GEORGETOWN UNIVERSITY
CONTRACTS DEPARTMENT
CUSTOMER INFORMATION ADDENDUM Rev. 06.04.15
This Addendum ("Addendum") amends and is hereby incorporated into the existing agreement known
as
("Agreement"), entered into by and between (hereinafter
"Service Provider") and Georgetown University on
GEORGETOWN University and Service Provider mutually agree to modify the Agreement to
incorporate the terms of this Addendum to comply with the requirements of dealing with the
confidentiality of Customer Information. If any conflict exists between the terms of the original
Agreement and this Addendum, the terms of this Addendum shall govern.
1. Definitions:
Customer Information: Covers all data and information, whether written, verbal or electronic,
provided to a Service Provider in connection with the Agreement, including, but not limited to
data and information that may be designated as Restricted Data.
Restricted Data: Requires the highest level of protection from any unauthorized access or
tampering. It covers sensitive information about students, faculty, staff, users of University
services and facilities, and the University. Specific laws and policies may govern certain types of
information, such as the Family Educational Rights and Privacy Act (FERPA), which protects
personal information about current and former students, the Health Insurance Portability and
Accountability Act (HIPAA), which governs the use of protected health information, the
Gramm-Leach-Bliley Act (GLBA), which protects personal financial information, and the
Payment Card Industry Data Security Standards (PCI DSS), which protect credit card
information. Restricted Data also includes credentials (i.e. passwords, PKI certificates, etc.) used
to protect systems containing Customer Information.
2. Acknowledgment of Access to Specific Customer Information: Service Provider acknowledges
that this Agreement may allow the Service Provider access to the following categories of
Restricted Data under the Agreement:
Identify specific data for each category or indicate does not apply.
Health Insurance Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
Gramm-Leach-Bliley Act (GLBA)
Payment Card Industry Data Security Standards (PCI DSS)
Other Restricted Data
Service Provider agrees that it shall use this information solely for the purpose of providing services
to GEORGETOWN and otherwise strictly in accordance with the laws and policies set forth above.
3. Prohibition on Unauthorized Use or Disclosure of Customer Information: Service Provider agrees
to hold the Customer Information in strict confidence. Service Provider shall not use, disclose, transfer,
sell, rent, copy or allow third-party access to Confidential Information, or use Confidential Information for
Service Provider’s own benefit or the benefit of third parties, except as permitted or required by the
Agreement or this Addendum, as required by law, or as otherwise authorized in writing by
GEORGETOWN University.
4. Safeguard Standard and Security Controls: Service Provider shall develop, implement, maintain
and use appropriate administrative, technical and physical security measures to preserve the
confidentiality, integrity and availability of all electronically maintained or transmitted Customer
Information received from, or on behalf of, GEORGETOWN University. Service Provider agrees that it
will protect the Customer Information it receives from or on behalf of GEORGETOWN according to
commercially acceptable standards and no less rigorously than it protects its own Customer Information.
Without limiting the generality of the foregoing, Service Provider shall develop, implement, maintain,
and use, at a minimum, the following controls to assure the confidentiality, integrity and availability of
electronically maintained or transmitted Customer Information received from, or on behalf of,
GEORGETOWN University: (a) updated anti-virus software installed on all appropriate computing
equipment, (b) updated security software patches installed on all appropriate computing equipment, (c)
firewall software installed on computing environments connected to the Internet, (d) use of encryption
software when electronically transmitting Georgetown data to external organizations (including
Georgetown), (e) appropriate access controls to restrict access to authorized individuals of Georgetown
data, materials, or computing systems or locations processing or storing Georgetown data, and (f) such
other reasonable security controls, systems, and measures as Georgetown may require during the term of
the Agreement.
Cloud Service Providers (CSPs) are subject to additional security control requirements consistent with
industry standards. CSPs shall ensure that the IT systems and applications used in providing the cloud or
IT infrastructure hosting service, including all component elements, are configured in a manner that is
consistent with the most current version of the applicable industry standards or benchmarks. CSPs also
shall conduct periodic monitoring and implement all configuration updates as may be necessary to
ensure that such IT systems/applications and all component elements are in compliance with all updates
to the applicable standards that become available after the effective date of the Agreement and during
the Agreement term.
GEORGETOWN University reserves the right to have its designated representative(s) visit Service
Provider’s premises in a manner that minimizes impact on Service Provider’s business operations to the
extent possible, to observe and monitor performance of the services and ensure that adequate security
controls are in place.
