Sign up for free for our Privacy & Security event on 28 May

DPIA on Nextcloud Enterprise software: 15 low or solved risks

July 17, 2026
Privacy Company and SURF have jointly performed a DPIA (Data Protection Impact Assessment) on Nextcloud Enterprise software. Nextcloud has already taken measures and will take additional measures to solve or mitigate the identified 15 data protection risks. Based on the negotiated new Data Processing Agreement, SURF positively recommends the use of Nextcloud Enterprise for education organisations in the Netherlands.

Privacy Company publishes this blog about the findings with permission from SURF. See the press release, and DPIA on the website of SURF.

The DPIA concerns the open-source Nextcloud Enterprise Office and collaboration software, an alternative for the productivity cloud services from Microsoft and Google. Organisations can host this software from the German company Nextcloud GmbH themselves, or engage a hosting partner to provide the software as managed cloud service. SURF, the collaborative organisation for IT in Dutch higher education and research, performed the technical and security research, while Privacy Company performed the legal analysis and authored the report.

Outcome: 15 low data protection risks

The outcome of this DPIA is that there are 15 low or solved data protection risks. The risks and mitigating measures are shown in more detail in the table in the DPIA. Additionally, the DPIA contains a provisional list of essential security measures organisations must take to prevent data protection risks when they decide to host the software themselves (Section C.1.1.1).

Scope of the DPIA

This  DPIA contains a technical analysis and legal assessment of the (very limited) data processing through 4 Nextcloud Enterprise software packages: Nextcloud Files (filesharing), Groupware (email, calendar, contacts and deck), Talk (videoconferencing and chat) and Nextcloud Office. SURF tested Nextcloud Office with Collabora Online, but Nextcloud now offers Euro-Office, based on a fork of Only Office. Additionally SURF tested the generative AI transcription facility for video calls in Talk. End users can access the different Nextcloud tools via a web interface. SURF also tested with Files and Talk installed on Windows and on MacOS.

Personal data

This DPIA assesses the data protection risks for 5 categories of personal data:

  1. Content Data (only available to customers, inside the self-hosted Nextcloud software)
  2. Account Data, in two types:
    a. admin Account Data
    b. Contact Data from procurement officers
  3. Diagnostic Data, in three types:
    a. Logs only available to customers
    b. Logs optionally shared by customers with Nextcloud GmbH
    c. Logs created by Nextcloud GmbH
  4. Support Data (both the contents of support tickets and metadata)
  5. Website Data, in two types:  
    a. the restricted access websites, i.e. the Nextcloud admin and support portal, and
    b. the publicly available nextcloud.com pages with relevant technical documentation, the form to request data subject access, and legal information.

A key difference with cloud providers of productivity software is that the company Nextcloud collects very little personal data. Nextcloud for example has not programmed the software applications to automatically send Telemetry Data to the company and cannot access any data processed in the customer environment, not even for support purposes.  

GDPR roles of Nextcloud and the education organisations

Initially, Nextcloud took the position that it only was a data processor for the content of the support tickets. The technical analysis showed that Nextcloud processed more categories of personal data. As a result of the negotiations with SURF, Nextcloud has agreed to also become a data processor for the limited personal data it collects as admin Account, Diagnostic and restricted access Website Data. Nextcloud can process these personal data for 4 specific purposes, namely to technically provide the software, provide third level support, send update notifications and newsletters to admins and to technically improve the software for all customers by using the aggregated Support and voluntarily provided Diagnostic Data.

Additionally Nextcloud agreed to include an exhaustive list of compatible purposes in the amended DPA for which Nextcloud is authorised to further process some personal data for its own legitimate business purposes, when strictly necessary and proportionate. Such purposes include billing, aggregating data for Nextcloud’s internal management reports, and complying with legal obligations resting on Nextcloud. When processing some (pseudonymised) personal data for these purposes, Nextcloud qualifies as authorised data controller. Unlike vendors headquartered in the USA, Nextcloud offers a hard guarantee that it will never disclose any personal data to authorities outside of the EU.

Mitigating measures Nextcloud

To mitigate the 15 identified data protection risks, Nextcloud has already taken contractual and technical measures and has committed to take some other measures in Q3 2026 and some before the end of 2026. The measures are described in full in the table in the DPIA.

Mitigating measures education organisations

The DPIA identifies measures education organisations must take to prevent high data protection risks, and provides a provisional list of security measures organisations are advised to take when they decide to host the software themselves. Organisations can use the umbrella DPIA to inform admins and end users about the nature of both the internal data processing, and processing by Nextcloud.

Conclusion

Based on the amended DPA for the Dutch education sector, the education organisations are in control of the limited data processing by Nextcloud, including via its sub processors. They can rely on EU-exclusive data processing if they choose the new Nextcloud Office empowered by Euro-Office. However, for the DPIA SURF tested with the previous Nextcloud Office based on Collabora Online where support tickets could be processed by employees in the UK. Retention periods are limited to what is strictly necessary, institutions can expect that Nextcloud sets only strictly necessary cookies, and they can rely on SURF to exercise its audit rights to verify compliance with the agreed data protection clauses and measures. Provided both the education organisations and Nextcloud apply the mitigating measures, there are no known high data protection risks, only 15 low or solved risks.

Read more

Download
Sjoera
Consultant