Request a security review of any vendor who will manage Level 4 information in any way through University Support Services, 617-495-7777 or ithelp@harvard.edu. 

Contracts covering the use of Level 3 or 4 confidential information must include confidentiality language approved by the Office of the General Counsel. The Personal Data Protection contract rider is acceptable to append to an existing contract and may be found at the OGC website. 

Massachusetts 201CMR requires that written contracts be enacted with vendors managing Level 4 personally identifiable information. Review contract model documents at the Office of the General Counsel website.  

Use the University Contract Rider to ensure vendor protection for confidential information. Refer to the Office of the General Counsel Model Documents for examples of approved consulting agreement, software agreement, and credit card merchant agreements. For complex or unusual agreements which may not be appropriately addressed through existing...