Terms and conditions of service¶
1 Definitions¶
1.1 The GARRbox service¶
GARRbox is the cloud storage service for synchronising and sharing data with users. Access to data contained in GARRbox is possible both via web browser and via applications for different platforms and devices.
The service is accessible at gbox.garr.it
Users can use GARRbox only if the organisations they belong to have subscribed to the service. At the time of subscription, the organisation will be assigned the service resources, the available aggregate storage space and the number of users allowed. The organisation can independently manage access authorisations and the assignment of storage space quotas to its users.
GARRbox is created and managed by Consortium GARR.
1.2 Data¶
The service acquires and manages two types of data: digital contents and the user's personal information.
Contents are defined as data uploaded by users, i.e. text documents, presentations, images and videos, etc. These are organised, as is usual, in files and directories. Shares and links that users create on their own data and on that shared with them are also considered contents.
Personal information means data that characterises the user's identity, such as first and last name, username and any encryption passwords for contents, the organisation of membership and the IP addresses with which the user accesses the service. Personal data is mainly extracted from information provided by Identity Providers of the IDEM Federation and is used for authentication, authorisation and monitoring purposes.
1.3 Actors¶
The main roles that people can play when interacting with GARRbox are reported in the following table. Some service procedures and related technical documents may introduce and define in more detail some sub-roles involved in specific process activities.
| Code | Role | Description |
|---|---|---|
| Administrative roles | ||
| AG | GARR Administration | Handles the contractual and administrative aspects between GARRbox subscribing organisations, through the Administrative Contact, and Consortium GARR. |
| RA | Organisation Administrative Contact for the GARRbox service | The person who subscribes to GARRbox for their organisation and interacts with AG for the necessary bureaucratic procedures. |
| ES | Subscribing Organisation | Organisations and Institutions (Legal Entities) that access the GARR network and subscribe to the GARRbox service agreement. |
| Technical roles | ||
| UT | GARRbox User | The person who accesses GARRbox, uploads their data to the service, synchronises it between their devices and shares it with other users of their organisation or via public links. |
| RT | Organisation Technical Contact | A GARRbox user who has been granted special permissions to manage the virtual resource quotas assigned to other GARRbox Users of the organisation or project they belong to. Provides first-level support to the GARRbox Users whose resources they manage. |
| SG | GARRbox Service Support | The group of experts who manage GARRbox. Provides second-level support, handling requests from local Technical Contacts. Also handles the allocation of aggregate storage resources to subscribing organisations. |
2 Service characteristics¶
GARRbox is accessible via the Internet, both from the web interface (gbox.garr.it) and through applications (clients) for different platforms. The service allows users to synchronise contents between different devices and share them with other users. The service is characterised by keeping its servers, whose operation is managed by GARR, within Italian territory. GARRbox is designed as an alternative to cloud file-sharing services that keep user data in countries where the application of Italian laws on privacy and confidentiality of online content is not guaranteed.
3 Operation¶
3.1 Subscription and access¶
GARRbox can only be used by users who have been authorised by an organisation that has subscribed to the service. Only organisations that have a digital identity management system adhering to the IDEM Federation are eligible to request subscription to the service. Registration with GARRbox takes place through a specific account for each user created, on first access, using IDEM federated credentials. The Technical Contacts of the organisation enable the new account and assign a personal storage quota. From that moment the registered user can access the service using the credentials of the service-specific account. Registered users have full access to the features offered by the service. They can upload files and folders to GARRbox and, by sending links, can invite third parties, both registered users and those external to the system, to download shared content or to change its content, if authorised.
Third-party users who access shared user data via links may not belong to either the organisation of the user who originally owned the content, nor to the GARR Community. The service features to which registered users have access are limited to the context of the sharing link received and the authorisation settings that the registered user has activated in GARRbox before forwarding the invitation to third parties. Before sharing with third parties, users should consider that authorised non-registered users could pass the invitation link to other recipients not originally planned or desired, and these in turn to other third parties.
3.2 User management and reporting¶
Given the subscription of an organisation to the GARRbox service, users register autonomously. When a user leaves their organisation, the organisation will remove the credentials from its systems. The Technical Contacts of the organisation, as delegates for local authorisation to the service, must block access for the departing user via the PrimoLogin administrative interface accessible from GARRbox.
The revocation of the organisation's membership of the IDEM Federation formally implies the revocation of access to the service.
GARR reports the use of resources made by a subscribing organisation and accounts to the organisation the costs for the use of such resources.
3.3 Data location¶
The servers hosting the data that users upload via the service are located in Italy and are within the GARR infrastructure, which also manages their maintenance and operations. Users who access the service via the local networks of organisations reach the data via the GARR network; in all other cases access to the servers takes place via the Internet.
3.4 Storage capacity, replication and backup¶
The maximum storage capacity offered to each user and the remaining quota relative to usage can be consulted via the service interfaces.
GARR does not perform regular backup of user contents. GARR may decide to perform ad hoc backups of contents solely for the purpose of greater protection during service maintenance activities. Users are responsible for creating backups of their own contents uploaded to the service, preserving them in an appropriate location and form (see Section 4.6).
GARR performs daily backups of the databases containing the information necessary for the regular operation of the service.
3.5 User support¶
The first level of user support consists of the Technical Contacts of the organisations: contacts manage the routine administration of user quotas and support users belonging to their organisation in the first contact with the service. Users can identify and contact their Technical Contacts from the GARRbox administrative interface.
Users also have access to FAQs and online documentation.
For any problem, need for clarification or suggestion, users can contact GARRbox Service Support, which will take charge of analysing the incident encountered or evaluating the request made. The contact channels with GARRbox Service Support are described on the service website.
