Vendor Review Form

University of California San Diego

Request for Privacy Risk Assessment

Use this form to request a privacy risk assessment of programs or projects that involve moderate or high risk personal information. These are defined as P-3 and P-4 information, respectively, under the University of California BFS-IS-3 policy.

As you complete the form, please note the following:

Please download and complete this form. Do not complete this form in your browser; download the file to your device before starting.

Sections A and B must be completed by the UC San Diego requester; Section C must be completed by third parties/vendors involved in the project (if any).

Attach all required documents. If required documents are not attached, reviews may be delayed.

Email the completed form and all required attachments to the Campus Privacy Office for review. Incomplete forms may be returned without review.

Email forms to: [email protected]


cc: [email protected]

Thank you!

Campus Privacy Office 9500 Gilman Dr., La Jolla, CA 92093 privacy.ucsd.edu


Personal Information/Data:
Information that, alone or in combination with other data, regardless of where those Data are stored or who has ac
is capable of being associated with, or could reasonably be linked, directly or indirectly, with or single out an individ
information includes, but is not limited to, the following:
- Identifiers such as a real name (legal or preferred), alias, postal address, telephone number, unique personal ide
Protocol address, MAC addresses, and other unique device identifiers, email address, account name, social security
number, insurance policy number, education, employment, employment history, bank account number, credit card
by or attributed to the individual, physical characteristics or description, or any other financial information, medical
or other similar identifiers.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search
interaction with an Internet Web site, application, or advertisement.
- Biometric and behaviometric information.
- Characteristics of protected classifications under state or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or co
histories or tendencies.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Educational information, including uses of services and products offered in an educational setting by virtue of th
recreational facilities, basic needs).
- Inferences drawn from any of the information to create a profile about a person reflecting the person's preferen
preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Identifiable information may include data that has been stripped of direct identifiers but leads to a small population
synonymously with "personally identifiable information," "PII," or "personal data".

Demographics:
Data tied to a protected class under State or Federal law, or from which membership within a protected class might
not limited to race, color, religion, sex/gender identity, gender expression, sexual orientation, marital or parental sta
status, national origin, ancestry, disability, age, and genetic information. Although not considered protected class, in
background, or relationships outside of their direct educational experience should be approached with extra caution
sort individuals into educational opportunities in lieu of more direct measures of need/benefit.
The EDUCAUSE Chief Privacy Officers' Vendor Review Working Group contributed their vision and significant talents to the conception, creation, and completion of this resource.

Steering Committee
Nichole Arbino
Susan Bouregy
Jeff Gassaway
Paul Guarino
Pegah K. Parsi
Joseph Potchanant

2021-2022
Mark Cather
Brian Kelly
Jonathan Kimmitt
Doug Welch
Higher Education Data Privacy Assessment Tool
Data Privacy - Assessment Tool
DATE-01 Date (mm/dd/yyyy)
UC SAN DIEGO APPLICANT
Requestor Name and Title
Project Lead Name and Title (if different than above)
Requesting Department/Unit
Phone Number
Email
Project Title
Type of Project (select one):
- Medical/Clinical Care
- Research
- Outsourcing (process, application/service)
- Student Education
- Fundraising/marketing
- Quality improvement/assessment
- University administration/operations
- Other (describe):

A. INFORMATION ABOUT THE PROJECT

1. Overview.
a. Identify all non-UC San Diego parties involved in the project. Add additional lines as necessary.
For each entity, provide:
- Entity Name
- Role (e.g., vendor, funding sponsor, business associate, subcontractor, collaborator, technical support, etc.)
- Point of Contact
- P-3 Data will be transferred to/accessed/collected by entity: Yes / No
- P-4 Data will be transferred to/accessed/collected by entity: Yes / No

b. In layperson’s language, briefly summarize the overall project and purpose, including the contributions of all parties identified above. Explain what need you are trying to address.

c. What is the target start date for this project or this project phase? What is the expected period of performance?

d. Is this a new project or an enhancement/adjustment to an existing project?
- New
- Enhancement/Adjustment*
*If this is an enhancement/adjustment, what is being changed?
- Technology
- Vendor
- Data
- Other (specify):

2. Project Funding. If this project is externally funded, provide the name of the funding source, record number, or agreement.
Name of funding source:
Is funding under federal grant or contract? Agreement #:
Project is not externally funded

3. Contracts and Other Obligations. Identify and attach any agreements, obligations, or regulatory requirements related to this project, this dataset, or the third parties involved.
- No known obligations
- MOUs
- Master Agreement
- Umbrella Agreement
- Business Associate Agreement (BAA)
- Collaborative Agreement
- Statements of Work
- Service Level Agreements (SLAs)
- UC Terms and Conditions with Appendix DS
- UC Terms and Conditions WITHOUT Appendix DS
- Non-disclosure/Confidentiality Agreement
- Sponsored Research Agreement
- Data Use Agreement
- FIPS, FISMA, NIST requirements in contract
- Other (explain):

4. Other Involved/Interested University Entities. Identify any other University entity with which you have worked or consulted as part of this project.
- Campus Counsel
- Office of Contracts and Grants Administration
- Office of Innovation and Commercialization
- Registrar
- Institutional Review Board (IRB)
- UCOP
- Information Technology Services
- Integrated Procure-to-Pay Solutions (IPPS)
- Export Control
- Advancement
- Office of Risk Management
- Health Sciences Compliance and Privacy
- Other University Schools or Units:

Provide the point(s) of contact for the office(s) selected above:


Name Name
Email Email

5. Access. Who at UC San Diego will have access to the data and systems involved in this project? (Specific names, roles or offices)
Name Name
Role/Office Role/Office

6. Training. Describe data management, privacy, and security trainings required for access. All UCSD workforce members with access to personal data must complete on-demand Privacy@UCSD training through UC Learning.

B. INFORMATION ABOUT THE DATA INVOLVED IN PROJECT

1. Data Steward Entity is:
- Campus
- UCSD Health
- Other (specify):

2. Data Steward is:

3. Are the Data Incoming to/Outgoing from the US? No Yes (where?)

4. Data are Accessed/Sourced From (select all that apply):
- Government Records/systems
- Epic or hospital medical records*
- Participant Provided (e.g., surveys, Mobile apps)
- University email or other technical system
- Clinical Data Warehouse for Research (CDWR)
- Other non-University system, database, or party
- ISIS
- Registrar
- Activity Hubs
- Oracle Financials
- HR Records, including UCPath
- Other (describe):

* If you selected Epic or hospital medical records, permission from the UCSD Health Privacy Office may be required.

5. Population Size. Provide an estimate of the number of individuals whose data will be involved in this project.
- 1 - 500
- 501 - 10,000
- > 10,000

6. Population Location. Some countries have very stringent privacy laws. If the data subject population is not entirely within the United States, specify the countries/regions in which data subjects are located physically.
- US only
- EU/UK
- China
- Canada
- Brazil
- India
- Other (specify):

7. Data Elements Involved in any part of the Project. Select all that apply and explain, where necessary. Attach a data dictionary, if available. NOTE: Most apps and websites collect IP addresses and date-time stamps.

- Full preferred names (students, alumni)
- Full preferred names (patients, research subjects)
- Full preferred names (employees)
- Full preferred names (all others)
- Legal names (any)
- Partial names (e.g., initials)
- Geographic subdivisions smaller than a state
- Dates (except year) directly related to an individual
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses or MAC addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Other photographic images, video or audio
- University ID number (student, employee)
- Lab or pathology test results
- Diagnoses or procedures
- Psychology or mental health information
- Drug use information
- Clinical records
- Prescriptions or medications
- Images or radiology reports
- Genetic information/test results
- Passport or Visa numbers
- Employee personnel files
- Grades or performance (students, alumni)
- Disciplinary actions or proceedings (students, alumni)
- Race/ethnicity
- Sexual orientation or gender identity
- Veteran status
- Financial need/Pell Grant status
- Disability status
- Financial account numbers
- Financial records, including credit card or bank information
- Background checks/information
- Information about crimes or criminal activity
- Donor contact and gift information
- Salary information
- Employment benefits/beneficiaries
- Athletic performance information
- Political, religious, or philosophical beliefs
- Comments, posts, survey responses, free text
- Other health, medical or physical or mental status information (describe):
- Any other unique identifying numbers, characteristic, or code (describe):
- Other:

8. Explain the need for each type of data involved. Describe efforts to ensure that only the minimum necessary data are used/processed.

