A Procurement Checklist for LaTeX Software in EU Institutions
Buying software for a public institution is not like buying it for yourself. There is a tender, a data protection officer, a security review, an accessibility requirement, and an invoicing process that does not accept a credit card on a webpage. EU software procurement for something as everyday as a LaTeX editor can still take months, because the questions you have to answer are the same whether the contract is for a CRM or a writing tool. This is a practical checklist for the people who actually have to sign off.
The aim here is not to sell you on any one product. It is to give IT, procurement, and DPO teams a single list they can run against any collaborative LaTeX editor, score honestly, and defend in an audit. Where inscrive.io is relevant, we say so plainly and explain why.
Why LaTeX procurement trips people up
LaTeX editors feel low-stakes. They are not. A collaborative editor holds unpublished theses, draft grant applications, manuscripts under embargo, and the personal data of every student and researcher who logs in. The moment student names, email addresses, and login records sit on a vendor’s servers, you have a data processor relationship and a set of GDPR obligations that do not care how cheap the tool is.
The other trap is the free tier. A department adopts a free online editor organically, no one signs anything, and now hundreds of students’ work and personal data sit with a vendor you have no contract with. That is a procurement and compliance gap that surfaces during an audit, usually at the worst possible time. Better to choose deliberately.
The checklist
Run each item against every candidate. Score it pass, fail, or needs clarification. The order roughly follows how blocking each issue tends to be.
1. Data residency
Where is the data physically stored? You want a written answer, not marketing language. For an EU institution the clean answer is “all data stored in the EU, always.” Ask which data centres and which country.
inscrive hosts entirely in the EU, on Hetzner infrastructure in Germany and Finland. There are no third-country transfers, which removes the Schrems II question for this tool before it starts. Many US-hosted editors cannot say the same without invoking transfer mechanisms you then have to assess.
2. Data Processing Agreement
Is there a signed DPA, and does it name the sub-processors? A DPA is not optional under Article 28 of the GDPR when a vendor processes personal data on your behalf. Check that it lists sub-processors, sets retention and deletion terms, and commits the vendor to assist with data subject requests. A vague “we are GDPR compliant” badge on a homepage is not a DPA. inscrive provides a signed DPA at the Organizations tier, with an independent inspection report behind it.
3. Third-country transfers and Schrems II
If any data leaves the EU, what is the legal basis? Standard Contractual Clauses plus a Transfer Impact Assessment is the usual route, and it is real work that has to be maintained, not a one-time form. The simplest way to pass this line is to pick a tool that does not transfer data outside the EU at all. The European Data Protection Board guidance is the reference your DPO will reach for.
4. AI and training data
Does the vendor use your content to train AI models? This question is newer and often missed. If the editor has AI features, read the terms carefully. Unpublished research being fed into a training set is a genuine intellectual-property and confidentiality problem. inscrive offers AI assistance for fixing compile errors on its Pro tier and never uses your documents or data to train models. Get that commitment in writing from any vendor.
5. Authentication and access control
Does it support SSO through your identity provider (SAML or OIDC)? Central provisioning and deprovisioning is what keeps your offboarding clean. When a student leaves, their access should leave with them, automatically. inscrive Organizations includes SSO and central user management.
6. Exit and data portability
Can you get everything out, in an open format, with no friction? LaTeX has a quiet advantage here: source files are plain .tex and .bib. There is no proprietary binary to be trapped in. Confirm the vendor lets you export full projects and offers Git integration so you always hold a copy. inscrive’s Git integration is provider-agnostic, so you can mirror to a self-hosted GitLab if your institution requires it.
7. Invoicing and contracting
Does the commercial model fit public procurement? Per-seat credit-card billing does not. You need annual invoicing, a quote you can put through a tender, and volume licensing. inscrive Organizations is priced custom with annual invoicing designed for exactly this.
8. Accessibility and security certification
Ask for the security posture in writing. ISO 27001 certification of the hosting is a reasonable baseline (inscrive’s data centres are ISO 27001 certified). For public bodies, also check accessibility obligations under the EU Web Accessibility Directive against the editor’s interface.
9. Reliability and continuity
What is the uptime commitment, and what is your fallback if the service is unavailable the week theses are due? Even a great tool has outages. A sensible institution keeps an exit-ready posture, which loops back to portability at item 6.
Scoring it in practice
Here is how the common options tend to land against the checklist. This is a shape, not a scoreboard, and you should verify each cell for your own candidates.
| Checklist item | US-hosted commercial editor | Self-hosted deployment | inscrive Organizations |
|---|---|---|---|
| EU data residency | Often no, transfers apply | Yes, your servers | Yes, Germany and Finland |
| Signed DPA with sub-processors | Varies | N/A, you are controller | Yes |
| No third-country transfers | Usually no | Yes | Yes |
| No AI training on your data | Check terms | N/A | Yes |
| SSO and central management | Often yes | You build it | Yes |
| Open-format exit | Yes (LaTeX) | Yes | Yes (LaTeX + agnostic Git) |
| Procurement-friendly invoicing | Sometimes | N/A | Yes |
The self-hosted column passes on residency but moves the entire operational and security burden onto your team. The hosted-commercial column is easy to run but tends to stumble on residency and transfers. An EU-built managed editor is the option that aims to pass the data lines and the operational lines at once.
A note on proportionality
Do not over-engineer this. A free LaTeX editor for undergraduate problem sets does not need the same scrutiny as a system holding patient data. But the moment personal data and unpublished research are involved, the checklist above is proportionate, and skipping it is the thing that gets flagged later. For the GDPR specifics on student work, the piece on student data protection in writing tools goes deeper, and the Overleaf for universities article covers the licensing side.
The short version
EU software procurement for a LaTeX editor comes down to nine questions: residency, DPA, transfers, AI training, SSO, exit, invoicing, certification, and continuity. Score every candidate against all nine, get the answers in writing, and prefer the tool that keeps data in the EU so you skip the transfer paperwork entirely.
inscrive.io is built in the EU for exactly this kind of review. The free tier needs no contract to try, and Organizations gives procurement the SSO, signed DPA, EU residency, and annual invoicing the checklist asks for. See the details on the GDPR and security page.
