Definition

The SPDX 3.1 Services Profile captures metadata about online services so that service assurance can be established across organizational boundaries. It covers use cases in three primary areas: Customer Data Governance (securing data), Supplier Infrastructure Governance (mitigating provider risks and ensuring availability), and Regulatory Compliance (adhering to established regulations).

Personas

This profile is designed for a variety of roles involved in the consumption, provision, and auditing of online services, including:
• End consumers of online services and intermediate service providers.
• Service Providers who need to disclose platform and hosting information.
• Customers seeking to understand service maintenance and license compliance.
• Compliance Auditors verifying data encryption and geographic export controls.
• Procurement professionals identifying third-party service dependencies.

Use Cases

Customer Data Governance

Consumers and auditors use the profile to ensure data is classified appropriately and stored in authorized geographic locations.

Supplier Infrastructure Governance

Supplier Infrastructure Governance focuses on service availability (SLAs/SLOs), identifying 4th party service provider dependencies, and managing service-related vulnerability discovery to ensure reliable operation.

Regulatory Compliance

Regulatory Compliance helps verify that service providers are not violating regulations, such as geographic export restrictions on cryptography.

Service Vulnerability Discovery

Stakeholders can determine whether a service is vulnerable because of software components used directly or indirectly by the provider, or for non-software reasons such as misconfigurations.

Benefits

The Services Profile allows organizations to clearly communicate service-level risks and maintenance standards. By differentiating between Internal usage (managing policy and risk) and Shared usage (exchanging data across trust boundaries), it provides a standardized way to evaluate service availability, data protection capabilities, and audit standards.

Demo

NA