SURF Framework of Legal Standards for (Cloud) Services(Publicatie)The SURF Legal Standards Framework for (Cloud) Services describes the standards with regard to confidentiality, privacy, property and availability when concluding contracts with (cloud) suppliers. It includes standard provisions and processing agreement that offer institutions a solid basis for contracts with suppliers.
Content of Legal Framework
An important part of the SURF Legal Standards Framework (Cloud)services is the Processors Agreement. In October 2017, this Agreement was brought into line with the General Data Protection Regulation (GDPR). The SURF Legal Committee advised SURF that this version should be included in the Legal Standards Framework. SURF's Executive Committee took a positive decision on this in November 2017.
New processors agreement 2017
The Word versions of these documents can be obtained at SCIPR's private wiki.
The Legal Committee plays an important role in the drafting of the Processors' Agreement. More information on the role and composition of the Committee on Legal Affairs can be found in this document (in Dutch)
In addition to the Processors' Agreement, the Appendix B (Instructional Instruction), C (Guidelines Security Measures) and D (Guidelines Audit Obligation) will also be adapted to the new Processors' Agreement.
Processor agreement 2016
The versions from 2016 can be found here:
The Framework also has the following annexes:
- A. Processor Agreement (PDF): this is an example for making arrangements with suppliers (as processors). This version was updated in October 2016. You can request the Word version from SCIPR.
- B. Instructions with the Processor Agreement (PDF): practical instructions and explanation in terms of the provisions and annexes of the Processing Agreement.
- C. Guidelines for Security Measures (PDF): this document explains the so-called 'suitable security measures' addressed by the Framework and Processing Agreement.
- D. Guidelines for Audit Obligations (PDF): the Processing Agreement discusses an audit obligation. This is explained further in this document.
- SURF and the GDPR (in Dutch)
- Wiki' Principles of the AVG' wiki (in Dutch)
- Document' About SURFconext, service providers and processor agreements' (in Dutch, pdf)
- See the 25 most common ways of processing personal data with CIA triad classification (in Dutch) (PDF)
- Acceptable Use Policy for staff and for students (in Dutch)
- CIA triad data classification, Higher Education Reference Architecture, reference models
- If you would like to use the 2014 Standards Framework, please get in touch with the contact persons shown at the bottom of this page.
- Number of times shown:
- Number of times downloaded: