Vendor Contracts: Privacy Considerations, Security Review, and NDA

Privacy Considerations for UNH IT Vendor Contracts

Contracts for information technology services establish important expectations and requirements and must include assurances on the appropriate levels of protection of information and privacy. The UNH Guidelines for Safeguarding Privacy When Sharing Data with Third Parties will help guide you during this process and should be used when developing, reviewing and/or updating a contract.

Contact ISS to obtain the most recent version of these guidelines.

Security Assessment Review (Application Service Provider Contracts Security Questionnaire)

Technology vendors that would host UNH information on non-UNH servers must demonstrate compliance with UNH’s Application and/or Service Provider Standards by responding in writing to the appropriate security review questionnaire. Different versions of the questionnaire are available for confidential and public-only information. Vendors that provide applications that would be installed on UNH servers, so that all data remains hosted at UNH, are not required to undergo a security review.

To determine if a review is required, please contact ISS.

To facilitate a review in a timely and controlled manner, ISS recommends that the UNH person or department interested in the vendor's technology services review the Security Assessment Review process document and take the following actions:

  1. Ensure that the vendor understands the review requirement and instruct the vendor to fill out the questionnaire responses as completely as possible. Incomplete or missing responses will cause delays in the review.
  2. Ask the vendor to provide as much supporting documentation as possible; examples include copies of the vendor's security program, business continuity plan, certifications or audit results, and user agreement.
  3. Ask the vendor for explicit target dates for when they will submit the answers and notify ISS.
  4. If clarifications are necessary, agree with the vendor on at least two additional dates for when UNH will return clarification questions and when the vendor will return updated answers. The agreed-on dates should give the vendor two weeks for each update; give those dates to ISS well in advance so that we can schedule the additional reviews. Allow one week for each ISS review.

Contact ISS to obtain the most recent version of the questionnaire.

Vendor Non-Disclosure Agreement (NDA)

Technology vendors are required to complete and return an NDA prior to pre-contract negotiations with the university and/or if the vendor will be provided access to UNH data, for example, to facilitate application configuration or installation.  

Contact ISS to obtain the most recent version of the NDA.



Custom Fields
  • Department: Information Security Services