Open Badge Factory (OBF) is a platform used by thousands of organisations to create, issue and manage open badges. We have been developing OBF for six years now in collaboration with our user community and at times it can be challenging for developers to find technical solutions that fit diverse and sometimes opposing customer needs.
The Open Badge standard made the choice early on of baking badge metadata into image files (png or svg) and this affects the way badges can be displayed and shared today. A badge currently requires its recipient to create an account in a “backpack” or “passport” to be displayed as a valid badge and to be shared.
Most badge recipients in associations or schools are happy with this requirement because displayer platforms such as Open Badge Passport generally offer other interesting services and features to enable recipients to leverage greater value from their badges. By greater value, we mean, firstly, the opportunity for badge earners to enrich their badges with new evidence. Secondly, badge earners can add a social aspect to their badges by having them endorsed by colleagues or peers, and use their badges to connect with other users using badges they hold in common.
Clients, especially in the corporate sector, however, need “standalone” badges that can be easily displayed without using a display platform. Many client use cases require these badges to be forgery-proof signed digital certificates verified with blockchains. To make things even more challenging, some clients need both solutions.
When the OBF development team started to look for solutions to these needs, an interesting question was raised: “Could the format of a badge be something other than a png or svg picture?” PDF is an open format (ISO 32000-2) that is truly portable (Portable Document Format), supports metadata and digital signatures, can be self-hosted, and is easy to share and view. It is a perfect format for baking and issuing a badge and validating it with a digital signature! The solution we implemented does not replace an Open Badge baked in a picture. Soon in Open Badge Factory you can issue a badge both as a hosted badge that can evolve in Passport and as a standalone signed PDF badge that is forgery-proof (fully compliant with Open Badge standard version 2.0) and can be used without a displayer service.
The most interesting aspect of this innovation is not only the fact that OBF can issue the same badge both ways but the lifecycle of the badge.
When a signed PDF badge is uploaded in Open Badge Passport it is turned into a hosted badge that can be enriched with endorsements and additional evidence. This same badge can later be revalidated in Open Badge Factory with a new signature in PDF format.
We are excited to announce that this new feature will be released at the beginning of December at OBF Premium and PRO levels!
Author: Eric Rousselle, CEO, Open Badge Factory
Open Badge Factory provides the tools your organisation needs to implement a meaningful and sustainable Open Badges system. OBF is certified by IMS Global and follows the latest version of the standard.
This personal data processing agreement (”Annex”) is an inseparable part of the agreement entered into between Open Badge Factory Oy (”Service Provider”) and its customer (”Customer”) concerning Open Badge Factory services (”Agreement”).
The purpose of this Annex is to agree on the privacy and data protection of the personal data of the Customer in the services of the Service Provider. This Annex constitutes a written agreement in accordance with the EU General Data Protection Regulation (679/2016) concerning the processing of personal data.
If the terms concerning the processing of personal data of the Annex and the Agreement are in conflict, the parties shall primarily apply the terms of this Annex.
In accordance with the EU General Data Protection Regulation, the terms below are defined as follows:
“controller” shall mean the Customer, who shall define the purposes and methods of personal data processing.
“processor” shall mean the Service Provider, who shall process personal data on behalf of the controller based on the Agreement.
“processing” shall mean any operation or set of operations which is performed on personal data or sets of personal data using automated means or manually, such as data collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“personal data” shall mean any information relating to an identified or identifiable natural person, hereafter ”data subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“personal data breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3.1 Obligations of the Service Provider and the Customer
The Service Provider shall process the personal data of the Customer on behalf of, and commissioned by the Customer, on the grounds of the Agreement. The personal data that the Service Provider processes may relate to, e.g. employees or customers. The Customer shall be the controller and the Service Provider shall be the processor of the data processed in the service. The parties undertake to abide by the current and in force legislation, decrees and authority orders and guidelines concerning personal data processing, and if necessary, to amend the terms of this annex to conform to them.
As controller, the Customer shall be liable that it has the necessary rights and consents in order to process personal data pursuant to the Agreement. The Customer shall be responsible for drafting a record and keeping it available as well as informing the data subjects and notifications to the data protection authorities. The Customer is responsible for the validity of the personal data it has delivered to the Service Provider.
The Customer is entitled and obligated to define the purpose and methods of personal data processing. The subject, character and purpose of processing is defined in more detail in the Agreement. The types of personal data and sets of data subjects processed in the services have been defined in the Agreement.
The Service Provider is entitled to process the personal data and other data of the Customer only on the grounds of the Agreement, this Annex and according to the written guidelines of the Customer and only to the extent and in the manner it is necessary in order to provide services. The Service Provider shall notify the Customer if any conflict with the data protection legislation of EU or Finland is detected in the guidelines and in this case, the Service Provider may immediately decline and stop the application of the guidelines of the Customer.