4 Terms of use¶
4.1 Application of terms¶
The provisions of the following documents in their most recent version are applicable to the use of GARRbox:
- For users belonging to a member of Consortium GARR: Statute of Consortium GARR and Acceptable use policy;
- For users belonging to a Contracted Organisation of Consortium GARR: Agreement and related annexes and among these notably the AUP;
- For organisations subscribing to a framework agreement with Consortium GARR: terms of the agreement, implementing agreements and AUP;
- For all users: the "Terms and conditions of use" described in this document.
In the event of conflicting statements, this document prevails over the provisions of the other documents mentioned above. GARR reserves the right to modify the terms and conditions of use at any time. Organisations and users will be informed of any changes in an appropriate manner.
4.2 Acceptable use¶
GARRbox can be used to upload, synchronise, modify, download and share digital contents. It can be used by members of an organisation subscribing to the service and also by non-registered users who receive a sharing link as described in Section 3.1.
Any use of the service is acceptable only insofar as such use is not in conflict with this service description, the GARR AUP, the law or the rights of third parties. It is the user's responsibility to decide which files and directories to upload, synchronise, modify, download or share via the service.
4.3 User responsibility for contents¶
Users and organisations bear sole responsibility for their conduct, use, and the contents they upload to the service. It is not acceptable to use the GARRbox service in any way that could conflict with this service description or with the rules indicated in the AUP.
The activities that third-party users can do on shared data are many (for example, copying the file, modifying them, sharing them with third parties, publishing them, etc.).
It is not acceptable to use the GARRbox service in any way that could cause offence, defamation or harm to third parties, for example by using the service to disseminate obscene or indecent material or that causes any form of anxiety and defamation, or in a way that violates laws or regulations.
It is not acceptable to use the GARRbox service to disseminate advertising material.
It is also forbidden to transfer one's user credentials to third parties.
GARR disclaims any responsibility for actions carried out voluntarily or involuntarily by users on contents.
4.4 Improper use of the service¶
Illegitimate use of the service is governed by what is reported in sections 4.2, 4.3, 4.4, 4.5 and 4.10 of this document.
In the event of reasonable suspicion that the service is being used in violation of legal norms or regulations or in violation of the norms contained in this paragraph 4, GARR reserves the right to block access to the contents in question immediately (for example, pirated copies or illegal content), deactivating the accounts holding the contents, eliminating any shares and placing the contents in quarantine. The users and their organisations involved will not have the right to assert any claims for compensation following the measures taken by the GARRbox Support Service in response to improper use of the service.
Furthermore, in all cases of improper use of the service, GARR reserves the right to cooperate with the competent authorities where this is required by law or if deemed necessary. In this context GARR will offer all the collaboration required by the competent authority, providing all the information necessary to pursue illegal actions. Users and their organisations undertake to cooperate with GARR in order to promptly interrupt improper use and ascertain the causes. The responsibilities of users and organisations are discussed in section 4.10.
4.5 Notifications of improper use¶
If a user identifies illegal content or content that constitutes improper use of the service, the user is required to inform GARR by sending a report to GARRbox Service Support in the manner indicated on the service website. The report must contain the following information: a) name and address of the user, b) description of the improper content identified, c) explanation of how the content harms the user or the service or third parties based on the criteria established in section 4.4, d) URL or links at which the content is reachable, e) date and time when the content or improper use was identified, f) screenshots that help to better understand the location and access conditions of the content.
GARR will evaluate on a case-by-case basis the actions to be taken in response to a report from users.
4.6 Password and data backup¶
The user is responsible for protecting the passwords used to access the service. The user undertakes not to disclose them to third parties. The user is responsible for all activities carried out through their account or through the use of their passwords.
Excluding the service backups described in paragraph 3.4, GARR will not create any backup of user contents for the purpose of long-term storage. GARRbox is designed for the management of active data and therefore is not suitable for massive backup purposes, such as user workstations.
4.7 Personal data protection¶
The user determines the scope with which the contents of their data are made accessible to third parties at the time of sharing. Organisations, through their Technical Contacts, have the responsibility to ask their users to comply with the applicable terms and conditions for the processing of personal data in the contents.
The service uses, during registration, user information provided according to the methods and constraints imposed by the IDEM Identity Federation. During access to the service GARR traces some information (IP address, date and time, username) for the purpose of maintaining and improving the service. GARR traces the number of user accounts and storage assigned in aggregate form to subscribing organisations.
4.8 Guarantees and security¶
GARR guarantees that data is stored on its own infrastructure in Italy. GARR applies best practices in network and service protection but does not guarantee a specific security level (QoS) or a specific availability level (SLA).
4.9 GARR's responsibilities¶
The responsibilities and related limitations of GARR in managing the GARRbox service are added to any constraints governed by agreements and conventions stipulated individually or collectively between organisations and GARR. The aforementioned agreements must be considered prevailing if in conflict with the norms of this document.
4.10 Responsibilities of organisations and users in case of improper use¶
Subscribing organisations and users are entirely responsible, to the extent provided by law, for damages suffered by GARR due to improper use of the service and for other indirect damages. Each user and their organisation bear personal responsibility at their own expense for violations of copyright or intellectual property rights and/or violations of current legal provisions on personal data protection caused by content uploaded to the service.
The User and the subscribing Organisation respectively undertake to indemnify and hold harmless GARR from any and all claims, damages, losses, costs or expenses (including costs for legal assistance as well as those resulting from any judicial measures issued against GARR), which GARR may incur as a result of the violation by the User or the Organisation of any of the norms contained in or referred to by this document.