SURF Vendor Compliance
Together we ensure the best privacy and security terms for education and research

What is Vendor Compliance?
When personal data is breached, institutions face the risk of fines, reputational damage and liability claims. It is therefore necessary to check with suppliers how they process your data. Clear agreements must be made about this. Institutions often perform this compliance work individually: the same work for the same applications while expertise is scarce and expensive. To support institutions in these processes and take work off their hands, SURF Vendor Compliance carries out various compliance processes each year. Each year an average of eight projects are picked up. We determine which projects these are together with the members.
Latest news
Interim update memo on the Osiris DPIA | additions regarding vocational education
We would like to inform you that SURF Vendor Compliance has published an interim update memo regarding the expansion of the Osiris DPIA to include vocational education-specific scenarios. We have...
Update Xedule DPIA
Following the DPIA on Xedule in July 2025, it is...
SURF finalizes DPIA on Adobe Creative Cloud and Document Cloud for Education
SURF and Privacy Company have conducted a Data Protection Impact...
Latest compliance assessments

SURF provides (in collaboration with partners):
- conducting risk analyses (including DPIAs and DTIAs);
- performing security and compliance checks, including data transfers outside the EEA, with legal and technical investigations;
- establishing, delivering and applying review frameworks against which suppliers are reviewed;
- making agreements with suppliers, such as processor agreements, that mitigate privacy risks and agree on security measures;
- providing information and support on how institutions can use the assessed applications/(cloud) software as securely as possible;
- monitoring suppliers' compliance with agreements made.
What are the benefits of Vendor Compliance?
By taking up assessments together, we have a strong negotiating position towards suppliers; we speak on behalf of the entire research and education sector.
By pooling expertise, institutions individually save costs and time.
Institutions get the building blocks they need to make their own trade-offs for the secure use of assessed applications/(cloud) software.
Do you have a question or a request regarding a compliance assessment?
By talking to suppliers and staying in dialogue, we agree on the best privacy and security conditions for research and education.
If you have a question about a compliance program, please contact us or send us your requirements via the button below.