SURF Framework of Legal Standards for (Cloud) Services
Would you like to enter into a contract with (cloud) suppliers? SURF's Framework of Legal Standards for cloud and other services sets the rules governing confidentiality, privacy, ownership, and availability. It contains standard provisions and a model processor agreement that provide institutions with a solid basis for contracts with suppliers.
SURF Framework of Legal Standards
If you wish to establish a sound legal basis for making agreements with (cloud) providers for your institution, you can use the SURF Framework of Legal Standards for Cloud Services (PDF, version September 2018).
Appendices to the Framework
The standards framework also contains a number of important appendices that will help you use and apply the standards framework.
| Document | Description |
|---|---|
| Model Processing Agreement (PDF, version January 2019) | You can use this model to draw up your own processor agreements. The Legal Committee plays an important role in drawing up the processor agreement. You can still use the old version. Please contact SCIPR for more information. |
| Changes document (PDF) | Overview of changes compared to the previous version of the Model Processing Agreement. |
| Instruction (PDF) | Practical instruction and explanation of the provisions and appendices of the Model Processing Agreement. |
| Safety Measures Guide (PDF, in Dutch) | This document explains the so-called 'appropriate security measures', which are discussed in the Framework of Standards and the Model Processing Contract. |
| Audit Commitment Guide (PDF, in Dutch) | The Model Processing Agreement refers to an audit commitment. This document provides further explanation of this. |
Members of SCIPR can request the Word versions of these documents via the SCIPR private wiki.
Other useful documents
In addition to the Framework and its appendices, the following 2 documents are available:
| Document | Description |
|---|---|
| Model Joint Controllership Agreement (PDF) | This document is a model for parties within a joint venture, in which the various parties act as joint processing supervisors within the meaning of the GDPR. |
| Comparison (PDF, in Dutch) | Comparison between the 'Generic model processing agreement 3.0 framework ibp in mbo (vocational secondary education) and the SURF Processing Agreement. |
| Comparison (PDF, in Dutch) | Comparison between SURF's Framework of Legal Standards (Cloud) Services and NLdigital's Data Pro Code |
More information
- SURF and the GDPR (in Dutch)
- Wiki' Principles of the AVG' wiki (in Dutch)
- See the 25 most common ways of processing personal data with CIA triad classification (in Dutch) (PDF)
- Acceptable Use Policy for employees (PDF, in Dutch) and for students (PDF, in Dutch)
- BIV Data Classification (in Dutch), Higher Education Reference Architecture, reference models