• UT Foundation Data Confidentiality and Security Agreement

    DEMO-BIO DATA
  • Instructions

    Please begin by reviewing the UTFI Data Confidentiality and Security Agreement - Demo-Bio (PDF).

    If you ("vendor") request no changes, please select "approves of all language" at the bottom of this page.

    If you ("vendor") require amendments to any section of the agreement, please select "would like to request amendments to the language" at the bottom of this page. Note: the "Definitions" section cannot be amended. 

  • Instructions

    Please select the section you would like to amend, check "would like to request an amendment to the language," and enter the requested update in the text box provided.

    Upon submission of this form, you will receive a confirmation email at the address provided on the previous page. The UTFI business office will review your requests and contact you with any questions. A final version of the agreement will then be sent to you for an electronic signature.

    • Section 1: Definitions 
    • NOTE: The language of Section 1: Definitions cannot be amended.

      For purposes of this document, the following definitions apply:

      “Brand Features” means the trade names, trademarks, service marks, logos, domain names, and other distinctive brand features of each party, respectively, as secured by such party from time to time.

      “End User” means the individuals authorized by the University of Tennessee Foundation, Inc. (UT Foundation, UTFI) to access and use the Services.

      UT Foundation uses the Federal Information Processing Standards Publication 199 to categorize systems and information. UT Foundation classifies moderate and high information as follows:

      • The potential impact is "moderate" if the loss of confidentiality and integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of confidentiality and integrity might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
      • The potential impact is "high" if the loss of confidentiality and integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of confidentiality and integrity might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

      The system might store, process, and transmit UT Foundation information that is classified as moderate, including Personal Information.

      Personal Information is defined by The University of Tennessee Foundation as the following: an individual's first name or first initial and last name, in combination with any one (1) or more of the following data elements:

      • Home Address
      • Email Address
      • Phone Number
      • Employment
      • Donor information
      • Partial Date of birth mm/yyyy
      • Social Network information

      Personal Information should NOT contain:

      • Social Security number;
      • Driver license number;
      • Biometric data; or
      • Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

      “Securely Destroy” means taking actions that render data written on media unrecoverable by both ordinary and extraordinary means.

      “Security Breach” means a security-relevant event in which the security of a system or procedure used to create, obtain, transmit, maintain, use, process, store or dispose of data is breached, and in which UT Foundation Data is exposed to unauthorized disclosure, access, alteration, or use.


    • Section 2: Rights and License in and to UT Foundation Data 
    • All rights including, all intellectual property rights, in and to UT Foundation Data remain UT Foundation’s exclusive property, and UT Foundation hereby grants Supplier a limited, nonexclusive license to use these data as provided in this agreement solely for the purpose of performing its obligations. This agreement does not give a party any rights, implied or otherwise, to the other’s data, content, or intellectual property, except as expressly stated in the agreement. If Supplier will use third parties to fulfill its obligations under this agreement, Supplier must first obtain the UT Foundation’s permission before transferring UT Foundation data to any third parties.

    • Section 3: Intellectual Property Rights and Disclosure 
    • Unless UT Foundation agrees otherwise in writing, Supplier will not disclose to any third party any materials that Supplier creates for UT Foundation under this agreement.

      Supplier agrees that UT Foundation will own all rights, title, and interest in any and all intellectual property Supplier creates in the performance of, or otherwise arising from, this agreement, and will have full ownership and beneficial use of it, free and clear of claims of any nature by any third party including, without limitation, copyright or patent infringement claims. Supplier hereby assigns all rights, title, and interest in any and all intellectual property created in the performance of or otherwise arising from this agreement, and will execute any future assignments or other documents needed for UT Foundation to document, register, or otherwise perfect such rights.

    • Section 4: Data Security 
    • Supplier shall protect UT Foundation's information in compliance with the controls defined in one of the following frameworks:

      • Center for Internet Security (CIS) Critical Security Controls
      • ISO/IEC 27001
      • NIST SP 800-53
      • NIST Cybersecurity Framework

    • Section 5: Data Privacy 
    • Supplier will use UT Foundation Data only for the purpose of fulfilling its duties under this agreement and will not share such data with or disclose it to any third party without the prior written consent of UT Foundation, except as required by this agreement or as otherwise required by law.

      Supplier will not store UT Foundation Data on servers located outside of the United States, unless the UT Foundation agrees in writing that Supplier may store UT Foundation Data outside of the United States.

      Supplier will provide access to UT Foundation Data only to its employees and subcontractors who need to access the data to fulfill Supplier’s obligations under this agreement. Supplier shall ensure that employees who perform work under this agreement have read, understood, and received appropriate instruction as to how to comply with the data protection provisions of this agreement.

    • Section 6: Background Checks 
    • Supplier shall ensure that its employees have undergone appropriate background screening and possess all needed qualifications to comply with the terms of this agreement including but not limited to all terms relating to data and intellectual property protection.