9. Will data be subject to any disclosure limitation methods (e.g., de-identification, anonymization, differential privacy, or other masking) at any point in the data lifecycle (by UCSD or any vendors/third pa

Yes No
If yes, describe the process, and explain who will be responsible for it (third party or UCSD)

10. How will individuals whose data are involved be made aware of this data use and UC San Diego's data practices?
- Consent (attach document or language)
- Opt-in
- Opt-out
- Hard copy notice/statement
- Website notice/Statement (attach)
- They will not be aware (explain)

11. Will other UC San Diego units have access to this information (e.g., through activity hubs, shared for administration or analytics)?
Yes No
If yes, describe who will have access and for what purpose.

12. Will this information be combined with data from other sources?
Yes No
If yes, please describe what data will be combined and for what purpose.

13. Please describe how you and any other group or entity handling the data will address any requests from the data subjects (e.g., access, deletion, or correction requests) and who will be responsible for responding.

14. How long will the data be retained by UC San Diego?

15. What is the disposition of the data at the end of this project?
Securely deleted
Masked and archived (explain where)
Masked and made available for open/public access (where)

16. Does any part of this project involve a web/app tracking component (e.g., use of web tracking pixels, cookies)?
Yes No
If yes, describe tool, data collected by the tool, and the justification and need for tracking users.

Version 1.0

GUIDANCE
Please review the data classification levels (i.e., P-levels) in BFS-IS-3 before completing this form; data should be classified at the highest level of sensitivity applicable. If unsure of the risk level, err on the side of the higher P-level.

Link to BFS-IS-3

A signed Appendix DS will be required, at minimum, from the third party for projects involving P-3 and P-4 data. The Campus Privacy Office strongly suggests that this document be provided to all vendors in advance for their review.

Link to Appendix DS

Council of Data Stewards


DATE-01 Date
General Information

In order to protect the institution and its systems, vendors whose products and/or services will access, collect, and/
must complete the assessment tool. Throughout this tool, anywhere the term "data" is used, this is an all-encompas
will be reviewed by the institution's office responsible for privacy. This process will help the institution protect instit
and international regulations. This is intended for use by vendors and should be completed by a vendor.

While this tool has a format similar to that of the HECVAT, it is not affiliated with the HECVAT or endorsed by the HECVAT leadership tea

GNRL-00 through GNRL-14; populated by the vendor


GNRL-00 Vendor Contact for Response Questions
GNRL-01 Vendor Name
GNRL-02 Product Name
GNRL-03 Product Description
GNRL-04 Web Link to Product Privacy Notice
GNRL-05 Web Link to Accessibility Statement or VPAT
GNRL-06 Vendor Contact Name
GNRL-07 Vendor Contact Title
GNRL-08 Vendor Contact Email
GNRL-09 Vendor Data Privacy Contact Name
GNRL-10 Vendor Data Privacy Contact Title
GNRL-11 Vendor Data Privacy Contact Email
GNRL-12 Vendor Data Privacy Contact Phone Number
GNRL-13 Vendor Accessibility Contact Phone Number
GNRL-14 Vendor Hosting Regions
Instructions

Step 1: Complete the Qualifiers section. Step 2: Complete each section answering each set of questions in order, fro
Submit the completed Higher Education Data Privacy Assessment to the institution according to institutional proced

Qualifiers

The institution conducts third-party data privacy assessments on a variety of third parties. As such, not all assessme
strategy is implemented and allows for various parties to use this common documentation instrument. Responses t
questions below.
QUAL-01 Does your product process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act?
QUAL-02 Does your product process FERPA-related data?
QUAL-03 Does your product process GDPR-related or PIPL-related data?
QUAL-04 Does your product process personal data regulated by state law(s) (e.g., CCPA)?
QUAL-05 Does your product process user-provided data that may contain regulated information?
QUAL-06 Will institutional data be shared with or hosted by any third parties (any entity not wholly owned by your company is considered a third party)? This includes sharing in "de-identified" or "anonymized" form.
QUAL-07 Do you have a well-documented Business Continuity Plan (BCP) that is tested annually?
QUAL-08 Do you have a well-documented Disaster Recovery Plan (DRP) that is tested annually?
QUAL-09 Is the vended product designed to process or store credit card information?
QUAL-10 Does your company provide professional services pertaining to this product?
QUAL-11 Select your hosting option.

Company Overview

COMP-01 Describe your organization's business background and ownership structure, including all parent and subsidiary relationships.
COMP-02 Have you had an unplanned disruption to this product/service in the past 12 months?
COMP-03 Do you have a dedicated information security staff or office?
COMP-04 Do you have a dedicated data privacy staff or office?
COMP-05 Do you have dedicated Software and System Development team(s)? (e.g., Customer Support, Implementation, Product Management, etc.)
COMP-06 Have you had a personal data breach in the past 3 years that involved reporting to a governmental agency, notice to individuals (including voluntary notice), or notice to another organization or institution?
COMP-07 Have you had any data privacy policy or law violations in the past 36 months?
COMP-08 Use this area to share information about your privacy practices that will assist those who are assessing your company data privacy program.

Documentation

DOCU-01 Have you undergone a SSAE 18/SOC 2 audit?
DOCU-02 If so, does your SOC 2 audit include the Privacy Trust Service Principle?
DOCU-03 Have you completed the Cloud Security Alliance (CSA) self-assessment or CAIQ?
DOCU-04 Have you received the Cloud Security Alliance STAR certification?
DOCU-05 Do you conform with a specific industry standard security framework (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001)?
DOCU-06 Do you conform with a specific industry-standard privacy framework (e.g., NIST Privacy Framework, GDPR, ISO 27701)?
DOCU-07 Are the systems that process the institution's data compliant with NIST SP 800-171 and/or CMMC Level 2 standards?
DOCU-08 Can you provide overall system and/or application architecture diagrams, including a full description of the data flow for all components of the system?
DOCU-09 Do you have a documented and currently implemented employee onboarding and offboarding policy?
DOCU-11 Does your employee onboarding and offboarding policy include training of employees on information security and data privacy?
DOCU-12 Do you have a documented change management process?
DOCU-13 Has a VPAT or ACR been created or updated for the product and version under consideration within the past year?
DOCU-14 Do you have documentation to support the accessibility features of your product?

Assessment of Third Parties

THRD-01 Do you perform security assessments of third parties with which you share personal data (e.g., hosting providers, cloud services, PaaS, IaaS, SaaS)?
THRD-02 Do you perform privacy impact assessments of third parties that collect, process, or have access to personal data to ensure they meet industry and regulatory standards and to mitigate harmful, unethical, or discriminatory impacts on data subjects?
THRD-03 Do you have contractual agreements with third parties that require them to maintain standards that are the same as or higher than those of the institution itself and to comply with all regulatory requirements?
THRD-04 Provide a brief description for why each of these third parties will have access to institution data.
THRD-05 What legal agreements do you have in place with these third parties that address liability in the event of a violation of privacy policies or data breach?
THRD-06 Do you have an implemented third party management strategy?

Consulting

CONS-01 Will the consulting take place on-premises?
CONS-02 Will the consultant require access to the institution's network resources?
CONS-03 Will the consultant require access to hardware in the institution's data centers?
CONS-04 Will the consultant require an account within the institution's domain (@*.edu)?
CONS-05 Has the consultant received training on [sensitive, HIPAA, PCI, etc.] data handling?
CONS-06 Will any data be transferred to the consultant's possession?
CONS-07 Is the data encrypted (at rest) while in the consultant's possession?
CONS-08 Will the consultant need remote access to the institution's network or systems?
CONS-09 Can access be restricted based on source IP address?
Application/Service Security

APPL-01 Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?
APPL-02 Are access controls for staff within your organization based on structured rules, such as RBAC, ABAC, or PBAC?
APPL-08 Does your application require access to location or GPS data?

