
Disclaimer:

This register is kept with the utmost care. However, EuroPriSe does NOT guarantee the accuracy of information found on the Site. Your reliance on information found on the Site is at your own risk. For more information please go to EuroPriSe Terms & Conditions.

Product/Version

VALid-ZLC® v2

Function as provided in October 2017

Qualification: IT-based service

View the VALid-ZLC Certificate (201710)

Cert. No.

EP-S-K8LJ52

Version of Certification Criteria

11/2011 (95/46/EC)

Validity

05/10/2017 - 31/10/2019

Initial certification on August 12, 2014

Monitoring

06/2018 (O.K.)

02/2019 (O.K.)

Public report

2017 recertification VALid-ZLC public report [PDF]

2014 VALid-ZLC - Short Public Report [PDF]

Manufacturer/Provider


VALIDSOFT LIMITED
Arthur Cox Building
Earlsfort Terrace
Dublin 2
Ireland

BEST

VALid-ZLC® sticks to the principle of data avoidance and minimisation by keeping the personal data processed to the minimum. In addition, information will only be disclosed to ZLC when certain specific events occur. When ZLC receives the information that the country information about a bank customer's mobile phone has changed, the previous country entry is deleted (i.e., no history is kept). Customers of ValidSoft are comprehensively informed about their data protection obligations and contractually bound to ensure compliance with the applicable data protection law when making use of VALid-ZLC.

ATTENTION:

ValidSoft offers ZLC as a SaaS ("Software-as-a-Service") solution. The service is not yet in any actual deployment (Update: This is still true in October 2017). Thus, neither an actual online banking app that has been amended by the ZLC code nor any processing by ValidSoft on behalf of banks or payment processors when providing the ZLC service could be evaluated by the EuroPriSe experts. Rather, only a test implementation was examined during the evaluation. In addition, the appropriateness of technical and organisational measures that had been stipulated by ValidSoft for any future service provision was verified. As soon as there are any actual deployments, additional checks will be conducted by the experts.

Summary

Valid-ZLC® verifies, with the help of data previously obtained from the data subject’s mobile phone, whether the debit or credit card that is being presented is, or is not, in the same country as the mobile phone that the card owner has registered with the bank. This data is sent to Valid-ZLC® as a result of the inclusion of certain ZLC code snippets into the software code operating a client’s device such as, typically, the relevant bank’s mobile banking application. ZLC's conditions of use make it compulsory for users of the service to obtain the entirely free and fully-informed consent of the data subjects (bank customers) for the use of ZLC.

Details

Recert 201710

The target of evaluation has not changed.

Initial Cert 201408

Valid-ZLC® is a software program installed on a dedicated carrier or server installed at and operated by ValidSoft in the UK. The software is a proprietary database, to and from which data are sent and managed. Specifically, this database, on the one hand, receives data from mobile phones enlisted to the service by the user of Valid-ZLC®, and on the other hand is linked to the user’s own computers. ZLC will be provided by ValidSoft as “Software-as-a-Service”. A mobile banking app that is amended by certain ZLC code snippets will pass on to the ZLC database the country code of the country where a mobile phone is, and even that only if this information changes (or has not changed for some 12 hours). Moreover, the data that is made accessible to the user of the product is restricted to no more than a simple “result”: “Confirm” (the mobile phone is in the same country as the country in which the bank card is being presented) or “Refute” (the phone is not in the same country), with a Probability Score (or a “Fail” in case the check was unsuccessful).

The evaluation covered the following:

  • the specifications for the bit of software (the “ZLC snippet”) that banks should use to instruct the app that is installed on their enrolled customers’ mobile phones to send country information to the ZLC database operated by ValidSoft in certain specified instances. Since the product is not yet in any actual deployment, the experts could not evaluate any actual app. However, they did evaluate a test version of the app;
  • the parameters (security/encryption specifications) specified by ValidSoft for the data flows to and from the ZLC database (i.e., for the sending of the mobile phone country information from the app to the database; the sending of the card country information from the bank to the database; and the returning of a “result” from the database to the bank); and
  • all the processing within the ZLC database, i.e., the receiving of the above-mentioned country information from, respectively, the app and the bank; the correlation of those data within the database, leading to the creation of “results” (in the format “Yes” [mobile phone is in the same country as the card], “No” [mobile phone is not in the same country as the card], or “Fail” [when for some reason the check could not be performed], with a “confidence score”).

