Technology Contract Review Process
This page outlines the general contract review process for technology related contracts, including software agreements, cloud services, technology integrations, consulting services, any agreement that we give access to our network or provide data to a vendor. If you do not know if this process should be followed contact the Executive Director of Business Services & EHS . The time it takes to complete this varies based on many factors, such as the time it takes the vendor to review provided documents and furnish the documents we request. IT may also choose to do a formal security review with our data security firm Grey Castle. Please plan at least 3 weeks from start to finish, but depending on many factors it can take much longer.
All policies that pertain to contracts apply to technology contracts. Some helpful links are below:
Who can sign contracts: https://www.stlawu.edu/business/contracts-approval-authority
Purchasing procedures: https://www.stlawu.edu/business/purchasing-0
If the contract meets the threshold to require a competitive bidding process ($10,000) and you did not please complete the Waiver of Competition form and explain why you did not. https://www.stlawu.edu/business/form/waiver-competition
The person in charge of the contract must have read the entire contract, verify the language matches what the company has presented to the person in charge of the contract.
1. Enter a requisition.
2. Submit the contract using our signature request form: https://www.stlawu.edu/business/form/signature-request
3. Complete (with the help of your vendor if necessary) the Vendor Pre-Engagement Form v2.5 SLU Completes.xlsx
4. For software, cloud services, anything that you log into, or anything else that data is transferred in anyway. Request the following files and send to email@example.com
- VPAT – This shows how compliant they are with accessibility laws.
- HECVAT – This tells us how they handle data security.
- SOC2 reports – Security reports is they have one.
- A certificate of insurance that includes Cyber Liability Insurance and names St. Lawrence as additionally insured.
- They may ask for a Non-Disclosure Agreement (NDA) The Executive Director of Business Services & EHS can review and sign.
5. Once the Executive Director of Business Services & EHS receives these files he will determine if we need to ask the vendor to sign a Data Processing Agreement and a Data Security Agreement. He will also work with IT to determine if we need to do a risk assessment with our security consultant Grey Castle.