Authentication, Authorization, and Accounting

AAAI-01 Does your solution support single sign-on (SSO) protocols for user and administrator authentication?
AAAI-02 Does your solution support local authentication protocols for user and administrator authentication?
AAAI-03 If you don't support SSO, does your application and/or user-frontend/portal support multifactor authentication (e.g., Duo, Google Authenticator, OTP)?
AAAI-04 Does your application automatically lock the session or log out an account after a period of inactivity?
AAAI-05 Are audit logs available that include AT LEAST all of the following: login, logout, actions performed, and source IP address?
AAAI-06 Describe or provide a reference to the retention period for those logs, how logs are protected, and whether they are accessible to the customer (and if so, how).

Business Continuity Plan (BCP)

BCPL-01 Do you have a formal Business Continuity Plan and Disaster Recovery Plan?
BCPL-02 Is there a defined problem/issue escalation plan in your BCP for impacted clients?
BCPL-03 Is there a documented communication plan in your BCP for impacted clients?
BCPL-04 Does your organization conduct an annual test of relocating to an alternate site for business continuity purposes?
BCPL-05 Are all services that support your product fully redundant?

Change Management

CHNG-01 Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
CHNG-02 Does your change management process include privacy review and approval?
CHNG-03 Will the institution be notified of major changes to your environment that could impact the institution's data privacy posture (e.g., changes to data collected, "de-identification" techniques, new AI capabilities using personal data)?
CHNG-04 Do you have policy and procedure, currently implemented, guiding how privacy risks are mitigated until they can be resolved?

Data

DATA-01 Is sensitive data encrypted, using secure protocols/algorithms, in transport (e.g., system-to-client)?
DATA-02 Is sensitive data encrypted, using secure protocols/algorithms, in storage (e.g., disk encryption, at-rest, files, and within a running database)?
DATA-03 At the completion of this contract, will data be returned to the institution and securely deleted from all your systems and archives?
DATA-04 Will the institution's data be available within the system for a period of time at the completion of this contract?
DATA-05 Can the institution extract a full or partial backup of data?
DATA-06 Are ownership rights to all data, inputs, outputs, and metadata retained by the institution?
DATA-07 Are these rights retained even through a provider acquisition or bankruptcy event?
DATA-08 In the event of imminent bankruptcy, closing of business, or retirement of service, will you provide 90 days for customers to get their data out of the system and migrate applications?
DATA-09 Are involatile backup copies made according to predefined schedules and securely stored and protected?
DATA-10 Do current backups include all operating system software, utilities, security software, application software, and data files necessary for recovery?
DATA-11 Are you performing off-site backups (i.e., digitally moved off-site)?
DATA-12 Are physical backups taken off-site (i.e., physically moved off-site)?
DATA-13 Are data backups encrypted?
DATA-14 Will you handle data in a FERPA-compliant manner?
DATA-15 Are institutional data coming into or going out of the United States at any point during collection, processing, storage, or archiving?
DATA-16 Will you handle personal data in a manner compliant with all relevant laws, regulations, and applicable institution policies?
DATA-17 Do you collect, process, or store demographic information (see definitions)?
DATA-18 Do you capture or create genetic, biometric, or behaviometric information (e.g., facial recognition or fingerprints)?
DATA-19 Do you capture device information (e.g., IP address, MAC address)?
DATA-20 Do you combine institutional data (including "de-identified," "anonymized," or otherwise masked data) with personal data from any other sources?
DATA-21 Does any part of this service/project involve a web/app tracking component (e.g., use of web tracking pixels, cookies)?
DATA-22 Does your staff (or third party) have access to institutional data (e.g., financial, PHI or other sensitive information) through any means?

Datacenter

DCTR-02 Are you generally able to accommodate storing each institution's data within their geographic region?

Disaster Recovery Plan (DRP)

DRPL-01 Describe or provide a reference to your Disaster Recovery Plan (DRP).
DRPL-04 Are any disaster recovery locations outside the institution's geographic region?
DRPL-05 Does your organization have a disaster recovery site or a contracted disaster recovery provider?
DRPL-08 Is there a documented communication plan in your DRP for impacted clients?
DRPL-10 Has the DRP been tested in the past year?
DRPL-11 Are all components of the DRP reviewed at least annually and updated as needed to reflect change?

Firewalls, IDS, IPS, and Networking

FIDP-01 Are you using a stateful packet inspection (SPI) firewall?
FIDP-02 Is authority for firewall change approval documented? Please list approver names or titles in Additional Information.
FIDP-03 Do you have a documented policy for firewall change requests?
FIDP-04 Have you implemented an Intrusion Detection System (network-based)?
FIDP-05 Have you implemented an Intrusion Prevention System (network-based)?
FIDP-06 Do you monitor for intrusions on a 24 x 7 x 365 basis?
FIDP-07 Are audit logs available for all changes to the network, firewall, IDS, and IPS systems?
Policies, Procedures, and Processes

PPPR-01 Can you share the organization chart, mission statement, and policies for your data privacy unit?
PPPR-02 Do you have a documented privacy management process?
PPPR-03 Are information security principles designed into the product life cycle?
PPPR-04 Are privacy principles designed into the product life cycle (i.e., privacy-by-design)?
PPPR-05 Do you have a documented systems development life cycle (SDLC)?
PPPR-06 Will you comply with applicable breach notification laws?
PPPR-07 Will you comply with the institution's policies regarding user privacy and data protection?
PPPR-08 Is your company subject to the laws and regulations of the institution's geographic region?
PPPR-09 Do you have a documented information security policy?
PPPR-10 Do you have an information security awareness program?
PPPR-11 Is security awareness training mandatory for all employees?
PPPR-12 Does your organization have a documented privacy policy?
PPPR-13 Do you have a privacy awareness/training program?
PPPR-14 Is privacy awareness training mandatory for all employees?
PPPR-15 Do you have a documented AI governance and ethics program?
PPPR-16 Do you have an AI-specific privacy and ethics policy?
PPPR-17 Do you have an AI privacy and ethics awareness/training program?
PPPR-18 Is AI privacy and ethics awareness/training required for all employees who work with AI?
PPPR-19 Do you have documented and currently implemented internal audit processes and procedures?
PPPR-20 Does your organization have physical security controls and policies in place?
PPPR-21 Do you have any decision-making processes that are completely automated (i.e., there is no human involvement)?
PPPR-22 Do you have a documented process for managing automated processing, including validations, monitoring, and data subject requests?
PPPR-23 Do you have a documented policy for sharing information with law enforcement?
PPPR-24 Do you share any institutional data with law enforcement without a valid warrant?
Incident Handling

IH-01 Do you have a formal incident response plan?
IH-02 Do you either have an internal incident response team or retain an external team?
IH-03 Does your incident response team include a privacy analyst/officer?
IH-04 Do you have the capability to respond to incidents on a 24 x 7 x 365 basis?
IH-05 Do you carry cyber-risk insurance that covers events such as unforeseen service outages, data that is lost or stolen, and security incidents?

Quality Assurance

QLAS-01 Do you have a documented and currently implemented quality assurance program?
QLAS-03 Will your company provide quality and performance metrics in relation to the scope of services and performance expectations for the services you are offering?
QLAS-04 Do you incorporate customer feedback into privacy feature requests?
QLAS-05 Can you provide an evaluation site to the institution for testing?

Vulnerability Scanning

VULN-01 Are your systems and applications regularly scanned externally for vulnerabilities?
VULN-02 Have your systems and applications had a third-party security assessment completed in the past year?
VULN-04 Will you provide results of application and system vulnerability scans to the institution?
VULN-06 Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?

