3210 PR.03 Process for Purchase Contracts for Software, Web Development Services, Electronic Applications, and Data Use Agreements
Revision Date: November 1, 2022
Contents
2. Preliminary Steps for Purchasing Software, Web Development Services, and Electronic Applications
3. Requirements and Process for Purchase Contracts for Software, Web Development Services, and Electronic Applications
4. Requirements and Process for Agreements Involving Access to Yale Data
5. Requirements and Process for Contracts Involving Payment Card Processing
6. Requirements and Process for Data Use Agreements
This procedure supports Policy 3210 Purchase Contracts. It outlines the process for contracting for software, web development services, electronic applications, and data use agreements. It supplements Procedure 3210 PR.01 Services Contracts Process with the specific steps for contracting for software, web development services, electronic applications, and data use agreements. Requestors (or designees) should begin the purchase process with Procedure 3210 PR.01 Services Contracts Process.
Upon completing the initial steps detailed in Procedure 3210 PR.01 Services Contracts Process, proceed as detailed in the following sections to contract for software, web development services, electronic applications, and data use agreements.
2. Preliminary Steps for Purchasing Software, Web Development Services, and Electronic Applications
Requestors (or designees) should contact Procurement early in the process of procuring software, web development services, or electronic applications. Procurement can offer helpful guidance on:
- University requirements and procedures related to digital accessibility, data security, privacy, and payment card processing (“PCI”) compliance;
- existing University resources that may satisfy the Requestor’s needs;
- negotiation strategy; and
- business intelligence regarding the strengths and weaknesses of various solutions in the marketplace.
3. Requirements and Process for Purchase Contracts for Software, Web Development Services, and Electronic Applications
Yale does not currently have a mandatory contract template that must be used for all Purchase Contracts involving software, web development services, and electronic applications. For example, different templates may be appropriate for software or applications developed specifically for Yale’s specifications than would be appropriate for a license to preexisting software or applications. When purchasing licenses to existing software or electronic applications, it may be acceptable to use the Supplier’s contract template.
Requestors (or designees) should contact Procurement for guidance regarding which form to use for Purchase Contracts for software, web development services, and electronic applications. If a Supplier wishes to use its own contract template, the Requestor (or designee) must seek approval from Procurement. To meet Yale’s requirements, the template may need to be supplemented with additional Yale forms, such as the Data Addendum, Data Processing Addendum, Accessibility Addendum, or Business Associate Agreement, as necessary.
For software, web development services, and electronic applications with a user interface that will be used to conduct University business, Requestors (or designees) should contact the Procurement Department and the ITS Accessibility Office prior to selecting a Supplier to help confirm that the Supplier can comply with the University’s digital accessibility requirements. For such software, web development services, and applications, the Requestor (or designee) should also complete the following steps:
- Complete the Web or Technology Procurement Updates Form;
- Unless otherwise directed by the ITS Accessibility Office or Procurement, request that the Supplier provide an accessibility conformance report produced using the Voluntary Product Accessibility Template (VPAT); and
- Submit the accessibility conformance report to the ITS Accessibility Office, with a copy to Procurement. Please contact the ITS Accessibility Office if you have questions about the report.
Please note that additional requirements apply to purchases involving access to or storage of Yale Data, including a requirement to classify the risk level of the Yale Data. Please see Section 4 below.
Please review Policy 3210 Purchase Contracts, Section 3210.5, which describes the criteria for when a written Purchase Contract is required for software, web development services, or electronic applications.
4. Requirements and Process for Agreements Involving Access to Yale Data
Any agreement that will provide a Supplier with access to Yale Data must comply with all relevant University policies and procedures governing data storage, disclosure, access, and classification, including the University’s minimum privacy and security standards.
For all such agreements, the Requestor (or designee) must first determine the classification of the data under Policy 1604 Data Classification Policy. The Requestor (or designee) must ensure that the engagement complies with the minimum security standards for that classification. Procedure 1604 PR.01 Data Classification Procedure describes the classification process for Yale Data.
If the proposed engagement involves Supplier access to Moderate or High-Risk Data, the Requestor (or designee) must notify the Information Security Office (ISO) and request a Security Planning Assessment (SPA). The engagement must comply with all requirements regarding data security safeguards and will include negotiating a Data Addendum with the Supplier and requiring the Supplier to complete a Third Party Risk Management (TPRM) Review.
A written contract is required for any engagement involving Supplier access to Moderate or High-Risk Data, regardless of the dollar value. Please contact Procurement for assistance negotiating such contracts.
5. Requirements and Process for Contracts Involving Payment Card Processing
Any agreement involving the acceptance or processing of Payment Card payments for University business must comply with all relevant University policies and procedures governing Payment Card acceptance and processing, including Policy 2820 Acceptance of Payment Cards. A “Payment Card” is any payment card/device that bears the logo of one of the founding members of the Payment Card Industry Security Standards Council, which are American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc.
All such agreements must include terms covering compliance with the Payment Card Industry Data Security Standard.
Requestors (or designees) should contact Procurement and the University eCommerce Manager (epay@yale.edu) as early as possible if they anticipate entering into an agreement involving the acceptance or processing of Payment Card payments for University business to help ensure that the proposed Supplier can comply with the University’s requirements.
6. Requirements and Process for Data Use Agreements
Yale requires a written Purchase Contract signed by the University and the Supplier for all Data Use Agreements (as that term is defined in Policy 3210 Purchase Contracts), regardless of their value. Data Use Agreements involve the purchase by the University of a third party’s data. Data Use Agreements must be reviewed and approved by an appropriate Authorized University Signatory.
If the Supplier from whom Yale is purchasing data is a non-profit entity (such as a governmental entity or a research or educational institution), the Data Use Agreement should be sent to the Office of Sponsored Projects (OSP) for review. For such Data Use Agreements, please follow the steps described at Data Use Agreements (DUAs).
If the Supplier from whom Yale is purchasing data is a for-profit institution, the Data Use Agreement should be submitted to Procurement for review.
Requestors (or designees) should contact Procurement and/or the Office of Sponsored Projects as early as possible if they anticipate entering into a Data Use Agreement in order to help minimize delays in processing and approval.
Yale does not have a single contract template that must be used for all Data Use Agreements. Rather, Requestors (or designees) should contact Procurement or OSP for assistance in negotiating and processing Data Use Agreements.
Data Use Agreements often include detailed terms governing how the University may use third-party data and the measures the University must take to protect the data. Before submitting a Data Use Agreement to the appropriate Authorized University Signatory for review and approval, the Requestor and/or Lead Administrator must review the Data Use Agreement and confirm that the University can comply with all of its terms, and that the terms allow the University to use the data for the intended purpose. Procurement, the Office of Sponsored Projects, and the Office of General Counsel are available to answer questions about the terms or prepare summaries of them. The Requestor and/or Lead Administrator must communicate all relevant terms of the Data Use Agreement to those who will access the data.
Relevant terms that must be communicated may include:
- Restrictions on who may access the data;
- Restrictions on how the data may be used;
- Terms governing how the data must be stored;
- When the right to access the data expires; and
- Terms requiring written acknowledgments or agreements from those who will access the data.