SURF Vendor Compliance

Jointly conducting overarching privacy and security risk assessments on vendors

On behalf of institutions, we conduct overarching privacy and security risk assessments on vendors/applications. As far as possible, we negotiate adjustments/contract agreements that benefit the entire education and research sector.

Communicate your wishes for compliance pathways

Advantages

Joint action

By taking up processes together, we have a strong negotiating position towards vendors; we speak on behalf of the entire research and education sector.

Pooled expertise

By pooling expertise, institutions individually save costs and time.

Support and choice

Institutions are given the building blocks they need to make their own trade-offs for the secure use of assessed applications/(cloud) software.

Do you have a question about SURF Vendor Compliance services? Get in touch.

Sandy Janssen

n.v.t.

vendorcompliance@surf.nl

What does SURF Vendor Compliance services entail?

Institutions have a legal obligation to check with vendors how they process personal data. In addition to testing, clear agreements must also be made with the vendor about processing, such as in processor agreements or other arrangements. Failure to have agreements and understanding of processing by vendors tested and in order carries risks of fines, reputational damage and liability.

Institutions now often perform this compliance work individually: the same work for the same applications, while expertise is scarce and costly. By combining knowledge and expertise, we support institutions in this work and have a stronger position on behalf of the entire education and research sector towards vendors. With the eight overarching compliance processes that SURF will carry out annually, we offer institutions the building blocks they need to arrive at their own proper assessment and risk analysis for the use of the (cloud) application.

Building blocks for our own consideration

Once we have performed a risk analysis on a vendor/application, we enter into discussions with the vendor about the measures to resolve any risks found as far as possible. Many of these agreements are laid down in, for example, a standard processing agreement. Instructions are also drawn up on how institutions can use the application in the most privacy and security-friendly way possible.

Institutions themselves determine to what extent the overarching results are applicable to their own organisation. On the basis of the building blocks we provide, your institution can make an informed decision on the secure use of the (cloud)software. The delivered results can be used by anyone, but should always be interpreted to your own situation, processes and environment.

Use the technical, organisational and legal arrangements we have arranged to carry out your own risk analysis or decide, depending on your own procurement policy, whether or not to purchase something. Even if your institution purchases (cloud) software directly from a vendor, you can use our privacy and security risk analyses and always keep in touch with the vendor yourself.

SURF takes care (in collaboration with partners) of:

the performance of risk analyses (including DPIAs and DTIAs);
the performance of security and compliance checks, including data transfers outside the EEA with legal and technical investigations;
drafting, delivering and applying assessment frameworks against which vendors are assessed;
making agreements with vendors, such as processor agreements, in which privacy risks are mitigated and agreements are made on security measures;
providing information and support on how institutions can use the assessed applications/(cloud) software as securely as possible;
monitoring vendors' compliance with agreements made.

Do you have any questions? Contact us or take a look at some frequently asked questions (pdf).