Vendor compliance

On behalf of institutions, we perform privacy and security risk analyses on vendors. In this way, we jointly fulfil statutory obligations. By combining expertise, we achieve cost savings, knowledge sharing and, on behalf of the education and research sector, we have a stronger negotiating position towards vendors.

Handen met computer met groen op de achtergrond reflecterend in het scherm

Privacy risks Microsoft 365 Copilot remain ‘orange’ despite improvements

News

SURF continues to advise educational and research institutions to exercise caution when deploying Microsoft 365 Copilot. Although Microsoft has made improvements to the AI assistant since SURF first…

News

HR2day is taking additional privacy measures following SURF’s DPIA

News

SURF has carried out a Data Protection Impact Assessment (DPIA) on HR2day, an all-round HRM and payroll system. The assessment identified 16 high-risk issues. HR2day has stated that it will implement…

News

SURF completes DPIA for Adobe Creative Cloud and Document Cloud for Education

SURF and Privacy Company have conducted a Data Protection Impact Assessment (DPIA) on Adobe Creative Cloud and Document Cloud for Education. SURF confirms that institutions may continue using these…

News 16 February 2026

SURFshort

What you need to know about... DPIAs

Listen to the SURFshort podcast with privacy lawyer Sophia Gelpke on DPIAs, vendor compliance and privacy law in a geopolitical context.

SURFshort 16 minutes

podcast recording with Sophia Gelpke and Sanne Koenen

TOPdesk implements privacy improvements following SURF DPIA

Institutions can continue to use TOPdesk, according to SURF's DPIA. SURF identified 9 high risks and 3 low risks. TOPdesk has already mitigated 4 of the high risks and will mitigate the remaining…

News 15 January 2026

three students are sitting on the floor and engaged in conversation.

DPIA eduGenAI

Working on safe and responsible AI in education

Together with Npuls, we are working on eduGenAI: a platform that enables the safe and responsible use of generative AI in higher education. We commissioned a data protection impact assessment (DPIA)…

News 01 September 2025

Vrouw met koptelefoon gefotografeerd op haar achterhoofd kijkt naar laptop waarvan het scherm onscherp is

SURF advises not to use Microsoft 365 Copilot for the time being due to privacy risks

We advise educational and research institutions not to use Microsoft 365 Copilot for the time being. This is because research shows that there are privacy risks associated with using the generative…

News 18 December 2024

jongen met bril zit op de trap en werkt op een laptop.

''We'd love to hear which compliance pathways you think are important''.
Sandy Janssen

Tell us your wishes for the pathways here

SURF Inkoop Connect

Conference

Gooiland, Emmastraat 2, 1211 NG Hilversum

27 Oct

Frequently asked questions