Enhanced privacy protections support the provisional recommendation to continue the use of Ans Exam

SURF and Privacy Company have completed a data protection impact assessment (DPIA) of Ans Exam B.V.’s SaaS assessment platform and API. Ans Exam is used by more than 20 Dutch educational institutions to create, deliver and grade exams. SURF’s interim recommendation is that educational institutions may continue to use Ans Exam.

Risks and mitigating measures 

The DPIA identified a total of 17 risks: 13 high risks, 3 medium risks, and 1 low risk. The concerns are about incomplete descriptions of processing activities in the Data Processing Agreement (DPA), unclear allocation of roles between parties, and insufficient transparency in sub-processor and cookie disclosures, as well as in the user interface. Additional risks relate to the use of email tracking notifications, application logging, retention periods and the ability to respond effectively to data subject access requests.

Following the DPIA, Ans Exam has committed to concrete mitigating measures that were jointly defined and agreed upon by Ans Exam, SURF and Privacy Company.  

Ans Exam has agreed to update the description of data processing in Schedule 1 of the processing agreement. This will provide clarity on all processing activities. The amended Schedule is relevant to all existing and future agreements with customers.

Ans Exam will also clarify controller/processor responsibilities in its Privacy Statement and the DPA, complete and correct its sub-processor disclosures, disable email tracking notifications, update its cookie policy, and implement additional technical and organisational safeguards agreed during the assessment. 

SURF support

SURF will continue to assist Ans Exam with updating Schedule 1 of the DPA and its privacy and cookie policy. Throughout the DPIA process, Ans Exam has demonstrated a strong commitment to resolving the identified risks and has proactively begun implementing the recommended measures. As a result, a significant number of risks have already been mitigated ahead of the DPIA’s completion. SURF is satisfied with Ans Exam’s approach of working together towards the positive results of this DPIA.

Follow-up

Ans Exam has committed to mitigating all remaining identified risks during Q1-Q3 2026. SURF and Privacy Company will verify the vendor’s implementation of the agreed measures and publish updates to the DPIA throughout 2026.

SURF, Privacy Company and Ans Exam will continue working on developing an improved Schedule 1 of the DPA for the institutions in 2026. SURF recommends that institutions conclude an updated DPA for the privacy-enhanced clauses and features. SURF also recommends that institutions require single sign-on (SSO) for Ans Exam and use a dedicated custom domain, as these measures improve the platform’s overall privacy and security posture.

Full report publicly available

The full findings of the assessment can be found in the Data Protection Impact Assessment (DPIA).

Do you have any questions about this DPIA?

Please contact SURF at vendorcompliance@surf.nl