Contractors that provide IT-related services or products to SUNY at Stony Brook (Contractors) are subject to the following requirements. By supplying SUNY at Stony Brook, you agree to the following provisions.
Electronic and Information Technology ("EIT") Accessibility Requirements
- SUNY is committed to providing an accessible, usable, and integrated experience for all its students, staff, and community. Electronic and information technology (“EIT”) consists of information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information that will be deployed in connection with such technology, equipment, or systems. Further, EIT includes, but is not limited to, telecommunications products, information kiosks and transaction machines, Internet and Intranet websites, web-delivered content, software, electronic books and electronic book reading systems, search engines and databases, multimedia, classroom technology, and office equipment.
- Contractor warrants that (i) Web-based EIT products provided to SUNY shall conform to Web Content Accessibility Guidelines (“WCAG”) 2.2 AA and (ii) non-web-based EIT products provided shall meet or exceed the applicable accessibility requirements of section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794d), and its implementing regulations set forth at Title 36, Code of Federal Regulations, Part 1194.
- Contractor agrees to provide evidence of compliance with these requirements prior to supplying products/services and any other time upon reasonable request of SUNY. Contractor will provide accessibility testing results and written documentation verifying accessibility, including, without limitation, the documentation listed in the Notice to SUNY Vendors Providing Digital Resources. In the event that EIT provided to SUNY does not fully conform to the standards set forth above, Contractor will promptly advise SUNY in writing of the non-conformance and provide detailed information regarding the plans to achieve conformance, including, but not limited to, an intended timeline. Contractor agrees to promptly respond to and resolve any complaint regarding the accessibility of its products or services.
- Failure to comply with these accessibility standards shall constitute a breach. Contractor agrees to indemnify and hold harmless SUNY from any claims arising out of its failure to comply with the foregoing accessibility standards.
Privacy and Security Requirements
All information and data of any kind, provided or made available by SUNY, SUNY students, or SUNY end users to Contractor, regardless of form, format, or content, is hereinafter “SUNY Data”. When Contractor accesses, creates, receives, processes, maintains, or transmits SUNY Data, Contractor represents and warrants that Contractor will comply with the requirements to safeguard set forth herein.
- Data Privacy: General Requirements
- Confidentiality: All SUNY Data shall be considered confidential and treated as such by Contractor, its employees, agents, volunteers, consultants, subcontractors, and sub-subcontractors of any level (collectively, “Authorized Representatives”). For purposes of this Section 1, references to Contractor include Contractor’s Authorized Representatives.
- Use of Data: Contractor will only use SUNY Data for the purpose of fulfilling Contractor’s duties for the benefit of SUNY and will not share such data with, or disclose it to, any third party without the prior written consent of SUNY, except as otherwise required by law. If Contractor is required by law or legal process to disclose any Confidential Information, it shall, unless prohibited by law:
- Provide SUNY with prompt written notice before making the disclosure; and
- Cooperate with SUNY’s efforts to limit or prevent such disclosure, including seeking protective orders or similar remedies.
- Ownership: All SUNY Data, including but not limited to student data, academic records, personal information, and any data provided to or made available to Contractor, and all output generated using SUNY Data through use of the Services (regardless of form, format, or content), shall remain the sole property of SUNY. Contractor shall have no title, ownership rights, or claims to any such SUNY Data.
- AI: To the extent any Services include the use of Artificial Intelligence (“AI”) systems and technologies:
- AI System shall comply with all applicable federal and state laws, regulations, and ethical guidelines.
- Use of SUNY Data (including anonymized or aggregated data) to develop or train AI Systems, or to build upon an AI System model, shall require the prior written consent of SUNY, which consent (if approved) may be subject to any such conditions as SUNY may determine are necessary to:
- Comply with current or future applicable laws, rules, regulations, guidelines, policies, and/or procedures.
- Protect the privacy and security of SUNY Data; and/or
- Manage risk, and promote accountability, safety, and fairness and equity.
- Use of any AI System in a manner that would authorize (or have the effect of authorizing) automatic decision-making pertaining to public assistance, civil liberties, safety, or welfare shall be prohibited.