The Service Provider shall maintain the service description or other record of the processing operations of the service required by the EU General Data Protection Regulation. The Service Provider is entitled to collect anonymous and statistic data of the use of the services pursuant to the Agreement, that does not specify the Customer nor data subjects and uses it for analysing and developing its services.
3.2 Deletion/return of data
After the expiry of the Agreement, the Service Provider shall return or delete, according to the guidelines of the Customer, all the personal data of the Customer and delete all duplicates, unless applicable legislation requires the retention of personal data.
The Service Provider may use subcontractors for processing the Customer’s personal data. The Service Provider is responsible for its subcontractor’s actions as for its own and shall draft written agreements with the subcontractors concerning the processing of personal data. If requested, the Service Provider shall inform the Customer beforehand of subcontractors the Service Provider intends to use in processing the personal data pursuant to the Agreement. The Customer is entitled to oppose the use of a new subcontractor on reasonable grounds. If the Parties are unable to reach an agreement concerning the use of a new subcontractor, the Customer is entitled to terminate the Agreement with thirty (30) days’ notice, in so far as the change of subcontractor affects the processing of personal data pursuant to the Agreement.
3.4 Service Provider’s obligation to provide assistance
The Service Provider shall immediately forward all requests to inspect, rectify, erase or deny the processing of data or other requests received from the Data Subjects, to the Customer. It is the Customer’s duty to ensure a response to such requests. Taking into account the nature of the processing, the Service Provider shall help the Customer with appropriate technical and organisational measures, in order for the Customer to fulfil its duty to respond to the Data Subject’s requests.
The Service Provider is obligated, taking into account the nature of the processing of personal data and the data available, to assist the Customer in ensuring that the Customer complies with its legal obligations. These obligations may include data security, notifying of data breaches, data protection related effect assessments and obligations regarding prior consultations. The Service Provider is obligated to assist the Customer only to the extent that applicable legislation obligates the personal data processor. Unless otherwise agreed, the Service Provider is entitled to invoice the expenses incurred from action pursuant to this section 3.4 according to the Service Provider’s valid price list.
The Service Provider shall direct all inquiries of data protection authorities directly to the Customer, and the Service Provider shall not be authorized to represent the Customer, or act on behalf of the Customer with the data protection authorities supervising the Customer.
The Service Provider and its subcontractors shall not process personal data outside the EU/EEA area without the written approval of the Customer.
The Parties shall agree in writing of all moving or processing personal data outside of the EU/EEA and that the standard contractual clauses approved by the European Union concerning the transferal of data outside of the EU/EEA shall apply.
The Customer or an auditor authorized by the Customer (however, not a competitor of the Service Provider) is entitled to audit the activities pursuant to the Annex. The Parties shall agree on the time of the auditing and other details ahead of time and at latest 14 days before the inspection. The auditing shall be carried out in a way that does not harm the obligations of the Service Provider or its subcontractors in regard to third parties. The representatives of the Customer and the auditor must sign conventional non-disclosure commitments.
The Customer shall be responsible for its own and the Service Provider’s expenses caused by the auditing. If notable defects are perceived during auditing, the Service Provider shall be liable for the costs incurred from the auditing.
The Service Provider shall implement the appropriate technical and organisational measures to protect the personal data of the Customer, taking into account all the risks of processing, especially the unintentional or illegal destruction, loss, alteration, unauthorised disclosures or access to personal data that has been transferred, saved or otherwise processed. The technical options and their costs shall be taken into account in organising the security measures, in relation to the special risks of the processing at hand and the sensitivity of the personal data processed.
The Customer shall be obligated to ensure that the Service Provider is notified of all the circumstances concerning the personal data the Customer has delivered, such as risk assessments and the handling of special sets of data subjects that affect the technical and organisational measures pursuant to this Annex. The Service Provider shall ensure that the personnel of the Service Provider or a subcontractor of the Service Provider shall abide by the appropriate non-disclosure commitment.
The Service Provider must notify the Customer of all data breaches concerning Personal data without undue delay after receiving information of the breach or after a subcontractor of the Service Provider has received information of the breach.
If requested by the Customer, the Service Provider shall, without undue delay give the Customer all relevant information concerning the data breach. In so far as the information in question is available to the Service Provider, the Service Provider shall describe at least the following to the customer:
(a) the occurred data breach,
(b) if possible, the sets of data subjects and the number thereof, as well as the sets of personal data types and estimated numbers,
(c) a description of the likely consequences caused by the data breach, and
(d) a description of reparative measures, that the Service Provider has implemented or shall implement in order to prevent data breaches in the future, and if necessary, the measures to minimise the harmful effects of the data breach.
The Service Provider shall document and report the results of the inquiry and the implemented measures to the Customer.
The Customer shall be liable for the necessary notifications to the data protection authorities.
