CU Boulder requires the following accessibility and security compliance provisions to be included in all acquisitions of digital goods or services. It is highly recommended that the required contract language be provided to prospective suppliers before negotiations begin.
Standard ICT Accessibility Provision:
The university affords equal opportunity to individuals in its employment, services, programs, and activities in accordance with federal and state laws. This includes effective communication and access to electronic and information communication technology resources for individuals with disabilities. [Supplier] shall: (1) deliver all applicable services and products in reasonable compliance with applicable university standards (for example, Web Content Accessibility Guidelines, Level AA or Section 508 Standards for Electronic and Information Technology as applicable); (2) upon request, provide the university with its accessibility testing results and written documentation verifying accessibility; (3) promptly respond to and resolve accessibility complaints; and (4) indemnify and hold the university harmless in the event of claims arising from inaccessibility.
Custom Web Content/Software Development Accessibility Provision:
The university affords equal opportunity to individuals in its employment, services, programs, and activities in accordance with federal and state laws. This includes effective communication and access to electronic and information communication technology resources for individuals with disabilities pursuant to CU-Boulder’s Accessibility of Information and Communication Technology Policy (“Policy”) and CU-Boulder Campus Standards for the Accessibility of Information and Communication (“Standards”). To this end, [Software Developer] shall: (1) read, review, and understand the Policy and Standards; (2) develop software with intent to comply with the Policy and Standards (which currently require compliance with WCAG 2.0 Level AA); (3) prior to delivery of any software, test it for compliance with the applicable Standards and report testing results to the university in a VPAT or other format specified by the university; (4) use best commercial efforts to modify the software to maximize accessibility compliance and otherwise resolve any identified accessibility compliance issues; and (5) ultimately deliver software that complies with the Policy and Standards, to the extent feasible as determined by the university. Pending verification of compliance with this provision, the university is authorized, but not required, to withhold any payment to [Software Developer] pursuant to this agreement. [Software shall not be considered in compliance with this provision unless or until the university Chief Digital Accessibility Officer, the ICT Accessibility Program Manager, or designee has approved.]
Standard ICT Security Provision:
“In providing services hereunder, Contractor agrees to comply with all applicable requirements of the Family Educational Rights and Privacy Act (“FERPA”), Gramm-Leach-Bliley Act (“GLBA”) and the Health Insurance Portability and Accountability Act (“HIPAA”), together hereinafter the “Acts”, and guarantees that all information covered by the Acts and provided to Contractor by the University (“University Information”) will be used only in conjunction with the product or service being provided, that it will not be used for any other purpose, or be released by Contractor or copied in any manner for any other use and will be promptly returned or destroyed upon termination of this Agreement. Contractor shall use commercially reasonable efforts to notify all of its foreseeable agents, employees, subcontractors and assigns who will come into contact with University Information that they shall comply with, and are subject to the confidentiality requirements set forth in the Acts and shall provide each with a written explanation of the Acts’ requirements for confidentiality before they are permitted to access the University Information. Contractor shall provide and maintain a secure environment that ensures confidentiality of all University Information wherever located. No University Information shall be distributed or sold to any third party or used by Contractor or its agents in any way, except as authorized by the Agreement and as approved by the University. Contractor agrees to notify the University, within seventy-two (72) hours, of any security breach that could result in the unauthorized disclosure of University Information. University Information shall not be retained in any files or otherwise by Contractor or its agents, except as set forth in this Agreement and approved by the University. Disclosure of University Information may be cause for legal action against Contractor or its agents. Defense of any such action shall be the sole responsibility of Contractor.”
Ownership of Data
All data and/or content collected, created or prepared by the University and provided to Contractor in the performance of its obligations under the Agreement shall be the exclusive property of the University. Contractor shall not use, willingly allow or cause to have such data used for any purpose other than the performance of the University’s obligations under the Agreement without the prior written consent of the University. This provision shall survive the termination of this agreement.
Data Security and Control
- Contractor attests that it has implemented administrative, physical and technical safeguards for its data security that at a minimum meet industry best practices. Contractor shall ensure that all such safeguards, including the manner in which data is collected, accessed, used, stored, processed, disposed of and disclosed, comply with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement. Contractor further attests that all University data shall be stored in the United States.
- Contractor shall timely notify University of any data breach whether or not it is University data, including a data breach involving any of Contractor third-party service providers that process, store or transmit data.
- Contractor grants permission to University to perform an assessment, audit, examination or review of all controls in Contractor’s physical and/or technical environment in relation to all data being handled and/or services being provided to University pursuant to this Agreement. Contractor shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure and application software that processes, stores or transmits data pursuant to this Agreement.
- If at any time, University wants to change or remove data and/or content on the website, University shall notify Contractor. Contractor will use its best efforts to immediately respond to the request and at a minimum change or remove data and/or content within 24 hours.