HIPAA - Optional based on QUALIFIER response

HIPA-01 Do your workforce members receive regular training related to the HIPAA Privacy and Security Rules and the Health Information Technology for Economic and Clinical Health (HITECH) Act?
HIPA-02 Do you monitor or receive information regarding changes in HIPAA regulations?
HIPA-03 Has your organization designated HIPAA Privacy and Security officers as required by the rules?
HIPA-04 Do you comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH)?
HIPA-05 Have you conducted a risk analysis as required under the Security Rule?
HIPA-06 Have you identified areas of risks?
HIPA-07 Have you taken actions to mitigate the identified risks?
HIPA-08 Does your application require user and system administrator password changes at a frequency no greater than 90 days?
HIPA-09 Does your application require users to set their own password after an administrator reset or on first use of the account?
HIPA-10 Does your application lock out an account after a number of failed login attempts?
HIPA-11 Does your application automatically lock or log out an account after a period of inactivity?
HIPA-12 Are passwords visible in plain text, whether when stored or entered, including service level accounts (i.e., database accounts, etc.)?
HIPA-13 If the application is institution-hosted, can all service level and administrative account passwords be changed by the institution?
HIPA-14 Does your application provide the ability to define user access levels?
HIPA-15 Does your application support varying levels of access to administrative tasks defined individually per user?
HIPA-16 Does your application support varying levels of access to records based on user ID?
HIPA-17 Is there a limit to the number of groups to which a user can be assigned?
HIPA-18 Do accounts used for vendor-supplied remote support abide by the same authentication policies and access logging as the rest of the system?
HIPA-19 Does the application log record access including specific user, date/time of access, and originating IP or device?
HIPA-20 Does the application log administrative activity, such as user account access changes and password changes, including specific user, date/time of changes, and originating IP or device?
HIPA-21 How long does the application keep access/change logs?
HIPA-22 Can the application logs be archived?
HIPA-23 Can the application logs be saved externally?
HIPA-24 Do your data backup and retention policies and practices meet HIPAA requirements?
HIPA-25 Do you have a disaster recovery plan and emergency mode operation plan?
HIPA-26 Have the policies/plans mentioned above been tested?
HIPA-27 Can you provide a HIPAA compliance attestation document?
HIPA-28 Are you willing to enter into a Business Associate Agreement (BAA)?
HIPA-29 Have you entered into a BAA with all subcontractors who may have access to protected health information (PHI)?

GDPR and PIPL - Optional based on QUALIFIER response
INTL-01  Will data be collected from or processed in or stored in the European Economic Area (EEA)?
INTL-02  Do you have a Data Protection Officer (DPO)?
INTL-03  Will you sign appropriate GDPR Standard Contractual Clauses (SCCs) with the institution?
INTL-04  Will data be collected from or processed in or stored in China?
INTL-05  Do you comply with PIPL security, privacy, and data localization requirements?
PCI DSS - Optional based on QUALIFIER response
PCID-01  Do your systems or products store, process, or transmit cardholder (payment/credit/debit card) data?
PCID-02  Are you compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
PCID-03  Do you have a current, executed within the past year, Attestation of Compliance (AoC) or Report on Compliance (RoC)?
PCID-04  Are you classified as a service provider?
PCID-05  Are you on the list of VISA approved service providers?
PCID-06  Are you classified as a merchant? If so, what level (1, 2, 3, 4)?
PCID-07  Describe the architecture employed by the system to verify and authorize credit card transactions.
PCID-08  What payment processors/gateways does the system support?
PCID-09  Can the application be installed in a PCI DSS-compliant manner?
PCID-10  Is the application listed as an approved Payment Application Data Security Standard (PA-DSS) application?
PCID-11  Do the system or products use a third party to collect, store, process, or transmit cardholder (payment/credit/debit card) data?
PCID-12  Include documentation describing the system's abilities to comply with the PCI DSS and any features or capabilities of the system that must be added or changed in order to operate in compliance with the standards.

Data Privacy
DPRV-01  Have you performed a Data Privacy Impact Assessment for the product/service/project?
DPRV-02  Do you provide an end-user privacy notice about privacy policies and procedures that identify the purpose(s) for which personal information is collected, used, retained, and disclosed?
DPRV-03  Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?
DPRV-04  Do you collect personal information only for the purpose(s) identified in the agreement with the institution, or if there is none, the purpose(s) identified in the privacy notice?
DPRV-05  Do you have a documented list of personal data your service maintains?
DPRV-06  Do you retain personal information for only as long as necessary to fulfill the stated purpose(s) or as required by law or regulation and thereafter appropriately dispose of such information?
DPRV-07  Do you provide individuals with access to their personal information for review and update (i.e., Data Subject Rights)?
DPRV-08  Do you disclose personal information to third parties only for the purpose(s) identified in the agreement with the institution, and if there is none, with the purpose(s) identified in the privacy notice or with the implicit or explicit consent of the individual?
DPRV-09  Do you protect personal information against unauthorized access (both physical and logical)?
DPRV-10  Do you maintain accurate, complete, and relevant personal information for the purposes identified in the notice?
DPRV-11  Do you have procedures to address privacy-related noncompliance complaints and disputes?
DPRV-12  Do you "anonymize," "de-identify," or otherwise mask personal data?
DPRV-13  Do you or your subprocessors use or disclose "anonymized," "de-identified," or otherwise masked data for any purpose other than those identified in the agreement with the institution (e.g., sharing with ad networks or data brokers, marketing, creation of profiles, analytics unrelated to services provided to institution)?
DPRV-14  Do you certify stop-processing requests, including any data that is processed by a third party on your behalf?
DPRV-15  Do you have a process to review code for ethical considerations?

Data Privacy AI
DPAI-01  Does your service use AI for the processing of Institutional Data?
DPAI-04  Is AI processing limited to fully licensed commercial enterprise AI services?
DPAI-05  Will institutional data be processed through a third-party or subprocessor that also uses AI?
DPAI-06  Will institutional data be used or processed by any shared AI services?
DPAI-07  Will institutional data be used to train AI?
DPAI-08  Is any Institutional data retained in the AI processing?
DPAI-09  Do you have safeguards in place to protect Institutional Data and data privacy from unintended AI queries or processing?
DPAI-10  Do you have agreements in place with third-parties or subprocessors regarding the protection of customer data and use of AI?
DPAI-11  Do you provide choice to the user to opt out of AI use?

Answer-column placeholders for the General Information rows (GNRL-00 through GNRL-13):
GNRL-00  Vendor contact - who filled out this form?
GNRL-01  Vendor Name
GNRL-02  Product Name and Version Information
GNRL-03  Brief Description of the Product
GNRL-04  http://www.vendor.domain/privacynotice
GNRL-05  http://www.vendor.domain/VPAT
GNRL-06  Vendor Contact Name
GNRL-07  Vendor Contact Title
GNRL-08  [email protected]
GNRL-09  Vendor Data Privacy Contact Name
GNRL-10  Vendor Data Privacy Contact Title
GNRL-11  Vendor Data Privacy Email
GNRL-12  555-555-5555
GNRL-13  555-555-5555

Vendor Answers Additional Information

Version 1.0

Guidance (HECVAT Cross-Reference (3.05), where given, shown in brackets after the guidance text)

Guidance (QUAL rows)
[HECVAT cross-reference: QUAL-01]
State what data or attach a document of data fields that a user can input in your product or service.
State each third party with which institutional data will be shared and/or hosted by and their level of responsibility. [HECVAT cross-reference: QUAL-02]
Provide a reference to your BCP and supporting documentation or submit it along with this fully populated assessment. [HECVAT cross-reference: QUAL-03]
Provide a reference to your DRP and supporting documentation or submit it along with this fully populated assessment. [HECVAT cross-reference: QUAL-04]
Answer yes if your product handles PCI (credit card) information, either directly or via a third party. Based on your "Yes" response, you are required to fill out the PCI DSS section. [HECVAT cross-reference: QUAL-05]
Answer yes if you provide consulting. [HECVAT cross-reference: QUAL-06]
If you are using an option not listed or a combination of options, select "Other." [HECVAT cross-reference: QUAL-07]

Guidance (COMP rows)
Include circumstances that may involve offshoring or multinational agreements. [HECVAT cross-reference: COMP-01]
If Yes, provide a detailed summary of the unplanned disruption. [HECVAT cross-reference: COMP-02]
Describe your Information Security Office or plans, including size, talents, resources, etc. [HECVAT cross-reference: COMP-03]
Describe your Data Privacy Office or plans, including size, talents, resources, etc. [HECVAT cross-reference: COMP-04]
If Yes, provide documentation about the data breach and the resolution.
If Yes, provide documentation about the data breach or privacy incident and the resolution.
Share any details that would help data privacy analysts assess your product.

