Latest news
AFAS and SURF are taking the next step together following the DPIA
SURF has carried out a Data Protection Impact Assessment (DPIA) on AFAS’s Profit, an all-round HRM and payroll system.
Memo published on Pure (Elsevier): four recommendations for institutions
SURF Vendor Compliance has published a memo on Pure, Elsevier’s Research Information System.
Privacy risks Microsoft 365 Copilot remain ‘orange’ despite improvements
SURF continues to advise educational and research institutions to exercise caution when deploying Microsoft 365 Copilot.
HR2day is taking additional privacy measures following SURF’s DPIA
SURF has carried out a Data Protection Impact Assessment (DPIA) on HR2day, an all-round HRM and payroll system. The assessment identified 16 high-risk issues. HR2day has stated that it will...
Interim update memo on the Osiris DPIA | additions regarding vocational education
We would like to inform you that SURF Vendor Compliance has published an interim update memo regarding the expansion of the Osiris DPIA to include vocational education-specific scenarios. We have...
Relevant documentation Microsoft compliance assessments
On this page you will find a handy overview of the relevant documents for the Microsoft Compliance pathways.
Update Xedule DPIA
Following the DPIA on Xedule in July 2025, it is time to provide an update. Xedule has indicated that it has now implemented most of the mitigating measures. The implementation...
SURF finalizes DPIA on Adobe Creative Cloud and Document Cloud for Education
SURF and Privacy Company have conducted a Data Protection Impact Assessment (DPIA) on Adobe Creative Cloud and Document Cloud for Education. SURF confirms that institutions may continue using these products,...
TOPdesk implements privacy improvements following SURF DPIA
Institutions can continue to use TOPdesk, according to SURF's DPIA. SURF identified 9 high risks and 3 low risks. TOPdesk has already mitigated 4 of the high risks and will mitigate the remaining high risks soon. TOPdesk is a service management platform used by...
Security assessment pilot on Xedule completed
SURF Vendor Compliance has completed a security assessment pilot on Xedule. This assessment was a joint initiative that provided both parties with a great deal of relevant knowledge. Xedule Xedule...
Instructure enhances privacy features in Canvas LMS in collaboration with SURF
SURF has conducted a data protection impact assessment (DPIA) on Canvas LMS. Based on our advice, institutions can continue to use this learning management system. Mitigating measures have been agreed...
Enhanced privacy protections support the provisional recommendation to continue the use of Ans Exam
SURF and Privacy Company have completed a data protection impact assessment (DPIA) of Ans Exam B.V.’s SaaS assessment platform and API. Ans Exam is used by more than 20 Dutch...
Zoom is making progress in last mitigation steps from DPIA 2024
In April 2024, SURF published an updated DPIA on Zoom Education. The DPIA concluded that there were no more known high data protection risks. Zoom agreed to implement two extra measures...
Privacy risks in Osiris addressed in collaboration with SURF
SURF has commissioned a data protection impact assessment (DPIA) on Osiris. The preliminary advice is that institutions can continue to use this student information system as long as they take...
Privacy risks Microsoft 365 Copilot to orange
SURF advises education and research institutions to exercise caution when deploying Microsoft 365 Copilot. That is the conclusion of a new DPIA (Data Protection Impact Assessment) on Microsoft 365 Copilot....
DPIA eduGenAI - working on safe and responsible AI in education
Together with Npuls, we are working on eduGenAI: a platform that enables the safe and responsible use of generative AI in higher education. Already at this stage of development, we...
Xedule uses SURF DPIA to further strengthen its privacy policy
SURF conducted a Data Protection Impact Assessment (DPIA) on Xedule, a cloud-based solution for planning and scheduling processes in education. We identified 17 high risks and 1 medium risk. Xedule...
The DPIA on eduGenAI will be published on September 1, 2025
The use of AI in education is a current topic. In Npuls, a privacy-friendly AI solution for educational institutions is being developed as an alternative to commercial generative AI solutions:...
Update DPIA Microsoft 365 Copilot
26 June 2025 - Microsoft recently provided us with new information on how they plan to implement mitigating measures. This information is now being analysed by us and reported back...
SURF advises not to use Microsoft 365 Copilot for the time being due to privacy risks
SURF advises educational and research institutions not to use Microsoft 365 Copilot for the time being. This is because research shows that there are privacy risks associated with using the generative...
