Furman University Policy 077.3 requires all University contracts for information technology hardware, software, or services be approved by the Chief Information Officer. Offices considering information technology hardware, software, or services should consult with Information Technology Services (ITS) before getting to the contract stage. ITS can help you determine whether your need can be met by existing ITS services, or whether an outside service would be a better approach.

The Information Technology Services Contract Review Form (pdf) should be completed when outside services are needed.

When you need to contract for information technology, University Policy 370.1 designates ITS as the purchasing agent for technology hardware, software, and services. ITS staff review contracts to ensure that the solution will work with the University technology services, and that the contract terms comply with appropriate University policies and guidelines.

The review process pays particular attention to legal, privacy/security, and business requirements of the contract:

Legal Terms

Privacy/security

Business

Additional explanations, and sample terms, are listed below. All items may not be appropriate for all contracts, but are expected for most contracts.

 

Governing Law: All contracts include a clause that says under which state’s governing laws apply to the contract. This should always be South Carolina.

Terms in Writing: The University requires that allcontract terms be included within the written contract. Terms incorporated by a web link are not acceptable.

Reciprocity of terms: Contracts are typically written by vendors to protect themselves. Consequently, the contract may contain clauses that gives the vendor some benefit. If a clause in a contract gives the vendor a benefit, then we expect the contract to also allow Furman to receive a corresponding benefit.An example of a reciprocity term is indemnity. If the vendor asks Furman to indemnify them against certain risks, we also ask them to indemnify Furman (typically around things like intellectual property disputes.) Another term to be careful about are disclaimers. We want the vendor to stand behind the product or service they are selling. We have had some success getting vendors to modify their disclaimers to better protect the University.

Termination & renewal The termination clause of a contract should allow either party to terminate the contract without cause by providing written notice. This type of termination is usually valid within a given number of days of the other party receiving the notice. The termination term must be reasonable and fair to both parties. At the end of the contract involving Furman data, we want to be sure we get our data back, in a format we can use. There should not be a charge for getting our data back.

Privacy and security: Furman is beginning to contract for many technology services hosted off site, and many of these services store University data on their systems. University data needs to be protected, and comply with expectations outlined in University policy 071.11. If student data is involved then we need additional assurances that the vendor complies with FERPA regulations. The contract needs to state that the vendors systems are regularly audited by a 3rd party. That the auditors report is available to Furman and that the vendor has responded successfully to anything found in such an audit. Here is an example of such privacy language from a recent contract:

“Vendor and Furman agree that student and prospective student records, information, and data are confidential, regardless of whether they are designated as confidential in writing. Vendor further agrees to abide by all requirements of the Family Education Rights and Privacy Act (“FERPA”) with respect to all such student and prospective student records, information, and data. Vendor agrees to accept all financial responsibility for any data breach of its systems related to Furman data and will notify Furman University of such a breach within 24 hours of discovering said breach. Furthermore, vendor will provide upon request evidence of having had a party security audit conducted by a 3rd party within the past year. Vendor will also provide evidence of having successfully satisfied all findings from said security audit.”

Contracts may also require insurance and other compliance terms, especially if the contract involves health or credit card data. In addition, ITS may ask to see evidence of appropriate backup and recovery processes, as well as provisions for data encryption and other relevant security methods.

Single Sign-On: Service contracts that require a student, faculty, or staff login must work with the University’s NetID and support one of our secure single sign-on methods. Vendors that use our single sign-on never see Furman passwords. If the vendor is breached, our single sign-on passwords are not compromised.

Access to Furman’s Network: Any contract that allows a vendor to access Furman’s campus network must include Furman’s network access terms.

Statement of Work: The contract should include a Statement of Work. The statement of work needs to identify what each party expects from the contract. When can we expect things to happen? Are we getting a license to use software? If they’re creating something for Furman is it a “work for hire” that we will own the rights to? What other work do we need to do that will add costs? What measures will be use to demonstrate success beyond getting the solution started? Contracts typically reference, or include, payment schedules within a Statement of Work. Scheduled payment should be after we accept the work as complete.

Cap on increases: Service contracts may be renewable, but there needs to be a caps on future price increases. For example, if there are annual maintenance fees, the contract needs to include a reasonable cap limiting how much these increases can be. We prefer that such increases be not more than 3% per year.

Service levels: We require a service level agreement (SLA) for all contracts for services that are hosted offsite. This is to insure that we are not paying for a service when it is not available. We generally are looking for a 99.9% uptime with some type of refund structure if that level is not met. Here is a pdf example of a representative SLA.

Bid ProcessUniversity policy 370.2 requires that contracts valued at $5000 or more need three competitive quotes, or provide documentation explaining why it was impossible to get three quotes. For contracts valued at more than $10,000 we need three formal competitive written quotations, and unsuccessful bidders must be notified of Furman’s decision.

Budget Office approval: Information Technology Services will check with the budget office to ensure there is adequate funding.

 

If you have questions about a contract for information technology, please contact the IT Service Center.