Vendor compliance
On behalf of institutions, we perform privacy and security risk analyses on vendors. In this way, we jointly fulfil statutory obligations. By combining expertise, we achieve cost savings, knowledge sharing and, on behalf of the education and research sector, we have a stronger negotiating position towards vendors.
Handen met computer met groen op de achtergrond reflecterend in het scherm

Tracks

Discover all compliance tracks regarding privacy and security risk assessments on suppliers.

Zoom

After intensive consultation with SURF, Zoom is making changes to the privacy agreements for all Education and Enterprise users in Europe. In addition to these adjustments and new contractual agreements, SURF advises institutions to implement a number of recommended measures themselves and make new agreements with Zoom. Once these are implemented, there will no longer be any high privacy risks for those involved in using Zoom video conferencing services, this also applies to highly confidential communications.

Read more about Zoom

 

Microsoft OneDrive, SharePoint and Teams

SURF, together with the Ministry of Justice and Security (Strategic Supplier Management for the Central Government), commissioned the Privacy Company to conduct a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams. The study revealed the following:

  • 6 low risks
  • 1 high risk

The 6 low risks can only be classified as such after actions have been implemented by the institutions. SURF will come up with further information for this. The high risk concerns the use of Teams. It concerns the specific situation where special personal data is shared via pre-scheduled Teams meetings. These scheduled sessions are not end-to-end encrypted. Currently, Microsoft offers this encryption (end-to-end encryption, E2EE) only for spontaneous 1-to-1 exchanges.

Read more about Microsoft

 

Google Workspace

We reached agreement with Google on a comprehensive set of contractual, organisational and technical measures regarding the use of Workspace for Education Plus and Workspace Education Fundamentals by educational institutions in the Netherlands. Given the importance of using Google services in educational institutions, SURF and SIVON will continue to monitor Google on behalf of the education sector.

Read more about Google Workspace