3rd Party Apps: Can you trust them with sensitive data?

July 26, 2023

Third party applications can make our lives easier by streamlining processes, automatically completing tasks, and connecting with other services, but at what cost? When you give these services access to your data, what can they do with it? The answer is different for every application and it's important to know their answers before handing over sensitive data.

Know the Terminology

A third party app is an application or software not created by the same manufacturer as your device or operating system. Some examples include Grammarly, ChatGPT, and Evernote.

Non-UC technology services are third party applications offered online, often for free or at low cost, for which there is no UCSC or UC system-wide agreement. These services can take many forms, including click-through agreements or Google marketplace apps.

Protecting UCSC Data

The first step in protecting data is knowing what type of data you are sharing with the application. Visit Protection Levels for UC Institutional Information to determine what level of data you are working with. Do not share P3-P4 data with non-UC technology services.

It is best practice to review the application’s privacy and security policies before use. Non-UC technology services may not have the appropriate security protections in place that are required for university data. All employees are responsible for taking privacy and security into consideration when deciding whether it is (or is not) appropriate to use non-UC technology services. Check with your appointed Unit Information Security Lead (UISL) or Unit Head for risk-based decisions before moving forward.

There are services and software with a UCSC or UC-wide agreement. This means they are approved for use, but the locations/departments are responsible for paying for the licenses. When paying for a license, if there is a current UCSC or UC-wide agreement, units should make purchases through CruzBuy. Using a procurement card (procard) does not automatically imply that the purchasing units are covered by the UCSC or UC-wide agreement. To ensure UC data is protected under the contract, units must submit a requisition for their purchases. A UC-approved service agreement is required for non-UC systems that store, receive, process, or publish P3-P4 information or are used for essential university business processes. Installing or allowing unapproved third party applications privately, through Google Chrome or some other means, to access University data puts the University at risk.

UCSC approved services and software:

Important Things to Remember

  • Free isn’t free. If a service is free of cost, it is most likely using your data to make money.
  • Using a campus procard does not imply the services are covered by a UCSC or UC-wide agreement.
  • If you want to use an app for P3-P4 UC institutional data, you must submit a requisition.

Additional Resources

Learn more about Use of Third Party and Cloud Services

Contract Language for Third Party Access to Sensitive Data (P3-P4)

UC technology, products, and services

UC Gets 5 Agreements for Assistive Technologies 

Get Help