SURF Framework of Legal Standards for (Cloud) Services
Would you like to enter into a contract with (cloud) suppliers? SURF's Framework of Legal Standards for cloud and other services sets the rules governing confidentiality, privacy, ownership, and availability. It contains standard provisions and a model processor agreement that provide institutions with a solid basis for contracts with suppliers.
Legal Standards Framework
If you wish to establish a sound legal basis for making agreements with (cloud) providers for your institution, you can use the SURF Framework of Legal Standards for (cloud) services (PDF, version September 2018). The standards framework also contains a number of important appendices that will help you use and apply the standards framework.
Appendices
The main annex to the Framework of Standards is the Model Processing Agreement (pdf, version January 2019). You can use this model to draw up your own processor agreements. Because we made a number of changes to the previous version, we have indicated the changes in a document (pdf).
A Dutch version (pdf) of the processor agreement is also available. There is also a document in Dutch with the most important changes (pdf).
You can still use the old version. Please contact SCIPR for more information.
In addition to the processor agreement, the following appendices are available:
- B: Instruction (pdf): practical instruction and explanation of the provisions and appendices of the Model Processing Agreement.
- C: Security measures guide (pdf) (in Dutch): this document explains the so-called 'appropriate security measures', which are discussed in the Framework of Standards and the Model Processing Contract.
- D: Audit Commitment Guide (pdf) (in Dutch): the Model Processing Agreement refers to an audit commitment. This document provides further explanation of this.
Members of SCIPR can request the Word versions of these documents via the SCIPR private wiki.
SURF's Legal Committee (pdf) (in Dutch) plays an important role in drawing up the processor agreement.
Useful documents
In addition to the handouts, the following two documents are available:
- Model Joint Controllership Agreement (pdf)
  This document is a model for parties within a joint venture, in which the various parties act as joint controllers within the meaning of the GDPR (AVG).
- In addition, a comparison is available between the 'Generic Model Processing Agreement 3.0 Framework ibp in MBO' (pdf) (in Dutch) and the SURF Processing Agreement.
More information
- SURF and the GDPR (in Dutch)
- Wiki 'Principles of the AVG' (in Dutch)
- See the 25 most common ways of processing personal data with CIA triad classification (in Dutch) (PDF)
- Acceptable Use Policy for staff and for students (in Dutch)
- CIA triad data classification, Higher Education Reference Architecture, reference models