Vendor compliance

On behalf of institutions, we perform privacy and security risk analyses on vendors. In this way, we jointly fulfil statutory obligations. By combining expertise, we achieve cost savings, knowledge sharing and, on behalf of the education and research sector, we have a stronger negotiating position towards vendors.

Handen met computer met groen op de achtergrond reflecterend in het scherm

HR2day is taking additional privacy measures following SURF’s DPIA

News

SURF has carried out a Data Protection Impact Assessment (DPIA) on HR2day, an all-round HRM and payroll system. The assessment identified 16 high-risk issues. HR2day has stated that it will implement…

News

SURF completes DPIA for Adobe Creative Cloud and Document Cloud for Education

News

SURF and Privacy Company have conducted a Data Protection Impact Assessment (DPIA) on Adobe Creative Cloud and Document Cloud for Education. SURF confirms that institutions may continue using these…

News

SURFshort

What you need to know about... DPIAs

Listen to the SURFshort podcast with privacy lawyer Sophia Gelpke on DPIAs, vendor compliance and privacy law in a geopolitical context.

SURFshort 16 minutes

podcast recording with Sophia Gelpke and Sanne Koenen

TOPdesk implements privacy improvements following SURF DPIA

Institutions can continue to use TOPdesk, according to SURF's DPIA. SURF identified 9 high risks and 3 low risks. TOPdesk has already mitigated 4 of the high risks and will mitigate the remaining…

News 15 January 2026

three students are sitting on the floor and engaged in conversation.

DPIA eduGenAI

Working on safe and responsible AI in education

Together with Npuls, we are working on eduGenAI: a platform that enables the safe and responsible use of generative AI in higher education. We commissioned a data protection impact assessment (DPIA)…

News 01 September 2025

Vrouw met koptelefoon gefotografeerd op haar achterhoofd kijkt naar laptop waarvan het scherm onscherp is

SURF advises not to use Microsoft 365 Copilot for the time being due to privacy risks

We advise educational and research institutions not to use Microsoft 365 Copilot for the time being. This is because research shows that there are privacy risks associated with using the generative…

News 18 December 2024

jongen met bril zit op de trap en werkt op een laptop.

Safe cloud use: Zoom and SURF together provide seatbelts and airbags

Zoom is popular in the Netherlands, but still struggled with a nine privacy issues in 2020. Zoom can now be safely used in Dutch education and research: the Data Protection Impact Assessment (DPIA) on Zoom indicated that using Zoom's video conferencing services no longer poses high risks to users.

Article

''We'd love to hear which compliance pathways you think are important''.
Sandy Janssen

Tell us your wishes for the pathways here

HR2day is taking additional privacy measures following SURF’s DPIA

SURF completes DPIA for Adobe Creative Cloud and Document Cloud for Education

What you need to know about... DPIAs

TOPdesk implements privacy improvements following SURF DPIA

Working on safe and responsible AI in education

SURF advises not to use Microsoft 365 Copilot for the time being due to privacy risks

Safe cloud use: Zoom and SURF together provide seatbelts and airbags

Frequently asked questions