OrPhEUS Privacy Policy and Description

Description of the service

The service OrPhEUS, or OIDC ProvidEr featUre Support portal, is a service providing comparisons of different OpenID Connect providers and their functionality. It can also be used to perform certain OIDC flows with said providers and display the underlying result. The service is operated by the Karlsruhe Institute of Technology (KIT).

What personal data is processed and why

At the moment, there are two scenarios supported by OrPhEUS, depending on whether the user must log into the OIDC provider or not.

In the first use case, when OrPhEUS is used to compare different OpenID Connect providers without actually logging into any of the OIDC providers, no personal information is processed, other than the network data, such as IP addresses (see also below).

In the second use case, the user will log into the OIDC provider. In this instance, upon the user's authorization (i.e. the user agrees to release the information from the OIDC provider to OrPhEUS), OrPhEUS will receive and process personal information. This information varies depending on the provider. In general, the provider should display to the user the information released to OrPhEUS. In some instances, if the provider supports it, this information may be edited by the user. Information released by the OIDC provider may include:

  • First name
  • Last name
  • Email address
  • Subject identifier

This data is necessary in order for the user to compare the information released from different OIDC providers.

Usage of the OrPhEUS service (i.e. access and executed actions) generates logs, which are retained. These records contain:

  • The network (IP) address from which you access OrPhEUS
  • Time and date of access
  • Details of actions you perform

This data is necessary to ensure that the OrPhEUS service is reliable and secure, and is used to assist in the analysis of reported problems and in responding to security incidents.

The legal basis for processing of personal data is legitimate interest, Article 6.1(f), GDPR.

Disclosure of personal data

The collected personal data is only accessible to the authorised personnel of Karlsruhe Institute of Technology (KIT), and then only for reasons outlined above. Personal data is not regularly disclosed to third parties.

How to access, rectify, and delete personal data

For the data retained and processed by OrPhEUS, you may use service manager contacts (provided below) to access or rectify information. To rectify the data released by an OpenID provider, contact the providers' operators.

Data protection code of conduct

Personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect the users' privacy.

How long your personal data will be retained

Personal data released by an OpenID provider will be deleted after 5 minutes, or on request. The user can share information with others for a limited amount of time; in this case the data will be stored as long as the user requests. Records of your use of OrPhEUS, collected for reasons outlined above, will be deleted, at the latest, 24 months after the user's last use of the service.

Contact information

Service Operator: m-contact@lists.kit.edu
Service Operator Privacy: m-privacy@lists.kit.edu