Educause Security Discussion mailing list archives

Re: Confidentiality Agreement with third party vendor


From: Georgios Mousouros <georgios () EMAIL ARIZONA EDU>
Date: Tue, 26 Aug 2008 14:59:46 -0700

We have something in place. I hope it helps.

  1. *Network Security*

Vendor agrees to maintain network security at all times. At a minimum this includes: network firewall provisioning and intrusion detection.

  2. *Data Security*

Vendor agrees to protect and maintain the security of data. These security measures include maintaining secure environments that are patched and up-to-date with all appropriate security updates.

  3. *Data Transmission*

Vendor agrees that any and all transmission or exchange of data shall take place via secure means like HTTPS or FTPS.

  4. *Data Storage*

Vendor agrees that any and all data will be stored, processed and maintained on designated target servers and that no data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium.

  5. *Data Encryption*

Vendor agrees to store all data as part of a designated backup and recovery process in encrypted form, using no less than a 128-bit encryption key.

  6. *Data Re-use*

Vendor agrees that any and all data exchanged shall not be distributed, repurposed or shared across other applications, environments or business units. Vendor further agrees that no data of any kind shall be transmitted, exchanged or otherwise passed to other vendors or interested parties.

  7. *End of Agreement Data Handling*

Vendor agrees that upon termination of this Agreement, it shall erase, destroy and render all data unreadable unless otherwise specified. Vendor shall certify in writing that these actions have been completed within 30 days of the termination of this Agreement or within 7 days of the request of an agent, whichever comes first.

Vendor agrees to comply with all applicable laws that require the notification of individuals in the event of unauthorized release of Personal Identifiable Information (PII) or other event requiring notification. In the event of a breach of any of Vendor’s security obligations or other event requiring notification under applicable law, Vendor agrees to assume responsibility for informing all such individuals.



Jeff Holden wrote:

Do any of you have a confidentiality agreement you can share with me on or off list? I need one pertaining to a third party that is going to convert data from one format to another. All the confidentiality agreements I have found are more structured to business use or for research data. I want it to include clauses that data is only to be used for the intended purpose of converting formats, won't be transmitted unencrypted, won't be disclosed to anyone, will be disclosed to us if their security is breached, and that the data will be securely deleted after the process is complete, and any other standard clauses needed to CMA.

Thanks,
Jeff Holden, CISSP, RHCE
Manager, Network & Data Security
Mt. San Antonio College
(909) 594-5611 X5017

--
Georgios Mousouros
Support Systems Analyst, Senior
Information Security Liaison
College of Social and Behavioral Sciences
University of Arizona
University Services Building
888 N. Euclid, Room 302
Tel: (520) 621-1596
Fax: (520) 626-2959
http://www.sbs.arizona.edu/security/