Data security and privacy
Users of our services need to be confident that research data and other confidential information stored and processed by SURF is in safe hands. SURFsara holds an ISO 27001 certification for information security. This demonstrates that we meet strict international standards in the field of information security.
Our Data Archive service is accessible through the SSH File Transfer Protocol (SFTP) which ensures encrypted and reliable data transfer.
It is recommended to encrypt data before transfer when it still resides at your institute. This guarantees your data is encrypted when stored at the SURF data service and is unreadable and uninterpretable for service administrators. You are responsible for encryption and encryption keys. SURF cannot decrypt encrypted data!
SURF advises you to contact the privacy or security officer at your institute in advance for assessment regarding the required protection of your data.
All computer accounts at SURF are personal accounts and data stored with the data service is principally only accessible by the owner of the account. The account owner is responsible for proper management of the account and the stored data.
Service operators and administrators of the Data Archive service have administrator rights to data stored. Administrators exercise this right only for service maintenance purposes. Confidentiality and proper use of information and privacy can be expected in compliance to the SURF IT rules and ISO 27001.
The data processing role of SURF can be formalized in a written Service Level or Data Processing Agreement (SLA, DPA) on request.