Contracts covering the use of Level 3 or 4 confidential information must include confidentiality language approved by the Office of the General Counsel. The Personal Data Protection contract rider is acceptable to append to an existing contract and may be found at the OGC website.
Massachusetts 201CMR requires that written contracts be enacted with vendors managing Level 4 personally identifiable information. Review contract model documents at the Office of the General Counsel website.
V3: The security design, policies, and procedures of vendors and parties who will collect, process, host or store Level 4 information must be reviewed by a University Information Security Officer. Find out more about appropriate Contract Riders for Vendors.
V2: Contracts with vendors managing Level 3 or Level 4 information must contain specific confidentiality language approved by the Office of General Counsel (OGC), or be reviewed by the OGC. Find out more about appropriate Contract Riders for Vendors.