Contracts covering the use of Level 3 or 4 confidential information must include confidentiality language approved by the Office of the General Counsel. The Personal Data Protection contract rider is acceptable to append to an existing contract and may be found at the OGC website.
Massachusetts 201CMR requires that written contracts be enacted with vendors managing Level 4 personally identifiable information. Review contract model documents at the Office of the General Counsel website.
V3: The security design, policies, and procedures of vendors and other third parties who will collect, process, host or store Level 4 information or manage Harvard critical systems must be reviewed by a University Information Security Officer. Find out more about Vendor Reviews.