BACK-X Governance Framework
ONIZEA, as Federator/Operator of the data space, defines and enforces the rules for participation, security and regulatory compliance. No participant can access another participant’s data content without an explicit contract.
Guide to joining the space
Five structured phases, managed by ONIZEA, to join BACK-X as a verified participant.
Participation request
Any interested entityThe interested entity submits an application indicating:
- Type of organization (manufacturer, technology provider, R&D center, etc.)
- Roles it wishes to assume (Data Provider, Data Consumer, Service Provider…)
- Planned use cases and type of data to provide or consume
Preliminary assessment
ONIZEA reviews in 5–10 daysONIZEA evaluates the request according to:
- Fit of the applicant within the BACK-X value chain
- Compatibility of objectives with the data space
- High-level analysis of technical, legal and security risks
Legal and compliance verification
Required documentationThe ONIZEA team will review your request. If the preliminary assessment is favorable, you will receive access to the legal verification form and the onboarding case-tracking app. In this phase, the following information is requested:
- Legal identification data
- Name: short name.
- URL: main website of the legal entity.
- Legal name: the officially registered name.
- Legal registration number: for EU participants, the NIF or VAT number is recommended, provided it can be verified online). Other alternatives are (EUID, EORI or LEI ).
- Country subdivision code: based on ISO 3166-2 standard, which combines the country code and a subdivision code that varies by country.
- Legal address: street, postal code and locality.
- Acceptance of governance rules and terms of use
- NDA and, where applicable, DPA and DPIA impact assessment (GDPR)
- Statement of compliance with minimum security requirements
Technical onboarding on the platform
Eclipse EDC integrationFull technical integration:
- ONIZEA creates the organization tenant on the multi-tenant platform
- Roles are registered and initial permissions are assigned in the authorization system
- The participant registers its users in the BACK-X IdP (OIDC)
- The participant’s Eclipse EDC connector is registered as a technical component
Initial publication and testing
Status: ActiveControlled validation before active status:
- The participant prepares and registers its first data products
- Ingestion, query and access-policy enforcement tests
- Event auditing in the Clearing House (when available)
- Once validated, the participant moves to Active
Trust levels
Each participant has a trust level assigned by ONIZEA. Levels determine security requirements, access policies and ODRL constraints enforced by the Eclipse EDC connector.
Basic participant
Pilot phase · Aggregated data consumers
- Basic verification of the legal entity
- Signing of data space participation agreements
- Formal commitment to comply with security and data protection policies
- Access mainly to aggregated data and pilot use cases
Data and service provider
Data Provider · Service Provider
- Everything required in Level 1
- Evidence of information-security practices
- Demonstrated technical ability to operate data systems and Eclipse EDC connectors
- Explicit responsibility as Data Provider and/or Service Provider with formalized contracts
Advanced trust entities
Federator · Clearing House · Trust Provider
- Everything required in Levels 1 and 2
- High standards of security and service continuity (Federator/ONIZEA)
- Robust identity management and governance
- Neutrality, record integrity and compliance with European trust frameworks (Gaia-X, DSSC)
Trust levels are used as evaluable attributes in ODRL access policies enforced by Eclipse EDC connectors. A Level 1 participant cannot access data products requiring Level 2 or higher in its EDC contract.
Common principles and rules
General principles
No participant may exercise disproportionate control over the data, services or rules of the space.
Participants ensure that all processing respects agreed policies, contractual conditions and applicable regulations (GDPR).
Each participant appoints an official representative before ONIZEA for decision-making and coordination.
Participants commit to participating in review cycles, improvement activities and use-case validation.
Operating rules
Participation implies explicit acceptance of the terms of use, security policies, data access agreements and SLAs defined by ONIZEA.
Acceptable practices, ethical behavior, technical responsibility and respect for third-party data sovereignty.
ONIZEA monitors compliance with the policies and may request evidence, activate audits or require corrective actions.
In the event of a dispute over data use or policy interpretation, ONIZEA acts as a neutral arbiter applying the rules of the space.
GDPR y Protección de Data
Sovieweignty garantizada
Joining as a participant does not imply transfer of ownership or control over its data. Data always remains under the sovereignty of the Data Owner.
DPA y DPAI obligatorios
Los participants Nivel 2+ deben firmar Acuerdos de Tratamiento de Data (DPA) y realizar análisis de impacto (DPAI) según el GDPR cuando proceda.
No unauthorized access
ONIZEA, as Federator, never accesses participant data content except when explicitly acting as Data Consumer under a data contract.
Evidence retention
BACK-X keeps activity records and contracts for the legally required period for audits and subsequent claims.
Ready to join BACK-X?
Start the request process. The ONIZEA team will evaluate your request and contact you with the next steps.