docs(legal): adds legal section (#1742)

* initial structure

* change structure

* change structure

* example values

* remove unneeded package lock

* remove unneeded files, append Load Testing

* docs(legal): adds legal section

* adds infobox for DE

* adds draft privacy policy

* updates reviewed privacy policy

* fixes table

* adds DPA

* removes edit link

* starts TOS

* replaces ASCII chars with utf8

* fix: dpa, sla update from review

* apply review of privacy policy

* further changes from review

* updates TOS

* update sidebar

* updates rate limit policy

* changes to intro

* updates intros w link to agreement

* Check files with MD Lint

* Apply suggestions from code review

Co-authored-by: Florian Forster <florian@caos.ch>

* apply review privacy policy

Co-authored-by: Florian Forster <florian@caos.ch>

* changes effective dates

Co-authored-by: Florian Forster <florian@caos.ch>
mffap 2021-06-15 11:18:41 +02:00 committed by GitHub
parent 465081ee6d
commit ef9d6fe812
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 1051 additions and 3 deletions

@ -0,0 +1,14 @@
---
title: Login Rate Limits
---
:::caution
This is subject to change
:::
## accounts.zitadel.ch
| Path | Description | Effective Limit |
|---------------------|----------------------------------------|---------------------------|
| /* | Global Login, Register and Reset Limit | 100 request per 1 minute |
| /oauth/v2/authorize | Authorize endpoint | 10 request per 10 seconds |
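Review bot: the Effective Limit column mixes singular and plural ("100 request per 1 minute", "10 request per 10 seconds"); use "requests" throughout. The page also does not say how the limit is keyed or what a blocked client sees; the Rate Limit Policy in this same change describes an IP-oriented model and an HTTP 429 response, so link to it from here, since a reader landing on this table from the sidebar otherwise cannot tell what counts as one client. State explicitly whether the `/*` row and the `/oauth/v2/authorize` row are counted cumulatively, because `/*` already matches the authorize path.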

@ -0,0 +1,26 @@
---
title: API Endpoint Rate Limits
---
:::caution
This is subject to change
:::
## api.zitadel.ch
| Path | Description | Effective Limit |
|-----------------------------------------------------|--------------------------|----------------------------|
| /oauth/v2/* | Sum of all OAuth request | 1000 request per 1 min |
| /oauth/v2/token | | 100 request per 10 seconds |
| /oauth/v2/introspect | | 100 request per 10 seconds |
| /oauth/v2/userinfo | | 100 request per 10 seconds |
| /auth/v1/* | | 100 request per 10 seconds |
| /caos.zitadel.auth.api.v1.AuthService/* | | 100 request per 10 seconds |
| /management/v1/* | | 250 request per 1 min |
| /caos.zitadel.management.api.v1.ManagementService/* | | 250 request per 1 min |
## issuer.zitadel.ch
| Path | Description | Effective Limit |
|------|-----------------------------------------|----------------|
| /* | Sum of all request to the issuer domain | none |
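Review bot: the Description column is empty for seven of the nine rows in the api.zitadel.ch table, so the gRPC paths (`/caos.zitadel.auth.api.v1.AuthService/*`, `/caos.zitadel.management.api.v1.ManagementService/*`) are never explained as what they appear to be, the gRPC counterparts of the `/auth/v1/*` and `/management/v1/*` rows; fill the descriptions in and say whether REST and gRPC calls to the same service share one counter or are limited separately. The units are inconsistent ("1000 request per 1 min" next to "100 request per 10 seconds"); write "requests per minute" / "requests per 10 seconds" consistently and match the wording of the accounts page. For the issuer.zitadel.ch row, "none" should say whether the DDoS mitigation service mentioned in the Rate Limit Policy still applies to that domain, so that "none" is not read as unlimited.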

@ -0,0 +1,31 @@
---
title: Acceptable Use Policy
custom_edit_url: null
---
## Introduction
This policy is an annex to the [Terms of Service](terms-of-service) and clarifies your obligations while using our Services.
## Use
You will ensure that the use of our Subscription Services and Website by yourself, your customers, or third parties comply with all applicable legislation.
You may not:
1. Use Subscription Services or Website for phishing, social engineering, or committing fraud or any other illegal, malicious or fraudulent activity
2. Attempt to interfere with the functionality or proper working of the Subscription Services or Website
3. Upload any materials to the Subscription Services or Website in violation of any third-party privacy or data protection rights, to store and transmit any kind of malware
4. Attempt to probe, scan, penetrate or test the vulnerability of our Subscription Services, Website, systems, or network or try to circumvent our authentication. Any penetration testing must not be conducted without prior written consent by CAOS.
5. Use any organization or domain name that includes or is confusingly similar with trademarks, or any third parties. CAOS may determine any violation at its sole discretion
6. Collecting any information about our Customers, our Customers users, or our users without the consent of the person identified. This includes phishing, social engineering, scamming, spidering or harvesting information from any Subscription Service or Website
## Fair Use Principle
The “fair use” principle applies to the use of our services. We optimize our infrastructure in such a way that sufficient capacity is available to you even during short-term increased demand (“peaks”) and implement mitigation measures such as our [Rate Limit Policy](rate-limit-policy). You are nonetheless required to adhere to reasonable use of our resources in order to avoid negatively affecting the services for other customers.
You agree that we may delete any data on our systems or networks, if CAOS believes that this data may corrupt our systems, interfere or may compromise other customers' data.
## Violations of this policy
We may suspend or terminate your usage of our Services for any violation of this Acceptable Use Policy. You will not be entitled to any Financial Credit or compensation for any interruptions caused by violation of this policy.
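Review bot: list item 6 breaks the "You may not:" construction ("Collecting any information" should be "Collect any information"), "Customers users" needs an apostrophe ("Customers' users"), and "comply" in the first sentence under Use should be "complies" (its subject is "the use"). Item 5 reads incomplete: "confusingly similar with trademarks, or any third parties" does not say whose trademarks are meant. Item 4 requires prior written consent from CAOS for any penetration testing, while the DPA's security annex in this same change lists "Responsible Disclosure and Bug Bounty policies"; link or name those here so a researcher can tell what activity is authorized and where to report findings. The links `terms-of-service` and `rate-limit-policy` are extensionless whereas the DPA links `privacy-policy.md`; pick one convention across the section.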

@ -0,0 +1,228 @@
---
title: Data Processing Agreement
custom_edit_url: null
---
## Background
Within the scope of the [**Framework Agreement**](terms-of-service), the **Processor** (CAOS Ltd.) processes **Personal Data** on behalf of the **Customer** (Responsible Party), collectively the **"Parties"**.
This Annex to the Agreement governs the Parties' data protection obligations in addition to the provisions of the Agreement.
## Subject matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects
This annex reflects the commitment of both parties to abide by the applicable data protection laws for the processing of Personal Data for the purpose of Processor's execution of the Framework Agreement.
The duration of the Processing shall correspond to the duration of the Agreement, unless otherwise provided for in this Annex or unless individual provisions obviously result in obligations going beyond this.
In particular, the following Personal Data are part of the processing:
<table>
<tr>
<th>Type of personal data</th>
<th>Examples</th>
<th>Affected data subjects</th>
</tr>
<tr>
<td><strong>Basic data</strong></td>
<td>
<ul>
<li>Surname and first name</li>
<li>Email addresses</li>
<li>User name</li>
<li>Language</li>
</ul>
</td>
<td>All users</td>
</tr>
<tr>
<td><strong>Login data</strong></td>
<td>
<ul>
<li>Randomly generated ID</li>
<li>Password</li>
<li>Public keys / certificates ("FIDO2", "U2F", "x509", ...)</li>
<li>User names or identifiers of external login providers</li>
<li>Phone number(s)</li>
</ul>
</td>
<td>
<p>All users</p>
<p>Password: Users who use authentication methods with password.</p>
<p>Public Keys: Users who use an authentication procedure with cryptographic keys.</p>
<p> External login provider identifiers: Users who use an external login provider.</p>
<p>Phone number: Users who use authentication methods with SMS</p>
</td>
</tr>
<tr>
<td><strong>Profile data</strong></td>
<td>
<ul>
<li>Profile pictures</li>
<li>Gender</li>
<li>Birthday</li>
<li>Language</li>
<li>Address(es)</li>
<li>Phone number(s)</li>
</ul>
</td>
<td>Users who voluntarily add profile data</td>
</tr>
<tr>
<td><strong>Communication data</strong></td>
<td>
<ul>
<li>Emails</li>
<li>Chats</li>
<li>Call metadata</li>
</ul>
</td>
<td>Customers and users who communicate with us directly (e.g. support)</td>
</tr>
<tr>
<td><strong>Payment data</strong></td>
<td>
<ul>
<li>Billing address</li>
<li>Customer number</li>
<li>Customer history</li>
<li>Credit rating information</li>
</ul>
</td>
<td>
<p>Customers who use services that require payment</p>
<p>Credit rating information: Only customers who pay by invoice</p>
</td>
</tr>
<tr>
<td><strong>Usage meta data</strong></td>
<td>
<ul>
<li>User agent</li>
<li>IP addresses</li>
<li>Operating system</li>
<li>Time and date</li>
<li>URL</li>
<li>Referrer URL</li>
<li>Accept Language</li>
</ul>
</td>
<td>All users</td>
</tr>
</table>
## Scope and responsibility
Under this Agreement, the Processor shall process Personal Data on behalf of the Customer.
This Annex applies to all processing of Customer's data (including data of the users of Customer's organization) with reference to persons ("**Personal Data**") which is related to the Agreement and which is carried out by the Processor, its employees or agents.
The Customer shall be responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Processor as well as for the lawfulness of the data processing.
The Processor is responsible for taking appropriate technical and organizational protection measures so that its processing complies with the legal requirements and ensures the protection of the rights of the Data Subjects.
## Obligations of the processor
### Bound by directions
The Processor processes personal data in accordance with its privacy policy (cf. [Privacy Policy](privacy-policy.md)) and on the documented directions of the Customer. The initial direction result from the Agreement. Subsequent instructions shall be given either in writing, whereby e-mail shall suffice, or orally with immediate written confirmation.
If the Processor is of the opinion that a direction of the Customer violates the Agreement, the GDPR or other data protection provisions of the EU, EU Member States or Switzerland, it shall inform the Customer thereof and shall be entitled to suspend the Processing until the instruction is withdrawn or confirmed.
### Obligation of the processing persons to confidentiality
The Processor shall ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality.
### Technical and organizational measures
The Processor has taken appropriate technical and organizational security measures, maintains them for the duration of the Processing and updates them on an ongoing basis in accordance with the current state of technology.
The technical and organizational security measures are described in more detail in the [annex](#annex-regarding-security-measures) to this appendix.
### Involvement of subcontracted processors
A current and complete list of involved and approved sub-processors can be found at [https://zitadel.ch/trust/](https://zitadel.ch/trust/).
The Processor is entitled to involve additional sub-processors. In this case, the Processor shall inform the Responsible Party about any intended change regarding sub-processors and update the list at <https://zitadel.ch/trust>. The Customer has the right to object to such changes. If the Parties are unable to reach a mutual agreement within 90 days of receipt of the objection by the Processor, the Customer may terminate the Agreement extraordinarily.
The Processor obligates itself to impose on all sub-processors, by means of a contract (or in another appropriate manner), the same data protection obligations as are imposed on it by this Annex. In particular, sufficient guarantees shall be provided that the appropriate technical and organizational measures are implemented in such a way that the processing by the sub-processor is carried out in accordance with the legal requirements. If the sub-processor fails to comply with its data protection obligations, the processor shall be liable to the customer for this as for its own conduct.
### Assistance in responding to requests
The Processor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests to exercise the data subject's rights. The parties shall agree separately on the compensation of the Processor for this.
### Further support for the customer
The Processor shall, taking into account the nature of the processing and the information available to it, assist the Customer in complying with its obligations in connection with the security of the processing, any notifications of personal data breaches, and any data protection impact assessments.
### Deletion or destruction after termination
Upon Customer's request, the Processor shall delete personal data received after the end of the agreement, unless there is a legal obligation for the Processor to store or further process such data.
### Information and control rights of the customer
The Processor shall provide the Customer with all information necessary to demonstrate compliance with the obligations set forth in this annex. It shall enable and contribute to audits, including inspections, carried out by the Customer or an auditor appointed by the Customer.
The procedure to be followed in the event of directions that are presumed to be unlawful is governed by the section [Bound by directions](#bound-by-directions) of this Appendix.
## Annex regarding security measures
The Processor has taken the following organizational and technical security measures to ensure a level of protection of the Personal Data processed that is appropriate to the risk:
### Pseudonymization / Encryption
The following measures for pseudonymization and encryption exist:
1. All communication is encrypted with TLS &gt;1.2 with PFS
2. Critical data is exclusively stored in encrypted form
3. Storage media that store customer data are always encrypted
4. Passwords are irreversibly stored with a hash function (bcrypt)
5. Data for web analytics are pseudonymized and do not contain any personal data
### Ensuring certain properties of the systems and services
#### Confidentiality
The following confidentiality measures exist:
1. Implementation of information security policies
2. Implementation of secure authentication policies
#### Integrity
The following integrity measures exist:
1. Code and container images are automatically checked for vulnerabilities
2. An automated system is used to keep dependencies up to date
3. Secrets are automatically rotated whenever possible and are short-lived (for example, signing keys)
4. Changes to code or infrastructure require mandatory review by at least one other employee
#### Availability
The following measures of availability exist:
1. Operation of the systems in combination with a CDN/DDoS mitigation service
2. High availability operation
3. Geo-redundant operation over at least two data centers
#### Load capacity
The following measures of availability exist:
1. Automatic scaling of resources
2. Monitoring, logging, tracing and alerting
#### Restoring availability and access
The following measures exist to restore availability and access:
1. Implementation of a backup concept
2. Emergency plan
3. Testing of the emergency plan
#### Regular review, assessment and evaluation of effectiveness
The following measures exist for regular review, assessment and evaluation of effectiveness:
1. At least annual audit and evaluation of processes within the framework of an information security management system
2. Responsible Disclosure and Bug Bounty policies
3. External audit of system security ("penetration testing")
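Review bot: under "Pseudonymization / Encryption", item 1 reads "TLS &gt;1.2 with PFS": the HTML entity should be a plain ">" in markdown, and ">1.2" literally excludes TLS 1.2 itself, so state whether the minimum accepted version is 1.2 or 1.3. The "Load capacity" subsection reuses the lead sentence of the Availability subsection ("The following measures of availability exist:"); change it to "measures for load capacity". In "Bound by directions", "The initial direction result from the Agreement" should read "The initial directions result from the Agreement", and the link `privacy-policy.md` should follow the extensionless style used by the other pages. The sub-processor section gives the trust page as `https://zitadel.ch/trust/` in one paragraph and `<https://zitadel.ch/trust>` in the next; use one form. The personal-data table is duplicated verbatim in the Privacy Policy; keep it in one place and link to it so the two lists cannot drift apart. Capitalization of defined terms is inconsistent ("the processor shall be liable to the customer" vs. "Processor"/"Customer" elsewhere).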

@ -0,0 +1,6 @@
---
title: Overview
---
This section contains important agreements, policies and appendices relevant for users of our websites and services.
All documents will be provided in English language.
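Review bot: "All documents will be provided in English language" should read "in English". This page also lacks the `custom_edit_url: null` front matter line that the policy pages in this change carry, so the edit link the commit removes elsewhere will still render here; add it if that is unintended.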

@ -0,0 +1,280 @@
---
title: Privacy Policy
custom_edit_url: null
---
## Introduction
This privacy policy applies to CAOS Ltd., the websites it operates (including caos.ch and zitadel.ch) and the services and products it provides (including ZITADEL). This privacy policy describes how we process personal data for the provision of this websites and our products.
If any inconsistencies arise between this Privacy Policy and the otherwise applicable contractual terms, framework agreement, or general terms of service, the provisions of this Privacy Policy shall prevail. This privacy policy covers both existing personal data and personal data collected from you in the future.
The responsible party for the data processing described in this privacy policy is:
CAOS AG
Teufener Strasse 19
9000 St. Gallen
SWITZERLAND
Contact for questions and issues regarding data protection is:
CAOS AG
Data Protection Officer
Teufener Strasse 19
9000 St. Gallen
SWITZERLAND
Phone: 043 215 27 44
E-mail: legal@caos.ch
## General notes
Based on Article 13 of the Swiss Federal Constitution and the data protection provisions of the Swiss Confederation (Data Protection Act, DSG), every person has the right to protection of their privacy as well as protection against misuse of their personal data. The operators of these websites and services take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations as well as this data protection declaration.
In cooperation with our suppliers, we make every effort to protect the databases and any of our users data as well as possible against unauthorized access, loss, misuse or falsification. We point out that data transmission over the internet in general may result in security risks. A complete protection of the data against access by third parties is not possible.
This website uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://".
## Processing of personal data, legal basis, storage period
**Personal data** is any information that relates to an identified or identifiable person. A **data subject** is a person about whom personal data is processed. Processing includes any handling of personal data, regardless of the means and procedures used, in particular the storage, disclosure, acquisition, deletion, storage, modification, destruction and use of personal data.
We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO :
- Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) DSGVO serves as the legal basis.
- When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b DSGVO serves as the legal basis.
- To the extent that processing of personal data is necessary to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
- For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
- If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.
We will retain personal data for the period of time necessary for the particular purpose for which it was collected.
Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
### Processing of personal data when using the website, contact forms and in connection with newsletters
Our websites can generally be visited without registration. Each time one of our website is requested, data such as content of the requested page, name of the requested file, IP address, date and time are automatically stored in log files on the server.
This data is processed to enable correct delivery and functioning of the website. In addition, we use the data to optimize the website and to ensure the security of our systems.
Personal data, in particular name, address or e-mail address are collected as far as possible on a voluntary basis, for example when you contact us via a contact form or by e-mail. Without your consent, the data will not be passed on to third parties, unless shown in this privacy policy.
If you send us inquiries via contact form, your data from the form, including any data you provided, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent, except insofar as this is shown in this privacy policy.
If you would like to receive newsletters offered on our websites, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data will not be collected. We use this data exclusively for sending the requested information and do not pass it on to third parties, except as described in this privacy policy.
You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "unsubscribe link" in the newsletter.
### Processing of personal data in connection with the use of our products
The use of our services is generally only possible with registration. During registration and in the course of using the services, we collect and process various personal data.
In particular, the following personal data are part of the processing:
<table>
<tr>
<th>Type of personal data</th>
<th>Examples</th>
<th>Affected data subjects</th>
</tr>
<tr>
<td><strong>Basic data</strong></td>
<td>
<ul>
<li>Surname and first name</li>
<li>Email addresses</li>
<li>User name</li>
<li>Language</li>
</ul>
</td>
<td>All users</td>
</tr>
<tr>
<td><strong>Login data</strong></td>
<td>
<ul>
<li>Randomly generated ID</li>
<li>Password</li>
<li>Public keys / certificates ("FIDO2", "U2F", "x509", ...)</li>
<li>User names or identifiers of external login providers</li>
<li>Phone number(s)</li>
</ul>
</td>
<td>
<p>All users</p>
<p>Password: Users who use authentication methods with password.</p>
<p>Public Keys: Users who use an authentication procedure with cryptographic keys.</p>
<p> External login provider identifiers: Users who use an external login provider.</p>
<p>Phone number: Users who use authentication methods with SMS</p>
</td>
</tr>
<tr>
<td><strong>Profile data</strong></td>
<td>
<ul>
<li>Profile pictures</li>
<li>Gender</li>
<li>Birthday</li>
<li>Language</li>
<li>Address(es)</li>
<li>Phone number(s)</li>
</ul>
</td>
<td>Users who voluntarily add profile data</td>
</tr>
<tr>
<td><strong>Communication data</strong></td>
<td>
<ul>
<li>Emails</li>
<li>Chats</li>
<li>Call metadata</li>
</ul>
</td>
<td>Customers and users who communicate with us directly (e.g. support)</td>
</tr>
<tr>
<td><strong>Payment data</strong></td>
<td>
<ul>
<li>Billing address</li>
<li>Customer number</li>
<li>Customer history</li>
<li>Credit rating information</li>
</ul>
</td>
<td>
<p>Customers who use services that require payment</p>
<p>Credit rating information: Only customers who pay by invoice</p>
</td>
</tr>
<tr>
<td><strong>Usage meta data</strong></td>
<td>
<ul>
<li>User agent</li>
<li>IP addresses</li>
<li>Operating system</li>
<li>Time and date</li>
<li>URL</li>
<li>Referrer URL</li>
<li>Accept Language</li>
</ul>
</td>
<td>All users</td>
</tr>
</table>
Unless otherwise mentioned, the nature and purpose of the processing is as follows:
The data is uploaded by customers in our services or collected by us based on requests from users. The personal data is processed by us exclusively for the provision of the requested services or the use of the agreed services.
The fulfillment of the contract includes in particular, but is not limited to, the processing of personal data for the purpose of:
- Authentication and authorization of users
- Storage and processing of user actions in the audit trail
- Processing of personal data and login information
- Verification of communication means
- Communication regarding service interruptions or service changes
## Disclosure to third parties
We use third-party services to provide the website and our offers. An up-to-date list of all the providers we use and their areas of activity can be found on our "[Trust Page](https://zitadel.ch/trust)".
This website uses external payment service providers through whose platforms users and we can make payment transactions. For example via
- Stripe (<https://stripe.com/ch/privacy>)
- Bexio AG (<https://www.bexio.com/de-CH/datenschutz>)
As an alternative, we offer customers the option to pay by invoice instead of using external payment providers. However, this may require a positive credit check in advance.
The data processed by the payment service providers includes personal data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, totals and recipient-related information. The information is necessary to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. We as the operator do not receive any information about (bank) account or credit card, but only information to confirm (accept) or reject the payment. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies. The purpose of this transmission is to check the identity and creditworthiness of the payment service provider. In this regard, we refer to the terms and conditions and data protection information of the payment service providers.
For payment transactions, the terms and conditions and the data protection notices of the respective payment service providers apply, which can be accessed within the respective website or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information and other rights concerned.
We disclose personal information to law enforcement agencies, investigative authorities or in legal proceedings to the extent we are required to do so by law or when necessary to protect our rights or the rights of users.
We also share data with third parties in aggregate form and/or in a form that does not allow the recipient to identify the data subject from that data third parties, for example for analytics.
## Cookies
Our websites use cookies. These are small text files that make it possible to store specific information related to the user on the user's terminal device while the user is using the website. Cookies enable us, in particular, to offer a single sign-on procedure, to control the performance of our services, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when the user visits the site again.
In particular, we use the following cookies to provide our services:
### Cloudflare
\_\_cfuid
\_\_cflb
\_\_cf\_bm
For further reference see Cloudflare's [privacy policy](https://www.cloudflare.com/privacypolicy/) or their article [Understanding the Cloudflare Cookies](https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies).
### ZITADEL
\_\_useragent
\_\_csrf
Cookies are only used for technical purposes to enable the functionality and efficient use of our website and our offers, such as:
- Session management
- Single Sign On
- Rate Limiting
- DDoS Mitigation
If you do not want us to use cookies during your visit, you can disable their use in your browser settings. In this case, certain parts of our website (e.g. language selection) may not function or may not function fully.
## Rights of data subjects
### Right to information
Any person affected by the processing has the right to obtain information from the responsible data processor at any time about the personal data stored about him or her.
### Right to rectification
Every person affected by the processing has the right to demand the correction of inaccurate personal data concerning him or her. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.
### Right to erasure (right to be forgotten)
Any person affected by the processing has the right, in certain cases, to request from the responsible data processor to delete the personal data concerning him or her.
### Right to restrict processing
Every person affected by the processing has the right in certain cases to request from the responsible data processor to restrict the processing.
### Right to data portability
Every person affected by the processing has the right to receive the personal data concerning him or her in a structured, common and machine-readable format. He or she also has the right to have this data transferred to another data processor if the legal requirements are met.
### Right to object
Every person affected by the processing has the right to object to the processing of personal data concerning him or her, insofar as we base the processing of his or her personal data on a balancing of interests. This is the case if the processing is not necessary, for example, to fulfill a contract or a legal obligation.
To exercise such an objection, the data subject must explain his or her reasons why we should not process his or her personal data as we have done. We will then review the situation and either stop or adjust the data processing or show the data subject our reasons for continuing the processing.
### Right to revoke consent under data protection law
Insofar as our processing is based on consent, the data subject has the right to revoke this consent at any time with effect for the future.
### Assertion of rights by the data subjects
If you wish to exercise your rights, you may do so by contacting the above-mentioned contact person.
A data subject also has the right to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch). The competent data protection authorities of EU countries can be viewed at this link: [https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index\_en.htm](https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm)
## Note on data transfer abroad
Our websites and services make use of tools from companies based in countries outside of Switzerland or the EU/EEA, namely those based in the USA. When these tools are active, your personal data may be transferred to the servers of the respective companies abroad. We would like to point out that some of these countries, namely the USA, are not a safe third country in the sense of Swiss and EU data protection law. In these cases, we only transfer personal data after we have implemented the legally required measures for this, such as concluding standard contractual clauses on data protection or obtaining the consent of the data subjects. If interested, the documentation on these measures can be obtained from the contact person mentioned above.
We actively try to minimize the use of tools from companies located in countries without equivalent data protection, however, due to the lack of alternatives, this is currently not always feasible without major inconvenience. If you have any concerns, please contact us directly and we will try to find a mutual solution for your needs.
## Changes
We may amend this privacy policy at any time without prior notice. Always the current version published on our website applies to users and customers of our website and services. Insofar as the data protection declaration is part of an agreement with you, we will inform you of the change by e-mail or other suitable means in the event of an update.
## Questions about data processing by us
If you have any questions about our data processing, please email us or contact the person in our organization listed at the beginning of this privacy statement directly.
## Entry into force
This privacy policy is valid from 16.06.2021
St. Gallen, 16.06.2021
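Review bot: in the "Changes" paragraph, "Always the current version published on our website applies to users and customers" reads awkwardly; suggest "The version currently published on our website always applies to users and customers of our website and services." The closing line "This privacy policy is valid from 16.06.2021" is missing its period. The EU authority link in "Assertion of rights by the data subjects" points at the Article 29 Working Party structure page; that body has since been replaced by the European Data Protection Board, so verify the link still resolves or point to the EDPB members list instead.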

View File

@ -0,0 +1,37 @@
---
title: Rate Limit Policy
custom_edit_url: null
---
## Introduction
This policy is an annex to the [Terms of Service](terms-of-service) and clarifies your obligations while using our Services, specifically how we will use rate limiting to enforce certain aspects of our [Acceptable Use Policy](acceptable-use-policy).
## Why do we rate limit
To ensure the availability of our Services and to avoid slow or failed requests by our Customers, due to overloads, we impose rate limits on certain API. These limits helps us guarantee the performance and availability of ZITADEL Cloud.
## How is the rate limit implemented
ZITADEL Clouds rate limit is built around a `IP` oriented model. Please be aware that we also utilize a service for DDoS mitigation.
So if you simply change your `IP` address and run the same request again and again you might be get blocked at some point.
If you are blocked you will receive a `http status 429`.
:::tip
You should consider to implement [exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff) into your application to prevent a blocking loop.
:::
## What rate limits do apply
### Login, Register, Reset Limits
For the rate limits of the Login, Register and Reset features please visit [Login Rate Limits](/docs/apis/ratelimits/accounts)
### API Rate Limits
For our API rate limits please check the [API Endpoint Rate Limits](/docs/apis/ratelimits/api)
## Load Testing
If you would like to conduct load testing of ZITADEL Cloud or a managed instance, you MUST request to do so with a minimum of 2 weeks notice before the test by contacting us at support@zitadel.ch.
You MUST NOT conduct load testing without prior approval by us. Without prior approval and setup there is a high risk of being flagged by our DDoS solution as malicious traffic. This can have a severe impact on your service quality or result in termination of your agreement.
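Review bot: "ZITADEL Clouds rate limit is built around a `IP` oriented model" in "How is the rate limit implemented" should read "ZITADEL Cloud's rate limit is built around an IP-oriented model", and neither `IP` nor `http status 429` needs code formatting; "you might be get blocked" should be "you might get blocked". In "Why do we rate limit", "on certain API" should be "on certain APIs" and "These limits helps us" should be "These limits help us". Since the tip asks clients to implement exponential backoff, the line about the 429 status would be more actionable if it stated whether the response carries a Retry-After header clients can honour.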

View File

@ -0,0 +1,83 @@
---
title: Service Level
custom_edit_url: null
---
## Introduction
This annex of the [Framework Agreement](terms-of-service) describes the service levels offered by us for our Services (ZITADEL Cloud).
## Definitions
**Monthly Uptime Percentage** means total number of minutes in a month, minus the number of minutes of Downtime suffered from all Downtime Periods in a month, divided by the total number of minutes in a month.
**Downtime Period** means a period of one or more consecutive minutes of Downtime. Partial minutes or intermittent Downtime for a period of less than one minute will not count towards any Downtime Period.
**Downtime** means any period of time in which Core Services are not Available within the Region of the customers organization. Downtime excludes any time in which ZITADEL Cloud is not Available because of
- Announced maintenance work
- Emergency maintenance
- Force majeure events.
**Available** means that Core Services of ZITADEL Cloud respond to Customer Requests in such a way that results in a Successful Minute. The Availability of Core Services will be monitored from CAOS facilities from black-box monitoring jobs.
**Successful Minute** means a minute in which ZITADEL cloud is not repeatedly returning Failed Customer Requests and includes minutes in which no Customer Request were made.
**Customer Requests** means a HTTP request made by a Customer or a Customers users to Core Services within the Customers organizations region.
**Successful Minute** means a minute in which ZITADEL Cloud is not repeatedly returning Failed Customer Requests and includes minutes in which no Customer Requests were made.
Failed Customer Request means Customer Requests that
- Returns an server error; or
- is received by ZITADEL Cloud and results in no response where one is expected
This excludes specifically:
- Failed Customer Requests due to malformed requests, client-side application errors outside of ZITADEL Clouds control
- Customer Requests that do not reach ZITADEL Cloud Core Services
**Core Services** means the following ZITADEL Cloud Services and APIs:
- **Authentication API** Endpoints
- **OpenID Connect 1.0 / OAuth 2.0 API** Endpoints
- **Login Service** means the graphical user interface of ZITADEL Cloud for users to Login, Self-Register, and conduct a Password Reset.
- **Identity Brokering Service** means the component of ZITADEL Cloud that handles federated authentication of users with third-party identity provider, excluding any failure or misconfiguration by the third-party
**Financial Credit** means the percent of the monthly subscription fee applicable to the month in which the guaranteed service level was not met, according to the actual achieved monthly uptime percentage, as shown in the following table
Achieved vs. Guaranteed| 99.50% | 99.90% | 99.95%
--- | --- | --- | ---
99.5% - < 99.9% | n/a | n/a | 10%
99.0% - < 99.5% | n/a | 10% | 25%
95.0% - < 99.0% | 10% | 25% | 50%
< 95.0% | 50% | 50% | 50%
## Service Levels
### Availability Objective
1. During the term of the subscription agreement under which CAOS has agreed to provide ZITADEL Cloud to Customer, the Core Services will provide a Monthly Uptime Percentage to Customer conditional on the subscription plan as follows (the “SLO”):
Subscription plan | Monthly Uptime Percentage
--- | ---
FREE | Not applicable
OUTPOST | 99.50%
STARBASE | 99.90%
FORTRESS | 99.95%
2. If CAOS Ltd. does not meet the guaranteed service level, Customer might be eligible to receive Financial Credit as described in this document. Financial Credit shall be the sole and exclusive remedy for breach of this SLA.
3. The Customer must request Financial Credit and must notify CAOS Support in writing within 30 days of becoming eligible for Financial Credit and must prove Failed Customer Requests during Downtime Periods. Financial Credit will be made in the form of a monetary credit applied to the next possible subscription invoice of ZITADEL Cloud, may only be used to book services in the future, and will in no case be paid as a cash equivalent. No further guarantees are provided.
4. The Service Level commitments apply only to organizations with a subscription plan where a Service Level is applicable and does not include any other organizations of the same customer. The Customer is not entitled to any Financial Credit, if it is in breach of the Agreement at the time of the occurrence of the event giving rise to the credit.
### Quality of Service Objective
1. During the term of the subscription agreement under which CAOS has agreed to provide ZITADEL Cloud to Customer, the Customer Requests will be prioritized according to the the Quality of Service Level included in the respective Subscription Plan
Subscription plan | Quality of Service Level | Request Priority
--- | --- | ---
FREE | high | When ZITADEL Cloud receives concurrent requests, it will try to process these requests first, and with higher priority over other requests
OUTPOST | medium | Give way to requests with priority high
STARBASE | low | Give way to requests with priority high or medium
FORTRESS | best effort | No priority for requests
2. The Service Level commitments apply only to organizations with a subscription plan where a Service Level is applicable and does not include any other organizations of the same customer. Customers are not entitled to Financial Credit or further reimbursement.
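Review bot: the Quality of Service table looks inverted: FREE is assigned "high" request priority and FORTRESS "best effort", the opposite of the availability table in the same annex where FORTRESS carries the strongest guarantee; check whether the plan column was reversed. The Financial Credit table is also worth a second look: in the 99.90% column the band "99.5% - < 99.9%" is "n/a", and in the 99.50% column "99.0% - < 99.5%" is "n/a", so a plan that misses its own guarantee by less than half a percent receives no credit while a 99.95% plan does; confirm that is intended or shift the credits up one band. In "Definitions", **Successful Minute** is defined twice (once with "ZITADEL cloud", once with "ZITADEL Cloud"); drop one. "Failed Customer Request" is the only term not in bold, "Returns an server error" should be "Returns a server error", and "according to the the Quality of Service Level" has a doubled "the" and no closing period.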

View File

@ -0,0 +1,106 @@
---
title: Support Services
custom_edit_url: null
---
## Introduction
This annex of the [Framework Agreement](terms-of-service) describes the support services offered by us for our Services (ZITADEL Cloud).
Support Services for products and services provided by CAOS is offered to customers according to the terms and conditions outlined in this document. The customer may purchase support services from CAOS Ltd. directly.
## Support Services
**Business hours** means 08:00-17:00 Monday - Friday Switzerland time (or as per agreement with the customer). All times exclude public holidays in Switzerland / Canton St. Gallen.
**Ticket** means a discrete technical or non-technical issue that was submitted by the customer and exists in the support portal. A ticket includes a record of all communication associated with the issue.
### Description of Services
Customers in ZITADEL Cloud FREE plan or using the Open Source Version of ZITADEL are excluded from the support plans. For ZITADEL Enterprise and ZITADEL Enterprise Cloud please refer to the relevant documents. Support features for ZITADEL Cloud Subscription plans are as follows:
Subscription Plans | FREE | OUTPOST | STARBASE | FORTRESS
--- | --- | --- | --- | ---
Support hours | not applicable | Mo-Fr, <br/> business hours | Mo-Fr, <br/> business hours | Mo-Fr, <br/> business hours
Response Time <br/> (Severity 1) | n/a | Best effort | 4 business hours | 1 business hour
eMail Support | n/a | yes | yes | yes
Chat Support | n/a | no | yes | yes
Phone Support | n/a | no | yes | yes
Technical Account Manager | n/a | n/a | n/a | n/a
### SLO - Initial response time
CAOS service level objective (SLO) for Support Services is defined in terms of initial response time to a support request, as outlined in the table below per plan. CAOS will use reasonable efforts to resolve support requests, but does not guarantee a work-around, resolution or resolution time.
Subscription Plans | FREE | OUTPOST | STARBASE | FORTRESS
--- | --- | --- | --- | ---
Severity 1| not applicable | not applicable | 4 business hours | 1 business hours
Severity 2| not applicable | not applicable | 12 business hours | 2 business hours
Severity 3| not applicable | not applicable | 24 business hours | 12 business hours
Severity 4| not applicable | not applicable | 48 business hours | 24 business hours
### Communication
- Support is available in Swiss-German, German, and English
- Default contact: Whenever customers require support, Customers should consult the documentation of ZITADEL or post a question to our community.
- When Customer is eligible for support services through a Subscription Plan, Customer may contact CAOS support via the following channels
Support Feature | Contact information
--- | ---
eMail Support | support@zitadel.ch
Chat Support | Private chat channel between CAOS and Customer that is opened when Subscription becomes active
Phone Support | +41 43 215 27 34
- ZITADEL Cloud system status, incidents and maintenance windows will be communicated via https://status.zitadel.ch
- Questions regarding pricing, billing, and invoicing of our services should be addressed to billing@caos.ch.
- Security related questions and incidents can also be directly addressed to security@caos.ch.
### Technical account manager
CAOS will enhance its support offering by providing eligible clients with a Technical Account Manager (TAM), who will perform the following tasks for up to the specified amount of time per week during the term of service:
- Provide support and advice regarding best practices on platform, product and configuration covered by the applicable Support Services;
- Participate in review calls every other week at mutually agreed times addressing customers operational issues.
*We currently offer TAM services only in the Enterprise plans. If you require consulting for your projects, please request a quote via hi@zitadel.ch*
## Support
### Support request
CAOS agrees to handle support incidents in the following scenarios:
1. ZITADEL Cloud software or configuration as provided by CAOS contains errors or critical security-related issues
2. ZITADEL Cloud requires upgrades or changes through the customer
3. ZITADEL Cloud have incorrect or missing documentation
Support features include:
- Answer questions regarding usage of specific features or configurations of ZITADEL Cloud
- Provide high-level suggestions regarding appropriate usage, features or configurations of ZITADEL Cloud functionality and configuration
- Assist in troubleshooting of issues to isolate potential root cause
- Document and advise alternative solutions for reported defects
Excluded are broader consulting & customer-specific engineering requests regarding use of ZITADEL Cloud. Moreover first level support requests by Customers end users must be handled by the Customer directly.
### Support service process
The customer may submit support requests (“ticket”) through any means of eligible communication channels, consisting of
- Single discrete problem, issue, or request
- Initial severity level and impact statement for assessment
- Description of the issue and if possible a description of the observed and expected behavior, steps to reproduce the issue, evidence that issue is not caused by connectivity / compute, relevant anonymized log-files etc.
- All information requested by CAOS as we resolve the ticket (e.g. system logs)
CAOS will review the case information and determine the severity level (see below), working with the customer to assess the urgency of the request and use reasonable efforts to respond to support requests within the initial response time
CAOS will use reasonable efforts to resolve support request as defined below, but does not guarantee a workaround, resolution or resolution time
Severity Level | Description
--- | ---
**Severity 1**<br/> Critical / Service down| <p>Widespread failure or complete unavailability of CAOS Core Services. </p><p> CAOS will use continuous effort to provide a workaround or permanent solution. When Core Services are available, the severity will be lowered to the new appropriate level.</p>
**Severity 2**<br/> Core functionality unavailable or severely degraded| <p>Core Services of CAOS software continue to operate in severely restricted fashion, yet long-term productivity may be impacted.</p><p> When Core Services are no longer severely degraded (eg, through a viable workaround or release), the severity level will be lowered to Severity 3.</p>
**Severity 3**<br/>Standard support request| <p>Partial and non-critical loss of CAOS software functionality or major software defect, yet a workaround exists for viable long-term operation.</p><p>CAOS will continue to work on developing permanent resolution.</p>
**Severity 4**<br/>Non-urgent request| <p>Defined as follows: <ul><li>Request for information or general query</li><li>Feature request</li><li>Performance issues and little to none functional impact</li><li>Defects with workarounds and little to low functional impact</li></ul></p>
<p>CAOS will continue to work on developing permanent resolution and response to general requests. CAOS does not provide a timeline or guarantee to include any feature requests.</p>
### Escalation
The customer may escalate support requests following the escalation process:
1. For non-urgent needs, the client may request management escalation within the ticket. A manager will review the request and provide a response within one business day.
2. For urgent needs, the client may escalate directly by calling +41 43 456 84 69 and emailing to hi@caos.ch
### Termination
If the customer decides to terminate, or downgrade the subscription, the customer may continue to use the software products, but the support level will be adjusted according to the new ZITADEL Cloud Subscription Plan. CAOS does not provide support on per-issue-basis.
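Review bot: the Severity 4 row of the severity table is broken: the second `<p>CAOS will continue to work on developing permanent resolution...</p>` sits on its own line after the table, so Markdown renders it as a stray paragraph below the table rather than inside the cell; move it onto the same line as the row, and note that `<ul>` nested inside `<p>` is invalid HTML that MDX will warn about. The support features table says OUTPOST Severity 1 response time is "Best effort", while the "SLO - Initial response time" table below says "not applicable" for OUTPOST; align the two. Minor wording: "1 business hours" should be "1 business hour", "ZITADEL Cloud have incorrect or missing documentation" should be "has", and "Customers end users" needs the possessive "Customers' end users". The escalation phone number and e-mail (+41 43 456 84 69, hi@caos.ch) differ from the support contact table (+41 43 215 27 34, support@zitadel.ch); confirm that is deliberate.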

View File

@ -0,0 +1,197 @@
---
title: Terms of Service Agreement
custom_edit_url: null
---
## General
### Introduction
CAOS Ltd. (**"We"**, **CAOS AG**, or simply **CAOS**), with head office in Teufener Strasse 19, 9000 St. Gallen, Switzerland, offers "Identity and Access Management as service" with the brand name "ZITADEL Cloud Services" and all of our Websites (**Services** or **ZITADEL Cloud**).
The customer relationship (**Framework Agreement** or **The Agreement**) is created by the **Customer** (**"you"**) by creating a user or organisation within the ZITADEL Cloud Service. On the basis of this Framework Agreement you may then choose to make use of payable services (**Subscription**) as you wish, i.e. you may book services, options and packages yourself at any time (**Booking**) and subsequently terminate them.
The terms of service (**"TOS"**) outlined in this document establish the most important points of this Framework Agreement independently of the use of any services.
This Agreement has the following appendices. When you enter the Agreement with us, you accept these agreements.
* [**Data Processing Agreement**](data-processing-agreement) - How we process personal data on behalf of you
* [**Service Level Description**](service-level-description) - What service levels do we guarantee you
* [**Support Service Descriptions**](support-services) - How we provide support services to you
The following policies complement the TOS. When accepting the TOS, you accept these policies.
* [**Privacy Policy**](privacy-policy) - How we process personal data on our websites and products
* [**Acceptable Use Policy**](acceptable-use-policy) - What we understand as acceptable and fair use of our Services
* [**Rate Limit Policy**](rate-limit-policy) - How we avoid overloads of our services
### Alterations
Any provisions which deviate from these TOS must be agreed in writing between the Customer and us. Such agreements shall take precedence over the TOS outlined in this document.
### Transfer
You may only transfer the Framework Agreement or Services used in the context of the Framework Agreement to third parties with our prior written consent.
## Our Services
### Type and scope of the services
We provide the Services under the conditions stated on our websites at the time of booking.
### Modifications of services offered
We are entitled to offer new services, to withdraw existing services (**Termination**) or to modify the specifications and prices of existing services (**Modification**) at any time. If the modification or termination affects a service that you are using at that time, we will inform you via email that said service will be automatically modified and/or is no longer available after a period of 30 days.
### Modification of services booked by you
You may change or terminate Services or Subscriptions booked by you at any time. You may, where applicable, add more Services (e.g. add-ons) to your existing Services at any time.
### Due care
We take all appropriate physical and electronic precautions to ensure the security and availability of our infrastructure and the service offered thereupon, in particular to protect against unauthorized access to data, data loss, failures and misuse.
The [Annex of the data processing agreement](data-processing-agreement#annex-regarding-security-measures) outlines the measures we take in more detail.
### Support
We offer Support Services directly related to the use of our Services. The Description of Support Services is available as [Annex](support-services) to this document.
Customers without a Subscription or a Subscription plan that does not include Support Services should post inquiries and issues regarding ZITADEL from customers to our [GitHub Discussions](https://github.com/caos/zitadel/discussions), whenever feasible.
If you need support integrating or setting up ZITADEL, please contact our consulting team.
### Limited influence
Be advised that the scope of our influence is limited. For example, the actual accessibility of a service is also dependent on the connection to and between various Internet Service Providers ("ISPs"). Portions of our services, i.e. software components, may also be beyond our influence and be subject to their own contractual conditions. You accept that in such cases we reject any responsibility.
### Service level
Customers with a Subscription may be eligible for a SLA as outlined in our [Service Level Description](service-level-description).
### Inclusion of third parties
We may include third parties in the provision of our services. See our [Privacy Policy](privacy-policy) and our [Data Processing Agreement](data-processing-agreement) for more information.
## Your obligations
### Contact information
At our request you will provide your truthful contact information and keep it updated at all times. You must also ensure that you actually receive messages, in particular emails, intended for you.
### Use
You will ensure that the use of our Websites and Services by you or third parties complies with all applicable legislation, these these TOS, and our [Acceptable Use Policy](acceptable-use-policy) at all times.
### Security
You will take appropriate measures to prevent any misuse of the services you booked. These include, for example, securing the software used and the prompt installation of security updates as well as using suitably secure passwords.
### Disaster recovery
We take care of the necessary disaster recovery measures. The goal is to maintain a maximum 24h old restore point off all the vital data.
Any liability for damages, indirect or direct, in case of data loss is explicitly rejected.
### Reporting obligations
You will immediately report any knowledge of a misuse of your booked services.
### Cooperation
If the maintenance of service quality requires your cooperation, for example to remedy errors in the services you use, you will provide said cooperation promptly and free of charge.
### Third party obligations
You will ensure that your vicarious agents, customers and third parties fulfill these obligations as well.
## Financial
### Credit and payment
Signup to our Services does not require you to open a payment account. However, a payment account is required for the purchase of our Subscriptions. The costs for the services you have purchased will be debited periodically and in advance from your payment account.
### Payment procedure
If payment upon invoice is agreed, the payment deadline shall be 30 days after receipt of the invoice.
### Offsetting
Offsetting against a counterclaim is prohibited.
### Collection
In the event of default we reserve the right to transfer our claim to a collections agency. You will bear any resulting costs insofar as legally permissible.
## Termination
### Termination by you
You may terminate the Framework Agreement at any time by ceasing your use of the services and deleting your customer account on our website.
### Termination by us
We may terminate the Framework Agreement at any time via email message with a notice period of 90 days. Any use of the services will cease at the end of this period and the Framework Agreement will be terminated.
### Automatic termination
If you have neither used services nor made payment for a period of 3 years, the Framework Agreement will be considered automatically terminated at the end of this period.
### No reimbursement
Any remaining credit shall automatically expire upon termination of the Framework Agreement.
### Termination of services
We are entitled to suspend and terminate services used by you if
* Your credit has been used up by services and/or any applicable credit limit has been reached;
* You are in default in the payment of open invoices and/or prompt payment seems unlikely (i.e. in the event of insolvency proceedings);
* Your services were used illegally or in breach of contract, or if there is reasonable suspicion of such use (i.e. in the event of complaints or abuse reports);
* Other customers' services are being negatively affected in breach of the fair use provision, including in the event of your services being subject to attacks by third parties (i.e. DoS/DDoS attacks);
* We consider the suspension or termination of the services to be necessary for the protection of ourselves, our infrastructure or other customers.
We reserve the right to immediately terminate the Framework Agreement in such cases.
### Deletion of data
In the event of the termination of the contract, we reserve the right to irrevocably delete all of your data.
## Data protection
Please consult the annex to this Framework Agreement, specifically our [Privacy Policy](privacy-policy) and [Data Processing Agreement](data-processing-agreement), or our [Trust Site](https://zitadel.ch/trust/) for more information about how we process and protect your data.
## Liability
### Our liability
We and/or third parties which we involve are only liable for demonstrably willful or grossly negligent damages. Our liability per damage event is limited to the value of the services used during the previous contractual year. Any liability in other cases, for consequential damages or lost profits is hereby excluded.
### Your liability
You are liable for all damages and costs arising from the illegal or non-contractual use of the services which you have booked. We in particular reserve the right to invoice you for any additional costs incurred by us in this context.
### Force majeure
You acknowledge that we may be partially or entirely unable to provide our services during and/or as a result of events beyond our influence. These include events such as natural disasters, war, terrorism, sabotage, attacks on our infrastructure (i.e. DoS/DDoS attacks), failure of electrical or data connections and unexpected official requirements. We are not liable for any damages in such cases.
## Final provision
### Applicable law
The Framework Agreement is subject to Swiss law.
### Place of jurisdiction
The exclusive place of jurisdiction is St. Gallen, Switzerland.
### Severability clause
Should any provision of these TOS be or become invalid, this shall not affect the validity of the remaining TOS. The invalid provision will be replaced by a valid one which approximates the invalid one as much as possible.
### Entry into force
These TOS shall enter into force as of 16.06.2021
### Amendments
We are entitled to unilaterally amend these TOS at any time. The current version is accessible via our website. We will inform you of any amendments via email. These amendments shall be considered as accepted upon booking additional services or at the latest after 30 days. In the case of a rejection on your part we reserve the right to terminate the Framework Agreement.
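Review bot: the "Disaster recovery" subsection sits under "## Your obligations" but describes measures we take ("We take care of the necessary disaster recovery measures"); it belongs under "## Our Services" next to "Due care". In that subsection "restore point off all the vital data" should be "of all the vital data". "these these TOS" in "Use" has a doubled word. The bullets under "Termination of services" and the "Force majeure" paragraph use "i.e." where examples are meant ("i.e. in the event of insolvency proceedings", "i.e. DoS/DDoS attacks"); "e.g." is the intended abbreviation. "These TOS shall enter into force as of 16.06.2021" is missing its period.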

View File

@ -47,6 +47,12 @@ module.exports = {
label: 'Concepts',
position: 'left'
},
{
type: 'doc',
docId: 'legal/introduction',
label: 'Legal',
position: 'left'
},
{
href: 'https://github.com/caos/zitadel',
label: 'GitHub',

View File

@ -87,11 +87,21 @@ module.exports = {
apis: [
'apis/introduction',
'apis/domains',
{
type: 'category',
label: 'Rate Limits',
collapsed: true,
items: [
'legal/rate-limit-policy',
'apis/ratelimits/accounts',
'apis/ratelimits/api',
],
},
'apis/apis',
{
type: 'category',
label: 'Proto API Definition',
collapsed: false,
collapsed: true,
items: [
'apis/proto/auth',
'apis/proto/management',
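Review bot: the `collapsed: false` to `collapsed: true` flip for the "Proto API Definition" category (and for "OpenID Connect & OAuth" in the next hunk) changes the default expansion of existing sidebar categories and is unrelated to adding the legal section; consider splitting it into its own commit or at least calling it out in the commit message so the behaviour change is not buried.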
@ -120,7 +130,7 @@ module.exports = {
{
type: 'category',
label: 'OpenID Connect & OAuth',
collapsed: false,
collapsed: true,
items: [
'apis/openidoauth/endpoints',
'apis/openidoauth/scopes',
@ -134,5 +144,29 @@ module.exports = {
'concepts/introduction',
'concepts/architecture',
'concepts/principles',
]
],
legal: [
'legal/introduction',
'legal/terms-of-service',
'legal/data-processing-agreement',
{
type: 'category',
label: 'Service Descriptions',
collapsed: false,
items: [
'legal/service-level-description',
'legal/support-services',
],
},
{
type: 'category',
label: 'Policies',
collapsed: false,
items: [
'legal/privacy-policy',
'legal/acceptable-use-policy',
'legal/rate-limit-policy'
],
}
],
};
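Review bot: `'legal/rate-limit-policy'` is now listed both in the new "Rate Limits" category of the `apis` sidebar (earlier hunk) and in the "Policies" category of the new `legal` sidebar; check that the Docusaurus version in use accepts the same doc id in two sidebars and confirm which sidebar the page should display when opened from the "Legal" navbar entry. Style: the last item `'legal/rate-limit-policy'` and the closing `}` of the "Policies" category lack the trailing commas used elsewhere in this file (compare `'apis/ratelimits/api',` and `},` in the "Service Descriptions" category).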