Trust Service Practice Statement
DRAFT v0.1 · Effective — (not in force; pre-audit working document) · Last revision 14 May 2026
This is a pre-audit working draft of the Trust Service Practice Statement (TSPS) that QENEX would publish before applying for qualified status under eIDAS Regulation (EU) 910/2014 via a future EU/EEA subsidiary (working name: QENEX Trust Services OÜ, Estonia). It is structured against ETSI EN 319 401 (general TSP policy requirements) and ETSI EN 319 421 (TSPs issuing time-stamps), with cross-references where relevant.
This document is not in force. It does not yet describe a qualified service. It describes the practice QENEX is building toward. It will become operative once: (a) the EU subsidiary is incorporated; (b) a Conformity Assessment Body has issued a positive Conformity Assessment Report; (c) the relevant national supervisory body grants qualified status; (d) the subsidiary is listed on the national Trusted List which federates to the EU LOTL.
Clause 1
Scope
This TSPS covers the proposed Qualified Time-Stamping Service (QTimestamp, ETSI service-type identifier http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST) and, in a future revision, the Qualified Electronic Seal Service (QESeal) used by QENEX to seal evidence bundles and legal documents on behalf of the legal entity QENEX Trust Services OÜ.
Out of scope: qualified electronic signatures issued to natural persons (QES); qualified preservation services (QPreS); qualified e-delivery (REM).
Clause 2
References
- Regulation (EU) No 910/2014 (eIDAS) and its 2024 revision (eIDAS 2)
- Commission Implementing Regulation (EU) 2015/1502 and 2015/1505
- ETSI EN 319 401 v3.1.1 — General Policy Requirements for TSPs
- ETSI EN 319 421 v1.2.1 — Policy and Security Requirements for TSPs issuing time-stamps
- ETSI EN 319 422 v1.1.1 — Time-stamping protocol and profiles
- ETSI TS 119 312 v1.5.1 — Cryptographic Suites
- RFC 3161 (Time-Stamp Protocol), RFC 5816 (ESS Update for RFC 3161)
- ETSI TS 119 612 v2.4.1 — Trusted Lists (TLv6 format)
Clause 3
TSP Identification
Legal name (planned): QENEX Trust Services OÜ
Registration country: Estonia
Parent company: QENEX LTD · Companies House 16523814 · 20 Wenlock Road, London N1 7GU, United Kingdom
Trust Service Provider type: Qualified TSP (subject to grant by Estonian supervisor RIA)
Supervisory body (planned): Information System Authority (Riigi Infosüsteemi Amet, RIA), Tallinn, Estonia
Conformity Assessment Body (under selection): LSTI / TUV Trust IT / CIS Italy
Clause 4
Service Description — QTimestamp
What: Issuance of qualified electronic time-stamps per ETSI EN 319 421 over the RFC 3161 Time-Stamp Protocol.
How: An RFC 3161 TimeStampReq is received via HTTPS POST. The TSA returns a TimeStampResp containing a TSTInfo signed by the Qualified TSA signing certificate, which chains to an Estonian Trusted-List-listed Issuer CA. Tokens carry the ESS-signing-cert-v2 attribute per RFC 5816.
Time source: Stratum-1 GPS-disciplined NTP (planned: Meinberg LANTIME M200 in the EU production rack), with NTP failover to two public stratum-1 servers. Time accuracy SHALL be within ±1 second of UTC at all times, with cryptographically-attested clock-drift records.
Cryptographic Suite: Per ETSI TS 119 312; ECDSA P-256 (or higher) for signing, SHA-256 (or higher) for hashing. The TSA certificate is RSA-3072 or ECDSA P-256; renewal at minimum every 5 years.
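The request side of the RFC 3161 exchange described in Clause 4, together with an acceptance check a TSA front end could apply before signing, as an added example (not QENEX code and not part of the draft). It handles requests that fit DER short-form lengths; the function names and the reading of "SHA-256 (or higher)" as a SHA-256/384/512 allow-list are assumptions.

```python
import hashlib, secrets

# DER bodies of digest OIDs; Clause 4 accepts SHA-256 or higher only.
OIDS = {
    "sha1": bytes.fromhex("2b0e03021a"),
    "sha256": bytes.fromhex("608648016503040201"),
    "sha384": bytes.fromhex("608648016503040202"),
    "sha512": bytes.fromhex("608648016503040203"),
}
ACCEPTED = {"sha256", "sha384", "sha512"}

def tlv(tag, body):
    """Encode one DER TLV; every field of this request fits a short-form length."""
    if len(body) >= 0x80:
        raise ValueError("long-form length not needed for this profile")
    return bytes([tag, len(body)]) + body

def build_request(data, algo="sha256", nonce=None):
    """Client side: TimeStampReq with version 1, messageImprint, nonce, certReq TRUE."""
    alg = tlv(0x30, tlv(0x06, OIDS[algo]) + tlv(0x05, b""))
    imprint = tlv(0x30, alg + tlv(0x04, hashlib.new(algo, data).digest()))
    nonce = secrets.randbits(64) if nonce is None else nonce
    nonce_der = tlv(0x02, nonce.to_bytes(nonce.bit_length() // 8 + 1, "big"))
    return tlv(0x30, b"\x02\x01\x01" + imprint + nonce_der + tlv(0x01, b"\xff"))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for one short-form TLV, or raise ValueError."""
    if pos + 2 > len(buf) or buf[pos + 1] >= 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def check_request(der):
    """TSA side: accept only version 1 with an approved digest of the right size."""
    tag, body, end = read_tlv(der, 0)
    t_ver, ver, p = read_tlv(body, 0)
    t_imp, imprint, _ = read_tlv(body, p)
    t_alg, alg, q = read_tlv(imprint, 0)
    t_oid, oid, _ = read_tlv(alg, 0)
    t_dig, digest, _ = read_tlv(imprint, q)
    tags = (tag, t_ver, t_imp, t_alg, t_oid, t_dig)
    if tags != (0x30, 0x02, 0x30, 0x30, 0x06, 0x04) or end != len(der) or ver != b"\x01":
        raise ValueError("malformed TimeStampReq")
    name = next((k for k, v in OIDS.items() if v == oid), None)
    if name not in ACCEPTED or len(digest) != hashlib.new(name).digest_size:
        raise ValueError("digest algorithm or length not accepted")
    return name, digest.hex()

if __name__ == "__main__":
    print(check_request(build_request(b"constructed sample document")))
```

Over HTTP, RFC 3161 carries these bytes as the POST body with Content-Type application/timestamp-query.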
Clause 5
Trustworthy System (ETSI EN 319 421 §7.2)
Cryptographic operations are performed inside a FIPS 140-2 Level 3 validated Hardware Security Module (currently: YubiHSM 2 FIPS, cert #4046). Key generation is performed via a documented key ceremony with split-knowledge / dual-control by at least two cleared trust-service roles. Keys never leave the HSM in cleartext. Private-key backup is performed via the HSM’s vendor-prescribed encrypted-export procedure to an offline, fire-rated safe.
Clause 6
Organisation & Roles (ETSI EN 319 401 §6.4)
The minimum trust-service roles to be maintained:
- Security Officer — overall responsibility for security policy administration. Cannot be the same person as any operational role.
- System Administrator — installs, configures, maintains trustworthy systems.
- System Operator — daily operation; backup, recovery.
- System Auditor — reviews logs and operational records.
Personnel are vetted by background check, sign confidentiality undertakings, and receive documented training on trust-service security before being granted operational access.
Clause 7
Risk Management (ETSI EN 319 401 §5)
Annual documented risk assessment using ISO/IEC 27005. Residual risks reviewed by the Security Officer and accepted in writing. Critical-vulnerability response time: 24 hours for triage, 72 hours for emergency patch, 7 days for full remediation.
Clause 8
Termination Plan (ETSI EN 319 401 §7.12)
Should QENEX Trust Services OÜ cease to operate as a QTSP, the following obligations are funded in advance through an irrevocable termination-funding agreement with an Estonian escrow agent:
- Notification to the supervisory body (RIA) and all customers at least 90 days before termination.
- Revocation of TSA signing certificates on the termination date.
- Retention of issued-token logs and verification material for at least 10 years post-termination, hosted at a successor TSP or in escrow.
- Publication of a termination notice on the EU LOTL via the national supervisor.
Clause 9
Insurance (eIDAS Art. 13)
Civil liability insurance covering damages arising from breach of the obligations imposed by eIDAS Title III. Minimum cover: EUR 1,500,000 per occurrence; EUR 5,000,000 aggregate per annum. Insurer: to be selected from the Estonian Insurance Association membership list.
Clause 10
Audit Log Retention
Every issued time-stamp token is logged with: issuance serial, request hash, response hash, signing certificate identifier, time-source attestation, requesting IP address. Logs are written append-only, signed daily with the operator Ed25519 key, pinned to IPFS, and anchored to the public Bitcoin timechain via OpenTimestamps. Retention: 10 years minimum from issuance.
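One way to make the append-only property in Clause 10 checkable ahead of the daily signature, as an added example (not QENEX code and not part of the draft): each entry is bound to the hash of the previous one, so a single head value covers the whole day's records. The hash chaining, the field names and the sample values are assumptions; the Ed25519 signing and anchoring steps are left out.

```python
import hashlib, json

# Hypothetical names for the six items Clause 10 says are logged per token.
FIELDS = ("serial", "request_hash", "response_hash",
          "cert_id", "time_attestation", "client_ip")
GENESIS = "00" * 32

def entry_hash(prev, body):
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append(log, record):
    """Append one issuance record, bound to the hash of the previous entry."""
    if set(record) != set(FIELDS):
        raise ValueError("record must carry exactly the six logged fields")
    prev = log[-1]["hash"] if log else GENESIS
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    log.append({"prev": prev, "body": body, "hash": entry_hash(prev, body)})
    return log[-1]["hash"]  # after the day's last append: the head to sign

def first_bad_entry(log, signed_head):
    """Return -1 if the log reproduces signed_head, else the index where it breaks."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or entry_hash(prev, e["body"]) != e["hash"]:
            return i
        prev = e["hash"]
    return -1 if prev == signed_head else len(log)

def sample_log(n=3):
    """Constructed sample records; every value is made up for the example."""
    log = []
    for i in range(n):
        append(log, {"serial": i + 1, "request_hash": f"{i:064x}",
                     "response_hash": f"{i + 100:064x}",
                     "cert_id": "tsa-cert-placeholder",
                     "time_attestation": "gps-ok", "client_ip": "192.0.2.10"})
    return log

if __name__ == "__main__":
    log = sample_log()
    print(first_bad_entry(log, log[-1]["hash"]))
```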
Clause 11
Subject Population (who may use the service)
The qualified time-stamping service will be offered to QENEX Pulse Compliance-tier customers and to third-party clients via a standard online contract. Non-discriminatory access per eIDAS Art. 24(2)(g).
Clause 12
Disclaimer & Legal Effect
Until this document is in force (see opening paragraph), time-stamps issued by any QENEX surface are not qualified within the meaning of eIDAS Art. 41 and carry no statutory presumption. The current QENEX cryptographic evidence chain (Ed25519 + IPFS + OpenTimestamps) is jurisdiction-neutral evidence but is not self-proving in EU courts.
Contact
Comments on this draft
Send to legal@qenex.ai with subject TSPS v0.1 comment.