      Supplier shall perform the following background checks, in accordance with the Fair Credit Reporting Act, on all employees who have potential to access UT Foundation Data: Social Security Number trace; 7-year felony and misdemeanor criminal records check of federal, state, or local records (as applicable) for job-related crimes; Office of Foreign Assets Control (OFAC) sanctions list check; Bureau of Industry and Security (BIS) lists check; and Directorate of Defense Trade Controls (DDTC) Debarred Persons List check.

    • Section 7: Data Authenticity and Integrity 
    • Supplier will take reasonable measures, including audit trails, to protect the confidentiality, integrity, and availability of UT Foundation's Data against deterioration or degradation of data quality and authenticity. Supplier shall ensure that UT Foundation Data is preserved, maintained, and accessible throughout its lifecycle, including converting and migrating electronic data as often as necessary so that information is not lost due to hardware, software, or media obsolescence or deterioration.

    • Section 8: Security Breach 
    • Response

      Immediately upon becoming aware of a Security Breach of Moderate or High information, or of circumstances that could have resulted in unauthorized access to or disclosure or use of UT Foundation Data, Supplier will notify UT Foundation and fully investigate the incident. Supplier will cooperate fully with UT Foundation's investigation of and response to the incident, including providing UT Foundation or its agents, or both, with access (physical and logical) to Supplier's related documents and facilities. Except as otherwise required by law, Supplier will not provide notice of the incident directly to individuals whose Personal Information was involved, regulatory agencies, or other entities without UT Foundation's prior written permission.

      Liability

      In addition to any other remedies available to UT Foundation under law or equity, Supplier will reimburse UT Foundation in full for all costs incurred by the UT Foundation in investigation and remediation of such Security Breach, including but not limited to providing notification to individuals or entities whose Personal Information was compromised and to regulatory agencies or other entities as required by law or contract; and the payment of legal fees, audit costs, fines, and other fees imposed by regulatory agencies or contracting partners as a result of the Security Breach.

    • Section 9: Response to Legal Orders, Demands, or Requests for Data 
    • Except as otherwise expressly prohibited by law, Supplier will:

      • immediately notify UT Foundation of any subpoenas, warrants, or other legal orders, demands, or requests received by Supplier seeking UT Foundation Data;
      • consult with UT Foundation regarding its response;
      • cooperate with UT Foundation's reasonable requests in connection with efforts by UT Foundation to intervene and quash or modify the legal order, demand, or request; and
      • upon UT Foundation's request, provide UT Foundation with a copy of its response.

      If UT Foundation receives a subpoena, warrant, or other legal order, demand (including a request pursuant to the Tennessee Public Records Act), or request seeking UT Foundation Data maintained by Supplier, UT Foundation will promptly provide a copy to Supplier. Supplier will promptly supply UT Foundation with copies of the data required for UT Foundation to respond, and will cooperate with UT Foundation's reasonable requests in connection with its response.

    • Section 10: Data Transfer Upon Termination or Expiration 
    • Upon termination or expiration of this agreement, Supplier will ensure that all UT Foundation Data are securely returned or destroyed as directed by UT Foundation in its sole discretion. Transfer to UT Foundation or a third party designated by UT Foundation shall occur within a reasonable period of time, and without significant interruption in service. Supplier shall ensure that such transfer/migration uses facilities and methods that are compatible with the relevant systems of UT Foundation or its transferee, and to the extent technologically feasible, that UT Foundation will have reasonable access to UT Foundation Data during the transition. In the event that UT Foundation requests destruction of its data, Supplier agrees to Securely Destroy all data in its possession and in the possession of any subcontractors or agents to which the Supplier might have transferred UT Foundation data. Supplier agrees to provide documentation of data destruction to UT Foundation.

      Fees:

      • Destruction: Supplier will not charge UT Foundation any fees for Securely Destroying UT Foundation data.
      • Return: Supplier will not charge UT Foundation any fees for returning UT Foundation data.

      Supplier will notify the UT Foundation of impending cessation of its business and any contingency plans. This includes immediate transfer of any previously escrowed assets and data and providing the UT Foundation access to Supplier’s facilities to remove and destroy UT Foundation-owned assets and data. Supplier shall implement its exit plan and take all necessary actions to ensure a smooth transition of service with minimal disruption to UT Foundation.

    • Section 11: Technology Professional Liability/Cyber Liability Insurance 
    • Supplier shall maintain technology professional liability (errors & omissions)/cyber liability insurance appropriate to Supplier's profession in an amount not less than $2,000,000 per occurrence or claim, and $2,000,000 annual aggregate, covering all acts, errors, omissions, negligence, and infringement of intellectual property (except patent and trade secret); and network security and privacy risks, including but not limited to unauthorized access, failure of security, information theft, damage to, destruction of, or alteration of electronic information, breach of privacy perils, wrongful disclosure, release, or collection of private information, or other negligence in the handling of confidential information, and including coverage for related regulatory fines, defenses, and penalties. Such coverage must include data breach response expenses, in an amount not less than $2,000,000 and payable whether incurred by UT Foundation or Supplier, including but not limited to consumer notification (whether or not required by law), computer forensic investigations, public relations and crisis management firm fees, and credit file or identity monitoring or remediation services and expenses in the performance of services for UT Foundation or on behalf of UT Foundation.
