Technology Contract Review Process

This page outlines the general contract review process for technology related contracts, including software agreements, cloud services, technology integrations, consulting services, any agreement that we give access to our network or provide data to a vendor.  If you do not know if this process should be followed contact the Executive Director of Business Services & EHS .  The time it takes to complete this varies based on many factors, such as the time it takes the vendor to review provided documents and furnish the documents we request.  IT may also choose to do a formal security review with our data security firm Grey Castle.  Please plan at least 3 weeks from start to finish, but depending on many factors it can take much longer.

All policies that pertain to contracts apply to technology contracts. Some helpful links are below:

Who can sign contracts: https://www.stlawu.edu/business/contracts-approval-authority

Purchasing procedures: https://www.stlawu.edu/business/purchasing-0

If the contract meets the threshold to require a competitive bidding process ($10,000) and you did not please complete the Waiver of Competition form and explain why you did not.  https://www.stlawu.edu/business/form/waiver-competition

Process

The person in charge of the contract must have read the entire contract, verify the language matches what the company has presented to the person in charge of the contract. 

1. Enter a requisition in unimarket

2. Submit the contract using our signature request form: https://www.stlawu.edu/business/form/signature-request

3. Complete (with the help of your vendor if necessary) the Vendor Pre-Engagement Form 

4. For software, cloud services, anything that you log into, or anything else that data is transferred in anyway.  Request the following files and send to nick@stlawu.edu

  • VPAT – This shows how compliant they are with accessibility laws.
  • HECVAT – This tells us how they handle data security.
  • SOC2 reports – Security reports is they have one.
  • A certificate of insurance that includes Cyber Liability Insurance and names St. Lawrence as additionally insured.
  • They may ask for a Non-Disclosure Agreement (NDA) The Executive Director of Business Services can review and sign.

5. Once the Executive Director of Business Services receives these files he will determine if we need to ask the vendor to sign a Data Processing Agreement and a Data Security Agreement. He will also work with IT to determine if we need to do a risk assessment with our security consultant.