SURF Vendor Compliance

Jointly conducting privacy and security risk assessments on vendors

On behalf of institutions, we perform privacy and security risk analyses on vendors. In this way, we jointly fulfil statutory obligations. By combining expertise, we achieve cost savings, knowledge sharing and, on behalf of the education and research sector, we have a stronger negotiating position towards vendors.


Joint action

By taking up processes together, we have a strong negotiating position towards vendors; we speak on behalf of the entire research and education sector.

Pooled expertise

By pooling expertise, institutions individually save costs and time.

Support and choice

Institutions are given the building blocks they need to make their own trade-offs for the secure use of assessed applications/(cloud) software.

Do you have a question about SURF Vendor Compliance services? Get in touch.

Sandy Janssen


What does SURF Vendor Compliance services entail?

Personal data breaches put institutions at risk of fines, reputational damage and liability claims. It is therefore necessary to check with vendors how they process institutions' data, and to make clear agreements about this. Institutions often perform this compliance work individually, each repeating the same work for the same applications, while expertise is scarce and costly.

To support institutions in these processes and take work off their hands, SURF carries out various compliance processes each year within the SURF Vendor Compliance services. Each year, an average of eight processes are picked up. We determine which processes these are together with the members.

SURF takes care (in collaboration with partners) of:

  • the performance of risk analyses (including DPIAs and DTIAs);
  • the performance of security and compliance checks, including data transfers outside the EEA with legal and technical investigations;
  • drafting, delivering and applying assessment frameworks against which vendors are assessed;
  • making agreements with vendors, such as processor agreements, in which privacy risks are mitigated and agreements are made on security measures;
  • providing information and support on how institutions can use the assessed applications/(cloud) software as securely as possible;
  • monitoring vendors' compliance with agreements made.

Read more about ongoing and completed compliance processes on our expertise page.

Do you have any questions? Contact us or take a look at some frequently asked questions (pdf).