We ran a workshop sharing our principles with participants on Saturday 28th of October 2017 at the Mozilla Festival. Here is a list of principles as participants rewrote them. We will be considering how these interact with our existing principles and look forward to your feedback!

  1. A company MUST provide a product which is GDPR compliant.
  2. A company MUST provide access to the core functionality of a product through a documented API using open protocols.
  3. A company MUST either submit the hardware and software to an independent audit to verify compliance or open source or both.
  4. A company SHOULD make it visible to its customers what data channels of communication the product/service uses.
  5. A company MUST make it possible for customers to turn off the connections to a data cloud. They should make it clear what risks this presents.
  6. A company MUST offer customers the right to transfer ownership of the product.
  7. A company MUST use open protocols for the communication between a product and a cloud service and cannot prevent changing the service provider it points to.
  8. A company MUST be clear about expected support for a product including: spare parts, repairs, updates and security.
  9. A company MUST be explicit to a customer as to whether there are secondary legal obligations.
  10. A company MUST be clear about expected lifetime of the product.
  11. A company MUST document any parts that a customer could be realistically expected to repair.
  12. A company SHOULD be able to list the countries involved in the supply chain comprising the product.
  13. A company MUST provide core functionality even when internet access is unavailable.