One of the central promises of GAIA-X is that the customer, regardless of which GAIA-X service offering he/she chooses, has full transparency on the compliance aspects of this offering and that it is accompanied by a level of assurance that the elementary requirements with regard to information security, data protection, portability/interoperability etc. are met.
To this end, the Onboarding and Accreditation Workflow (OAW) will be implemented to ensure that all offerings are subject to a validation process before entering the catalog.
In the first step, the GAIA-X participant is registered. This is a necessary precondition for offering services in GAIA-X. The master data of the entity, which is assigned a unique ID, will be provided through a process in the portal, enriched with metadata and additional documents, and put forward to the notarization service, which validates those data. Upon successful validation, a verifiable credential (vC) for the entity will be issued, which underpins its status as a registered participant in GAIA-X.
Subsequently, principals of those registered providers can register the service offerings for GAIA-X.
At this stage the self-description and additional evidence for the adherence to the GAIA-X policy rules (e.g. by Codes of Conduct, third-party certifications/attestations, acceptance of Terms and conditions) have to be provided.
The basis for the assessment of compliance for Release 1 is the minimum viable set (MVS) of policy rules developed in the policy rules committee and approved by the Board of Directors of the GAIA-X AISBL. Those are based on accepted standards and established conformity assessment tools, ensuring that the additional effort for the provider to enter GAIA-X is kept at a minimum.
The information is forwarded to an auditor (either at the AISBL, at an entity acting on behalf of the AISBL or eventually independent accredited conformity assessment bodies), which analyzes the presented evidence and matches it against the objective requirements. Those requirements may differ according to the level of assurance the service has applied for.
The process may include several iteration cycles which require interaction with the applicant; this will be handled via the GAIA-X portal.
Upon successful completion of the validation process vCs will be issued representing the assurance levels of the service offering and registered in the GAIA-X catalog. Those vCs can be used to automatically indicate the compliance level across different federations.
Part of the OAW is the documentation of the validation process and the generation of an audit trail to guarantee adherence to generally accepted practices in conformity assessment.
The OAW furthermore comprises special elements for:
- Monitoring of the compliance relevant basis (e.g. expiration dates of certificates)
- Update of the data of the service offering (the provider has the obligation to put forward substantial changes to the offering for compliance checks)
- Suspension of offerings (e.g. in case of pending investigations of possible infractions)
- Revocation of offerings (e.g. in case of proven infractions)
As mentioned before, the OAW will be designed in such a way that it can be used by different accredited stakeholders in different federations.
Furthermore, it will enable Federations to add e.g. domain-specific compliance criteria to the “common core”.