Vendor Contracts: Privacy, Security Review and NDA

Privacy Considerations for  UNH IT Vendor Contracts

Contracts for information technology services establish important expectation and requirements. Included in these must be appropriate levels of protection of information and privacy. The UNH IT Vendor Contracts Guidelines help you ask important questions and should be used when developing, reviewing and/or updating a contract.    Read  UNH Guidelines for Safeguarding Privacy When Sharing Data With Third Parties      


Technology Vendor Security Review (Vendor Contracts Questionnaire)

Technology vendors which would host UNH information on non-UNH servers must demonstrate compliance with UNH’s Application and/or Service Provider Standards by responding in writing to the appropriate security review questionnaire.   Different versions of the questionnaire are available for confidential and public-only information.  Vendors which provide applications that would be installed on UNH servers so that all data remains hosted at UNH are not required to undergo a security review.

To determine if a review is required, please  contact ISS .

In order to facilitate a review in a timely and controlled manner, ISS recommends the UNH person or department interested in the vendor's technology services review the  Vendor Contracts Security Review process document  and takes the following actions:

  1. Ensure that the vendor understands the review requirement and instruct the vendor to fill out the questionnaire responses as completely as possible. Incomplete or missing responses will cause delays in the review. 
  2. Ask the vendor to provide as much supporting documentation as possible, including (for example) copies of the vendor's security program, business continuity plan, certifications or audit results, or user agreement.
  3. Ask the vendor for explicit target dates for when they will submit the answers and notify ISS.
  4. If clarifications are necessary, agree with the vendor on at least two additional dates for when UNH will return clarification questions and when the vendor will return updated answers. The agreed on dates should give the vendor two weeks for each update; give those dates to ISS well in advance so that we can schedule the additional reviews. Allow one week for each ISS review.

Please contact ISS to obtain the most recent version of the questionnaire


Vendor Non-Disclosure Agreement (NDA)

Technology vendors are required to complete and return an NDA prior to pre-contract negotiations with the university and/or if the vendor will be provided access to UNH data, for example, to facilitate application configuration or installation.  

Download the NDA:  PDF Version  or  Document (Editable) Version .


Return to ISS Homepage

Custom Fields
  • Department: Information Security Services
Attached Files (5)
Related Articles RSS Feed
Mobile Device Health and Security
Viewed 280 times since Fri, Jul 10, 2015
Antivirus Software for Windows
Viewed 2668 times since Wed, Aug 12, 2015
Policies on IT resources
Viewed 634 times since Wed, Mar 25, 2015
The Fake Speeding Ticket Scam - What Will Hackers Think of Next?
Viewed 262 times since Mon, Apr 4, 2016
System Center 2012 Endpoint Protection Windows Installation
Viewed 2303 times since Wed, Aug 12, 2015
Antivirus Software for Mac
Viewed 2169 times since Wed, Aug 12, 2015
PCI DSS - Payment Card Security
Viewed 407 times since Thu, May 7, 2015
Find sensitive data before the bad folks do!
Viewed 210 times since Mon, Jun 27, 2016
Network Registration & Vulnerability Scans
Viewed 370 times since Wed, Apr 29, 2015
Storing Restricted and Sensitive Data in Box @ UNH
Viewed 367 times since Thu, May 28, 2015