted communication channel that prevents eavesdropping.

BAC has been replaced by PACE; many passports implement both BAC and PACE, but since 2020 there are documents that no longer support BAC. PACE is thus an important security mechanism.

Based on the MRZ data extracted during the Document Validation step, the information required to be granted access to the NFC chip can be used as the input value for starting the NFC extraction. The input data required is: Date of Birth, Date of Expiry, Document Number.

  • Authenticity – to ensure that the chip is not a forgery and that it is not manipulated

From a security perspective, this is the most important of the three security goals: to make sure that the RFID chip content is actually issued by the government and is not manipulated. The underlying method for verifying integrity is digital signatures. It does not prevent the information from being seen, nor does it ensure that the sender of the information is currently in possession of the original passport.

  • Clone detection - to detect if the chip is a copy.

Active Authentication is one mechanism which can be used. The goal of this validation is to make sure that the data is read from the originally issued document and not from a copy of it. The principle is based on asymmetric cryptography: a randomly chosen challenge is sent to the passport, which is then signed by a private key residing on the passport chip. The public key associated with this private key can then be used to check the signature. This public key is part of the chip data that is signed by the issuing country. Since the private key cannot be read (as it is private) and thus cannot be copied from the passport chip, the Daego Mob App can use the Active Authentication mechanism to ensure it is communicating with a real passport rather than a clone.

Alternatively, Chip Authentication can be used to establish secure messaging between the passport and the mobile device while also performing clone detection. The trick with Chip Authentication is that the passport does not generate a key pair, but instead always uses the same public and private keys. Like Active Authentication, the public key is stored as part of the passport data that is signed by the issuing country. After the terminal has successfully executed the Chip Authentication protocol, it is certain that the passport is not a clone, reason being that the passport is in possession of the passport’s private key, which a clone would not have.

The Daego Mob App extracts all the data of the ID Document (MRZ, VIZ, NFC where applicable) as well as the image of the ID Document captured during the scanning process. In addition, the face image captured from the ID Document and/or from the NFC chip (where applicable) is used to run the next identification steps.

The extracted data is compared and checked for inconsistencies (e.g. different names read from the MRZ and the NFC chip). In case of inconsistencies the end result of the extracted data will contain check information, which the TSP can use to decide whether to accept or revalidate the subscriber's personal information.
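As an added example (not PXL Vision's code and not text from ICAO Doc 9303), the following Python shows the two mechanics the Document Validation step above relies on: validating the ICAO 9303 check digits that protect the MRZ fields (a first line of defence against OCR misreads before any MRZ/NFC consistency check is attempted), and deriving the BAC access keys from document number, date of birth and date of expiry exactly as the "Privacy" paragraph describes. The MRZ values are the published worked example from ICAO Doc 9303 Part 11; the full TD3 second line around them is constructed here for the demonstration, and the function names are this example's own.

```python
import hashlib

# ICAO Doc 9303 check digits: characters are weighted 7, 3, 1 (repeating), summed, mod 10.
_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """Numeric value of one MRZ character: digits as-is, A..Z = 10..35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")


def mrz_check_digit(field: str) -> int:
    """Compute the ICAO 9303 check digit over an MRZ field."""
    return sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def check_digit_ok(field: str, printed: str) -> bool:
    """True when the check digit printed on the document matches the recomputed one.
    A printed '<' counts as 0 (allowed for an unused optional-data field)."""
    return mrz_check_digit(field) == (0 if printed == "<" else int(printed))


def bac_inputs_from_td3_line2(line2: str) -> dict:
    """Parse the second MRZ line of a TD3 (passport-size) document and validate the
    check digits protecting the three BAC inputs plus the composite check digit."""
    if len(line2) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    doc_number, dob, doe = line2[0:9], line2[13:19], line2[21:27]
    checks = {
        "document_number": check_digit_ok(doc_number, line2[9]),
        "date_of_birth": check_digit_ok(dob, line2[19]),
        "date_of_expiry": check_digit_ok(doe, line2[27]),
        "optional_data": check_digit_ok(line2[28:42], line2[42]),
        # Composite digit covers positions 1-10, 14-20 and 22-43 (1-based) of line 2.
        "composite": check_digit_ok(line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    return {"document_number": doc_number, "date_of_birth": dob,
            "date_of_expiry": doe, "checks": checks, "all_ok": all(checks.values())}


def bac_mrz_information(doc_number: str, dob: str, doe: str) -> str:
    """MRZ_information = DocNo||CD||DoB||CD||DoE||CD, the BAC key seed input (9303 Part 11)."""
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc_number, dob, doe))


def _odd_parity(key: bytes) -> bytes:
    """Force odd parity on every DES key byte; the least significant bit is the parity bit."""
    return bytes((b & 0xFE) | (0 if bin(b >> 1).count("1") % 2 else 1) for b in key)


def derive_bac_keys(mrz_information: str) -> tuple:
    """ICAO 9303 Part 11 key derivation: K_seed = SHA-1(MRZ_information)[:16];
    K_enc / K_mac = parity-adjusted SHA-1(K_seed || counter)[:16] with counter 1 / 2."""
    k_seed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]

    def kdf(counter: int) -> bytes:
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(h[:8]) + _odd_parity(h[8:16])

    return k_seed, kdf(1), kdf(2)


if __name__ == "__main__":
    # Constructed TD3 line 2 built around the ICAO 9303 Part 11 worked-example values
    # (document number L898902C<, born 1969-08-06, expires 1994-06-23).
    line2 = "L898902C<3UTO6908061F9406236<<<<<<<<<<<<<<02"
    parsed = bac_inputs_from_td3_line2(line2)
    print("check digits:", parsed["checks"])
    if parsed["all_ok"]:
        info = bac_mrz_information(parsed["document_number"],
                                   parsed["date_of_birth"], parsed["date_of_expiry"])
        k_seed, k_enc, k_mac = derive_bac_keys(info)
        print("MRZ_information:", info)
        print("K_seed:", k_seed.hex().upper())
        print("K_enc :", k_enc.hex().upper())
        print("K_mac :", k_mac.hex().upper())
```

BAC is shown because its key derivation is simple enough to follow end to end. PACE, which the text notes is replacing BAC, starts from the same MRZ-derived secret but runs a password-authenticated key agreement instead of using the hash directly as a 3DES key, so an implementation would swap `derive_bac_keys` for a PACE handshake while keeping the check-digit validation in front of it unchanged; a failed check digit means the OCR result should be re-captured, not fed into chip access.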

Face Verification

Once the ID Document has been verified the subscriber is asked to take a selfie video. The picture of the face captured from the ID Document or from the NFC chip (where applicable) is used to compare the user to the selfie video taken. This ensures that the person on the ID Document is the same person taking the selfie video. The assessment is done automatically by a trained AI.

Liveness Check

As a third and final step, a Liveness Check is performed to ensure that the person behind the camera is a real person. It uses the same selfie video as the Face Verification. The assessment is done automatically by a trained AI.

After the Liveness Check is performed, the full identification process is completed.

The information collected during the identification is transferred to the TSP together with the results of all the checks performed during the process. The data fields provided to the TSP are:

  • First Name, Last Name
  • Date of birth
  • Document Type
  • Document Number
  • Document Country
  • Nationality
  • Gender
  • Expiration Date
  • Other fields applicable for specific documents (e.g., the type of the permit in case of a permit, driving categories in case of driving licenses, etc.)
  • Face Image
  • Images of the ID Document
  • Selfie Video

All data transmission to / from communicating entities is fully encrypted in accordance with TR-03116-4.

Once the identification process has been completed, the TSP is automatically notified and is able to access all the identification data detected and extracted throughout the process.

The TSP is responsible at this stage for deciding whether the process can be completed and accepted automatically based on the extracted data, in which case the Daego Mob App redirects the user to a web page defined and controlled by the TSP, where the user continues the user journey.

If an automatic check of the extracted data is considered insufficient, the user is informed that the process has been completed, but that confirmation of the successful identity verification step will be communicated at a later stage (this step being entirely defined by and under the control of the TSP). For cases where identity verifications cannot be completed automatically, PXL Vision offers an additional tool (PXL Check) which allows the TSP to perform an extra validation of the full identity data. This process is performed with agents or resources on the TSP side. PXL Vision enables the TSP to be automatically notified in the backend if an identity verification transaction has been marked for manual review. The TSP therefore has the possibility to react to these transactions and check them in a separate process in the TSP's back office.

PXL Vision is responsible for managing the data flow and the status of each transaction. Once a TSP agent has reviewed the transaction manually and marked it as reviewed (accepted / rejected), PXL Vision notifies the TSP backend that the manual review of the transaction has been completed (providing the TSP all the logs and information collected through the agent's manual review), enabling the TSP to inform the user of the next steps of the process, which from this point on are the responsibility of the TSP and are not part of the scope of the process provided by PXL Vision.

3.2.4 Non-verified Subscriber Information

Does not apply

3.2.5 Validation of Authority

Does not apply

3.2.6 Criteria for Interoperation

No stipulation

3.3 Identification and Authentication for Re-key Requests

TSPs that support re-key requests may make use of the identification features described in section 3.2.

3.4 Identification and Authentication for Revocation Requests

For revocation requests the TSP may make use of the identification features described in section 3.2.


  4. Certificate Life-Cycle Operational Requirements

Does not apply


  5. Management, operational, and physical controls

PXL Vision Executive Management has approved a general information security policy document. It is published, and communicated, as applicable, to all employees, suppliers, relying parties, assessment bodies, supervisory or other regulatory bodies affected by it.

This policy is supplemented by detailed policies and procedures for personnel involved in identity verification. The information security policy contains a definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing. It contains a statement of management intent, supporting the goals and principles of information security, and explains the security policies, principles, standards, and compliance requirements of particular importance to the organization.

The information security policy lists general and specific responsibilities for information security management, including reporting security incidents, and contains references to documentation which supports the policy.

Responsibilities for the protection of individual assets and for carrying out specific security processes are clearly defined. PXL Vision Executive management ensures that there is clear direction and visible management support for security initiatives. PXL Vision’s management is responsible for maintaining the security policy and coordinates the implementation of information security measures. This includes regular reviews (at least yearly) of the information security policy and associated documents like the risk assessment, the inventory of assets, and the TSPS.

PXL Vision carries out regular risk assessments to identify, analyze, and evaluate risks related to its services taking into account business and technical issues. PXL Vision then selects appropriate risk treatment measures taking into account the results of the risk assessment.

The chosen risk treatment measures ensure that the level of security is commensurate with the degree of risk. The risk assessment is approved by PXL Vision Executive Management who accepts the residual risks identified in the risk assessment with this approval. PXL Vision's information security management system (ISMS) is ISO/IEC 27001:2013 compliant and certified. The ISMS ensures that proper security controls adequate to manage the risks are taken and the information security of PXL Vision is constantly being improved upon.

Note: The requirements from chapter 5.1 apply to PXL Vision as well as to its external service partners relevant to providing the identification services described in 3.2.3.

5.1 Physical Security Controls

PXL Vision has implemented security policies which support the security requirements of the services, processes, and procedures covered by this TSPS.

These security mechanisms are commensurate with the level of threat in the identity validation environment.

5.1.1 Site Location and Construction

All PXL Vision’s operations facilities are specifically designed for computer operations.

PXL Vision operates its platform from ISO/IEC 27001:2013-certified data centers in Switzerland and Germany. PXL Vision has an effective service provider agreement in place with the data center provider ensuring appropriate security. The data centers are equipped with logical and physical controls that make PXL Vision’s identity service operations inaccessible to non-trusted personnel.

In particular, backend operations related to identity verification are conducted within a physically protected environment that deters, prevents, and detects unauthorized use of, access to, or disclosure of sensitive information and systems. Several layers of physical security controls restrict access to the sensitive hardware and software systems used for performing operations. The systems used for identity verification services are logically separated from other systems so that only authorized employees can access them.

Relevant prevention and detection mechanisms exist to address environmental incidents, such as power loss, loss of communication, water exposure, fire and temperature changes.

5.1.2 Physical Access

PXL Vision ensures that its relevant systems, especially the relevant database servers and the systems used for the identity services, are operated with physical security mechanisms to:

  • permit no unauthorized access to the hardware;
  • store all identity validation data in encrypted form;
  • monitor for unauthorized access or intrusion at all times;
  • maintain and periodically inspect an access log.

In addition, PXL Vision ensures that physical access to its data centers, including database servers, routing and switching components, and firewalls, is sufficiently restricted. All IT components (servers, databases) required for the implementation of the PXL Vision service are in specially secured locations.

There are strict access controls in place: physical access is via a gate with a gate keeper, revolving doors, individual access cards, and logging. Only selected administrators from PXL Vision have access to the PXL Vision cabinets at the data centers. Any other person, including suppliers and support staff, must be accompanied. Every entry and exit is logged.

PXL Vision has implemented physical access controls to reduce the risk of unauthorized persons being able to access PXL Vision’s offices. Visitors to PXL Vision’s offices cannot enter those without support of authorized employees. Visitors must be accompanied by authorized employees. Within PXL Vision’s office, a clean desk policy is in place.

5.1.3 Power and Air Conditioning

The data centers used by PXL Vision have taken reasonable precautions to protect PXL Vision’s IT systems from power failures by installing and maintaining an uninterruptible power supply (UPS) as a backup power source. Air conditioning is in place, monitored and maintained on a regular basis.

5.1.4 Water Exposure

PXL Vision’s secure data centers have monitoring and alerting in place to detect water and moisture in addition to reasonable precautions to minimize the impact of water exposure. By relying on a physically separated back-up site, PXL Vision further reduces this impact.

PXL Vision has not taken extra precautions to minimize the impact of water exposure in its office, as the rooms are located on the third floor.

5.1.5 Fire Prevention and Protection

PXL Vision’s secure data centers have industry standard fire prevention, detection and fighting mechanisms. By relying on a physically separated back-up site, PXL Vision further reduces the impact of fire and smoke.

PXL Vision has not taken extra precautions to minimize the impact of fire or smoke in its office.

5.1.6 Media Storage

All sensitive media are stored digitally either in two data centers at two separate locations or - where appropriate - with public cloud service providers. The data centers are equipped with redundant servers, storage, network links and other IT components.

Media on mobile devices is stored exclusively in encrypted form. At end of life, suitable destruction is ensured.

Paper-based information is digitized and securely destroyed.

The unauthorized removal of media is prevented via a set of specified measures including general access control, clean desk and clear screen policies.

5.1.7 Waste Disposal

Adequate measures are taken to dispose of sensitive information.

5.1.8 Off-site backup

PXL Vision performs regular routine backups of critical system data, audit log data, and other sensitive information (e.g. proprietary source code and other crucial software components) to a secondary site. PXL Vision is not obliged to keep identity verification data for a long period of time because all relevant identity verification data is sent to the Qualified Trust Service Provider (QTSP) for the purpose of issuing a qualified certificate immediately after the identity data has been collected. The QTSP is then obliged to archive these data according to the regulations made in eIDAS.

5.2 Procedural Controls

5.2.1 Trusted Roles

Trusted persons include all employees that have access to the source code or administer the PXL Vision service. Special roles include:

  • Chief Technology Officer (CTO)

The PXL Vision CTO is overall responsible for the IT environment including the production environment.

  • Chief Product Officer (CPO)

The PXL Vision CPO has overall responsibility for the development process of the product, ensuring that the process is conformant with the regulations, security practices applicable for the product and ensuring that any updates to the product have undergone the corresponding acceptance process.

  • Information Security Officer

PXL Vision has appointed an Information Security Officer. His main tasks include:

  • Coordination of information security goals with the company management
  • Coordination and planning of information security in cooperation with the Information Security Team
  • Creation and maintenance of guidelines and regulations for information security in the company
  • Advising management on information security issues
  • Documentation of information security measures
  • Information security training for employees
  • Planning and design of incident management ("Incidents") and emergency precautions (incl. emergency plan/manual)

  • Data Protection Officer

PXL Vision has appointed a Data Protection Officer, whose responsibilities are governed by the applicable regulations.

  • Product Owners

PXL Vision product owners' responsibility includes ensuring that changes are made according to the definition of done, and that new versions of the software are well tested. Importantly, the product owners are authorized to approve software for production use.

  • Developers

Developers are charged with software development. In this role, developers need a broad variety of permissions and access to systems and source code within the development environment. This does not include access to customer production systems. Because malicious changes may impact the security of PXL Vision’s service, this role is regarded as a 'trusted role'.

  • System Administrators

PXL Vision has appointed system administrators with the responsibility to administer the PXL Vision systems (i.e., install, configure, maintain, and recover systems).

  • System Operators

PXL Vision has appointed system operators with the responsibility to operate and monitor the PXL Vision systems on a day-to-day basis.

  • System Auditors

PXL Vision’s System Auditor has the right and responsibility to audit the components to verify that the operation of these components complies with the rules and regulations of this TSPS. The System Auditor is authorized to view archives and/or audit logs of all the PXL Vision's trustworthy systems within the limitation of the audit scope. The System Auditor has no direct operative abilities on the production environment.

5.2.2 Number of Individuals Required per Task

PXL Vision ensures that the number of staff available for tasks is adequate to meet demand, but also adequate to ensure that all security, risk and compliance regulation requirements are met.

If a risk analysis identifies tasks as requiring dual control, then dual control is applied.

5.2.3 Identification and Authentication for Trusted Roles

Initially, the identity of all personnel in trusted roles is verified through personal, physical presence and the check of an official photo ID document.

Identity is further confirmed through the background checking procedures in section 5.3.2. The person who takes over a trusted role must agree to this before approval. Personnel have no access to the trusted functions until the necessary checks are completed.

Personnel in trusted roles are named and approved by the Executive management of PXL Vision before being permitted to access relevant systems. The principle of "least privilege" is applied when accessing systems and when configuring access privileges.

Identification and authentication during operations for each role is based on individual passwords, individual access tokens and PINs.

5.2.4 Roles Requiring Separation of Duties

A segregation of conflicting duties and areas of responsibility is implemented to reduce opportunities for modification and misuse to a minimum.

5.3 Personnel Security Controls

Note: The requirements stated in this chapter also apply to external service providers and the outsourcing partners relevant for the provisioning of PXL Vision’s identity verification services.

5.3.1 Qualification, Experience, and Clearance Requirements

All employees involved in the operation of PXL Vision’s services have appropriate knowledge and experience related to their duties. They must have demonstrated security consciousness and awareness regarding their duties and receive appropriate training in organizational policies and procedures.

Employees involved in identity verification services have signed a confidentiality (non-disclosure) agreement as part of their initial terms and conditions of employment. Managerial personnel possess professional experience with the services provided and are familiar with information security procedures for personnel with information security responsibilities.

Personnel in trusted roles are held free from conflict of interest that might prejudice the impartiality of operations.

5.3.2 Background Check Procedures

All employees of PXL Vision are thoroughly checked for their qualifications for the tasks for which they are responsible before being hired. Training and previous employment are examined on the basis of training and work certificates.

In addition, new employees undergo a criminal record check. This consists of presenting a certificate of conduct. The checks must be clear of records related to trustworthiness.

5.3.3 Training Requirements and Procedures

All personnel performing duties with respect to the operation of the PXL Vision systems and services receive comprehensive training. Training and/or rehearsals are conducted in the following areas:

  • Information Security,
  • Data Protection,
  • Incident handling and reporting,
  • Disaster recovery procedures.

PXL Vision conducts regular information security and data protection training sessions to raise awareness. The training is mandatory not only for PXL Vision's technical staff (e.g., system administrators and developers), but also for administrative staff and for the respective target groups. The courses cover all relevant topics of Information Security and Data Protection, from current threats to attacker procedures (including social engineering) to the consequences of successful attacks and methods for risk minimization.

PXL Vision maintains records of Information Security and Data Privacy training performed.

5.3.4 Re-Training Frequency and Requirements

All employees are required to attend annual data protection and information security awareness training sessions. Job specific retraining is performed to the extent and frequency required to ensure that the required level of proficiency is maintained.

5.3.5 Job Rotation Frequency and Sequence

PXL Vision does not use this method.

5.3.6 Sanctions for Unauthorized Actions

PXL Vision employees are accountable for their activities.

PXL Vision employees failing to comply with this TSPS, whether through negligence or malicious intent, are subject to internally maintained processes specifying guidance on administrative or disciplinary actions, up to and including termination of employment and legal sanctions.

5.3.7 Independent Contractor Requirements

Independent contractors who support the regular employees are required to fulfill the same requirements as regular employees.

5.3.8 Documentation Supplied to Personnel

All employees are provided with a contract of employment and a defined job role. This TSPS, applicable system operations documents, operations procedures documents, and any relevant other documents required to perform their jobs have been made available to PXL Vision employees.

5.4 Audit Logging Procedures

5.4.1 Types of Events Logged

PXL Vision keeps audit trails and system log files that document actions taken as part of the identity verification services.

All relevant events related to the services provided are logged, including changes relating to the security policy, system start-up and shutdown, system crashes and hardware failures, firewall and router activities and PKI system access attempts.

When setting up any kind of logging or monitoring activities, the security and sensitivity of the information collected is considered.

Security log entries include in particular the following elements:

  • date and time of the entry,
  • description/kind of entry.

The security logs are automatically collected. The identity verification audit logs in particular include:

  • record of identification presented,
  • identity of service requesting / providing the identity.

These audit logs are automatically created and integrity protected. They require special privileges for access.

5.4.2 Frequency for Processing & Archiving Audit Log

PXL Vision’s system and its components are continuously monitored and can provide real time alerts if unusual security and operational events occur and allow an immediate review by system security administrators.

The security logs are regularly reviewed including verification that the logs have not been tampered with and an investigation of any alerts or irregularities detected in the logs. Actions taken based on security log reviews are documented.

5.4.3 Retention Period for Audit Log

Audit logs concerning the infrastructure are stored and accessible for one year, unless required otherwise by specific legislation or TSP demands.

Audit logs concerning the identification process are stored and accessible according to the applicable contracts with the customer in compliance with Swiss data protection regulation and - if applicable - GDPR.

5.4.4 Protection of Audit Log

Procedures are implemented to protect archived data and audit data from destruction or modification prior to the end of the audit log retention period. Access to audit logs is restricted to authorized personnel.

5.4.5 Audit Log Backup Procedures

Audit logs are stored within the data centers, which provide sufficient redundancy and geographically distinct locations.

5.4.6 Audit Collection System (Internal vs. External)

Audit data is generated and recorded automatically at the network and operating system levels.

5.4.7 Notification to Event-Causing Subject

No stipulation

5.4.8 Vulnerability Assessments

Software may have errors. Some of these errors can lead to security vulnerabilities. The same applies to the security measures implemented, be they of personnel, organizational, technical, or infrastructural nature. Despite evaluation of these measures with regard to security, security gaps may arise which were not identified in the evaluation.

In order to identify such vulnerabilities, PXL Vision’s systems are assessed via internal and external vulnerability scans and penetration tests. Automated vulnerability scans are carried out on public and private IP addresses with every major release of PXL Vision’s software, at least once every three months. The scans are set up, maintained, reviewed and documented by a PXL Vision employee with the skills and proficiency to do so. Penetration tests are carried out by external contractors regularly. The contractors are chosen with the skills, tools, proficiency, code of ethics, and independence necessary to provide a reliable report.

All foreseeable internal and external threats are assessed with the risk analysis of PXL Vision at least once per year or in case of significant changes to the infrastructure or applications. For any vulnerability, given the potential impact, PXL Vision creates and implements a plan to mitigate the vulnerability. In case the identified vulnerability does not require remediation, the factual basis for this determination is documented. Any critical vulnerability not previously addressed by PXL Vision is addressed within a period of 48 hours after its discovery.

5.5 Records Archival

5.5.1 Types of Records Archived

At a minimum, PXL Vision records the following data for archival:

  • this TSPS
  • contractual obligations
  • system and equipment configuration
  • modifications and updates to systems or configurations
  • audit logs mentioned in section 5.4
  • documentation required by compliance auditors.

5.5.2 Retention Period for Archive

All records are archived in accordance with legal or regulatory requirements.

Long term archival of the evidence collected during identifications and supporting information, i.e., identification data according to the requirements of eIDAS, is the responsibility of the QTSP. In any case, in accordance with data protection regulation, all person-related data is deleted from PXL Vision’s systems after the archive period has expired.

5.5.3 Protection of Archive

PXL Vision protects the archive so that only authorized persons in trusted roles are able to access the archive. The archive is stored in a trustworthy system protecting it against unauthorized viewing, modification, deletion, or other tampering.

The media holding the archive data and the applications required to process the archived data are maintained to ensure that the archive data can be accessed for the time period defined above.

5.5.4 Archive Backup Procedures

PXL Vision performs regular database backups according to PXL Vision’s backup concept. This concept takes into account the criticality of the data and defines the minimum backup cycles and backup methods.

The backups are performed by the System Administration Team. The team lead is responsible for the correct execution of the backup.

5.5.5 Requirements for Time-Stamping of Records

No stipulation

5.5.6 Archive Collection System (Internal or External)

No stipulation

5.5.7 Procedures to Obtain and Verify Archive Information

Access to the archive is restricted to personnel in trusted roles.

5.6 Key Changeover

Does not apply

5.7 Compromise and Disaster Recovery

Information security incidents are events that lead to or have led to:

  • Unavailability of service, e.g., downtimes of the identification service
  • Integrity breaks, e.g., verification bypasses or return of invalid information
  • Loss of confidentiality, e.g., data breaches or unauthorized viewing of TSP applicant data

Such incidents will be handled and evaluated in accordance with legislation, SLAs, and internal procedures. This process is in scope of periodic internal and external audits.

Incident reporting and response procedures are employed in such a way that damage from security incidents and malfunctions is minimized. Based on a risk assessment, PXL Vision has analyzed possible scenarios and prepared appropriate countermeasures. These countermeasures, documented in a continuity plan, ensure continuity when an incident or disaster occurs. Their aim is to ensure the orderly recovery of business operations within an established timeframe, communication to subscribers and relying parties, and continuity of services for the affected subscriber while remediating the cause of the disaster.

Recovery measures are tested regularly and updated periodically. Back-up arrangements are also regularly tested to ensure that they meet the requirements of PXL Vision.

In addition, the current security situation is regularly monitored, additional risk assessments are conducted, and measures implemented as necessary.

In the event of a data breach, regulatory bodies must often be informed in a timely manner by the party responsible for the data. PXL Vision therefore informs its TSP customers of such events in a timely manner and in accordance with existing regulation.

5.7.1 Incident and Compromise Handling Procedures

Incidents or compromises are handled according to PXL Vision’s internal incident response procedure. The defined process ensures that trusted role personnel as defined in 5.2.1 follow up on alerts of potentially critical security events. It is the CTO’s responsibility to ensure that the defined process is followed, with the Information Security Officer conducting regular audits to monitor the effectiveness and appropriateness of the process and provide insights for potential improvements.

The incident procedures include procedures to notify the appropriate parties, in line with the applicable regulatory rules, of any breach of security or loss of integrity with impact on the services provided and on the personal data maintained therein, within 24 hours of the breach being identified.

Where the breach of security or loss of integrity is verified to affect natural or legal persons, PXL Vision will notify the appropriate parties without undue delay. In general, as PXL Vision operates as a data processor for TSP, PXL Vision will inform the TSP which will in turn inform the subscribers.

5.7.2 Recovering Procedures if Computing Resources, Software, and/or Data are Corrupted

In case of corruption of computer resources, software and data, PXL Vision falls back to its incident response procedure.

5.7.3 Recovery Procedures after Key Compromise

Does not apply

5.7.4 Business Continuity Capabilities after a Disaster

PXL Vision conducts regular disaster recovery and business continuity tests to ensure functionality of services in the case of a disaster.

5.8 Termination

5.8.1 Termination of Identification Service

PXL Vision has implemented a termination plan that defines which actions must be taken in case of termination of services. Among other things, the termination plan covers which entities must be informed about the termination, to whom remaining obligations will be transferred, and who will store relevant data that needs to be retained.

As relevant parties to be informed, the termination plan addresses supervisory bodies, PXL Vision customers (in particular TSPs), other partners including subcontractors, and the successor operator.

The standard contractual agreement with the TSP provides for PXL Vision to transfer all relevant data directly as part of the identification process and for the TSP to ensure the required servicing and archiving obligations are met. Consequently, a transfer of these obligations as part of the termination is not needed. Other applicable obligations will be taken over by the successor operator as defined in the termination plan.

Termination of services, and any implied costs for PXL Vision that are attached to this process, are stipulated in the individual agreement with the QTSP.


  6. Technical Security Controls

6.1 Key Pair Generation and Installation

Does not apply

6.2 Private Key Protection and Cryptographic Module Engineering Controls

Does not apply

6.3 Other Aspects of Key Pair Management

Does not apply

6.4 Activation Data

Does not apply

6.5 Computer Security Controls

6.5.1 Specific Computer Security Technical Requirements

All PXL Vision systems were designed from the outset with a view to the secure implementation of the PXL Vision service (Security by Design). These include not only the cryptographic methods used, but also the technical infrastructural, software-side and overarching elements for securing the service. Consequently, the systems storing and processing software and data are trustworthy systems protected against unauthorized access.

PXL Vision ensures that the identity verification system components are secure and correctly operated, with an acceptable risk of failure. PXL Vision has a variety of security controls in place:

  • Multi-factor authentication for systems,
  • Cryptographically secured connections,
  • Cryptographically secure audit logs,
  • Separation in development, acceptance, and production environments,
  • Network zoning, physical and logical access control, hardening of systems,
  • Risk based logging, monitoring, and alerting implemented,
  • Trusted roles assigned and training for operating these systems,
  • Security assessments, including vulnerability scanning and penetration testing.

PXL Vision’s information security policy embodies the commitment of PXL Vision to maintaining an appropriate level of information security (see also section 5). The document sets information security objectives of PXL Vision, which are further detailed and defined into measurable KPIs. The information security policy also describes how information security is organized and acts as a reference document for other, more specific policies.

PXL Vision’s IT Ops and Admin policy sets security requirements of PXL Vision’s deployments. It serves as a basis for the System Administration Team to adhere to. In the scope of this policy are all PXL Vision systems including the systems relevant for development, testing and production of the identity service in the scope of this TSPS.

Additional, detailed development instructions address the security of the software development process at PXL Vision and describe how PXL Vision employees should handle information security while developing and changing software.

Changes to the software are managed in accordance with defined change management procedures. These procedures include system testing in an isolated test environment and the requirement that changes must be approved by another developer (4-eyes principle). Each change approval or rejection is documented for further reference.

All critical software components are installed and updated from trusted sources only.

There are also internal procedures to protect the integrity of IT-infrastructure against viruses, malicious and unauthorized software. The PXL Vision policies and working instructions contain concrete information security instructions to empower all PXL Vision employees to abide by the Information Security Policy. They cover topics like office environment security, equipment security, communications security, portable media security, and credentials security.

PXL Vision has implemented security measures and enforced access control in order to avoid unauthorized access and attempts to add, delete or modify information in applications related to the services. User accounts are created for personnel in specific roles that need access to the system in question after proper training and explicit permission. Multi-factor authentication is required for getting access to critical systems. File system permissions and other features available in the operating system security model are used to prevent any other use. User accounts are removed as soon as possible when the role change dictates. Access rules are audited annually.

Furthermore, the security processes comply with the specific requirements in ETSI 319-411-1, ETSI 319-411-2 and ISO/IEC 27001:2013. PXL Vision is certified against these standards by an independent and accredited auditor.

6.5.2 Computer Security Rating

No stipulation

6.6 Life Cycle Technical Controls

PXL Vision’s software development process adheres to common practices to limit the risk of bugs and vulnerabilities. The cornerstones are:

  • Version control is applied to all code to ensure control over what code is to be released, and what is in development, and also provides an audit trail of all changes to our code;
  • Code changes have to pass several approval gates before being promoted to production environments. This includes peer reviewing, static code analysis, (unit) testing, approval testing and in some cases even approval by TSPs;
  • Static code analysis is applied to detect common vulnerabilities and deficits in code automatically;
  • All code is built and tested using a trusted build server;
  • New code is thoroughly tested using automated tests during development and manual acceptance tests before software is released to TSPs;
  • Larger features are subject to internal or external pen-tests before being declared a production feature;
  • General responsibility for a particular piece of code is always assigned.

PXL Vision regularly reviews the supported Android and iOS versions and will stop supporting individual versions when this is commercially unreasonable and/or because of security concerns and/or because of technical concerns. Typically, the support for the OS versions will closely follow the official support of the OS provider itself (e.g., the last 2 OS versions for iOS).

The TSP will be notified well in advance if the support for a specific OS version will cease, through a formal notification that will include all the updates that are planned to be included in the next release.

Unless there is an urgent technical or security reason that reasonably inhibits this, dropping support for an OS version is communicated to the TSP in advance.

TSPs also receive advance notification of application updates of environments that they use. Depending on the agreement, it is also possible for a TSP to conduct acceptance testing and fix any problems before a production environment is updated.

6.6.1 System Development Controls

PXL Vision’s development instructions provide guidelines that apply to the software development process at PXL Vision and describe how PXL Vision employees should handle information security while developing software.

The instructions cover aspects of assessing dependencies on external software libraries or applications, source code quality checks to limit the risks of vulnerabilities or other bugs in developed software, source code versioning and release procedures, approval procedures regarding software changes, and test procedures.

6.6.2 Security Management Controls

All operational systems and networks relevant to PXL Vision’s services are monitored, managed, and controlled to ensure their integrity and correct operation. PXL Vision has procedures and schedules for the systems and their maintenance. Those responsible are required to carry out regular system monitoring and checks. In addition to manual monitoring, there is also an automated process in which the relevant trusted personnel are alerted upon any activity outside the expected behavior.

6.6.3 Life Cycle Security Controls

PXL Vision policies, assets and practices for information security are reviewed periodically by their owners at least annually or in case of significant changes to ensure their continuing suitability, adequacy, and effectiveness. The configurations of the systems are regularly checked for changes that violate PXL Vision security policies. The Information Security Officer reviews changes that have an impact on the level of security provided.

PXL Vision has procedures for ensuring that security patches are applied to the identity verification system within a reasonable time period after they become available. Security patches are not applied if they introduce additional vulnerabilities or instabilities that outweigh the benefits of applying them. In these cases, the reasons for not applying security patches are documented.

PXL Vision manages an overview of information assets that are classified in terms of security levels and in a manner consistent with the risk assessment. Persons have been appointed who are responsible for keeping the information security of the most important assets up to date.

6.7 Network security controls

PXL Vision has separated its network into zones, each with a defined, homogeneous level of security and its own security controls; the strength of the measures varies across zones in accordance with the criticality of the service operated and the data handled in the respective zone.

All network zones of the PXL Vision service are administered by PXL Vision's System Administration Team via dedicated administration hosts within the PXL Vision platform. These hosts are used exclusively for administration, and connections to them are only allowed for PXL Vision administrators using PXL Vision equipment, which effectively separates the networks used for administering IT systems from the operational network.

There are firewalls in place to enforce the network security policy. Firewalls are configured such that connections are explicitly allowed or forbidden; services or connections that are not needed are deactivated and denied by default. Firewall rules are reviewed regularly.
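As an added illustration of the default-deny rule just described (this is not PXL Vision's configuration; the page does not name the firewall product in use), the following nftables ruleset assumes a host in one zone that exposes HTTPS and accepts administrative SSH only from an assumed admin network 10.0.100.0/24. The weak counterpart would be the same chains with `policy accept`, where a forgotten rule silently exposes a service; here everything not explicitly allowed is logged for the monitoring system and then dropped by the chain policy.

```nftables
#!/usr/sbin/nft -f
# Constructed example: default-deny input/forward, explicit allows only.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # anything not matched below is dropped

        iifname "lo" accept                                # loopback traffic
        ct state established,related accept               # replies to connections we initiated
        ct state invalid drop                              # malformed/unknown connection state

        # Administration: only from the assumed admin network, only SSH
        ip saddr 10.0.100.0/24 tcp dport 22 accept

        # Service port exposed by this zone
        tcp dport 443 accept

        # Everything else: rate-limited log line for the monitoring system, then the
        # chain policy drops it. The prefix is what the alerting rule matches on.
        limit rate 10/minute log prefix "nft-drop-input: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;  # this host does not route
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Loading the file with `nft -f` replaces the whole ruleset atomically, so a review of the file is a review of the effective policy, which is what makes the periodic rule review mentioned above practical.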

The availability and utilization of required services within the PXL Vision network are monitored constantly. The configurations of local network components (e.g., routers) are periodically checked for compliance with the requirements specified in this document.

Network connections on the PXL Vision service require strong authentication based on digital certificates. This includes the authentication of PXL Vision internal communication of services, external communication with contracted partners and administrator access to the log and monitoring system. PXL Vision has installed adequate protection from both inside and outside attacks (firewalls, etc.).

Logins to sensitive software generally require an additional second factor; this applies to all allowed users, not only administrators. Access to all servers is subject to authentication.

PXL Vision operates data centers in separate sites for redundancy. Communication between sites is cryptographically secured. The same holds true for all communication channels between user, contracted partner and PXL Vision, namely:

  • Communication path between user (App or web browser) and PXL Vision customer/contracted partner
  • Communication path between user (App or web browser) and PXL Vision
  • Communication path between PXL Vision and PXL Vision customer/contracted partner

All data is transmitted both encrypted and authenticated. Only TLS versions and cipher suites recommended by the BSI are used, except where a contracted partner explicitly requires otherwise.

The respective communication partners must authenticate themselves during the establishment of the TLS connection. PXL Vision and its application partners use X.509 certificates issued by trusted Certification Authorities (CA).

Communication of sensitive information, in particular personal data related to the identity services provided by the PXL Vision service, the communication between the PXL Vision backend and the app, and the identity data submitted to the CA/TSP, is always protected through encryption and authentication via mutual TLS.
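Mutual TLS as described in this section, with certificate-based authentication of both ends and a restricted set of TLS versions and cipher suites, is shown below as an added example in Go. It is not PXL Vision's code: it assumes Go's standard crypto/tls and crypto/x509 packages, a loopback listener, and a constructed private CA generated in-process (the names RunDemo, newCert, serverConfig and handshake are chosen for this example). The server pins the private CA for client certificates, refuses anything below TLS 1.2, and for TLS 1.2 offers only ECDHE/AES-GCM suites; the exact list a deployment should use comes from the BSI's TLS guideline (TR-02102-2), not from this snippet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// must unwraps (value, error); this is constructed demo code, so setup errors abort the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an ECDSA P-256 certificate: a self-signed CA when parent is nil, otherwise a leaf.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // loopback SAN for the demo server
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// serverConfig is the hardened server side: a client certificate chaining to the private CA is
// mandatory, TLS below 1.2 is refused, and for TLS 1.2 only ECDHE + AES-GCM suites are offered
// (Go fixes the TLS 1.3 suites itself; they are all AEAD).
func serverConfig(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
	}
}

// handshake runs one loopback connection and returns the server's verdict (nil = authenticated).
func handshake(srvCfg, cliCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			tc := tls.Server(conn, srvCfg)
			if err = tc.Handshake(); err == nil {
				_, err = tc.Write([]byte("ok"))
			}
			conn.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil {
		// Under TLS 1.3 a rejected client certificate reaches the client only after its own
		// handshake has finished, so a read is needed to observe the server's alert.
		_, err = conn.Read(make([]byte, 2))
		conn.Close()
	}
	if sErr := <-srvErr; sErr != nil {
		return sErr
	}
	return err
}

// RunDemo returns (acceptedWithCert, rejectedWithoutCert) for a constructed CA and two clients.
func RunDemo() (acceptedWithCert, rejectedWithoutCert bool) {
	ca, caKey := newCert("Constructed Test CA", nil, nil)
	srv, srvKey := newCert("127.0.0.1", ca, caKey)
	cli, cliKey := newCert("constructed-partner-client", ca, caKey)
	srvCfg := serverConfig(ca, srv, srvKey)
	withoutCert := &tls.Config{RootCAs: srvCfg.ClientCAs, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	withCert := withoutCert.Clone()
	withCert.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	return handshake(srvCfg, withCert) == nil, handshake(srvCfg, withoutCert) != nil
}
```

RunDemo returns true, true: the partner presenting a CA-issued certificate is accepted and the one presenting none is refused with "tls: client didn't provide a certificate". The read after Dial matters in practice: a client that treats a successful connect alone as proof that mutual authentication completed can be wrong under TLS 1.3, so application code should verify the peer state (or simply perform its first exchange) before trusting the channel.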

PXL Vision relies on external data centers and their infrastructure. The provider is responsible for the security of the data centers, i.e., it is responsible for protecting the infrastructure that runs all of the services offered, including PXL Vision's identity service. This infrastructure is composed of the hardware, software, networking, and facilities. The latter includes operating the infrastructure layer and the virtual and physical platforms. It includes the physical and logical access control to the infrastructure as well.

PXL Vision is responsible for security in its service. This mainly involves the management and configuration of the operating system (including updates and security patches), any application software or utilities installed by PXL Vision on the instances, and the configuration of the provided firewalls on each instance. Customers access the endpoints to store and retrieve data. Moreover, PXL Vision is also responsible for managing its data (including encryption options), classifying its assets, and using IAM tools to apply the appropriate permissions.

Despite these spheres of responsibility, the overall responsibility to ensure and monitor that the combined service meets all relevant (security) requirements specified by eIDAS and ETSI and that apply to the TSP lies with PXL Vision. Consequently, PXL Vision requires the data center provider to have an ISO/IEC 27001:2013 certificate and a SOC2 report or similar.

Trust Service Providers connected to the PXL Vision platform describe the relevant security measures in their Trust Service Practice Statement.

6.8 Time-Stamping

Audit logs and transactions are time-stamped based on a Reference Clock service. This Reference Clock is synchronized with UTC daily.

  7. Certificate, CRL, and OCSP Profiles

Does not apply

  8. Compliance Audit and Other Assessments

PXL Vision is subject to regular external audits. These include audits pursuant to ETSI EN 319 401, 319 411-1 and 319 411-2, which are required to prove conformity with the regulations made in eIDAS Chapter III. These audits require demonstration of a high level of security and conformity to well-recognized policies and practices. In addition, PXL Vision performs internal self-audits. Topics covered by these audits include checks of the proper implementation of applicable policies and extensive checks on the quality of identifications performed and of the evidence collected during identifications. The results of these compliance audits are documented and archived. They may be released at the discretion of PXL Vision Executive Management to compliance auditors and, if required by government authorities, for the purpose of legal proceedings.

8.1 Frequency and Circumstances of Assessment

According to eIDAS Article 20(1), compliance audits must be performed at least every 24 months. Surveillance audits are performed 12 months after each full audit.

Additional assessments are required and performed if substantial changes are made to PXL Vision’s systems, configurations, or processes that might affect the overall security of the services.

8.2 Identity/Qualifications of Assessor

The conformity assessment required by eIDAS is performed by an appropriately accredited assessment body.

8.3 Assessor's Relationship to Assessed Entity

External auditors are independent and have no business interests in PXL Vision. No external auditor has any business affiliation with PXL Vision.

8.4 Topics Covered by Assessment

The purpose of a compliance audit is to verify that PXL Vision’s service complies with the statements of this TSPS, with the eIDAS regulation, and with the requirements specified in the audit standard under consideration.

Thus, all applicable aspects of this TSPS and all the standards mentioned in this section are covered by the compliance audits. The scope of the ETSI audit includes (but is not limited to):

  • environmental controls,
  • infrastructure and administrative CA controls,
  • network controls, and
  • identity verification processes and procedures.

8.5 Actions Taken as a Result of Deficiency

If, unexpectedly, deviations are identified during the compliance audit as defined in this section, corrective actions are drafted to correct the deviations. The corrective actions are agreed upon with the external auditor.

8.6 Communications of Results

No stipulation

8.7 Self-Audits

At least once a year, PXL Vision carries out regular internal audits to continuously assess compliance with the laws, regulations, internal policies and requirements mentioned in this document.

  9. Other Business and Legal Matters

9.1 Fees

Fees for the identity verification services are subject to contractual agreements between PXL Vision and the TSP. Specific commercial agreements may vary per TSP.

PXL Vision does not charge a fee for access to this TSPS. Any use other than viewing, such as reproduction, redistribution, modification, or creating derivatives is not permitted.

9.2 Financial Responsibility

For both contractual and non-contractual users and customers the regulations of indemnification of Swiss law are binding.

PXL Vision AG undergoes regular financial assessments to verify that it has the financial stability and resources required to operate in conformity with this TSPS and the requirements of eIDAS.

9.2.1 Insurance Coverage

PXL Vision maintains a Professional Liability insurance coverage.

9.2.2 Other Assets

No stipulation.

9.3 Confidentiality of Business Information

9.3.1 Scope of Confidential Information

In the framework of the established and ISO/IEC 27001:2013-certified information security management system (ISMS), the level of confidentiality of information is determined. Three levels of confidentiality are distinguished: public, internal, and confidential.

Confidential information includes in particular any information provided by users for purposes of identity verification.

9.3.2 Information Not Within the Scope of Confidential Information

Documents and other information classified within the ISMS classification scheme as public are not considered confidential information.

9.3.3 Responsibility to Protect Confidential Information

PXL Vision, its employees and all other participants described in this TSPS have a responsibility to protect confidential information in their possession in accordance with this TSPS, with contractual agreements, and with Swiss law and applicable data protection regulations.

9.4 Privacy of personal information

Within the scope of this TSPS, PXL Vision is a data processor of personal data for the TSP, and the TSP acts as the data controller. In conformity with the GDPR, PXL Vision has performed a data protection impact assessment (DPIA) for its identity verification service. This DPIA provides an overview of the personal data being processed, identifies the risks associated with the processing of the data and describes the technical and organizational control measures implemented to mitigate the risks.

Access to the personal data of a TSP's applicants by employees of PXL Vision is constrained. Such data may be accessed only in exceptional situations.

PXL Vision has appointed a Data Protection Officer. The task of the DPO is to ensure that the organization processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules.

9.4.1 Privacy Plan

Please refer to the PXL Vision’s privacy statement available on the public website: https://www.pxl-vision.com/en/privacy-policy.

9.4.2 Information Treated as Private

Applicable data privacy law defines which information must be treated as private. Further information to be treated as private can be contractually agreed upon.

For further details, see also https://www.pxl-vision.com/en/privacy-policy.

9.4.3 Information not Deemed Private

Information included in the certificates that are issued by a CA based on identity verifications performed by PXL Vision is not considered to be private.

9.4.4 Responsibility to Protect Private Information

All employees of PXL Vision receiving private information are obliged to protect it from compromise and disclosure to third parties. All employees must adhere to applicable privacy laws.

PXL Vision ensures protection of personal information by implementing security controls as described in section 5 of this TSPS.

9.4.5 Notice and Consent to Use Private Information

Unless otherwise stated in this TSPS, PXL Vision will not use private information without the owner’s consent.

9.4.6 Disclosure Pursuant to Judicial or Administrative Process

PXL Vision will supply data for forensic purposes only when required by law enforcement or for a judicial process, following the applicable legal and administrative procedures.

9.4.7 Other Information Disclosure Circumstances

There are no other information disclosure circumstances.

9.5 Intellectual Property Rights

Any intellectual property rights associated with products and services supplied by PXL Vision, and associated materials, remain the property of PXL Vision, the licensee or supplier. All information regarding conditions pertaining to intellectual property rights can be found in the associated terms and conditions and any contractual agreements.

9.6 Representations and Warranties

PXL Vision is party to the mutual agreements and obligations between the TSP and other participants. This TSPS forms an integral part of these agreements.

The interworking between PXL Vision and the TSP focuses on the identification and registration processes that the TSP has to perform during a certificate application by an end-user. It is emphasized that it is up to the TSP to interpret the verification output of PXL Vision’s service and decide what to do with it in the course of the application process. More specifically:

  • The TSP shall decide if it will accept the CA signer certificate used for signing the data read from the chip and verified by Daego Mob App;
  • The TSP shall decide what to do in the situation that identity document verification (i.e., clone detection) was not successful or not possible to execute (not all identity documents support clone detection).

9.6.1 CA Representations and Warranties

Does not apply

9.6.2 RA Representations and Warranties

Towards the specific RA part of the TSP, PXL Vision warrants to:

  • provide its services consistent with the requirements and the procedures defined in the contract between PXL Vision and the RA, in this TSPS and in the service-based Policies and Practice Statements, in particular to forward complete, accurate, and verified data about subjects for further processing;
  • provide its employees with the training necessary for the supply of a high-quality service;
  • without undue delay after having become aware of it, notify the RA of any breach of security or loss of integrity that has a significant impact on the Trust Service provided or on the personal data maintained therein.

9.6.3 Subscriber Representations and Warranties

Users warrant that all representations made towards PXL Vision on its website and on its platform are true.

Towards a subscriber PXL Vision warrants to:

  • supply true and adequate information in the application for the services; in the event of a change in the data submitted, the subscriber shall provide the correct data in accordance with the rules established in the service-based policies and practice statements;
  • raise awareness of the fact that PXL Vision may refuse to provide the service if the subscriber has intentionally presented false, incorrect or incomplete information in the application for the service;
  • raise awareness concerning statements and service terms and conditions;
  • strive to optimize the subscriber's experience of its services in terms of usability, intuitiveness, and accessibility as much as possible;
  • do its best to provide its services in a way suitable for subscribers with disabilities.

9.6.4 Relying Party Representations and Warranties

Does not apply

9.6.5 Representations and Warranties of Other Participants

No stipulation

9.7 Disclaimers of Warranties

No limitations of warranties apply other than those mentioned in section 9.6.

9.8 Limitations of Liability

No limitations of liability apply other than those mentioned in section 9.2 or contractually specified.

9.9 Indemnities

The regulations of indemnification of Swiss law are binding.

Indemnification by Subscribers

To the extent permitted by applicable law, users and CAs issuing qualified certificates based on the identity service performed by PXL Vision may be required to indemnify PXL Vision for:

  • submitting false facts or misrepresenting facts on the user’s identity,
  • failure to disclose a material fact on the identity verification with intent to deceive any party,
  • failure to protect the user’s private data, use of an untrusted system, or to otherwise take the precautions necessary to prevent the compromise, loss, disclosure, modification, or unauthorized use of the user’s private data.

9.10 Term and Termination

9.10.1 Term

The TSPS is effective upon publication on PXL Vision’s website. Amendments to this TSPS become effective upon publication.

9.10.2 Termination

By publishing a new version of the TSPS, the previous version of the TSPS is terminated.

9.10.3 Effect of Termination and Survival

Although this TSPS may eventually no longer be in effect, the following obligations and limitations of this TSPS shall survive:

  • section 9.2 (Financial Responsibility),
  • section 9.3 (Confidentiality of Business Information), and
  • section 9.6 (Representations and Warranties).

9.11 Individual notices and communications with participants

PXL Vision does not provide notifications to participants; this will always be done by the TSP.

9.12 Amendments

9.12.1 Procedure for Amendment

Amendments to this TSPS may be made by PXL Vision’s Executive Management. Amendments shall either be in the form of a document containing an amended form of the TSPS or an update. Amended versions or updates shall be published in the repository.

9.12.2 Notification Mechanism and Period

No stipulation

9.12.3 Circumstances under Which OID Must be Changed

Does not apply

9.13 Dispute Resolution Provisions

For disputes with end-users and relying parties the dispute resolution procedures of the issuing QTSPs apply.

All disputes between PXL Vision and another party are initially settled by negotiations. If the parties fail to reach an amicable agreement, the dispute will be resolved at the court of the location of PXL Vision or its contractor.

Other parties will be informed of any claim or complaint no later than 30 calendar days after the detection of the basis of the claim, unless otherwise provided by law. Complaints regarding PXL Vision’s services can be submitted to: Support@PXL-Vision.com.

9.14 Governing Law

PXL Vision, situated in Switzerland, is subject to national Swiss Laws for the provision of services and products.

9.15 Compliance with Applicable Law

PXL Vision’s solution provides identity verification services to the Trust Service Provider (TSP) as defined in EU Regulation 910/2014, also known as eIDAS. This requires PXL Vision to be compliant with the applicable requirements of the following standards, requirements, and regulations:

  • ISO/IEC 27001:2013 Information Security Management System (ISMS)
  • ETSI EN 319 401 General Policy Requirements for Trust Service Providers
  • ETSI EN 319 411-1 Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates – Part 1: General requirements
  • ETSI EN 319 411-2 Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates – Part 2: Requirements for trust service providers issuing EU qualified certificates
  • eIDAS Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
  • Underlying eIDAS implementing acts such as CIR 2015/1502 on assurance levels for electronic identification solutions.
  • GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • CA/Browser Forum Baseline Requirements
  • CA/Browser Forum Network and Certificate System Security Requirements

9.16 Miscellaneous provisions

9.16.1 Entire agreement

No stipulation

9.16.2 Assignment

No stipulation

9.16.3 Severability

If parts of any of the provisions in this TSPS are incorrect or invalid, this shall not affect the validity of the remaining provisions until the TSPS is updated. The process for updating this TSPS is described in section 9.12.

9.16.4 Enforcement (Attorneys' Fees and Waiver of Rights)

No stipulation

9.16.5 Force Majeure

PXL Vision shall not be responsible for any breach of warranty, delay, or failure in performance under this TSPS that results from events beyond its control, such as strikes, acts of war, riots, epidemics, power outages, fire, earthquakes, and other disasters.

9.17 Other provisions

No stipulation

  10. Document Maintenance

Document Name: PXL Vision Trust Services Policy & Practice Statement - Daego Mobile

Language: English

Classification: Public

Author: Roxana Porada

Contact: Roxana Porada

Date of entry into force:

Last review: 07.04.2022

Next review: 07.04.2023

  11. Document history

Version   Date         Comment
v.87      10.12.2021   Initial release
v.88      19.01.2022   Incorporation of external feedback
v.91      01.03.2022   Ready for Doc Review
v.92      07.04.2022   Inclusion of Auditor Feedback Stage 1