Third Party Vendor Security & Compliance

Whether you conduct a full Request for Proposals (RFP) or plan to use an open source product, you need to understand how potential vendors will protect university data before selecting a vendor. If your unit uses a non-university product or service to store, process, or transmit university data, you must ensure adequate data protection.

Evaluate and Classify the Data

Evaluate the data that will be shared with the vendor and determine its data classification.

This evaluation process is governed by the Third Party Vendor Security and Compliance Standard (DS-20) and is required whenever university data leaves the U-M IT environment.

If software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, this process does not apply. Instead, follow the guidance in Information Security Risk Management Standard (DS-13).

Follow Vendor Selection Process

Once the data classification is determined, follow this process:

  1. Engage Procurement Services. The easiest way to ensure a vendor meets U-M security and compliance requirements is to involve Procurement Services. They can help make sure that the appropriate legal documentation and review/assessment processes are completed.
  2. Include IT security and privacy in your vendor contract. Include the appropriate agreements to protect university data, usually starting with the U-M Data Protection Addendum (DPA). The DPA is required if a service provider will create, process, maintain, transmit, or store sensitive institutional data classified as Restricted, High, or Moderate. Specified alternatives to the DPA may be an option for data classified as Moderate. Additional agreements may be needed for specific data types.
  3. Use the UMSPSCQ to ensure vendors meet compliance requirements. The U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ) is required whenever a service provider will create, process, maintain, transmit, or store sensitive institutional data classified as Restricted or High.

Ongoing Compliance


Applicable University Policies