Guidance (DOCU rows)
Provide the date of assessment and include a SOC 2 Type 2 (preferred) or SOC 3 report. If you have a SOC 3 report, state how to obtain a copy. Indicate if your hosting provider was the subject of the audit. If No, provide any plans of undergoing an audit. [HECVAT cross-reference: DOCU-01]
SOC 2 Type 2 audits can be conducted for any or all of 5 trust principles (confidentiality, integrity, availability, security, and privacy). Answer Yes if your audit included the Privacy principle. Please include a copy with your response and include a URL for the published assessment. If No, describe any plans to complete. [HECVAT cross-reference: DOCU-02]
Provide date of certification, any supporting documentation, and a URL for the certification. If No, provide any plans to obtain. [HECVAT cross-reference: DOCU-03]
Provide documentation on how your organization conforms to your chosen framework and indicate current certification levels, where appropriate. If No, provide any plans to conform. [HECVAT cross-reference: DOCU-04]
Provide documentation on how your organization conforms to your chosen framework and indicate current certification levels, where appropriate. If No, provide any plans to conform.
If you have a third-party hosting provider, please provide how you comply with 800-171 where your third party uses a shared responsibility model. If No, describe any plans to comply. [HECVAT cross-reference: DOCU-05]
Provide your diagrams (or a valid link to them) upon submission. If No, provide a detailed summary of overall system and/or application architecture. [HECVAT cross-reference: DOCU-06]
Provide a reference to your employee onboarding and offboarding policy and supporting documentation. If No, describe your plans to create one, if any. [HECVAT cross-reference: DOCU-08]
If Yes, summarize your current change management process. [HECVAT cross-reference: DOCU-09]
If your answer is "I do not know," select "No." If the VPAT/ACR is for an older version of the product or has not been updated, its information does not accurately reflect accessibility of the product under consideration. [HECVAT cross-reference: DOCU-10]
Provide examples with links where possible. If No, provide plans for any documentation that would make accessible content, features, and functions easily knowable by end users. [HECVAT cross-reference: DOCU-11]

Guidance (THRD rows)
If Yes, provide a summary of your practices that assure that the third party will be subject to the appropriate standards regarding security, service recoverability, and confidentiality. If No, state your plans to perform security assessments of third party companies. [HECVAT cross-reference: THRD-01]
If Yes, provide a summary of your practices that assure that the third party will be subject to the appropriate standards regarding data privacy. If No, state your plans to perform data privacy assessments of third parties.
List each third party and why institutional data is shared with them. Format example: [Vendor] - Reason [HECVAT cross-reference: THRD-02]
[HECVAT cross-reference: THRD-03]
Provide additional information that may help analysts better understand your environment and how it relates to third party solutions. If No, state your plans to implement a third party management strategy. [HECVAT cross-reference: THRD-04]

Guidance (CONS rows)
No guidance text for these rows. HECVAT cross-references: CONS-01, CONS-02, CONS-03, CONS-04, CONS-05, CONS-06, CONS-07, CONS-08, CONS-09.

Guidance (APPL rows)
This includes end users, administrators, service accounts, etc. PBAC would include various dynamic controls such as conditional access, risk-based access, location-based access, or system activity-based access. If Yes, describe roles. If No, describe any limitations that prevent RBAC for Institutional accounts. [HECVAT cross-reference: APPL-01]
This includes system administrators and third-party personnel with access to the system. PBAC would include various dynamic controls such as conditional access, risk-based access, location-based access, or system activity-based access. If No, describe any limitations that prevent support for RBAC. [HECVAT cross-reference: APPL-02]
If Yes, please describe the reasons why in detail and state if that access can be limited (e.g., when the app is running). If No, are there any plans to? [HECVAT cross-reference: APPL-08]

Guidance (AAAI rows)
Answer "Yes" only if user AND administrator authentication is supported. If partially supported, answer "No." Ensure you respond to any guidance in the Additional Information column. [HECVAT cross-reference: AAAI-01]
[HECVAT cross-reference: AAAI-02]
[HECVAT cross-reference: AAAI-12]
If Yes, describe how long before the account is logged out. If No, describe any plans to enable automatic log-outs. [HECVAT cross-reference: AAAI-13]
If No, describe any plans to enable audit logs for these data elements. [HECVAT cross-reference: AAAI-17]
Ensure that all elements of AAAI-06 are clearly stated in your response. [HECVAT cross-reference: AAAI-19]

Guidance (BCPL rows)
If Yes, provide links or attach documentation. If No, summarize or describe your strategy to implement.
Summarize your defined problem/issue escalation plan contained in your BCP. [HECVAT cross-reference: BCPL-02]
If Yes, summarize your documented communication plan contained in your BCP. If No, describe any plans to document. [HECVAT cross-reference: BCPL-03]
If Yes, state the date of your last alternate site relocation test. If No, describe your strategy to implement. [HECVAT cross-reference: BCPL-08]
If Yes, describe or provide references explaining how tertiary services are redundant (i.e., DNS, ISP, etc.). If No, state plans or why not needed. [HECVAT cross-reference: BCPL-10]

Guidance (CHNG rows)
If Yes, indicate all procedures that are implemented in your CMP: (a) an impact analysis of the upgrade is performed; (b) the change is appropriately authorized; (c) changes are made first in a test environment; (d) the ability to implement the upgrades/changes in the production environment is limited to appropriate IT personnel. If No, state your plans to implement change management. [HECVAT cross-reference: CHNG-01]
If Yes, please describe your process for privacy review. If No, describe any plans to implement.
If Yes, state how and when the institution will be notified. If No, describe plans to establish a notification mechanism for major changes.
If Yes, summarize the policy and procedure(s) guiding privacy risk mitigation practices until resolved. If No, state your plans to implement.

Guidance (DATA rows)
If Yes, summarize your transport encryption strategy. If No, describe why sensitive data is not encrypted in transport. [HECVAT cross-reference: DATA-03]
If Yes, summarize your data encryption strategy and state what encryption options are available. If No, describe why sensitive data is not encrypted in storage. [HECVAT cross-reference: DATA-04]
If Yes, state the length of time that the institution's data will be available in the system at the completion of the contract. If No, state plans to implement the capabilities. [HECVAT cross-reference: DATA-06]
If No, describe your data export procedures. [HECVAT cross-reference: DATA-07]
If Yes, summarize the process. If No, state plans to implement capabilities. [HECVAT cross-reference: DATA-08]
If No, describe in detail why ownership rights are not retained by the institution. [HECVAT cross-reference: DATA-09]
If No, provide a detailed description why rights are not retained. [HECVAT cross-reference: DATA-10]
If Yes, state how the institution will be notified of imminent termination. If No, provide a detailed summary why. [HECVAT cross-reference: DATA-11]
Ensure that the response addresses non-volatile storage and lists retention periods. [HECVAT cross-reference: DATA-12]
If No, state plans to include the elements listed. [HECVAT cross-reference: DATA-13]
If Yes, provide a summary of your off-site backup strategy. [HECVAT cross-reference: DATA-14]
If Yes, state the distance in miles between the primary site and the off-site location. [HECVAT cross-reference: DATA-15]
If Yes, summarize the encryption algorithm/strategy you are using to secure backups. If No, detail why backups are not encrypted. [HECVAT cross-reference: DATA-17]
If Yes, describe how FERPA compliance is integrated into your process and procedures. If No, state plans to handle data in a FERPA compliant manner. [HECVAT cross-reference: DATA-22]
If Yes, describe where and whether you comply with the laws of that jurisdiction.
Please indicate which regulatory requirements apply and how you comply.
Consult the definition tab for guidance. If Yes, describe what demographic information you handle.
If Yes, briefly summarize your use of such information and the protection thereof.
If Yes, describe what other sources and provide a list of elements, including any keys that connect the datasets.
If Yes, describe the tracking component and what is done with the information.
If Yes, summarize what access staff (or third parties) have to institutional data. [HECVAT cross-reference: DATA-23]

Guidance (DCTR rows)
If Yes, please indicate which geographic regions you can provide storage in, in the Additional Information column. If No, under what circumstances would institutional data leave a designated region? [HECVAT cross-reference: DCTR-02]

Guidance (DRPL rows)
Provide a valid URL to your current DRP or submit it along with this fully populated assessment. [HECVAT cross-reference: DRPL-01]
Include the geographic region for the DR site. [HECVAT cross-reference: DRPL-04]
If Yes, summarize your disaster recovery strategy. If No, describe your recovery plans if your primary location is unavailable. [HECVAT cross-reference: DRPL-05]
If Yes, summarize your documented communication plan in your DRP. If No, describe your plans to implement. [HECVAT cross-reference: DRPL-08]
If Yes, please provide a summary of the results in Additional Information (including actual recovery time). If No, state the date of your next planned DRP test. [HECVAT cross-reference: DRPL-10]
If Yes, summarize your DRP review and update processes and/or procedures. If No, state plans to implement annual testing. [HECVAT cross-reference: DRPL-11]