5. Assurance: GEORGETOWN University reserves the right, through itself or authorized parties, to
perform reasonable financial, security and performance audits of Service Provider in connection with the
Agreement. Audits may consist of examination of financial information to support contract billing and
costs as well as Service Provider’s internal controls relevant to the Agreement. Service Provider agrees
to make available for inspection and audit pertinent records for up to 60 days after termination of the
Agreement.
6. Return or Destruction of Customer Information: Upon termination, cancellation, expiration or
other conclusion of the Agreement, or otherwise as requested by GEORGETOWN University, Service
Provider shall:
a. Return to GEORGETOWN University, or if return is not feasible then destroy, all Customer
Information in whatever form or medium that Service Provider received from or created on behalf
of GEORGETOWN University. This provision shall also apply to all Customer Information that
is in the possession of subcontractors or agents of Service Provider. In such case, Service
Provider shall retain no copies of such information, including any compilations derived from or
allowing identification of Customer Information. Service Provider shall complete such return or
destruction as promptly as possible, but no later than fifteen (15) days after the effective date of
the conclusion of this Agreement. Within such fifteen (15) day period, Service Provider shall
certify in writing to GEORGETOWN University that such return or destruction has been
completed. GEORGETOWN University will maintain audit and assurance rights to verify
compliance with this contract term.
b. If Service Provider believes that the return or destruction of Customer Information is not
feasible, Service Provider shall provide written notification of the conditions that make return or
destruction infeasible. Upon mutual agreement of the Parties that return or destruction is not
feasible, Service Provider shall extend the protections of this Addendum to Customer Information
received from or created on behalf of GEORGETOWN University, and limit further uses and
disclosures of such Customer Information, for so long as Service Provider maintains the
Customer Information.
7. Term and Termination:
a. This Addendum shall take effect [upon execution].
b. In addition to the rights of the parties established by the Agreement, if GEORGETOWN
University reasonably determines in good faith that Service Provider has breached any of its
obligations under this Addendum, Service Provider agrees that any such breach will cause
irreparable damage to GEORGETOWN University and that GEORGETOWN University, in its
sole discretion, shall have the right to:
(i) exercise any of its rights to receive reports, or to access or inspect under this
Addendum; and/or
(ii) require Service Provider to submit to a plan of monitoring and reporting, as
GEORGETOWN University reasonably may determine is necessary to maintain
compliance with this Addendum; and/or
(iii) provide Service Provider with a fifteen (15) day period to remedy the breach; or
terminate the Agreement immediately if remediation is not possible; and/or
(iv) seek preliminary or permanent injunctive relief from a court of competent
jurisdiction to prevent or limit the effects of such breach or imminent breach.
c. Before exercising any of these options, GEORGETOWN University shall provide written
notice to Service Provider describing the violation and the action it intends to take.
8. Subcontractors and Agents: If Service Provider provides any Customer Information received
from, or created for, GEORGETOWN University to a subcontractor or agent, then Service Provider
shall require such subcontractor or agent to agree to the same restrictions and conditions as are imposed
on Service Provider by this Addendum.
9. Reporting of Unauthorized Disclosures or Misuse of Customer Information: Service Provider
shall report to GEORGETOWN University any use or disclosure of Customer Information not
authorized by this Addendum or in writing by GEORGETOWN University. Service Provider shall make
the report to GEORGETOWN University no later than one (1) business day after Service Provider
learns of such use or disclosure. Service Provider's report shall identify: (i) the nature of the
unauthorized use or disclosure, (ii) the Customer Information used or disclosed, (iii) who made the
unauthorized use or received the unauthorized disclosure, (iv) what Service Provider has done or shall
do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action
Service Provider has taken or shall take to prevent future similar unauthorized use or disclosure. Service
Provider shall provide such other information, including a written report, as reasonably requested by
GEORGETOWN University. Service Provider agrees to make available resources and data as
reasonably requested by GEORGETOWN University for the purpose of determining the full impact and
root cause of the unauthorized use or disclosure.
10. Indemnity. Service Provider shall defend and hold GEORGETOWN University harmless from
all claims, liabilities, damages, or judgments involving a third party, including GEORGETOWN
University's costs and attorney fees, which arise as a result of Service Provider's failure to meet any of
its obligations under this Addendum.
IN WITNESS WHEREOF, each of the undersigned has caused this Addendum to be duly executed in its
name and on its behalf.
GEORGETOWN UNIVERSITY
By: ________________________________
Title: ______________________________
Date: _____________________________

SERVICE PROVIDER
By: ______________________________
Title: ____________________________
Date: ____________________________
37th & O Streets, NW, Box 5711984 Washington, DC 20057