Data Management Questions for User

  • Name and contact of the vendor and product
  • What problem or objective is this solution meant to solve or address?
  • Does this solution solve the issue fully? (explain)
  • Are there current contracts with a similar solution?
  • If so, why is this software being considered now?
  • Does the university have to send data to use this solution?
  • If so, to what systems and how often?
  • How will the data be used by the vendor? By university staff?
  • What is the level of data sensitivity (public, private, restricted)?
  • Will Personally Identifiable Information (PII) or sensitive data be stored on the system?
  • If so, what data? (a list is provided)
  • What is the data retention timeframe?
  • Will you be using any AI features of this solution?
  • If so, describe the features and how they will be used
  • Who will have access to the solution (students, faculty/staff, alumni, other)?
  • How will inactive users be blocked?
  • Do you know what regulations might apply to the data being collected?
  • Does this solution meet legal, policy, and regulatory requirements?
  • What is the post-implementation review process?
  • Has funding been secured?

Data Management Questions for Vendor

  • What SSO authentication options are supported?
  • What are the password complexity rules that are actually enforced?
  • How are accounts provisioned? (examples with yes/no options provided)
  • Is any AI that is used maintained by your company or by an external ("third party") source?
  • If external, who maintains it?
  • Does your AI utilize the DeepSeek model?
  • Is there any data that needs to be uploaded in a bulk load or ongoing process?
  • Describe the type of data that will be stored, both in initial setup and typical use
  • Is the application hosted in data centers in the United States?
  • Specifically, where is the hosting located?
  • Will this data ever be transferred from your system to a third party such as cloud services or other services? Explain.
  • Outline backup and retention policies surrounding this hosted application. Be specific and detailed.
  • Will this system be used to make payments of any kind? Describe.
  • How will the university receive any stored data when the contract ends?
  • How will university data be destroyed/erased when the contract ends?
  • Has your organization completed a VPAT? Provide
  • Does your organization have a privacy policy or notice? Provide
  • How will updates to the privacy policy be communicated to the university?
  • Do you have an updated version of the Higher Education Community Vendor Assessment Toolkit (HECVAT) filled out? Provide
  • Denote all certificates and attestations held by this company (list provided with levels of holding indicated)
  • Attestations are requested as appropriate for compliance with ITAR, FERPA, HIPAA, GDPR, PCI, and Other as needed.
  • Attestation for legal compliance required