Guidance (FIDP rows)
If No, state any plans to implement. [HECVAT cross-reference: FIDP-01]
If Yes, list the name and title of the authority. If No, describe how firewall changes are approved. [HECVAT cross-reference: FIDP-02]
If Yes, describe your documented firewall change request policy. If No, state plan to implement. [HECVAT cross-reference: FIDP-03]
If Yes, describe the currently implemented IDS. If No, state plan to implement. [HECVAT cross-reference: FIDP-04]
If Yes, describe the currently implemented IPS. If No, state plan to implement. [HECVAT cross-reference: FIDP-05]
Provide a brief summary of this activity. [HECVAT cross-reference: FIDP-09]
If Yes, describe your current network systems logging strategy. If No, state plans to implement capabilities. [HECVAT cross-reference: FIDP-11]
Guidance (PPPR rows)
Provide links to these documents in Additional Information or attach them with your submission.
If Yes, describe your privacy management process or provide links or attach documentation. If No, are there plans to implement?
If Yes, summarize the information security principles designed into the product lifecycle. If No, state why principles are not designed into the product lifecycle. [HECVAT cross-reference: PPPR-04]
If Yes, summarize the privacy principles designed into the product lifecycle. If No, state why principles are not designed into the product lifecycle.
If Yes, briefly summarize your SDLC or provide a link or attachment. If No, state any plans to implement. [HECVAT cross-reference: PPPR-05]
If Yes, state how quickly the institution will be notified. If No, provide reason for not complying.
If No, provide reason for not complying.
State the country that governs and regulates your company.
If Yes, provide a reference to your information security policy or submit documentation. If No, state plans to implement policy at your company. [HECVAT cross-reference: PPPR-11]
Summarize your information security awareness program. [HECVAT cross-reference: PPPR-12]
If Yes, summarize your security awareness training content and state how frequently employees are required to undergo security awareness training. If No, state plans to require. [HECVAT cross-reference: PPPR-13]
If Yes, provide a link to your privacy policy or submit documentation. If No, state plans to implement policy at your company. [HECVAT cross-reference: DOCU-07]
If No, state plans to include data privacy training.
If Yes, summarize your privacy awareness training content and state how frequently employees are required to undergo privacy awareness training. If No, state plans to require.
If Yes, please provide links or attach documents. If No, state your plans to implement an AI governance and ethics program.
If Yes, please provide links or attach documents. If No, state your plans to implement AI-specific data and privacy policies.
If Yes, please provide links or attach documents. If No, state your plans to implement AI-specific data and privacy policies.
If No, state plans to include AI training.
Summarize your internal audit processes and procedures. [HECVAT cross-reference: PPPR-15]
If Yes, provide a copy of your physical security controls and policies along with this document (link or attached). If No, state your intent to implement. [HECVAT cross-reference: PPPR-16]
If Yes, provide a list of all fully automated decision-making processes.
If Yes, provide documentation describing management processes.
If Yes, provide a copy of the policy (link or attached). If No, state intent to implement.
If Yes, describe the circumstances in which you share with law enforcement.

Guidance (IH rows)
If Yes, provide links to these documents or attach them. If No, state any plans to implement. [HECVAT cross-reference: IH-01]
If Yes, summarize your incident response and reporting processes. If No, state plan to implement. [HECVAT cross-reference: IH-02]
If Yes, summarize your internal approach or reference your third-party contractor. If No, state plan to implement capability. [HECVAT cross-reference: IH-03]
If Yes, state coverage. If No, state plans to implement coverage in the future or how you can provide breach/liability coverage to the institution without it. [HECVAT cross-reference: IH-04]

Guidance (QLAS rows)
Provide a valid URL to your Quality Assurance program or submit documentation. [HECVAT cross-reference: QLAS-01]
If Yes, provide references to quality and performance metrics documentation. [HECVAT cross-reference: QLAS-03]
If Yes, describe the process by which privacy feature requests are incorporated. If No, are there plans to implement?
If Yes, summarize your evaluation site or provide a link. If No, state plans to provide. [HECVAT cross-reference: QLAS-05]

Guidance (VULN rows)
If Yes, describe your external application vulnerability scanning strategy. [HECVAT cross-reference: VULN-01]
If Yes, provide the results with this document (link or attached), if possible. State the date of the last completed third-party security assessment. [HECVAT cross-reference: VULN-02]
If Yes, provide a reference to security scan documentation. If No, state why. [HECVAT cross-reference: VULN-04]
If Yes, provide a reference to the process or procedure to set up security testing times and scopes. If No, provide a response why. [HECVAT cross-reference: VULN-06]

Guidance (HIPA rows)
Refer to HIPAA regulation documentation for guidance on all HIPAA related questions. [HECVAT cross-reference: HIPA-01]
No further guidance text for the remaining rows. HECVAT cross-references: HIPA-02 through HIPA-29.

Guidance (INTL rows)
If Yes, describe where and what activities will take place in the EEA.
If Yes, provide the name and contact information for the DPO.
If No, explain why.
If Yes, describe where and what activities will take place in China.
If No, explain why.

Guidance (PCID rows)
Refer to PCI-DSS Security Standards for guidance on all PCI-DSS related questions. [HECVAT cross-reference: PCID-01]
No further guidance text for the remaining rows. HECVAT cross-references: PCID-02 through PCID-12.

Guidance (DPRV rows)
If Yes, please indicate the specific privacy standard and the last date performed, and provide documentation. If No, state any plans to perform and the time frame.
If Yes, provide a link to the privacy notice or attach it. If No, state the reason for not providing one.
If Yes, provide a link to Choice and Consent or attach it. If No, state the reason for not making it available.
If No, provide the purposes for collecting personal information beyond those identified in your Privacy Notice.
If Yes, provide a link to or attach the document. If No, describe in detail the Privacy Data your service maintains or processes on behalf of the Institution.
If Yes, provide a link to the policy or procedure for retention, use and disposal, or attach documents. If No, describe in detail why you do not.
If Yes, summarize how access is provided. If No, state any plans to implement.
If Yes, provide a link to or attach the disclosure notice.
If Yes, summarize how you protect it. If No, provide the reason for not protecting it.
If Yes, describe your process to maintain data integrity. If No, state your plans to implement data integrity.
If Yes, provide supporting documentation of your process. If No, summarize your response.
If Yes, describe the process or provide documentation and/or links.
If Yes, describe the uses and disclosures and purposes.
If Yes, summarize the process of stop-processing or provide documentation and/or links. If No, summarize your response.
If Yes, provide supporting documentation of your process. If No, summarize your response.
Guidance (DPAI rows)
If Yes, list all AI processing providers used in providing the service to the Institution.
If No, provide a list of all AI services and supporting documentation or links to AI data privacy policies.
If Yes, list all third-parties that will use AI for processing of Institutional Data.
If Yes, list the shared AI services and whether they are directly licensed by you or your subprocessor. This could apply to a single institution with multiple products where information is shared across those modules. This could also apply to multiple institutions where information is shared by the platform across those institutions.
If Yes, state the options for Institutional Data not to be used to train AI.
If Yes, state how long data is retained and the option for the Institution to not have data retained.
If Yes, summarize the safeguards, or provide links or attach documents. If No, state plans to implement safeguards.
If Yes, provide or summarize language regarding the protection of customer data and use of AI. If No, state any plans to implement.
If Yes, provide documentation on how the choice is exercised.
Higher Education Data Privacy Assessment Tool
Data Privacy - Assessment Tool
DATE-01  Date (mm/dd/yyyy)
General Information

In order to protect the institution and its systems, vendors whose products and/or services will access, collect, and/or host personal data on behalf of or in collaboration with the institution must complete the assessment tool. Throughout this tool, anywhere the term "data" is used, this is an all-encompassing term including at least data and metadata. Upon submittal, answers will be reviewed by the institution's office responsible for privacy. This process will help the institution protect institutional data and comply with institutional policies, state and federal laws, and international regulations. This is intended for use by vendors and should be completed by a vendor.