Google Workspace can be safely used in education
So reports the Ministry of Education, Culture and Science (OCW) based on research by SURF and SIVON to the House of Representatives today. In recent years, SURF and SIVON investigated...
Zoom’s efforts to fulfill the agreements made with SURF to deliver an even more secure digital environment to its education customers in Europe.
We are proud to announce that Zoom has reached the next milestone for enterprise and education customers in the Netherlands and all of the EEA: The long-standing close partnership with SURF...
Relevant documentation Zoom compliance assessment
On this page you will find a handy overview of the relevant documents for the Zoom compliance assessment.
Relevant documentation Google Compliance assessment
On this page we have created a handy overview of the relevant documents for the Google compliance assessment
Zoom enhances privacy functionality for education across Europe through partnership with SURF
Zoom has tightened and updated its privacy policy and implemented important privacy and security measures.
Working with the U.S.: a good conversation about data security
How do you safeguard data protection at the international level? At the end of 2022, this question was the focus of the discussion “The Dutch and American approaches to data...
Safe cloud use: Zoom and SURF together provide seat belts and airbags
Zoom is popular in the Netherlands, but still struggled with a nine privacy issues in 2020. Meanwhile, Zoom can safely be used in Dutch education and research: the Data Protection...
Changed general conditions for free services Zoom have no effect on Dutch (and European) education
Zoom updated its worldwide consumer terms and conditions (for free services) in March of this year. Those amended terms state that Zoom has the right -in the future- to analyze...
SURF, SIVON and Google reach agreement Terms of Service Google Chrome
In May 2023, SURF and SIVON reached an agreement with Google on the new Terms of Service (ToS) for the use of Chrome OS and Chrome browser for Chromebooks. After...
Privacy risks Google Workspace for Education sufficiently resolved
Google has taken steps in recent months to mitigate the remaining risks from the 2021 DPIA as agreed and within the deadline. The privacy risks from Google Workspace for Education...
Zoom introduces global improvements around personal data privacy
Ensuring privacy is critical to users' trust in technology companies. You want to use digital technologies knowing that your personal data is safe. Zoom's privacy, product and technical teams have...
Status of Google Workspace DPIA: update privacy measures
In December 2022, SIVON and SURF reported that Google delivered measures to mitigate the risks from the 2021 DPIA within the agreed timeframe. Most of the measures comply with our...
Update agreements and conversations SURF and Google
In July 2021, SURF and Google reached an important agreement on the use of Google Workspace for Education by educational institutions. It involves a set of contractual, organizational and technical...
Zoom adjusts privacy terms after intensive consultation with SURF
After intensive consultation with SURF, Zoom is making changes to the privacy agreements for all Education and Enterprise users in Europe. In addition to these changes and new contractual agreements,...
Data Protection Impact Assessment op Microsoft OneDrive, SharePoint en Teams
SURF together with the Ministry of Justice and Security (Strategic Supplier Management for the Central Government) has commissioned the Privacy Company to conduct a Data Protection Impact Assessment (DPIA) on...
Investigation into Google ChromeOS and Chrome browser
In July 2021, it was agreed with Google that an education-specific version will be available for ChromeOS and Chrome browser. Institutions will thus remain in control of the data when...
Support package Google Workspace for Education
As we previously reported, on July 8 an agreement was reached with Google on the measures aimed at the privacy risks previously identified with Google Workspace for Education. This means...
All about DPIA Google Workspace
On July 8, an agreement was reached with Google on measures aimed at the previously identified privacy risks at Google Workspace for Education. This means that schools can continue to...
Education agreement with Google over privacy risks
After intensive discussions in recent weeks, an agreement has been reached with Google to mitigate high privacy risks related to the use of Workspace for Education Plus (formerly G Suite...
AP opinion: Google Workspace in education has too many risks
The Personal Data Authority (AP) says it is unclear whether personal data in Google Workspace (formerly Google Suite for Education) is adequately protected. Educational organizations are urgently appealing to Google's...
SURF and SIVON address Google on privacy risks
In education, more and more (personal) data is being stored and exchanged digitally. It is important that this is done in a safe and responsible manner. Research commissioned by the...