If any tangible or intangible damage is caused to a person due to a breach against the EU General Data Protection Regulation or the Annex, the Service Provider shall be liable for the damage only in so far that it has not explicitly abided by the obligations directed to personal data processors in the EU General Data Protection Regulation or this Annex.
Both parties are obligated to pay only the part of the damages or administrative fine that corresponds to the liability for damages confirmed in the final decision of a data protection authority or a court of law. Otherwise the liability of the parties shall be determined pursuant to the Agreement.
The Service Provider shall notify the Customer in writing of all changes that may affect its ability or chances to abide by this Annex and the written guidance of the Customer. The Parties shall agree on all additions and amendments to this Annex in writing.
This Annex shall enter into force upon the Customer’s acceptance of the Agreement. The Annex shall remain in force (i) as long as the Agreement is in force or (ii) the parties have obligations concerning personal data processing activities towards one another.
Those obligations that due to their nature are meant to survive the expiry of this Annex shall remain in force after the expiry of the Annex.
Open Badge Factory Oy
Kiviharjunlenkki 1 E, 90220 Oulu
(hereafter ”we” or ”Open Badge Factory”)
Kiviharjunlenkki 1 E, 90220 Oulu
Phone number: +358 400 587 373
CUSTOMER REGISTER FOR OPEN BADGE FACTORY SERVICE
The basis of processing personal data is Open Badge Factory’s justified interest on the basis of a customer relationship.
The basis of processing personal data is:
We process the following personal data regarding the customer’s user account (data subject):
We receive personal data primarily from the data subject him/herself, as the data is entered into the Service by the data subject.
For the purposes described in this privacy notice, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Data updating of this kind is performed manually or by automated means.
Only the data subject’s admin display name which the admin can define him/herself, is displayed to other users in the Service.
We process information ourselves and use subcontractors that process personal data on behalf of and for us. We have outsourced the IT-management to an external service provider, to whose server the data is stored. The server is protected and managed by the external service provider.
Data may be disclosed to authorities under compelling provisions. We don’t disclose information of the register to external quarters. We do not transfer personal data outside of EU/EEA.
The personal data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and the backup copies of them are in locked premises and can be accessed only by certain pre-designated persons, i.e. only those of our employees, who on behalf of their work are entitled to process customer data. These persons include the Service Provider’s customer service personnel and the technical administrators of the Service. Each user has a personal username and password to the system.
The data subject may at any time add, change and remove all data from the Service as well as delete the account entirely.
We store the data as long as it is necessary for the purpose of processing the data. We estimate regularly the need for data storage taking into account the applicable legislation. In addition, we take care of such reasonable actions of which purpose is to ensure that no incompatible, outdated or inaccurate personal data is stored in the register taking into account the purpose of the processing.
As a data subject you have a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of the data. This may be done by accessing, modifying and/or deleting your personal data stored in the Service by logging into the Service. If you need assistance, please contact the person mentioned in Section 2 above.
As a data subject you have the right to object processing at any time free of charge, including profiling in so far as it relates to direct marketing.
All contacts and requests concerning this privacy notice shall be submitted in writing or in person to the person mentioned in section two (2).
Should we make amendments to this privacy protection statement, we will place the amended statement on our website, with an indication of the amendment date. If the amendments are significant, we may also inform you about this by other means, for example by sending an email or placing a bulletin on our homepage. We recommend that you review these privacy protection principles from time to time to ensure you are aware of any amendments made.
The User promises that the information the User provides or provided in connection with registration to, and use of the Service is true and accurate. The use of the Service requires a username and a personal password or other user identification method approved by the Service Provider (hereinafter referred to as User ID). Unless otherwise agreed, the User ID requires valid email address of the User for generating the username.
The User must keep the password required for the use of the Service secret and not disclose it to anyone else. User may not assign or transfer its User ID to a third party and may not allow a third party to use the Service with its User ID. If a third party has obtained User’s password or the User has a reason to believe that a third party has obtained its password, the User must immediately inform the Service Provider. The User is solely responsible for actions taken by using its User account until it has informed the Service Provider of the loss of the password and the Service Provider has had a reasonable time to prevent the use of the Service with the User ID.
The Service contains different service levels. The prices of service levels in force from time to time are specified in the Service website. Service levels are provided subject to the payment of prices. User can purchase desired Service levels during or after a 60-day free trial period. If the subscription and payment are made during the trial period, the remaining days of the trial period will be added to the subscription time purchased by User. The minimum subscription period is one year.
Service levels can be upgraded anytime during a subscription period. For example, User can purchase a one-year subscription for Basic Service level and upgrade the Service level to Premium a few months later if needed.
Downgrading a Service level is only possible after the current subscription period has expired. If there are more than 2 badges in the environment, User will have to select the badges he/she wishes to preserve and delete the rest of the badges when downgrading to Free Service level. The same applies when User has more than 10 badges and downgrades from an upper service level to Basic Service level. The badges that have been deleted will not be restorable even if User later upgrades his/her Service level back to an upper service level.