- Use of any AI System in a manner that would result in (or have the effect of resulting in) any discrimination or bias, as defined under applicable New York State or federal laws, rules, and/or regulations, shall be prohibited.
- Use of any AI System in any manner that would authorize (or have the effect of authorizing) automatic decision-making without any human oversight shall be prohibited.
- SUNY may require the Contractor to provide reports that are necessary for AI auditing purposes. Reports should include how the AI system uses personally identifiable, confidential, or sensitive information to ensure such use complies with applicable laws, rules, regulations, notices, and policies. Contractor may be asked to provide a recent independent audit report or an artificial intelligence (AI) impact assessment as defined by the National Institute of Standards and Technology (NIST) if the solution incorporates AI.
- For purposes of these terms and conditions, “AI Systems” or an “AI System” shall include, but not be limited to: any system or technology utilizing machine learning (“ML”), large language modeling (“LLM”), natural language processing and/or computer vision technologies, including but not limited to generative AI, frontier AI, algorithms or other computational models. “AI Systems” or “AI System” shall not include basic calculations, basic automation, or pre-defined conditional If This Then That (“ITTT”) response systems.
- Advertising: Any use of SUNY Data for marketing or advertising purposes is strictly prohibited.
- Re-Identification: To the extent any SUNY Data is provided to Contractor in de-identified, anonymized, pseudonymized, or another masked or encrypted form, and except as expressly authorized by SUNY, Contractor shall be prohibited from re-identifying any SUNY Data, in whole or in part.
- Authorized Representatives: Contractor will provide access to SUNY Data only to its Authorized Representatives who need to access the data to fulfill Contractor’s obligations for the benefit of SUNY. Remote access for support to resources on SUNY’s premises will be granted only through methods approved by SUNY. Contractor will ensure that its Authorized Representatives have read, understood, and received appropriate instructions as to how to comply with the data protection provisions herein. Contractor’s Authorized Representatives that access SUNY Data must have executed data protection agreements consistent with the terms and conditions herein.
- Location and Use of Data: SUNY Data will not be stored, processed, backed up, archived or otherwise retained on systems physically located outside the United States without prior written consent from SUNY. This requirement applies to all Authorized Representatives. For purposes of these terms and conditions, “stored” includes, but shall not be limited to, any form of housing, retention, or persistent caching of data.
- Federal Data Security Program (DSP) (28 C.F.R. Part 202): To the extent applicable, Contractor shall not engage in any data “transfer” or other “transaction” constituting a “covered data transaction” that allows “access” by a “country of concern” or “covered person” to “bulk U.S. sensitive personal data” or U.S. “government-related data,” as defined by the U.S. Department of Justice’s Final Rule implementing Executive Order 14117, codified at 28 C.F.R. Part 202, as it may be amended from time to time. In compliance therewith, Contractor shall not transmit to or otherwise store SUNY Data with any prohibited party and must implement and maintain security measures consistent with applicable guidance. For avoidance of doubt, Contractor shall not engage in any “restricted transaction” subject to Subpart D of 28 C.F.R. Part 202 without the prior written consent of SUNY pursuant to a written agreement signed by SUNY. Contractor must also promptly report suspected or actual violations and agrees that SUNY may audit compliance with these obligations upon reasonable written notice.
- FERPA Compliance: In addition to any other obligations herein, if Contractor receives Education Records or personally identifiable information (PII) from an Education Record, Contractor agrees that: (i) unless Contractor and SUNY designate another exception, any disclosure of education records and/or PII from education records is done so pursuant to the “school official” exception to FERPA, (ii) Contractor is a “school official” with a “legitimate educational interest” in any Education records and/or PII from education records disclosed, and (iii) Contractor is under the direct control of SUNY with respect to the use and maintenance of any such education records and/or PII from education records. Education Records and PII from education records are as defined in FERPA and include any and all records, data, or information related to any student or students of SUNY.
