
Vendor Privacy Agreement
NMU Vendor Privacy Agreement
This Vendor Privacy Agreement (“Agreement”) is incorporated into, amends and supersedes the contract for services (“Contract”) between Northern Michigan University (“NMU”) and Vendor. If Vendor or Vendor’s system stores, processes or transmits “confidential data” (as defined in NMU’s Policies, described further below), then as a condition of doing business, or continuing to do business, with NMU and in consideration for payments under the Contract and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Vendor agrees to be bound by the following terms and conditions:
- Compliance. Vendor acknowledges that NMU has adopted an Acceptable Use Policy, a Vendor Privacy Policy, and a Data Classification Policy, copies of which are set forth in Attachment A (collectively, “Policies”). Vendor agrees to abide by NMU’s Policies, as may be amended from time to time, and to cause its employees, agents and subcontractors to abide by the Policies, in connection with the Contract and their provision of services thereunder. In the event of a conflict between the terms of this Agreement and any provision in any of the Policies, the terms of this Agreement shall prevail. Additionally, Vendor shall comply with all applicable Michigan and federal laws, including those regarding access to and protection of personal and electronic data. Vendor specifically acknowledges its responsibility to understand and comply with all privacy laws as may be applicable to the Contract, including but not limited to the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act.
- Confidential Information. Vendor agrees that business and other proprietary information of any type, which is generated in connection with work related to NMU’s operations and is not generally known to the public, is confidential. Such information may include student education records, treatment records, personnel information, business deliberations, compliance-related information, notes, minutes, documents, network transmissions or electronically or magnetically stored data/records, including IT Data, as defined further below (collectively, “Confidential Information”). Such information shall not be accessed, directly or indirectly disclosed, used, copied, distributed or republished for any reason other than to perform services under the Contract. Vendor shall not allow any third party to have access to any Confidential Information unless otherwise approved by NMU in writing. Confidential Information learned or created during the course of Vendor’s relationship with NMU shall not be used or disclosed by Vendor after termination of the relationship. Confidential Information does not include information that: (a) is readily available to the public, but not due to a data breach, or fault of Vendor; (b) was independently obtained by Vendor from a third party who is lawfully in possession of such information and not bound by a non-disclosure obligation with respect to such information; or (c) was already in Vendor’s possession for reasons unrelated to the Contract or an existing agreement with NMU.
- Access to Information and IT Assets. Vendor acknowledges and agrees that NMU’s computers, applications, information storage, networks and telecommunications systems (“IT Assets”) are NMU’s property. The IT Assets will be used only by properly identified, authenticated and authorized individuals and shall be used solely for NMU’s business. NMU retains all ownership, title, rights and control over all messages, content, data, information and files composed, stored, sent or received on IT Assets (“IT Data”). Vendor shall not access Confidential Information or NMU data, files or any other stored information not necessary for Vendor’s performance under the Contract. Vendor acknowledges and agrees that Vendor has no expectation of privacy with respect to use of the IT Assets.
- Vendor Employees, Agents and Subcontractors. Vendor shall require its employees, agents and subcontractors to observe and comply with this Agreement. To the extent necessary, Vendor shall provide training to such employees, agents and subcontractors to promote compliance with this Agreement. Vendor agrees that NMU has the right to request and review the most current, annual third party audit report.
- Safeguard Standard. Vendor agrees to use reasonable care to protect the privacy and security of Confidential Information by commercially acceptable standards and no less rigorously than it protects its own confidential information. Vendor shall implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of the Confidential Information. If Vendor stores Confidential Information on portable devices or media, such devices or media must be encrypted in accordance with the Federal Information Processing Standards (FIPS) Publication 140-2, as may be amended or superseded. Vendor shall ensure that security measures are regularly reviewed and revised to address evolving threats and vulnerabilities while Vendor has responsibility for the Confidential Information under the terms of this Agreement.
- Reporting Instances of Noncompliance. Vendor agrees to report immediately any violations of the requirements of this Agreement, violations of the Policies or breaches (or potential breaches) of network security to NMU’s Internal Auditor, by email auditor@nmu.edu AND phone (906) 227-2375.
