Service System
Terms and conditions for the Service system
General
Digital Iceland is the operator of the service system on behalf of the Ministry of Finance and Economic Affairs (service provider). Government agencies, ministries, and other public entities can use the system (service recipients). The purpose of the service system is to make it easier for public entities to manage their communications with the public through a centralized service request system. The system can receive inquiries through many channels, such as email, phone calls, web chat, inquiry forms, social media, and applications from the Ísland.is Application system. These terms form an agreement between the service provider (Digital Iceland) and the service recipient (agency/public entity) regarding the services. The terms are intended to define the areas of responsibility of the parties when it comes to the operations of the service system. By using the services, the service recipient agrees to these terms.
1. Definitions
Service recipient: An agency or public entity that uses the services.
Service provider: Digital Iceland, under the mandate of the Ministry of Finance and Economic Affairs.
Service system: Digital Iceland operates the service system. Such systems are known by many names, e.g., ticketing system, request system, CRM system, etc. The system itself is from Zendesk.
Sub-processor: Zendesk Inc. is a sub-processor for Ísland.is based on a processing agreement.
Initiator: The individual who submits a case or a request for services.
2. Obligations of the parties
The service provider is the contracting party with Zendesk and is responsible for the technical setup and basic configuration of the system. The service provider is a data processor for the service recipient to the extent that it processes personal data on its behalf. The service provider undertakes the following:
Manage users within the system. Employees of the service recipient apply for access to the system through Digital Iceland's central SSO login portal.
Provide the service recipient with support during the implementation of the service system.
Provide continuous education and training materials for users of the system.
Assist with the connection between the service system and the service recipient's case management systems.
Handle the technical setup of the communication channels within the system (including email, web chat, phone calls, social media, and application systems) that the service recipient intends to use.
Supervise the general system configuration and functionality of the system.
Allocate API tokens as needed.
Manage the setup of integrations such as web services and webhooks within the system.
Install approved apps (applications) that connect to the system.
Handle the registration and setup of OAuth Clients.
Keep the service recipient informed about changes and new features concerning the functionality or service offerings within the system.
The service recipient, who gains access to the system, acts as a data controller regarding the processing of personal data that takes place in connection with their own use of the system, e.g., in connection with communications with initiators and their users. The service recipient undertakes to:
Manage system administration and ensure the maintenance and security of the system components for which it is responsible.
Handle further adaptation and configuration of its own parts of the system after formal implementation.
Provide continuous education and training for its employees after the implementation process is complete.
Supervise and ensure the correct forwarding of email addresses in the system, including that SPF and DNS records are correctly registered in accordance with technical instructions.
Only process personal data in accordance with applicable laws and regulations on data protection and confidentiality.
Take measures to ensure that users of the system within its own operations are informed of and comply with the institution's requirements and policy on security, confidentiality and the protection of personal data.
In other respects, the privacy terms of Digital Iceland apply to the processing of personal data in the service system, including the division of responsibility, unless otherwise specifically agreed. On the basis of the agreement between the registered parties, the service recipient is granted access to the services. By using the services, the service recipient undertakes to comply in all respects with the rules and terms that apply to the services.
2.1. General obligations of the registered parties
The service recipient is responsible for ensuring that the information does not fall into the hands of unauthorised parties and that the service recipient's staff who have access to incident logs ensure the security of the information contained therein. If the service recipient outsources its systems or their management to a third party, such work is always carried out under the responsibility of the service recipient.
3. Operations and services
The service provider is responsible for the basic operations of the system. Basic operations include general operational management, procurement of the software and the business relationship with the sub-processor, as well as general security settings in the system. The service provider provides general training on the system and manages user administration, including the creation of new users. User login to the service system takes place through the central login portal (SSO) of Digital Iceland.
4. Security matters
The service provider is responsible for implementing appropriate technical and organizational measures to ensure the security of the services. Security measures shall take into account the latest technology, implementation costs, scope, context, purpose of processing, and the risk of a security breach.
The Digital Iceland service system (Zendesk) is a SaaS system hosted in AWS data centers within the EEA. The data centers have various security certifications, including ISO 27001, PCI DSS, and SOC-2. Zendesk regularly performs security audits and certifications on the solution.
The system's design is based on multi-layered security where different units are protected according to best practices in cybersecurity. Network traffic is continuously monitored to ensure it is normal, and vulnerability scans are performed regularly. The operator (Zendesk) collects data on network traffic in a central system (SIEM) which notifies security monitoring of any abnormal traffic or actions.
Attempted attacks are monitored 24/7, as are potential risks at any given time. Zendesk maintains defenses against denial-of-service attacks (DDoS) and works with Cloudflare to defend against potential attacks at the network edge.
All network communication with the service system is encrypted with HTTPS/TLS. Email communication with the service system is encrypted with TLS. Data stored in the system is encrypted with AES-256 keys.
The service system meets the technical and organizational requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR) and Icelandic Act No. 90/2018 on Data Protection and the Processing of Personal Data.
The data is stored within the EEA according to the agreement.