- European Union (“EU”) General Data Protection Regulation (“GDPR”) and Other International Data Privacy and Security Laws and Regulations: Unless otherwise agreed in writing by both Parties, Contractor, as well as any subcontractors Contractor may engage (at any level) to perform any of Contractor’s obligations to SUNY, shall be solely responsible for compliance with the EU GDPR 2016/679 and the European Artificial Intelligence Act (Regulation (EU) 2024/1689), if applicable, and any other international data privacy and security laws and regulations that may be applicable to the proposed solution, if any (e.g. China Personal Information Protection Law or “PIPL”).
- Gramm-Leach-Bliley Act: Pursuant to the Gramm-Leach-Bliley Act (P.L. 106-102) and the Federal Trade Commission’s Safeguards Rule (16 CFR Part 314) (“GLBA”), and to the extent Contractor is a financial institution or service provider of SUNY under these regulations with respect to student or customer information, Contractor will comply with the Safeguards Rule including the requirement to implement and maintain a written Information Security Program (“Program”) in order to protect such nonpublic customer information (any record containing nonpublic personal information as defined in 16 CFR §313.3(n), whether in paper, electronic, or other form that is handled or maintained by or on behalf of SUNY or SUNY affiliates (16 CFR §314.2)). Examples may include, but are not limited to, name, address, phone number, Social Security Number, bank/credit account information, and student ID numbers.
- NYS Personal Privacy Protection Law: Contractor will comply with applicable provisions of the New York State Privacy Protection Law (NY Public Officers Law §§91-99) and SUNY’s implementing regulations under 8 NYCRR § 315. See SUNY Other Requirement 6603 Compliance with Personal Privacy Protection Law: https://www.suny.edu/sunypp/documents.cfm?doc_id=539.
- Physical Security: To the extent applicable, Contractor shall maintain the physical security of all equipment that contains SUNY Data, including using reputable means to transport.
- Mandatory Data Security Requirements
- Contractor agrees at all times to maintain industry standard information and critical infrastructure security features and protocols, which at a minimum, include: network firewall provisioning; intrusion detection; protection against Distributed Denial of Service (DDoS) threats; the use of network monitoring and protection tools monitored 24/7/365 by security analysts; and regular (at least annually) third-party vulnerability assessments, or equivalent, including providing SUNY a copy of the annual Attestation of Compliance (AOC) document, if requested. Further, Contractor agrees to maintain information and critical infrastructure security that conforms to generally recognized “Industry Standards” and best practices that Contractor applies to its own network, infrastructure, applications and data. Generally recognized Industry Standards include but are not limited to the current standards and benchmarks set forth and maintained by the Center for Internet Security (see http://www.cisecurity.org) or Payment Card Industry/Data Security Standards (“PCI/DSS”) (see http://www.pcisecuritystandards.org).
- Contractor shall implement and use network management and maintenance applications and tools, appropriate intrusion prevention and detection, and data confidentiality/protection/encryption technologies for endpoints, servers and mobile devices. This must include mechanisms to identify vulnerabilities and apply security patches. Contractor will also physically and logically separate different customers’ networks where applicable. Contractor shall establish, maintain, and provide documentation of a continuous security program throughout the term of the Agreement. The Contractor will provide information in the form requested by University, including but not limited to the completion of a security questionnaire and relevant diagrams and/or whitepapers. The security program must enable University (or its selected third party) to:
- Define the scope and boundaries, policies, and organizational structure of an information security management system.
- Conduct periodic risk assessments to identify the specific threats to and vulnerabilities of University.
- Implement appropriate mitigating controls and training programs, and manage resources.
- Monitor and test the security program to ensure its effectiveness. Contractor shall review and adjust the security program in light of any assessed risks.
