This privacy policy is based on the Elixir AAI privacy policy and the eduTEAMS privacy policy.

SRAM Privacy Policy, Version February 26, 2020

Name of the serviceSRAM - SURF Research Access Management
Description of the service

SRAM helps Dutch led (international) research collaborations and research infrastructure providers to (register and) manage users, groups, roles and rights and connect to services. It saves time on managing infrastructure and builds on the valuable institutional identity/user account. It prevents having to resort to 'zero hour contracts' (nulurencontract) etc. It builds upon standing research practices to gain access to resources. The services is based on the international AARC blueprint.

The SRAM service allows data subjects (researchers, scientists - users) to participate in virtual organizations (VO, also known as CO, collaborative organisation) and access external services based on the membership with the virtual organization.

This privacy notice describes how we process the personal data of you – user – when you use SRAM.

This privacy policy does not cover how data is processed by any service you use via SRAM.

Data processor and contact person

SURFnet B.V.
Raoul Teeuwen,
JurisdictionNL Netherlands
Personal data processed

SRAM may process the following data:

A) Profile information

  • Honorific
  • Given Name
  • Middle Name
  • Family Name
  • Suffix
  • Email
  • Telephone number
  • Postal addresses
  • Language Preference
  • Affiliation
  • Username
  • SSH public key(s)

B) Information for your virtual organisation

  • The virtual organisation that you have created or joined
  • Group and memberships you may have in the context of your virtual organisation
  • Roles and rights you may have in the context of your virtual organisation

C) External Identity Provider Institution information

For authentication to the SRAM platform we may request from your home institution or another identity provider of your choice:

  • Given Name
  • Middle Name
  • Family Name
  • Email
  • Affiliation

D) Identifiers

  • Identifiers, as provided by identity providers like e.g. a Home Institution or
  • Identifiers from third parties, for example an ORCID

The actual data collected by your virtual organisation may differ. You can consult this at any time by visiting the [User profile Page].

Additionally, during activity on SRAM we keep technical logs consisting of the following data:

  • Actions on the platform along with timestamps
  • External services that someone accessed through SRAM
  • IP address of any actor on the platform
  • The Identity Provider used to gain access

Purpose of the processing of personal data

The SRAM service processes personal data to identify, authenticate and authorize someone as a member of one or more virtual organisations who have chosen to use the SRAM service to register and manage their members. Based on the information provided someone may gain access to external services that are available in the context of the virtual organisation they are member of.

When you are added as member of a CO, your personal information will be shared with services connected to the CO, in order to allow you to access and use those services. The CO is responsible for checking whether data is passed to services that have proper data protection measures.

We process limited personal information (email address, name, possibly telephone number) of contact persons for services connected to SRAM to contact them for support, connecting services, forwarding requests tot connect from CO's etc.

We process limited personal information (email address, name, possibly telephone number) of contact persons for organisations (mostly institutions) which in SRAM can configure certain 'organisational level SRAM options', like who from that organisation/institution is allowed to create CO.

To be able to provide support, we process limited personal information (email address, name, possibly telephone number) to reply to requests and support calls.

Technical log files produced by SRAM components will be used only for administrative, operational, accounting, monitoring and security purposes.

Legal basis of processing The legal basis for processing personal data is 'Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract'. SURF offers the SRAM service to Dutch led research collaborations. Dutch Institutions can configure if and who from an institution is allowed to create a VO in SRAM. Such a VO falls under the responsibility of the Institution that managed the account the person initially creating the VO logged in with (the underlying assumption being that the VO is created as part of a research collaboration the institition is (jointly) responsible for).


The SRAM service may reveal personal data to other members of the virtual organization you have chosen to join. By joining a virtual organisation that is using SRAM, you agree that the recorded information may be disclosed to other authorized participants of the virtual organisation via secured mechanisms, but only for the same purposes and only as far as necessary to provide the services.

The SRAM service will release your personal data to services available to the virtual organisation you choose to become a member of. Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct].

The current listing of associated services for your virtual organisation which are enabled to receive personal data is available at the [User profile Page]. Statistical data is gathered based on the technical logs. This data is anonymized and does not contain any personal data. Statistical anonymized data may be made publicly available by SRAM.

Data storage

All data processed by the SRAM service is stored within the EU/EEA.

The services are operated under the jurisdiction of the Data Controller, which are the Organisations (mostly Dutch Insittutions) that have been defined in SRAM.

External services that you choose to join may receive your personal data – those maybe based in the EU/EEA, or in countries with less adequate data protection provisions. The CO-admin is responsible for taking any necessary measures regarding privacy, data security etc of the external services personal data of VO members is being shared with.

Data retention

Personal data associated with an account is kept as long as someone is active in the SRAM service and can be deactivated earlier on request. In case that a researcher has not logged in to SRAM for 37 consecutive months their account will be deactivated. Information from contact persons at institutions/organisations and Service Providers are stored indefinitely or shorter if it is absolutely clear they are no longer needed.

The technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained no longer than 6 months.


SURFnet takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction. In particular: access to technical log data is restricted and can only be accessed in a secure way by the service staff.

When accessing a service provided we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.

Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:

  • There are security and privacy limitations on the internet which are beyond our control and what can have negative impact on the confidentiality, integrity and availability of the information.
  • We cannot be held accountable for activity that results from your own neglect to safeguard the security of your log on credentials and equipment which results in a loss of your personal data. If you feel this not enough, then please do not provide any personal data.
Your Rights
  • To access, rectify the data released by your Home Organisation (e.g. your university or research institute), contact your Home Organisation's IT helpdesk. You may object to processing of your personal data by deactivating your account in the SRAM service at any time by sending email to .
  • To access your data, go to the [User profile Page].  You may access and rectify your personal data or deactivate your account by visiting the [User profile Page]. If you have any additional questions connected with your data protection rights contact .

Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens].

Data Protection Code of Conduct

Your personal data, for the part where it is stored in SRAM, will be protected according to the GÉANT Data Protection Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy.

References [User Profile Page] - the profile page you can access when you log in to the SRAM service,
[Autoriteit Persoonsgegevens] - 
[GÉANT Data Protection Code of Conduct] -
ContactPlease contact our support desk at for any further information.