Skip to content Skip to site navigation Skip to service navigation

Third Party Security Requirements

Stanford takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty, and staff, as well as to protect the confidentiality of information important to the University's academic and research mission.

For that reason, Stanford has identified three categories of non-public information for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect the information against unauthorized access. The categories are listed in this table.

Stanford expects all partners, consultants, and vendors to abide by Stanford's Risk Classifications ("Guidelines"). Prior to performing services that require access to, transmission of, and/or storage of the university's moderate or high risk data, vendors should provide a third party attestation verifying their ability to comply with Stanford guidelines.

Third party attestation examples include: PCI DSS certification; ISO 27002 certification; OWASP Application Security Verification Standard certification; SAS 70 Type II; or its successor, the SSAE-16. Depending on the type of data, provisions must be in place for encryption during transport to and from the ASP. Additionally, if Stanford information is to be accessed or shared with these third parties, the contract with the agent must include the elements in this clause:

  • 1.1.1 Contractor agrees to implement and maintain commercially reasonable administrative, physical, and technical safeguards to protect data and other information (“Data”) from unauthorized access, use, disclosure, alteration, or destruction.
  • 1.1.2 Prior to performing Services which require access to, transmission of, and/or storage of Stanford's Moderate or High Risk Data, Contractor will provide a third party certification verifying its data security safeguards .
  • 1.1.3 Contractor will not copy, cause to be copied, use or disclose Data received from or on behalf of Stanford except as permitted or required by this Agreement, as required by law, or as otherwise authorized by Stanford in writing.
  • 1.1.4 Contractor will promptly notify Stanford of any actual or suspected unauthorized disclosure of, access to or other breach of the Data. In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the Data, Contractor will comply with all state and federal laws and regulations related to such breach, and will cooperate with Stanford in fulfilling its legal obligations.
  • 1.1.5 Contractor will indemnify Stanford for its violation of these Data Security provisions, including but not limited to the cost of providing appropriate notice to all required parties and credit monitoring, credit rehabilitation, or other credit support services to individuals with information impacted by the actual or suspected breach.
  • 1.1.6 Upon termination or expiration of this Agreement, Contractor will return or, at Stanford's election, destroy, all Data (including all PHI) within 30 days from the conclusion of this Agreement. The obligations related to data security and indemnity will survive the termination of this Agreement.

If a third-party vendor will be engaging in financial services on behalf of Stanford University or on the Stanford campus, the contract must also include the elements in this clause:

  • 1.1 Contractor shall, throughout out the term of this Agreement, handle data and other information generated from financial transactions stored, processed and/or transmitted by or for it under this Agreement ("Cardholder Data") in compliance with the then current Payment Card Industry Data Security Standards (PCI DSS) and all applicable laws and regulations.
  • 1.2 Contractor hereby certifies its PCI DSS compliance as of the Effective Date, and shall maintain its certification throughout the term of this Agreement. Without limiting the foregoing, Contractor hereby acknowledges that it is responsible for (i) the security of Cardholder Data that it possesses or otherwise stores, processes or transmits on behalf of Stanford, or to the extent that it could impact the security of Stanford’s cardholder data environment; and (ii) managing and maintaining all PCI DSS requirements.
  • 1.3 Contractor will provide a list of payment applications that Contractor will use to conduct financial transactions under this Agreement. Payment applications must meet Stanford’s published requirements. Contractor will provide 30 days-notice prior to adding or removing any payment applications.
  • 1.4 Upon execution of this Agreement, Contractor will provide Stanford with annual documentation signed by a certified PCI Qualified Security Auditor verifying that Contractor, and each of its subcontractors is PCI DSS compliant. Such documentation will be sent to Stanford reserves the right, at any time during the term of this Agreement, to request updated documentation of such compliance.
  • 1.5 If Contractor becomes non-compliant with PCI DSS, it will immediately notify Stanford and provide its plan to remediate the non-compliance. In no event will Contractor’s notification to Stanford be later than seven (7) calendar days after Contractor discovers its non-compliance.
  • 1.6 Contractor will give immediate notice to Stanford of any actual or suspected unauthorized disclosure of, access to or other breach of Cardholder Data.
  • 1.7 Notwithstanding the foregoing sections (i.e. Sections 1.5 and Section 1.6), Stanford may terminate the Agreement immediately in the event Contractor fails to maintain compliance with PCI DSS or otherwise fails to maintain confidentiality of any Cardholder Data.
  • 1.8 Contractor acknowledges that the indemnification provisions of this Agreement apply to any failure to maintain PCI DSS compliance or confidentiality of any Cardholder Data.

Please contact your manager and/or the University Privacy Office with any questions about the appropriate classification of information. Please contact Purchasing with questions about contract requirements. Please contact the Information Security Office with any questions about appropriate protection of information.

Last modified March 6, 2024