Ensure you are following security and accessibility rules when using university data with third party services.
What are third-party technology services?
Third-party technology services are applications, software, or other web-based technologies not created by the manufacturer of your device or operating system. They are often accessed online for free or at low cost. Examples might include Grammarly, ChatGPT, Evernote, Slack, and Dropbox. While these services can be beneficial, it is important to ensure that UC Santa Cruz data is appropriately protected before using them.
Most third-party services are non-UC technology services, which means that no agreement exists between UCSC and the service provider. Therefore, non-UC technology services may not have the appropriate security protections in place that are required for university data.
When using a non-UC technology service
Before using a non-UC technology service, it is important to:
Know your data and resource
If it is P3-P4 data and it is connecting to a P3-P4 resource, you must use a UC-approved service. Otherwise, you must purchase the service through our procurement process to guarantee inclusion of necessary security, compliance, and privacy provisions in the contract. Review the requirements for supplier access to sensitive data.
Data ownership, service levels, and legal/contract criteria
Don’t use external information services for anything that you’re not prepared to disclose or lose. It is best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, and what they used it for. Check the company’s privacy policy and what the vendor is going to do with the information you and others provide.
Operational, Legal, and Contractual Issues: Consider the following when evaluating whether a free/low-cost service is suitable for your needs:
Contracts:
- Be cautious about signing up for free/low-cost services as their terms and conditions may differ from UCSC’s or UC’s.
- “Click-to-accept” agreements bind you to their terms, even with free services.
- Limited recourse may be available if issues arise or the vendor’s actions conflict with your preferences in free or “click wrap” services.
Ownership:
- Ensure University data ownership aligns with policy when using commercial services; consult UCSC’s Business Contracts Office for assistance.
Accessibility:
- Ensure applications or services are accessible for users with disabilities, verifying Section 508 compliance; ask the vendor and conduct testing.
- Web accessibility information and testing resources are available on UC’s Electronic Accessibility website.
Make sure it’s accessible
Applications or services that UC Santa Cruz provides must be accessible, even if they come from third parties. New services should be tested for accessibility before they are purchased. Learn more about UCSC’s Accessibility Standards.
Know the terms and conditions of use
A third-party service provider can hold you to what you agree to, even if it is just a “click-to-accept” agreement. Note that ownership of data must remain with UCSC.
Review the service’s security and privacy policies
Ensure that they align with UCSC’s policies. Check with your Unit Information Security Lead (UISL) or Unit Head for risk-based decisions before moving forward.
Security criteria
The cloud service provider may post additional security information on its site, for example under a “Security” page, in the “Terms of Service,” or in Support/FAQs. For more information, contact ispolicy@ucsc.edu.
- Will the cloud service provider have non-public (P2-P4) information?
- Will the cloud service provider have Social Security numbers, driver’s license numbers, or health, insurance, or financial information?
- Are there compliance requirements for the information, e.g. credit cards (PCI), health information (HIPAA)?
- Are there export-control restrictions on the information that preclude storing it internationally?
- Will student information be stored or accessed by the cloud service provider?
- Does the cloud service provider have a security plan or provide information about their security controls?
- Has their security plan been mapped or certified to any security frameworks?
- How will they contact you if there is a breach of information, and in what timeframe?
- Does the cloud provider have a history of security breaches or other regulatory or legal findings related to security?
Answering Yes to any of these questions indicates some risk in the use of the cloud service and that a contract or another service should be considered. For more information on contracts, contact buy4me@ucsc.edu.
Privacy criteria
The cloud service provider may post additional privacy information on its site, for example under a “Privacy Policy” page, in the “Terms of Service,” or in Support/FAQs. For more information, contact privacy@ucsc.edu.
- Does the provider have a privacy policy?
- How might UC or individuals be harmed if the information the cloud provider was storing or had access to was compromised?
- Can you as the user remove or delete your information or account with the cloud service provider?
- If you delete your information, does the cloud service provider still have rights to store or use it?
- How long does the information remain with the cloud service provider (in online and offline storage), including after you delete it or your account?
- Under what circumstances will the cloud service provider access content or restrict service without your consent as the user?
- Will your information be used by, shared with or sold to a third-party? Is that inconsistent with why you gave the information to the cloud service provider?
- Will the cloud service provider respond to requests for your information from government officials or law enforcement?
Answering Yes to any of these questions indicates some risk in the use of the cloud service and that a contract or another service should be considered. For more information on contracts, contact buy4me@ucsc.edu.