The service recipient and the service provider must notify the other party as soon as possible if there is a suspicion of unintentional, unauthorized, or illegal processing of information or if there is a suspicion of any kind of security breach in the handling of information obtained from the services. The notification shall be sent to the general email address of the relevant party (in the case of the service recipient, island@island.is). In such a notification, the relevant party shall describe the nature of the breach, including the estimated quantity of registered individuals it affects and the use of the information. The relevant party shall also describe the likely consequences of the breach and the measures it has taken or plans to take in response to the security breach. The service recipient is responsible for reporting the security breach to the Icelandic Data Protection Authority within 72 hours if required by data protection legislation.
5. Responsibility
The service recipient shall indemnify and hold the service provider harmless from any and all losses, claims, actions, damages, liabilities, fines, penalties, and costs (including legal fees) that the service provider may incur due to or in connection with the actions or omissions of the service recipient, whether arising from negligence, intent, or carelessness of the service recipient or users in connection with the use of the service provider's Authentication system or resulting from a breach of the parties' agreement. This indemnity does not in any way limit other contractual or statutory rights that the service provider may have against the service recipient, and any potential benefits or indemnity payments do not justify a breach of the service recipient's duties and obligations.
The service recipient is responsible for all damages resulting from their or their users' use of the information exchanged between the service provider and the service recipient.
The service provider is not responsible for damages resulting from the use of the services that arise from the service recipient's or users' lack of knowledge, misunderstanding, or misuse. The service provider is not responsible for damages resulting from the service recipient's equipment not functioning properly.
The service provider is not directly or indirectly responsible for damages caused by an unannounced shutdown of the services, e.g., due to failures in the service provider's hardware or software or related third-party hardware or software, or for other reasons. Should any errors, interruptions, or delays occur in the service provider's services, its responsibility shall be limited to correcting such errors, interruptions, or delays as quickly as possible.
The service provider is only responsible for the service recipient's damages if they can be attributed to the gross negligence or intent of the service provider's employees. In such a case, the service provider's responsibility is limited to direct damages only and never to consequential damages that may arise from these causes, such as business interruption, lost business, or damage to reputation.
Damages due to violations of Act No. 90/2018 on Data Protection and the Processing of Personal Data are subject to Article 51 of the Act and Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
6. Payments
Each license costs ISK 7,000 per month, and the service provider will issue regular invoices for them. Payment is only for licenses in use, and the service provider will review the quantity of these on a monthly basis. The service recipient may cancel licenses between months and is therefore not obligated to use the service.
7. Operational Security
The registered parties undertake to promote the secure operations of the service and to work together on repairs in the event of operational disruptions.
If the service recipient becomes aware that the service is in any way malfunctioning, they must notify the service provider without delay. In such cases, the service recipient is generally not permitted to use the service until the service provider has completed its investigation.
If it proves necessary to temporarily close the service for system maintenance, file updates, and/or other technical measures related to the operations of the service, the service provider shall notify the service recipient of this as soon as possible, but with at least 24 hours' notice.
The service provider is authorized to interrupt the service recipient's access to the service without warning if this proves necessary due to a suspected security breach on the part of the service recipient or if the service provider believes it is clear that the service recipient's equipment does not meet the service provider's requirements for using the service.
If the service recipient or the service provider is prevented from fulfilling the agreement towards the other party for reasons beyond their control, the relevant obligations shall be postponed until such obstacles are removed and the registered parties to the agreement can fulfill their agreed obligations.
8. Termination
The institution only pays for the licenses that are in use at any given time. The institution is authorized, at the end of each month, to request the termination of some or all licenses. A request to close all licenses is equivalent to termination.
9. Confidentiality
The service provider shall maintain confidentiality towards the service recipient regarding information that is to be kept secret. The service provider shall ensure that its employees and contractors sign confidentiality agreements or are bound by a duty of confidentiality by law.
The service recipient shall in all respects maintain confidentiality towards users. The service recipient is not permitted to request or use information obtained through the service for any purpose other than to identify a user on its website, for direct identification, or as authorized.
10. Data Protection
In accordance with the Act on Data Protection No. 90/2018, as well as Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the service recipient is the data controller and the service provider is the data processor for personally identifiable data generated and handled in the service system.
The data controller determines the purpose and methods of processing personal data and guarantees that it has the authorization to process the personal data it entrusts the data processor to handle in connection with the service. The data processor processes personal data on behalf of the data controller, specifically the personal data necessary for it to provide the service under this agreement. The data controller is, among other things, responsible for ensuring that the processing of personal data is lawful and has a basis in Article 9 and, where applicable, Article 11 of the Act, and that the processing of personal data complies with the main principles of the Act, cf. Article 8 of the Act.
11. Changes to Terms
The service provider reserves the right to make changes to these terms, and they shall be announced to the service recipient in an electronic notification sent to the service recipient's provided email address or by other verifiable means at least half a month before new or amended provisions take effect. New and/or updated terms are also announced on Ísland.is before they take effect.
The service provider is authorized to make changes to the terms with shorter notice if such changes are required by law. In such cases where the notice period may be shorter, the service provider shall endeavor to announce such changes as soon as possible.
These terms were published: 1.9.2025.
This text was translated from Icelandic using a machine translation. Be advised that content generated by machine translation can be inaccurate or flawed.