While this tool has a format similar to that of the HECVAT, it is not affiliated with the HECVAT or endorsed by the HECVAT leadership team. Any questions or feedback on this tool should be directed to [email protected].

GNRL-00 through GNRL-14; populated by the vendor
GNRL-00  Vendor Contact for Response Questions
GNRL-01  Vendor Name
GNRL-02  Product Name
GNRL-03  Product Description
GNRL-04  Web Link to Product Privacy Notice
GNRL-05  Web Link to Accessibility Statement or VPAT
GNRL-06  Vendor Contact Name
GNRL-07  Vendor Contact Title
GNRL-08  Vendor Contact Email
GNRL-09  Vendor Data Privacy Contact Name
GNRL-10  Vendor Data Privacy Contact Title
GNRL-11  Vendor Data Privacy Contact Email
GNRL-12  Vendor Data Privacy Contact Phone Number
GNRL-13  Vendor Accessibility Contact Phone Number
GNRL-14  Vendor Hosting Regions
Instructions

Step 1: Complete the Qualifiers section. Step 2: Complete each section answering each set of questions in order, from top to bottom; the built-in formatting logic relies on this order. Step 3: Submit the completed Higher Education Data Privacy Assessment to the institution according to institutional procedures.

Qualifiers

The institution conducts third-party data privacy assessments on a variety of third parties. As such, not all assessment questions are relevant to each party. To alleviate complexity, a "qualifier" strategy is implemented and allows for various parties to use this common documentation instrument. Responses to the following questions will determine the need to answer additional questions below.
Does your product process FERPA-
QUAL-02
related data?
Does your product process GDPR-
QUAL-03
related or PIPL-related data?
Does your product process personal
QUAL-04 data regulated by state law(s) (e.g.,
CCPA)?

Does your product process user-


QUAL-05 provided data that may contain
regulated information?
Company Overview
Do you have a dedicated data privacy
COMP-04
staff or office?

Have you had a personal data breach in


the past 3 years that involved reporting
to a governmental agency, notice to
COMP-06
individuals (including voluntary notice),
or notice to another organization or
institution?

Have you had any data privacy policy or


COMP-07
law violations in the past 36 months?

Use this area to share information


about your privacy practices that will
COMP-08
assist those who are assessing your
company data privacy program.

Documentation

If so, does your SOC 2 audit include the


DOCU-02
Privacy Trust Service Principle?

Do you conform with a specific


industry-standard privacy framework
DOCU-06
(e.g., NIST Privacy Framework, GDPR,
ISO 27701)?

Does your employee onboarding and


offboarding policy include training of
DOCU-11
employees on information security and
data privacy?
Assessment of Third Parties

Do you perform privacy impact


assesments of third parties that collect,
process, or have access to personal
THRD-02 data to ensure they meet industry and
regulatory standards and to mitigate
harmful, unethical, or discriminatory
impacts on data subjects?

Do you have contractual agreements


with third parties that require them to
maintain standards that are the same
THRD-03
as or higher than those of the
institution itself and to comply with all
regulatory requirements?

Business Continuity Plan (BCP)

Do you have a formal Business


BCPL-01 Continuity Plan and Disaster Recovery
Plan?

Change Management
Does your change management process
CHNG-02
include privacy review and approval?

Will the institution be notified of major


changes to your environment that
could impact the institution's data
CHNG-03 privacy posture (e.g., changes to data
collected, "de-identification"
techniques, new AI capabililities using
personal data)?

Do you have policy and procedure,


currently implemented, guiding how
CHNG-04
privacy risks are mitigated until they
can be resolved?

Data

DATA-15: Are institutional data coming into or going out of the United States at any point during collection, processing, storage, or archiving?
DATA-16: Will you handle personal data in a manner compliant with all relevant laws, regulations, and applicable institution policies?
DATA-17: Do you collect, process, or store demographic information (see definitions)?
DATA-18: Do you capture or create genetic, biometric, or behaviometric information (e.g., facial recognition or fingerprints)?
DATA-19: Do you capture device information (e.g., IP address, MAC address)?
DATA-20: Do you combine institutional data (including "de-identified," "anonymized," or otherwise masked data) with personal data from any other sources?
DATA-21: Does any part of this service/project involve a web/app tracking component (e.g., use of web tracking pixels, cookies)?
Policies, Procedures, and Processes

PPPR-01: Can you share the organization chart, mission statement, and policies for your data privacy unit?
PPPR-02: Do you have a documented privacy management process?
PPPR-04: Are privacy principles designed into the product life cycle (i.e., privacy-by-design)?
PPPR-06: Will you comply with applicable breach notification laws?
PPPR-07: Will you comply with the institution's policies regarding user privacy and data protection?
PPPR-08: Is your company subject to the laws and regulations of the institution's geographic region?
PPPR-13: Do you have a privacy awareness/training program?
PPPR-14: Is privacy awareness training mandatory for all employees?
PPPR-15: Do you have a documented AI governance and ethics program?
PPPR-16: Do you have an AI-specific privacy and ethics policy?
PPPR-17: Do you have an AI privacy and ethics awareness/training program?
PPPR-18: Is AI privacy and ethics awareness/training required for all employees who work with AI?
PPPR-21: Do you have any decision-making processes that are completely automated (i.e., there is no human involvement)?
PPPR-22: Do you have a documented process for managing automated processing, including validations, monitoring, and data subject requests?
PPPR-23: Do you have a documented policy for sharing information with law enforcement?
PPPR-24: Do you share any institutional data with law enforcement without a valid warrant?
Incident Handling

IH-03: Does your incident response team include a privacy analyst/officer?
Quality Assurance

QLAS-04: Do you incorporate customer feedback into privacy feature requests?
GDPR and PIPL - Optional based on QUALIFIER response

INTL-01: Will data be collected from, processed in, or stored in the European Economic Area (EEA)?
INTL-02: Do you have a Data Protection Officer (DPO)?
INTL-03: Will you sign appropriate GDPR Standard Contractual Clauses (SCCs) with the institution?
INTL-04: Will data be collected from, processed in, or stored in China?
INTL-05: Do you comply with PIPL (China's Personal Information Protection Law) security, privacy, and data localization requirements?
Data Privacy

DPRV-01: Have you performed a Data Privacy Impact Assessment for the product/service/project?
DPRV-02: Do you provide an end-user privacy notice about privacy policies and procedures that identifies the purpose(s) for which personal information is collected, used, retained, and disclosed?
DPRV-03: Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?
DPRV-04: Do you collect personal information only for the purpose(s) identified in the agreement with the institution or, if there is none, the purpose(s) identified in the privacy notice?
DPRV-05: Do you have a documented list of the personal data your service maintains?
DPRV-06: Do you retain personal information only for as long as necessary to fulfill the stated purpose(s) or as required by law or regulation, and thereafter appropriately dispose of such information?
DPRV-07: Do you provide individuals with access to their personal information for review and update (i.e., Data Subject Rights)?
DPRV-08: Do you disclose personal information to third parties only for the purpose(s) identified in the agreement with the institution or, if there is none, for the purpose(s) identified in the privacy notice or with the implicit or explicit consent of the individual?
DPRV-09: Do you protect personal information against unauthorized access (both physical and logical)?
DPRV-10: Do you maintain accurate, complete, and relevant personal information for the purposes identified in the notice?
DPRV-11: Do you have procedures to address privacy-related noncompliance complaints and disputes?
DPRV-12: Do you "anonymize," "de-identify," or otherwise mask personal data?
DPRV-13: Do you or your subprocessors use or disclose "anonymized," "de-identified," or otherwise masked data for any purpose other than those identified in the agreement with the institution (e.g., sharing with ad networks or data brokers, marketing, creation of profiles, analytics unrelated to services provided to the institution)?
DPRV-14: Do you certify stop-processing requests, including for any data that is processed by a third party on your behalf?
DPRV-15: Do you have a process to review code for ethical considerations?
Data Privacy AI

DPAI-01: Does your service use AI for the processing of Institutional Data?
DPAI-04: Is AI processing limited to fully licensed commercial enterprise AI services?
DPAI-05: Will institutional data be processed through a third party or subprocessor that also uses AI?
DPAI-06: Will institutional data be used or processed by any shared AI services?
DPAI-07: Will institutional data be used to train AI?
DPAI-08: Is any institutional data retained in the AI processing?
DPAI-09: Do you have safeguards in place to protect Institutional Data and data privacy from unintended AI queries or processing?
DPAI-10: Do you have agreements in place with third parties or subprocessors regarding the protection of customer data and use of AI?
DPAI-11: Do you provide the user a choice to opt out of AI use?
oducts and/or services will access, collect, and/or host personal data on behalf of or in collaboration with the institution
the term "data" is used, this is an all-encompassing term including at least data and metadata. Upon submittal, answers
his process will help the institution protect institutional data and comply with institutional policies, state and federal laws,
d should be completed by a vendor.

ted with the HECVAT or endorsed by the HECVAT leadership team. Any questions or feedback on this tool should be directed to [email protected].

