SURF Framework of Legal Standards for (Cloud) Services
The SURF Legal Standards Framework for (Cloud) Services describes the standards with regard to confidentiality, privacy, property and availability when concluding contracts with (cloud) suppliers. It includes standard provisions and processing agreement that offer institutions a solid basis for contracts with suppliers.
Content of Legal Framework
An important part of the SURF Legal Standards Framework (Cloud)services is the Processors Agreement. In September 2018, this Agreement was brought into line with the General Data Protection Regulation (GDPR and was updated).
New processors agreement 2019
The new Processor Agreement (PDF) is a new fully updated version of the previous version. There is also a Dutch version (PDF) available.
The Word versions, including previous versions of the documents, can be obtained at SCIPR's private wiki.
The Legal Committee plays an important role in the drafting of the Processors' Agreement. More information on the role and composition of the Committee on Legal Affairs can be found in this document (in Dutch)
In addition to the Processors' Agreement, the Appendix B (Instructional Instruction), C (Guidelines Security Measures) and D (Guidelines Audit Obligation) will also be adapted to the new Processors' Agreement.
Processor agreement 2016
The versions from 2016 can be found here:
The Framework also has the following annexes:
- A. Processor Agreement (PDF): this is an example for making arrangements with suppliers (as processors). This version was updated in October 2016.
- B. Instructions with the Processor Agreement (PDF): practical instructions and explanation in terms of the provisions and annexes of the Processing Agreement.
- C. Guidelines for Security Measures (PDF): this document explains the so-called 'suitable security measures' addressed by the Framework and Processing Agreement.
- D. Guidelines for Audit Obligations (PDF): the Processing Agreement discusses an audit obligation. This is explained further in this document.
More information
- SURF and the GDPR (in Dutch)
- Wiki' Principles of the AVG' wiki (in Dutch)
- See the 25 most common ways of processing personal data with CIA triad classification (in Dutch) (PDF)
- Acceptable Use Policy for staff and for students (in Dutch)
- CIA triad data classification, Higher Education Reference Architecture, reference models
- If you would like to use the 2014 Standards Framework, please get in touch with the contact persons shown at the bottom of this page.