What does SURF Vendor Compliance services entail?
Personal data breaches put institutions at risk of fines, reputational damage and liability claims. It is therefore necessary to check with vendors how they process institutions' data, and to make clear agreements about this. Institutions often perform this compliance work individually, each repeating the same work for the same applications, while expertise is scarce and costly.
To support institutions in these processes and take work off their hands, SURF carries out various compliance processes each year within the SURF Vendor Compliance services. Each year, an average of eight processes are picked up. We determine which processes these are together with the members.
SURF takes care (in collaboration with partners) of:
- performing risk analyses (including DPIAs and DTIAs);
- performing security and compliance checks, including legal and technical investigation of data transfers outside the EEA;
- drafting, delivering and applying assessment frameworks against which vendors are assessed;
- making agreements with vendors, such as processor agreements, in which privacy risks are mitigated and agreements are made on security measures;
- providing information and support on how institutions can use the assessed applications/(cloud) software as securely as possible;
- monitoring vendors' compliance with agreements made.
Do you have any questions? Contact us or take a look at some frequently asked questions (pdf).