Include IT Security and Privacy in Your Vendor Contract

When contracting for a third-party service or product, appropriate IT security and privacy assessments need to take place, depending on the classification level of the institutional data the service or product will access.

Low Sensitivity Data

No security review is needed. Data classified as Low is generally publicly available, and unauthorized disclosure poses little to no risk to the university.

Moderate Sensitivity Data

Units should make every effort to obtain a signed U-M Data Protection Agreement (DPA), or include its equivalent in the vendor agreement. Procurement Services coordinates getting the DPA in place with the vendor, and works with the unit, Office of the General Counsel (OGC), and ITS Information Assurance (IA) as needed. The final copy, once approved and signed, is maintained by Procurement.

  • Vendor agrees to DPA as is. If the vendor agrees to the DPA or its equivalent, no additional review is necessary.
  • Vendor edits (redlines) DPA. If the vendor redlines the DPA, the unit should complete Section I of the Request for Third Party Vendor Data Protection Review and coordinate with Procurement to have it sent to IA and OGC for review, along with the redlined DPA.
  • Vendor refuses to agree to DPA and/or equivalent terms. If the vendor will not sign a DPA in any form, the unit should complete the full Request for Third Party Vendor Data Protection Review, documenting the security capabilities and commitments included in other vendor documentation (see Conduct Security Screening of Vendors for other sources of acceptable documentation). IA can review and approve this documentation or determine that it is insufficient and withhold approval based on the risks associated with the vendor.
  • Unit accepts risk. If IA determines that the requirements of the U-M DPA are not adequately addressed and there is an unacceptable level of risk associated with using this vendor, the unit can choose to accept the risk and move forward with signoff by unit senior leadership (typically a dean or associate dean, or a delegated authority). If a unit chooses to accept the risk without IA approval, the unit’s key administrator and Security Unit Liaison are responsible for maintaining documentation of that decision. A Third Party Vendor Unit Risk Acceptance Form should be completed, a copy should be sent to the Procurement agent handling the vendor relationship, and a copy should be maintained by the unit for future reference.
  • FERPA Acknowledgement. A U-M FERPA Acknowledgement is an acceptable alternative to the standard DPA for any vendor that will collect, process, or store only student educational records (no other sensitive data).

Vendors are not required to complete the Vendor Security Questionnaire for access to sensitive data classified as Moderate.

High or Restricted Sensitivity Data

The vendor must sign the U-M Data Protection Agreement (DPA), or have equivalent terms in its agreement.

The vendor must also complete a Vendor Security Questionnaire or equivalent. Evidence of ISO or FedRAMP certification is acceptable as an alternative to the questionnaire. A vendor may choose to provide a SOC 2 report, HECVAT, BTAA, or other similar security questionnaire in place of the Vendor Security Questionnaire, as long as the documentation addresses the same risk factors and compliance requirements. Please note: the documentation must address the security of the vendor’s offerings as a whole. Documentation that focuses only on the underlying cloud hosting infrastructure is not acceptable.

Procurement Services coordinates with the vendor to complete the Vendor Security Questionnaire and to get the DPA in place, and works with the unit, OGC, and IA on any DPA review. The final copy, once approved and signed, is maintained by Procurement.

  • No change to DPA. If the vendor agrees to the DPA as is, or its equivalent is included in the vendor agreement, no DPA review is necessary. The Vendor Security Questionnaire should still be reviewed by IA.
  • Vendor edits (redlines) DPA. If the vendor redlines the DPA, the unit should complete Section I of the Request for Third Party Vendor Data Protection Review and send it to IA and OGC for review, along with the redlined DPA and Vendor Security Questionnaire.
  • Vendor refuses to agree to DPA and/or equivalent terms. If the vendor will not sign a DPA in any form, the unit should complete the full Request for Third Party Vendor Data Protection Review, documenting the security capabilities and commitments included in other vendor documentation (see Conduct Security Screening of Vendors for other sources of acceptable documentation). IA will review to determine if the requirements of the U-M DPA are satisfactorily addressed in the vendor’s documentation (including the Vendor Security Questionnaire).
  • Vendor does not meet DPA requirements. If IA determines that the requirements of the U-M DPA are not adequately addressed and there is a high risk associated with using this vendor, the unit is NOT authorized to accept the risk on behalf of the university.

If Protected Health Information (PHI, regulated by HIPAA) is involved, a Business Associate Agreement (BAA) is also required.

For data classified as Restricted, additional agreements may be needed to ensure compliance with applicable requirements and statutes. Please contact IA through the ITS Service Center for more information.