Paytrail Oyj (2122839-7) acts as an implementer of the payment handling service and as a Payment Service Provider. Paytrail Oyj will be shown as the recipient in the invoice and Paytrail Oyj will forward the payment to the merchant. Paytrail Oyj is an authorised Payment Institution. For reclamations, please contact the website you made your payment to.
Paytrail Oyj, business ID 2122839-7
Phone: +358 207 181830
Paytrail Oyj (FI2122839) provides netbank related payment transfer services in co-operation with Finnish banks and credit institutions. For consumer the service works exactly the same way as traditional web payments.
The Service Provider shall own all rights, title and interest in and to the Service as well as any material in or provided through the Service, including any copyright, patent, trademark, design right, trade secret and any other intellectual property rights (hereinafter referred to as Intellectual Property Rights). The User shall not receive any ownership rights by using the Service or for example by downloading material from or submitting material to the Service. Unless expressly authorized by mandatory legislation, Service may not be copied, reproduced or distributed in any manner or medium, in whole or in part, without prior written consent of the Service Provider. All rights not expressly granted to the User herein are reserved by the Service Provider.
The materials and information and any Intellectual Property Rights related thereto which the User inserts into the Service (User Material) remain the property of the User or a third party.
The Service Provider is responsible for technical implementation and maintenance of the Service. The Service Provider may suspend the Service when necessary for example for installation, amendment or maintenance work or if laws, regulations or authorities so require or if there are other justifiable reasons for suspension. The Service Provider aims to ensure that the suspension is as short as possible. The Service Provider will make an effort to inform Users a reasonable time in advance of substantial changes and breaks in service on the login page of the Service. If Service is not available for Use for more than two (2) consecutive days, subscription fee or any part of it shall not be refunded but equivalent amount of days will be added to User’s subscription time as compensation. However, the Service Provider reserves the right to perform small updates without informing about it in advance. A back-up of the service content is made once a day. The back-up is made in case the service content needs to be restored due to, for example, a technical problem. However, end-user’s content is not restored, if it accidentally deletes its content. The Service provider has the right to terminate the Service at its sole discretion. The Service Provider aims to notify a reasonable time in advance about the termination of the Service.
The Service Provider is committed to repairing possible software faults affecting the quality of the Service according to the valid product development plan.
It is the responsibility of the User of the Service to make sure that he/she has the right to use the images, content and email addresses that he/she uses in issuing his/her own badges. User agrees not to use the Service in a manner or otherwise submit any material that violates any Intellectual Property Rights, privacy, publicity or any other rights of others; or would be illegal or violate good manner. The Service Provider is not responsible for possible violations of the Users.
User shall use the Service in a manner that does not cause harm to the Service Provider, other Users, end-users or third parties. If the Service Provider receives a notice claiming that the User has submitted afore described material, The Service Provider is entitled to remove such material, the User or User organisation’s environment or prevent their use without notice.
The Service is provided on an “as-is” basis without warranties of any kind. The Service Provider does not warrant that the Service will function without interruptions or error-free. The Service Provider shall not be liable for the correctness, exhaustiveness or reliability of the information or other material presented on the Service nor for the content or other features of the products or services offered on or conveyed through the Service. THE SERVICE PROVIDER HEREBY DISCLAIMS ANY AND ALL EXPRESS, IMPLIED, AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, SATISFACTORY QUALITY OR FITNESS FOR A PARTICULAR PURPOSE, TO THE FULL EXTENT SUCH WARRANTIES MAY BE DISCLAIMED BY LAW. THE SERVICE PROVIDER DISCLAIMS ANY AND ALL LIABILITY FOR THE ACTS, OMISSIONS AND CONDUCT OF ANY THIRD PARTIES IN CONNECTION WITH OR RELATED TO USER’S USE OF THE SERVICE.
The Service Provider shall not be liable for direct or indirect damages caused by a possible delay, a change or a loss of a service, product or material transferred through the Service. The Service Provider is not liable for direct or indirect damages caused by interruptions and disturbances including loss or delay of data or changes in data due to technical defects or maintenance. Further, the Service Provider disclaims any liability for direct or indirect damages caused to the User by harmful programs (virus, worms etc.) or incorrect content in the Service. The Service Provider bears no liability for damages caused by the User or by a third party.
The Service Provider is never liable for any indirect or unforeseeable damages caused to the User at any given circumstances.
User is entitled to stop using the Service and to delete their environment at any time. In this case, all content is deleted once and for all, but the badges issued before the deletion of the environment will be hosted for free as long as the service is provided.
When the term expires or if the Service is suspended or terminated for whatsoever reason, the Service Provider shall not return to the User any payments made.