Include IT Security and Privacy in Your Vendor Contract

If your unit is contracting for a vendor service or product that will have access to institutional data, regardless of data sensitivity, you will need to include the appropriate agreements:

Include the Data Protection Addendum

The data protection addendum (DPA) must be part of every contract under which a service provider has access to institutional data, regardless of data sensitivity. A DPA is required whenever university data leaves the U-M IT environment. If software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, then a DPA is not required.

Procurement Services facilitates the receipt of a properly executed data protection addendum as you work through the final stages of the vendor selection process. Additional U-M units may participate in the process as needed. Work with Procurement Services to obtain an official version of the DPA.

Business Associate Agreement Needed for HIPAA Data

If Protected Health Information (PHI) regulated by HIPAA is involved, a Business Associate Agreement (BAA) is also required. Michigan Medicine Corporate Compliance serves as the U-M data steward for PHI and can help if a BAA is needed. Request help by sending email to compliance-group@med.umich.edu.