Data Security Addendum

Data Security Addendum for inclusion in the Contract between  

North Iowa Area Community College (the “College”) and the Selected Firm/Vendor  

This addendum is applicable only in those situations where the Selected Firm/Vendor provides goods or services under a Contract or Purchase Order which necessitate that the Selected Firm/Vendor create, obtain, transmit, use, maintain, process, store, or dispose of Sensitive College Data (as defined in the Definitions Section of this Addendum) as part of its work under the Contract.    

This Addendum sets forth the terms and conditions pursuant to which Sensitive College Data will be protected by the Selected Firm/Vendor during the term of the Parties’ Contract and after its termination.   

Definitions  

Terms used herein shall have the same definition as stated in the Contract.  Additionally, the following definitions shall apply to this Addendum.  

1. “Personally Identifiable Information (“PII”)” means any information that can be connected to a specific person and may include but is not limited to personal identifiers such as name, address, phone, date of birth, Social Security number, student or personal identification numbers, driver’s license numbers, state or federal identification numbers, non-directory information and any other information protected by state or federal privacy laws.  
2. "College Data" includes all College owned Personally Identifiable Information and other information that is not intentionally made generally available by the College on public websites, including but not limited to business, administrative and financial data, intellectual property, and student and employee data.  
3. “Sensitive College Data” means data identified by College to Selected Firm/Vendor as Sensitive College Data and may include, but is not limited to: (1) PII; (2) credit card data; (3) financial or business data which has the potential to affect the accuracy of the College’s financial statements; (4) medical or health data; (5) sensitive or confidential business information; (6) trade secrets; (7) data which could create a security (including IT security) risk to the College; and (8) confidential student or employee data.  
4. "Securely Destroy" means taking actions that render data unrecoverable by both ordinary and extraordinary means. These actions must meet or exceed those sections of the National Institute of Standards and Technology (NIST) SP 800-88 guidelines relevant to data categorized as high security.     
5. "Security Breach" means a security-relevant event in which the security of a system or procedure used to create, obtain, transmit, maintain, use, process, store or dispose of data is breached, and in which College Data is exposed to unauthorized disclosure, access, alteration, or use.   
6. "Services" means any goods or services acquired by the College from the Selected Firm/Vendor.  

Data Security     

1. In addition to the security requirements stated in the Contract, Selected Firm/Vendor warrants that all electronic Sensitive College Data will be encrypted in transmission (including via web interface) and stored at no less than 128-bit level encryption.   Additionally, the Selected Firm/Vendor warrants that all Sensitive College Data shall be Securely Destroyed when destruction is requested by college.  Proof of destruction shall be provided by the Selected Firm/Vendor upon request of the College.  The Selected Firm/Vendor must protect Sensitive College Data from release into AI large language models.
2. If Selected Firm/Vendor’s use of Sensitive College Data includes the storage, processing or transmitting of credit card data for the College, Selected Firm/Vendor represents and warrants that for the life of the Contract and while Selected Firm/Vendor has possession of College customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry (PCI) Security Standards Council (www.pcisecuritystandards.org).  In the case of a third-party application, the application will be listed as PA-DSS compliant at the time of implementation by the College.  Selected Firm/Vendor acknowledges and agrees that it is responsible for the security of all College customer cardholder data or identity information managed, retained, or maintained by Selected Firm/Vendor, including but not limited to protecting against fraudulent or unapproved use of such credit card or identity information.  Contractor agrees to indemnify and hold College, its officers, employees, and agents, harmless for, from, and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees), and expenses arising out of or relating to any loss of College customer credit card or identity information managed, retained, or maintained by contractor, including but not limited to fraudulent or unapproved use of such credit card or identity information. The Selected Firm/Vendor shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request.  Selected Firm/Vendor agrees that, notwithstanding anything to the contrary in the Contract or the Addendum, the College may terminate the Contract immediately without penalty upon notice to the Selected Firm/Vendor in the event Selected Firm/Vendor fails to maintain compliance with the PCI DSS or fails to maintain the confidentiality or integrity of any cardholder data.  

Employee Background Checks and Qualifications 

1. In addition to the employee background checks provided for in the Contract, Selected Firm/Vendor shall perform the following background checks on all employees who have potential to access Sensitive College Data: Social Security Number trace; seven (7) year felony and misdemeanor criminal records check of federal, state, or local records (as applicable) for job related crimes. 

Security Breach    

1. .  In addition to any other remedies available to the College under law or equity, Selected Firm/Vendor will reimburse the College in full for all costs incurred by the College in investigation and remediation of any Security Breach of Sensitive College Data, including but not limited to providing notification to individuals whose Personally Identifiable Information was compromised and to regulatory agencies or other entities as required by law or contract; providing one year’s credit monitoring to the affected individuals if the Personally Identifiable Information exposed during the breach could be used to commit financial identity theft;  and the payment of legal fees, audit costs, fines, and other fees imposed by regulatory agencies or contracting partners as a result of the Security Breach.  

Audits    

1. Selected Firm/Vendor will at its expense conduct or have conducted at least annually a: security audit with audit objectives deemed sufficient by the College, which attests the Selected Firm/Vendor’s security policies, procedures and controls; ii) vulnerability scan, performed by a scanner approved by the College, of Selected Firm/Vendor’s electronic systems and facilities that are used in any way to deliver electronic services under the Contract; and iii) formal penetration test, performed by a process and qualified personnel approved by the College, of Selected Firm/Vendor’s electronic systems and facilities that are used in any way to deliver electronic services under the Contract.  
2. Additionally, the Selected Firm/Vendor will provide the College upon request the results of the above audits, scans and tests, and will promptly modify its security measures as needed based on those results in order to meet its obligations under the Contract.  The College may require, at College expense, the Selected Firm/Vendor to perform additional audits and tests, the results of which will be provided promptly to the College.  
3. AICPA SOC Report (Type II)/per SSAE18: Vendor must provide the College with its most recent Service Organization Control (SOC) audit report and that of all subservice provider(s) relevant to the contract. It is further agreed that the SOC report, which will be free of cost to the College, will be provided annually, within 30 days of its issuance by the auditor. The SOC report should be directed to the appropriate representative identified by the College.  Vendor also commits to providing the College with a designated point of contact for the SOC report, addressing issues raised in the SOC report with relevant subservice provider(s), and responding to any follow up questions posed by the College in relation to the SOC report.