What is Vendor Compliance?

When personal data is breached, institutions face the risk of fines, reputational damage and liability claims. It is therefore necessary to check with suppliers how they process your data, and to make clear agreements about this. Institutions often perform this compliance work individually, repeating the same work for the same applications while expertise is scarce and expensive. To support institutions in these processes and take work off their hands, SURF Vendor Compliance carries out various compliance processes each year. On average, eight projects are taken up each year. We determine which projects these are together with the members.

SURF provides (in collaboration with partners):

  • conducting risk analyses (including DPIAs and DTIAs);
  • performing security and compliance checks, including data transfers outside the EEA, with legal and technical investigations;
  • establishing, delivering and applying review frameworks against which suppliers are reviewed;
  • making agreements with suppliers, such as processor agreements, that mitigate privacy risks and agree on security measures;
  • providing information and support on how institutions can use the assessed applications/(cloud) software as securely as possible;
  • monitoring suppliers' compliance with agreements made.

What are the benefits of Vendor Compliance?

✔︎ Acting together

By taking up assessments together, we have a strong negotiating position towards suppliers; we speak on behalf of the entire research and education sector.

✔︎ Combining expertise

By pooling expertise, institutions individually save costs and time.

✔︎ Support and choice

Institutions get the building blocks they need to make their own trade-offs for the secure use of assessed applications/(cloud) software.

Sandy Janssen

Do you have a question or a request regarding a compliance assessment?

By talking to suppliers and staying in dialogue, we agree on the best privacy and security conditions for research and education.

If you have a question about a compliance program, please contact us or send us your requirements via the button below.