The Governing Agreement should at least address:
Governance structure, such as advisory and audit boards
Criteria to join and stay on the network, including certification and audits (Req. D1.2-6.14-Compat)
Process for removal from the network
Process for complaints, arbitration, and disciplinary action (Req. D1.2-6.9-Complaint)
Commercial liability and its fair appropriation
Liability due to negligence in criminal cases and its fair appropriation
Privacy protection
Redress for users that have suffered unwarranted disclosure (Req. D1.2-6.10-Redress)
Minimal mandatory security practices and policies (Reqs. D1.2-6.11-Confid and D1.2-6.15-MinPolicy)
Acceptable use for Service Providers
Acceptable use for Users
Requirement to be legally bound (Reqs. D1.2-6.16-Bound and D1.2-6.17-TechBind)
Any prospective Trust Network member should document the answer to the following questions:
Are you collecting or using PII as part of the service?
Do you have a Privacy Policy that you are bound to follow?
Do you use PII for any purpose other than providing the service?
Do you get the User's consent or let him opt out before his information is used for purposes other than providing the specific service?
Do you share PII beyond your company or family of companies?
Do you get the user's consent or let him opt out before you share his information with any other company not needed to provide the specific service?
Do you allow the user to manage these preferences over time and change his options?