Technical Evaluator

Javier Garcia-Romanillos Henriquez de Luna
Ernst & Young (Spain)
Calle Zurbarán 7, 6B
28010 Madrid
Spain

Legal Evaluator

Prof. Douwe Korff
Wool Street House
Gog Magog Hills
Babraham
Cambridge CB22 3AE
UK

Formerly Certified Versions

n.a.


European Privacy Seal for Zero Latency Correlation (ZLC)

Recertification: 10/2017

Initial Certification: 08/2014

ValidSoft proved that its IT-based service ZLC facilitates its privacy-compliant use. Banks and payment processors may use the service as a tool that assists them in identifying suspicious credit- and debit card “card-present” transactions. ZLC verifies, with the help of a mobile phone application, whether the card that is being presented at an ATM or POS-terminal is, or is not, in the same country as the mobile phone that the card owner has registered with the bank. Banks and payment processors can be sure that processing of personal data of their customers is in line with the demanding provisions of EU data protection law if they use the service as specified in ValidSoft's respective conditions of use.

Press Release 2014

© 2008 - 2019 | EuroPriSe GmbH - European Privacy Seal | Handelsregister-Nr. (Commercial Register No.): Bonn HRB 20387


Product/Version

REISSWOLF f.i.t.

v1.5; service function as provided in 05/2018

Qualification: IT product and IT-based service (processor service)

View the REISSWOLF f.i.t. certificate

Version of Certification Criteria

11/2011

Cert. No.

EP-S-X5TSCN

Validity

24/05/2018 - 31/05/2020

Monitoring

01/2019

09/2019

Public Report

f.i.t. Short Public Report

Manufacturer/Provider

REISSWOLF Systems GmbH

Im Heegen 13
22113 Oststeinbek
Germany

BEST

Access policies can be used to restrict system usage to specific times of the day and/or IP addresses to reduce the attack vector for third-party access. A user session is controlled by means of a cross-tab synchronised session countdown.

ATTENTION

Regarding the processing of personal data on third persons by means of f.i.t., it must be highlighted that the (usually) corporate users of the service qualify as controllers whereas REISSWOLF Systems GmbH acts as a processor on behalf of the users. Customers are advised that the legitimate use of the service may require the collection of the data subject's consent and/or declaration of release from confidentiality.

SUMMARY

REISSWOLF f.i.t. is a web-based archiving system for data storage and access. It serves the purpose of uploading, storing, managing and exchanging data in the sense of a document management system. f.i.t. is a web application that can be used with common internet browsers.

DETAILS

REISSWOLF f.i.t. is primarily designed for commercial use. It is distributed by REISSWOLF Systems GmbH and operated as Software as a Service (SaaS) in a data center in Germany.

The ToE includes

  • The web-based service REISSWOLF f.i.t. (for details, please cf. the short public report)

It does not include

  • REISSWOLF f.i.t. mobile app
  • REISSWOLF f.i.t. hotfolder
  • Office module
  • Teamviewer
  • Other alternative interfaces to clients

Technical + Legal Evaluator

Ann-Karina Wrede
Innungsstraße 7
21244 Buchholz
Germany

Initial Certification: 05/2018

REISSWOLF f.i.t. provides a web-based service that enables companies to upload, store, manage and exchange data in the sense of a document management system. Users of the service are controllers in respect of personal data on third persons that is processed by means of f.i.t. The service is designed in a way that facilitates the users' compliance with EU data protection law.


European Privacy Seal for REISSWOLF f.i.t.