Information Technology Policies


Cloud Vendor Policy

I. Justification and Statement of Policy

This policy defines the requirements for cloud vendor service providers contracting with the College. This policy is considered an addendum to vendor contracts.

II. Scope

Any cloud vendor service provider that will connect to the College's network or interact with College information sources. This policy applies to all faculty, staff and students of F&M.

III. Definitions

“Cloud vendor service provider” or “vendor” is a service provider the College contracts with for information services. This definition includes any subcontractors or subservicers working for the vendor. Also referred to as third party vendors or contractors.

“Personal information” means any non-public and/or proprietary information, in any form, about any community member that is submitted under this addendum or that the vendor becomes aware of throughout the agreement period. The College classifies this type of information as "sensitive" per the Data Classification Policy.

“Non-public personal information” means any personally identifiable financial information. This definition is taken from the Federal Trade Commission Privacy Rule and applies regardless of whether community members seek or obtain any financial product or service. The College classifies this type of information as "confidential" per the Data Classification Policy.

“Community” members include current, former or prospective faculty, staff, students, volunteers, trustees, or representatives of the College or its affiliates.

IV. Policy

Vendor shall provide adequate safeguards for the confidentiality, integrity, and availability of such information. To the extent applicable under the agreement, those safeguards shall conform to the current requirements in:

  • Family Educational Rights and Privacy Act (FERPA)

  • Gramm-Leach-Bliley Act (GLBA)

  • Regulations issued by the U.S. Federal Trade Commission (FTC), including, but not limited to, the Red Flags Rule and the Safeguards Rule

  • General Data Protection Regulation (GDPR)

  • Fair and Accurate Credit Transactions Act (FACTA)

  • Americans with Disabilities Act (ADA)

  • California Consumer Privacy Act (CCPA)

  • Personal Information Protection and Electronic Documents Act (PIPEDA)

  • Federal banking regulatory agencies

  • And other regulations that may pertain to this contract or service

Personal Information Confidentiality and Nondisclosure

  1. Personal information shall be considered property of the College.

  2. Vendor shall hold all personal information in strict confidence and in accordance with the provisions of this agreement, applicable laws and regulations, and the College's policies, procedures, standards, and guidelines.

  3. Vendor shall not (directly or indirectly) acquire any ownership of such personal information.

  4. Vendor shall not disclose personal information to any third party without the prior written consent of the College, except (i) as required to perform vendor's obligations under the agreement, or (ii) as required by law, in which case vendor shall promptly notify the College of such request or requirement.

  5. Vendor may use such personal information only to further the business relationship between the parties, and vendor shall make no further use, in whole or in part, of any such personal information.

  6. Vendor further agrees to disclose personal information only to those of its employees and contractors who need it to provide the services in furtherance of the business relationship between the parties, and to require each such employee and contractor to comply with the terms of this agreement prior to any disclosure to those employees and contractors.

  7. Upon expiration or termination of this agreement for any reason, vendor shall promptly return all personal information to the College or, as directed by the College, securely destroy all personal information immediately.

Vendor Safeguards Statement

  1. Vendor has submitted a cloud vendor assessment that defines the steps vendor will take to protect personal information and related data. This can be the Franklin & Marshall custom cloud vendor assessment tool or the Educause Higher Education Cloud Vendor Assessment Tool (HECVAT).

  2. Vendor shall revise and resubmit an updated cloud vendor assessment when business operations or service delivery change, and when renewing or extending a previous contract.

  3. Any contract involving vendor access to, creation of, or maintenance of Protected Health Information (PHI) must include a Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA).

  4. Any contract involving vendor provision of credit card services must require the contractor to provide assurance that all subcontractors who provide credit card services under the contract will comply with the Payment Card Industry Data Security Standard (PCI DSS) in the provisioning of the services.

  5. The College may annually (or more frequently as circumstances warrant, in the College's judgment) conduct a review of vendor's compliance with the agreement.

Vendor Agreements, Acknowledgments, Representations and Warranties

Vendor agrees, acknowledges, represents and warrants as follows:

  1. The agreement permits vendor access to personal information.

  2. Vendor shall hold personal information in strict confidence and shall access such information only for the explicit business purpose of the agreement.

  3. Vendor stipulates to allow entry of injunctive relief without posting a bond to prevent or remedy a breach of the confidentiality obligations of the agreement.

  4. Vendor stipulates that any breach of these requirements shall constitute a material breach of the agreement and that the College has the right to immediately terminate the agreement without penalty to the University.

  5. Vendor shall maintain controls to ensure that any subcontractor or subservicer used by vendor is also subject to the terms of this agreement.

  6. These requirements shall survive any termination of the agreement.

Vendor Data Protection Agreements and Acknowledgments

  1. Vendor shall ensure compliance with the confidentiality and security conditions of the agreement.

  2. Vendor shall protect the personal information it accesses in accordance with its cloud vendor assessment submission.

  3. Vendor shall notify the College of any security incident, security breach, or unauthorized access to the College's personal information as soon as practicable, but no later than 48 hours, after discovery. Notifications shall be directed to the College's Information Technology Services, the Chief Information Officer, the Chief Information Security Officer, and the contacts named in the agreement.

  4. Vendor agrees that it will not notify any affected individuals of a security breach or unauthorized access without first consulting with and obtaining the consent of the College.

  5. Vendor shall immediately take steps to remediate any security breach or unauthorized access at vendor's expense.

  6. Vendor shall be responsible for the actual costs incurred by the College in responding to and mitigating damages caused by any security breach or unauthorized access, including notification, credit monitoring, or other remediation.

-----
Policy Maintained By: Vice President for Information Technology Services and Chief Information Officer
Original Effective Date: September 1, 2018
Last Reviewed: September 14, 2023