Below questions regarding data protection, IT security and various routines will be sent to the applicant after the application form has been received and the application fee has been paid. The answers to the questions form part of the application and are included in the overall assessment that is made as to whether an application is approved or not. Supplements to the answers may be requested.
Various routines
1. In order to be a registrar, at least two employees must have undergone training in the form of study materials and domain knowledge courses and update themselves regularly in the event of changes. Before you become an activated registrar, these people need to have undergone the training. and you will need to tell us the date when it was carried out. Enter the name and email address of the two people with you who will undergo the training.
2. The registrar must verify that it is the holder who has requested a registration service before this service is performed. Describe how you identify the customer and how this is documented.
3. How do you check the accuracy of the customer's contact details before they are sent to The Swedish Internet Foundation. What will your procedures look like to ensure that these are kept up to date against our register? (We carry out regular checks to ensure that the information in our register is updated with correct and valid information)
4. A registrar may only perform registration services on behalf of holders and not for the purpose of himself or through another legal or natural person holding, dealing with or leasing domain names (prohibition of warehousing). Confirm that you understand the meaning of this contractual requirement and that you will not stock domain names.
5. Will domain name registration be done by customer directly through you?
6. Will you, as registrar, use resellers (sub-registrars)?" If you answered yes to the use of resellers (sub-registrars), it is always you as the registrar who is fully responsible for the resellers' actions regarding domain names and registration services according to the registrar agreement. This means, among other things that you as the registrar are responsible for correcting any deficiencies. If this does not happen, sanctions can be applied against you as the registrar as you are The Swedish Internet Foundation's contracting party and The Swedish Internet Foundation has no agreement with the reseller (sub-registrar).
To clarify what is meant by such responsibility, here are a couple of examples:
The registrar must keep resellers and their staff informed about rules/conditions for .se and .nu as well as changes to these
The reseller may not have different rules, conditions or management of the registration services for .se and .nu than those contained in the agreement between the registrar and The Swedish Internet Foundation. For example. that the customer cannot reactivate domain names after the expiry date, that the characters of authorization codes are not compatible with the registry's system, etc.
The retailer needs to have a customer service that provides full support to the end customer.
Mandatory holder information needs to be taken in by the retailer in order to be able to validate these before they are sent on to the registry via the registrar.
The retailer needs to be able to handle and know how transfers to new owners take place in a safe manner and have routines and bring in documents that prove this. The reseller is an extended arm of a registrar and should not be there to act as an anonymization service. Please confirm that you understand the meaning of this. Also describe how your system is structured around dealers and what your solution looks like to be able to help customers who are with your dealers in the event that a dealer misbehaves and violates the agreement.
8. The registrar's website must have clear instructions on how the registration services are handled by the registrar, such as renewal, transfers, requests for auth code, change of ownership, re-pointing, change of DS records, etc. Please confirm that you understand the meaning of this. Before you become an activated registrar, you need to submit links that lead to this information on your website.
9. The registrar's website must have clear information on how abuse can be reported and handled. Before you become an activated registrar, you need to submit a link that leads to this information on your website.
10. Abuse and support cases need to be handled within the same time interval as registration services, i.e. within 5 days. Confirm that you can meet this requirement.
Data protection
1.Are there adopted policy documents (externally published as well as internal governing documents) regarding the processing of personal data for customers and suppliers/collaboration partners?
2. Does the business keep records of personal data that is processed?
3. Does the business employ personal data assistants for personal data processing?
4. If YES: Has the business entered into written personal data processor agreements with all personal data processors?
5.Explanation of procedures for, and ensuring of, data subject's rights according to GDPR (information/register extract, correction and deletion, restriction of processing, data portability, objection to processing, automated decision-makingthey and profiling (e.g. in the case of invoice purchases));
6. Do you have operating procedures in the event of a personal data incident?
IT security
1.Policy, responsibility, organization
Is there a functioning information security management system established by management? Is it spread in the organization?
Are there people with designated responsibilities and powers?
Has the management set aside resources to ensure that the information and security work can be carried out to the extent needed?
2.Security audits/penetration tests/code reviews
What measures has the business taken to achieve a relevant level for its IT systems and are you using adopted IT security measures?
Are regular security reviews carried out? Other external controls?
3.Risk analyzer
Does the business have a systematic and risk-based way of working to create the conditions to protect information assets even in the event of crises and in the event of heightened preparedness? Is there an information security risk assessment process? What does the risk picture look like?
Incident management/reporting
Are there routines for incident management and reporting? How well is it communicated in the organization?
5. Information security instructions
Are there information security instructions for employees in the business and is regular training provided?
6. Continuity plans
Is there a continuity plan and when was the last one adopted by management?
