
DPIA on Nextcloud Enterprise software: 15 low or solved risks
SURF and Privacy Company have jointly conducted an umbrella Data Protection Impact Assessment (DPIA) on self-hosted Nextcloud Enterprise, open-source collaboration software. After negotiating an amended Data Processing Agreement for the sector and agreeing on mitigating measures by Nextcloud, SURF positively recommends the use of Nextcloud Enterprise.
Nextcloud Enterprise is open-source office productivity and collaboration software, developed by the German-based Nextcloud GmbH. The assessment initially identified 15 data protection risks. These risks were related to the processing of Admin and Commercial Contact Data; Support Data; the limited Diagnostic Data administrators can choose to share with Nextcloud; and Website data. There were no risks found related to Content Data.
Based on the amended Data Processing Agreement (DPA) – which SURF negotiated on behalf of the Dutch education and research sector – and the mitigating measures already taken or announced by Nextcloud GmbH, the assessment concludes that all identified risks are, or will be, resolved or low.
Amended DPA for the Dutch education sector
Nextcloud does not host customers’ Content Data and has no access to any data in the customer environment, not even for support purposes. The company processes only a minimal amount of personal data through its software and services, such as the contact details of administrators or procurement officers. The amended Data Processing Agreement (DPA) for the Dutch education and research sector adds contractual and organisational safeguards for the limited personal data processed by Nextcloud. The DPA limits the processing by Nextcloud as a processor to 4 specific and legitimate purposes. For certain personal data, Nextcloud is authorised in the DPA to act as authorised controller for 7 compatible further processing purposes.
The amended DPA also ensures that the education institutions are in full control of the purposes of the processing and the engagement of sub-processors. They can rely on EU-exclusive data processing if they choose the new Nextcloud Office powered by Euro-Office. However, for the DPIA SURF tested with the previous Nextcloud Office, based on Collabora Online, where support tickets could be processed by employees in the UK.
Retention periods are limited to what is strictly necessary, institutions can expect that Nextcloud sets only strictly necessary cookies, and they can rely on SURF to exercise its audit rights to verify compliance with the agreed data protection clauses and measures. Unlike vendors headquartered in the USA, Nextcloud offers a hard guarantee that it will never disclose any personal data to authorities outside of the EU.
Security assessment
The DPIA also includes a separate security assessment with a positive outcome. Nextcloud recently obtained the CSPN certification, a security certification framework defined by the French National Agency for Security of Information Systems, ANSSI. Although the CSPN certification focuses on secure storage, the auditors also evaluated the software’s authentication, access control rules, and secure communication features.
Recommendations for institutions
Education institutions can host Nextcloud software themselves or choose a third-party hosting provider. The DPIA contains a provisional list of essential security measures to prevent data protection risks, as well as a table with measures that institutions must take to prevent any high data protection risks. These complement the measures implemented or announced by Nextcloud. Institutions must instruct administrators to further minimise data sharing with Nextcloud. Institutions must also prevent the abuse of internal audit logs for employee and student surveillance.
Positive recommendation
SURF gives a positive recommendation for the use of the Nextcloud Enterprise software under the conditions set out in the amended DPA for the Dutch education and research sector.
Read the full report
Read the full findings of the study in the DPIA and the Tech Appendix.
Any questions?
Please contact us via vendorcompliance@surf.nl.