Every time a user logs in via SURFconext, user information is transferred from the institution, via SURFconext, to your service. Depending on what you have agreed, as a Service Provider you may receive data from the Identity Provider/Attribute Provider for:
- the authentication (the proof of authentication by the Identity Provider);
- attributes you as Service Provider can use for authorisation of the user;
- the group memberships of a user if such is required for cooperation and authorisation within the service provided;
- extra data from a user relevant to the service.
A contract needs to be signed (when going to the production environment) in order to guarantee that the service provider will handle this information with caution:
Language | Template connection agreement | GDPR related questions |
---|---|---|
Dutch | template aansluitovereenkomst SURFconext_v1.00.docx | VragenVoorSPsVoorAO2017.docx (English) |
English | Template Connection Agreement SURFconext_v1.00 (2)_eng-GB.docx | QuestionsForSPsForCA2017.docx |
Who needs to sign a contract?
There are different contractual bases for using SURFconext. Commercial vendors need to sign a SURFconext Connection Agreement. We consider a commercial vendor to be anyone who offers a service and is not a SURFnet member. Whether or not money is involved is not important. You can download the template to see in advance what the agreement entails. Send an e-mail to support@surfconext.nl to start the process and receive a copy to sign.
SURFnet members
For SURFnet members offering a service, the procedure is as follows:
- Check if there is a relevant SURFconext contract. If you are registered as a SURFconext Identity Provider (check here), you can assume this is done. In case of doubt, contact support@surfconext.nl.
- Adhere to the SURFconext Privacy Policy.
- Inform the person in your organization responsible for SURFconext that you are going to connect a service to SURFconext. This person will be legally responsible. SURFnet needs explicit consent before your service can be connected.