Every time a user logs in via SURFconext, user-information is transferred from the institution, via SURFconext, to your service. Based on what you agreed, as a Service Provider you may receive data from the Identity Provider/Attribute Provider:
- for the authentication (the proof of authentication by the Identity Provider);
- for authorisation decisions within your service;
- about the group memberships of a user if such is required for cooperation and authorisation within the service provided;
- extra data from a user relevant to the service.
A contract needs to be signed (when going to production environment) in order to guarantee that the service provider will deal with this information with caution:
Don't sign the contract below. Please let us know if you like to receive a copy to sign.
| Template connection agreement | GDPR related questions | |
|---|---|---|
| Dutch | Template aansluitovereenkomst SURFconext_v1.00.docx (en de aanbiedingsbrief) | VragenVoorSPsVoorAO2017.docx (Engels) |
| English | Template Connection Agreement SURFconext_v1.00_eng-GB.docx (accompanying letter) | QuestionsForSPsForCA2017.docx |
Who needs to sign a contract?
There are different contractual basis for using SURFconext. Commercial vendors need to sign a SURFconext Connection Agreement. We consider a commercial vendor anyone who offers a services and is not a SURFnet member. Whether or not money is involved is not important. You can download the template to see in advance what the agreement entails. Send a mail to support@surfconext.nl to start the trajectory and receive a copy to sign.
SURFnet members
For SURFnet members offering a service, the procedure is as follows:
- Check if there is a relevant SURFconext contract.
If you are registered as a SURFconext Identity Provider (check here), you can assume this is done. In case of doubt, contact support@surfconext.nl. - Adhere to the SURFconext Privacy Policy.
- Inform the person in your organization responsible for SURFconext that you are going to connect a service to SURFconext. Legally he will be responsible. SURFnet needs explicit consent before your service can be connected.