Every time a user logs in via SURFconext, user information is transferred from the institution to your service. The Service Provider receives data from the Identity Provider/Attribute Provider for:
- the authentication (the proof of authentication by the Identity Provider);
- the authorisation of a user that desires to obtain access to the service provided by the Service Provider;
- the group memberships of a user if such is required for cooperation and authorisation within the service provided;
- extra data from a user relevant to its service.
A contract needs to be signed when going to the production environment, to guarantee that the Service Provider will handle this information with care:
Language | Template connection agreement | GDPR related questions |
---|---|---|
Dutch | template aansluitovereenkomst SURFconext_v1.00.docx | VragenVoorSPsVoorAO2017.docx (English) |
English | Follows | QuestionsForSPsForCA2017.docx |
Who needs to sign a contract?
Commercial vendors: we consider a commercial vendor to be anyone who offers a service and is not a SURFnet member. Whether or not money is involved is not important. You can download the template to see in advance what the agreement entails. Send an email to support@surfconext.nl to start the process and receive a copy to sign.
SURFnet members
For SURFnet members offering a service, the procedure is as follows:
- Check if there is a relevant SURFconext contract.
  If you are registered as a SURFconext Identity Provider (check here), you can assume this is done. In case of doubt, contact support@surfconext.nl.
- Adhere to the SURFconext Privacy Policy.
- Inform the person in your organization who is responsible for SURFconext that you are going to connect a service to SURFconext. This person will be legally responsible. SURFnet needs explicit consent before your service can be connected.