Vendor compliance

On behalf of institutions, we perform privacy and security risk analyses on vendors. In this way, we jointly fulfil statutory obligations. By combining expertise, we achieve cost savings, knowledge sharing and, on behalf of the education and research sector, we have a stronger negotiating position towards vendors.

Handen met computer met groen op de achtergrond reflecterend in het scherm

International attention

SURF and the educational institutions consider secure education that meets our public values very important. That is why we join forces in the Netherlands and SURF, in collaboration with partners or otherwise, enters into discussions with large and small vendors, within and outside Europe, to reach sound agreements.

Protection of user data

Through SURF, the members make joint agreements with IT and content vendors regarding the supply and purchase of products and services. Conducting Data Protection Impact Assessments (DPIAs) is part of this.

It follows from laws and regulations in Europe that vendors must take measures to protect users' data. From the GDPR, a DPIA is necessary to identify privacy risks to users. Those DPIAs may reveal risks that need to be resolved before safe use of products and services can be made. In such a case, we engage with the vendor to see if we can come to a solution together.

Talking to vendors gets results

By joining forces in the sector, (large) tech companies are willing to sit down with us, improve and adapt their products to remove risks. This proves that you can achieve great results with cooperation. By doing so, we ensure that Dutch education and research can make the best and safest possible use of IT solutions that meet our public values.

Proud of collaboration

SURF is proud of the fact that we achieve good results in this field. And our approach is noticed internationally. The New York Times even published an article about it on 18 January (behind login).