Vendor contact - who filled out this form?

Vendor Name
Product Name and Version Information
Brief Description of the Product
Privacy Notice URL (placeholder: www.vendor.domain/privacynotice)
VPAT URL (placeholder: www.vendor.domain/VPAT)
Vendor Contact Name
Vendor Contact Title
Vendor Contact Email
Vendor Data Privacy Contact Name
Vendor Data Privacy Contact Title
Vendor Data Privacy Email
Vendor Contact Phone (placeholder: 555-555-5555)
Vendor Data Privacy Contact Phone (placeholder: 555-555-5555)
on answering each set of questions in order, from top to bottom; the built-in formatting logic relies on this order. Step 3:
the institution according to institutional procedures.

Response columns: Vendor Answers, Additional Information

ariety of third parties. As such, not all assessment questions are relevant to each party. To alleviate complexity, a "qualifier"
mmon documentation instrument. Responses to the following questions will determine the need to answer additional
Version 1.0

Guidance

HECVAT Cross-Reference (3.05)


State what data or attach a document of data fields that a user can input in your product or service.
Guidance

Describe your Data Privacy Office or plans, including size, talents, resources, etc.
If Yes, provide documentation about the data breach and the resolution.
If Yes, provide documentation about the data breach or privacy incident and the resolution.
COMP-08: Share any details that would help data privacy analysts assess your product.
Guidance (Documentation)

DOCU-02: SOC 2 Type 2 audits can be conducted for any or all of the five trust principles (security, availability, processing integrity, confidentiality, and privacy). Answer Yes only if your audit included the Privacy principle; a report scoped to Security alone does not cover it.
DOCU-06: Provide documentation on how your organization conforms to your chosen framework and indicate current certification levels, where appropriate. If No, provide any plans to conform.
Guidance (Assessment of Third Parties)

THRD-02: If Yes, provide a summary of your practices that assures that the third party will be subject to the appropriate standards regarding data privacy. If No, state your plans to perform data privacy assessments of third parties.
Guidance (Business Continuity Plan)

BCPL-01: If Yes, provide links or attach documentation. If No, summarize or describe your strategy to implement.
Guidance (Change Management)

CHNG-02: If Yes, please describe your process for privacy review. If No, describe any plans to implement.
CHNG-03: If Yes, state how and when the institution will be notified. If No, describe plans to establish a notification mechanism for major changes.
CHNG-04: If Yes, summarize the policy and procedure(s) guiding privacy risk mitigation practices until resolved. If No, state your plans to implement.
Guidance (Data)

DATA-15: If Yes, describe where and whether you comply with the laws of that jurisdiction. Please indicate which regulatory requirements apply and how you comply.
DATA-17: Consult the definition tab for guidance. If Yes, describe what demographic information you handle.
DATA-18/19: If Yes, briefly summarize your use of such information and the protection thereof.
DATA-20: If Yes, describe what other sources and provide a list of elements, including any keys that connect the datasets.
DATA-21: If Yes, describe the tracking component and what is done with the information.
Guidance (Policies, Procedures, and Processes)

PPPR-01: Provide links to these documents in Additional Information or attach them with your submission.
PPPR-02: If Yes, describe your privacy management process or provide links or attach documentation. If No, are there plans to implement?
PPPR-04: If Yes, summarize the privacy principles designed into the product lifecycle. If No, state why principles are not designed into the product lifecycle.
PPPR-06: If Yes, state how quickly the institution will be notified. If No, provide the reason for not complying.
PPPR-07: If No, provide the reason for not complying.
PPPR-08: State the country that governs and regulates your company.
PPPR-13: If No, state plans to include data privacy training.
PPPR-14: If Yes, summarize your privacy awareness training content and state how frequently employees are required to undergo privacy awareness training. If No, state plans to require it.
PPPR-15: If Yes, please provide links or attach documents. If No, state your plans to implement an AI governance and ethics program.
PPPR-16: If Yes, please provide links or attach documents. If No, state your plans to implement AI-specific data and privacy policies.
PPPR-17: If Yes, please provide links or attach documents. If No, state your plans to implement AI-specific privacy and ethics awareness/training.
PPPR-18: If No, state plans to include AI training.
PPPR-21: If Yes, provide a list of all fully automated decision-making processes.
PPPR-22: If Yes, provide documentation describing the management processes.
PPPR-23: If Yes, provide a copy of the policy (link or attached). If No, state your intent to implement.
PPPR-24: If Yes, describe the circumstances in which you share with law enforcement.
Guidance (Incident Handling)
Guidance (Quality Assurance)

QLAS-04: If Yes, provide the process by which privacy feature requests are incorporated. If No, are there plans to implement?
Guidance (GDPR and PIPL)

INTL-01: If Yes, describe where and what activities will take place in the EEA.
INTL-02: If Yes, provide the name and contact information for the DPO.
INTL-03: If No, explain why.
INTL-04: If Yes, describe where and what activities will take place in China.
INTL-05: If No, explain why.
Guidance (Data Privacy)

DPRV-01: If Yes, please indicate the specific privacy standard and the last date performed, and provide documentation. If No, state any plans to perform one and the time frame.
DPRV-02: If Yes, provide a link to the privacy notice or attach it. If No, state the reason for not providing one.
DPRV-03: If Yes, provide a link to Choice and Consent or attach it. If No, state the reason for not making it available.
DPRV-04: If No, provide the purposes for collecting personal information beyond those identified in your Privacy Notice.
DPRV-05: If Yes, provide a link to or attach the document. If No, describe in detail the Privacy Data your service maintains or processes on behalf of the Institution.
DPRV-06: If Yes, provide a link to the policy or procedure on retention, use, and disposal, or attach documents. If No, describe in detail why you do not.
DPRV-07: If Yes, summarize how access is provided. If No, state any plans to implement.
DPRV-08: If Yes, provide a link to or attach the disclosure notice.
DPRV-09: If Yes, summarize how you protect it. If No, provide the reason for not protecting it.
DPRV-10: If Yes, describe your process to maintain data integrity. If No, state your plans to implement data integrity.
DPRV-11: If Yes, provide supporting documentation of your process. If No, summarize your response.
DPRV-12: If Yes, describe the process or provide documentation and/or links.
DPRV-13: If Yes, describe the uses and disclosures and their purposes.
DPRV-14: If Yes, summarize the stop-processing process or provide documentation and/or links. If No, summarize your response.
DPRV-15: If Yes, provide supporting documentation of your process. If No, summarize your response.
Guidance (Data Privacy AI)

DPAI-01: If Yes, list all AI processing providers used in providing the service to the Institution.
DPAI-04: If No, provide a list of all AI services and supporting documentation or links to AI data privacy policies.
DPAI-05: If Yes, list all third parties that will use AI for processing of Institutional Data.
DPAI-06: If Yes, list the shared AI services and whether they are directly licensed by you or your subprocessor. This could apply to a single institution with multiple products where information is shared across those modules. This could also apply to multiple institutions where information is shared by the platform across those institutions.
DPAI-07: If Yes, state the options for Institutional Data not to be used to train AI.
DPAI-08: If Yes, state how long data is retained and the option for the Institution to not have data retained.
DPAI-09: If Yes, summarize the safeguards, or provide links or attach documents. If No, state plans to implement safeguards.
DPAI-10: If Yes, provide or summarize the language regarding the protection of customer data and use of AI. If No, state any plans to implement.
DPAI-11: If Yes, provide documentation on how the choice is exercised.