- Data Breach Response. If the nature of Vendor’s business involves Vendor’s equipment, software, products, hosts, networks or environments that may expose NMU IT Data or Confidential Information to a potential data breach, then Vendor shall have in place at all times a commercially reasonable incident response plan, which shall be made available to NMU for review upon request. If Vendor has any reason to believe that a data breach may have occurred on any of Vendor’s equipment, software, products, hosts, networks or environments, Vendor shall immediately provide notice to NMU of all pertinent details related to the same while also taking such immediate actions as may be necessary to preserve relevant evidence, identify the nature of the event and contain any data breach. If it appears to NMU, in its sole discretion, that services or technology provided by Vendor are a source of the data breach and present an unreasonable risk, then, in addition to any other remedies, NMU may opt to discontinue use of that source of the data breach and NMU’s corresponding payment obligations under the Contract shall be adjusted equitably. NMU shall have full control over determining notification requirements in the event of a potential or actual data breach affecting any of its Confidential Information or IT Data.
- Termination of Access and Procedures. Vendor’s access to NMU IT Assets and IT Data is subject to Vendor’s continuing compliance with this Agreement, and NMU may suspend or revoke such access at any time and for any reason. Within 30 days of the termination, cancellation, expiration or other conclusion of the Contract or this Agreement, or if otherwise requested by NMU, Vendor shall return the IT Data to NMU, unless NMU requests in writing that such data be destroyed. Such destruction will be accomplished by “purging” or “physical destruction,” in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-88, as may be amended or superseded. Vendor shall certify in writing to NMU that such return or destruction has been completed.
- Notice and Approval of Offshoring. Vendor represents and warrants to NMU that Vendor shall not, without NMU’s prior written consent: (a) perform any of its obligations under this Agreement or the Contract from locations or using employees, contractors and/or agents, situated outside the United States; (b) directly or indirectly (including through the use of subcontractors) transmit or store any IT Data outside the United States; or (c) allow any IT Data to be accessed by Vendor employees, contractors and/or agents from locations outside the United States.
- Indemnity. Vendor shall indemnify, hold harmless and defend NMU from and against any and all claims, losses, liabilities, costs and other expenses incurred as a result of, or arising directly or indirectly out of or in connection with, any unauthorized use of or access to the Confidential Information or any data or security breach that results from the acts or omissions of Vendor; except to the extent caused by NMU’s negligence or misconduct.
- Additional Insurance. Unless otherwise agreed in writing by NMU, Vendor at its sole cost and expense shall obtain and maintain insurance coverage for internet professional liability, cyber liability and social engineering liability, including coverage for privacy and data security breaches and reasonable costs in investigating and responding to the breaches. Each policy shall provide minimum coverage of at least $2 million per occurrence and shall name Northern Michigan University as an additional insured, with proof of coverage provided to NMU upon request.
- Governing Law; Jurisdiction. This Agreement shall be governed by Michigan law, without regard to conflicts of laws principles. Vendor consents to the exclusive jurisdiction of the Michigan Court of Claims and the state and federal courts in Marquette County, Michigan with respect to any matters arising under this Agreement.
- Remedies. Vendor agrees that money damages would not be a sufficient remedy for any breach or potential breach of this Agreement by Vendor and that without limiting any other rights and in addition to all other remedies, NMU shall be entitled to seek specific performance and injunctive or other equitable relief without proof of damages and without the necessity of posting any bond or other security as a remedy for any such breach or potential breach. In the event NMU institutes any legal suit, action or proceeding against Vendor arising out of or relating to this Agreement, NMU shall be entitled to receive in addition to all other damages to which it may be entitled, the costs incurred by NMU in conducting the suit, action or proceeding, including reasonable attorneys’ fees and expenses and court costs.
- Miscellaneous. This Agreement may not be amended except by a writing signed by the parties. If any provision of this Agreement is held to be invalid, illegal or otherwise unenforceable, the holding shall not affect the remaining provisions. The waiver of any breach of this Agreement by either party hereto shall not constitute a continuing waiver or a waiver of any subsequent breach of either the same or any other provision. The covenants and obligations set forth in this Agreement that are intended to continue in effect after termination of any agreement with NMU shall survive termination and shall remain in effect and enforceable by NMU.
Vendor:
Company Name:
Address:
By:
Print Name:
Title:
Date:
Northern Michigan University:
By:
Print Name:
Title:
Date:
Attachments:
NMU Acceptable Use Policy
NMU Vendor Privacy Policy
NMU Data Classification Policy
Last Revision: 11-11-2019
Last Reviewed: 7-10-2025
Oversight Unit: INFORMATION TECHNOLOGY-TECHNICAL SERVICES
Attached form file: Vendor Privacy Agreement.pdf