Cloud service contracts

The cloud service may need to be governed by a contract, depending on the information’s criticality, confidentiality and legal, regulatory, contractual and/or funding agency requirements. Review the classification of your information and other considerations to determine if a contract is required.

After the cloud vendor is selected the contract terms and conditions are negotiated to include all identified requirements:  privacy, security, legal, regulatory, contractual and/or funding agency requirements including annual security certifications and/or reviews. The University’s General Counsel, Information Security and Procurement offices must all be involved in contract reviews.

Some examples of boilerplate terms and conditions that are typically used in cloud/hosted provider contracts include, but are not limited to:

Data Definition
Confidential Information is defined as any and all information whose collection, disclosure, protection, and disposition is governed by state or federal law or regulation, particularly information subject to the Family Educational Rights and Privacy Act as set forth in 20 U.S.C. §1232g ("FERPA") This information includes, but is not limited to, names, student identification numbers, dates of birth, Social Security Numbers, student records, and other personally identifiable information identified by law.

Use of Data
The [Vendor] agrees that data provided to them during the provision of service shall be used only and exclusively to support the service and service execution, and not for any other purpose. Unless expressly permitted by the express advance written consent of an Institution official authorized to give such consent, [Vendor] and its employees, agents, contractors, and other persons associated with [Vendor] (collectively, the "[Vendor] Users") are only permitted to use, reuse, distribute, transmit, manipulate, copy, modify, access, or disclose the Institution Data to the extent necessary for [Vendor] to implement and maintain the System as set forth in this Agreement. Except as otherwise specifically provided for in this Agreement, the [Vendor] agrees that Institution data will not be shared, sold, or licensed with any third-party, with the exception of approved sub-contractors, without the express approval of the Institution through a data letter agreement. [Vendor] and the [Vendor] Users shall hold the Institution Data in confidence and protect the Institution Data to the same extent and in at least the same manner as [Vendor] protects its own data, but in no case in a lesser manner than a reasonable degree of care under the circumstances. The phrase 'Institution data' includes data uploaded by users of the service and communications between the user, the Institution, and [Vendor].

[Vendor] will be solely responsible for any unauthorized use, reuse, distribution, transmission, manipulation, copying, modification, access, or disclosure of Institution data and any non-compliance with the data privacy and security requirements by [Vendor] or [Vendor] Users.

Data Protection
The [Vendor] agrees that it will protect the Confidential Information it receives according to commercially acceptable standards and no less rigorously than it protects its own Confidential Information. Specifically, the [Vendor] shall implement, maintain, and use appropriate administrative, technical, and physical security measures to preserve the confidentially, integrity, and availability of all electronically managed Confidential Information. These measures will be extended by contract to all subcontractors used by [Vendor].

Data Protection after Contract Termination Upon termination, cancellation, expiration or other conclusion of the Agreement, [Vendor] shall return the Covered Data to Institution unless Institution requests that such data be destroyed. This provision shall also apply to all Covered Data that is in the possession of subcontractors or agents of [Vendor]. [Vendor] shall complete such return or destruction not less than thirty (30) days after the conclusion of this Agreement. Within such thirty (30) day period, [Vendor] shall certify in writing to Institution that such return or destruction has been completed.

Compliance with Federal, State, and Local Laws and Regulatory Requirements; [Vendor]'s product must be compliant with any Federal, State, and Local privacy laws or regulations applicable to the Institution, including but not limited to: the Family Educational Rights and Privacy Act (FERPA) (Pub. L. No. 93-380 (1974), codified at 20 U.S.C. § 1232g); the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191, § 264 (1996), codified at 42 U.S.C. § 1320d; Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. § 160 (2002), 45 C.F.R. § 164 subpts. A, E (2002); the Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102 (1999), privacy protections are codified at 15 USC § 6801 et seq.).

[Vendor] agrees that it may create, have access to, or receive from or on behalf of Institution or students, or have access to, records or record systems that are subject to the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. Section 1232g (collectively, the "FERPA Records"). [Vendor] represents, warrants, and agrees that it will: (1) hold the FERPA Records in strict confidence and will not use or disclose the FERPA Records except as (a) permitted or required by this Agreement, (b) required by law, or (c) otherwise authorized by Institution in writing; (2) safeguard the FERPA Records according to commercially reasonable administrative, physical and technical standards that are no less rigorous than the standards by which [Vendor] protects its own Confidential Information; and (3) continually monitor its operations and take any action necessary to assure that the FERPA Records are safeguarded in accordance with the terms of this Agreement. At the request of Institution, [Vendor] agrees to provide Institution with a written summary of the procedures [Vendor] uses to safeguard the FERPA Records.

Notification of Security Incidents
[Vendor], within one day of discovery, shall report to Institution any use or disclosure of [term for sensitive data] not authorized by this Addendum or in writing by Institution. [Vendor]'s report shall identify: ( i) the nature of the unauthorized use or disclosure, (ii) the [term for sensitive data] used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what [Vendor] has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action [Vendor] has taken or shall take to prevent future similar unauthorized use or disclosure. [Vendor] shall provide such other information, including a written report, as reasonably requested by Institution.

[Vendor] agrees to comply with all applicable laws that require the notification of individuals in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of [Vendor]'s security obligations or other event requiring notification under applicable law ("Notification Event"), [Vendor] agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify, hold harmless and defend the Institution and its trustees, officers, and employees from and against any claims, damages, or other harm related to such Notification Event.

Intellectual Property Protection
Use of Institution name, marks, or logos: All use by [Vendor] of Institution name, marks, and content must be approved in advance and in writing by Institution. All rights to the Institution marks and content shall at all times remain the property of the [governing body of Institution] and [Vendor] shall be allowed to use them only in the performance of its obligations under the terms and conditions of the contract during the term specified in the contract. The contract does not confer upon [Vendor] any other rights, goodwill or other interest in the Institution marks or content. [Vendor]'s use of the Institution name, marks, or content under the contract must not state or imply that Institution endorses the [Vendor]'s products or services. [Vendor] has no right to use the Institution name, marks, or content to promote [Vendor]'s products and services. [Vendor]'s use of the Institution name, marks and content must comply with the rules and regulations and policies of Institution's [governing body of Institution], as well as all Institution policies.

[Vendor] shall indemnify, defend and hold Institution harmless from all lawsuits, claims, liabilities, damages, settlements, or judgments, including Institution's costs and attorney fees, which arise as a result of [Vendor]'s negligent acts, omissions or willful misconduct.

If you have any questions or if you are interested in using a cloud vendor and think you need a contract please call the IT Support Center at (302) 831-6000 or email

If you have comments or suggestions about this Web page or see any errors, contact the IT Communication Group.