- Have integrated continuous security testing into its code and build development process, including the following processes:
- Static Application Security Testing (SAST): Analysis of source code and binaries to identify security vulnerabilities;
- Dynamic Application Security Testing (DAST): The execution of simulated attacks on live applications to detect runtime vulnerabilities; and
- Software Composition Analysis (SCA)
- Contractor agrees to provide evidence of compliance with these requirements before providing services and at any other time upon reasonable request of SUNY. The following report(s) and/or certification(s) shall be prepared by Contractor and made available to SUNY:
- A Higher Education Community Vendor Assessment Tool (HECVAT)* spreadsheet report completed by Contractor and provided to the SUNY Chief Information Security Officer (CISO), and:
- Either:
- A completed up-to-date SOC 2 Type 2 report* pursuant to Statement on Standards for Attestation Engagements (SSAE) 18, and issued by an independent third-party auditor, that includes the Security, Availability, Confidentiality, and Privacy of all SUNY Data and the technology solution comprising the Services provided by Contractor to SUNY pursuant to this Agreement, or:
- An up-to-date ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) certification* from an accredited body, prepared pursuant to ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements, and accompanied by the Statement of Applicability (SoA) showing which controls are in scope, and covering all people, systems, and locations involved in delivering the product and/or services to SUNY, and:
- Contractor agrees to address the ability to provide the same levels and types of security through multiple data access methods (e.g., Web, mobile devices, or network), and:
- Required Time Periods
- Each reporting or certification period shall cover the previous twelve (12) consecutive months.
- Report(s) and/or certification(s) shall be provided to SUNY annually and within fifteen (15) days of final issuance by Contractor (HECVAT), independent third-party auditor (SOC 2), and/or independent third-party accredited body (ISO/IEC certification).
- Report(s) and/or certification(s) shall be provided to SUNY no later than fifteen (15) months after the end date of the previous annual report.
- For report(s) and/or certification(s) with an end date of greater than ninety (90) days from the date of receipt by SUNY, Contractor shall provide a bridge letter signed by executive management attesting: (i) that no material changes have occurred which would adversely affect the report and/or certification’s conclusions; and (ii) that any new high-severity control deficiencies discovered since the report or certification end date are disclosed and accompanied by a remediation plan and/or corrective action plan.
*The HECVAT and the SOC 2 Type 2 report or ISO/IEC certification must be completed by the appropriate experts in these areas.
- Other Mandatory Information Security and Service Requirements
- Compliance With Breach Notification and Data Security Laws: Contractor shall comply with all applicable federal and state data protection and breach notification laws, including the New York State Information Security Breach and Notification Act (General Business Law § 899-aa; State Technology Law § 208) (“ISBNA”), the Stop Hacks and Improve Electronic Data Security Act (General Business Law § 899-bb) (“SHIELD Act”), and the Gramm-Leach-Bliley Act (“GLBA”). Contractor shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of any private information (as defined by ISBNA) and other SUNY Data to which it has access.
In the event that Contractor becomes aware of or reasonably suspects any actual or suspected unauthorized acquisition, access, use, or disclosure of SUNY Data (“Security Incident”), Contractor shall:
- Notify SUNY in writing without unreasonable delay, and in no event later than two (2) business days after discovery of the Security Incident
- Take all reasonable measures to investigate, contain, and remediate the Security Incident
- Cooperate fully with SUNY, including providing access to relevant records, personnel, and systems as necessary to support SUNY’s investigation and response
- Keep SUNY apprised of all remediation efforts
- Comply with all applicable legal requirements concerning breach notification and mitigation.
SUNY shall have the sole discretion to determine the content, method, and recipients of any required notifications to affected individuals or government agencies. If the Security Incident is caused by the negligent or willful acts or omissions of Contractor or its Authorized Representatives, Contractor shall be responsible for all reasonable costs and expenses incurred by SUNY in connection with the Security Incident, including investigation, remediation, notification, and credit monitoring services, if applicable.
- Return/Destruction of SUNY Data: Upon the expiration or termination of services to SUNY, and at any other time at the written request of SUNY, Contractor shall promptly return to SUNY all SUNY Data (and all copies of this information) that is in Contractor’s or its Authorized Representatives' possession or control, in a form useable and agreeable to SUNY. If the return of SUNY Data is not feasible, Contractor may, subject to the University’s written consent, destroy such information provided Contractor provides the University with a certificate confirming the date of destruction of such data.
