Working with an outside IT vendor? Start here.
This request is for new contracts and renewals with outside information technology (IT) vendors, such as software, cloud services, online platforms, hardware, and other technology products or services in alignment with Administrative Procedure 3910.1.
To begin, click the Request Service button in the upper-right corner of this page and complete the short form.
What you'll need to provide
Have a few basics handy before you start:
- The vendor's name and a contact at the company (name, email, phone).
- What the vendor will do for the District, a short plain-language description of the technology product or service.
- Who owns the relationship, the business or contract owner at the District.
- A few yes/no screening questions about whether the vendor will handle sensitive data or connect to the District's systems. Don't worry if you're unsure. Answer your best, and our team confirms the details.
- Any documents you already have (optional but helpful), such as the proposed contract or the vendor's security report (for example, a SOC 2 Type 2 report or a HECVAT). If you don't have these, that's okay. Just note it and we'll follow up.
About the security documents (SOC 2 Type 2 and HECVAT)
If your vendor will handle sensitive data or connect to the District's systems, two documents help us complete the review faster. You don't create these. You request them from the vendor:
- SOC 2 Type 2 report (preferred). An independent report, prepared by an outside auditor, that shows how well a company protects the information it handles over a period of time. Think of it as a vendor's security report card from a neutral third party.
- HECVAT (accepted alternative). Short for Higher Education Community Vendor Assessment Toolkit. It's a standard security questionnaire that the vendor fills out, designed specifically for colleges and universities. If a vendor doesn't have a SOC 2 Type 2 report, a completed HECVAT is a good substitute.
Tip: If you already know the vendor will handle sensitive student or employee data, or connect to the District's systems, ask them for their SOC 2 Type 2 report or HECVAT up front. Having one of these ready is the single biggest thing that speeds up the review.
Ready to begin?
Click the Request Service button in the upper-right corner of this page to start your IT vendor review.