PROFESSIONAL SERVICES AGREEMENT
BETWEEN
THE TRUSTEES OF INDIANA UNIVERSITY
(ON BEHALF OF Insert University department)
AND
Insert name of Contractor
THIS PROFESSIONAL SERVICES AGREEMENT (“Agreement”) is entered into by and between
The Trustees of Indiana University ("University") and the individual [insert name of Contractor]
("Contractor") and provides as follows:
1.
Services.
a.
Contractor will provide to the University the services described in Section 1.c.
b.
Contractor is an independent contractor. This Agreement shall not be deemed to create
a relationship of employment, partnership, agency, or joint venture between Contractor
and the University. Contractor will have no authority to enter into contracts binding
upon the University.
c.
Services: Contractor will provide to the University the services listed in Exhibit A in the
country of [insert name of country]. Exhibit A constitutes a part of this Agreement and
is deemed incorporated by reference herein. In the event that there are any conflicts
between Exhibit A and the terms of this Agreement, the terms of this Agreement shall
prevail.
d.
Term of this Agreement: [insert date range]
e.
While acting as a Contractor to the University, Contractor must comply with all
University policies regarding conduct and academic ethics, including but not limited to
non-discrimination and sexual harassment. If Contractor provides any services on the
premises of the University, Contractor must comply with all University policies,
including but not limited to non-discrimination, sexual harassment, smoking, possession
of weapons, illegally possessed controlled substances, and obligations to make
notification of suspected child abuse or neglect.
f.
Contractor affirms that this Agreement was not the result of collusion with any
employee or agent of the University. Contractor agrees that no right or duty may be
delegated or assigned to another party without the University's prior approval.
g.
This Agreement is not effective until a signed Purchase Order is issued to the
Contractor by the University.
2.
Fees and Expenses.
a.
Compensation: Contractor shall be paid $_________ by the University.
b.
The University provides no benefits such as unemployment insurance, health insurance,
or worker’s compensation insurance to Contractor. Contractor is responsible for
expenses associated with vaccinations required to travel to [insert name of country].
c.
Contractor shall be responsible for providing all tools and materials required for
performance of the services listed in Exhibit A.
d.
Invoices:
1.
Invoices shall be sent by mail to Indiana University Accounts Payable,
400 E 7th Street, Room 021, Bloomington, Indiana, 47405 (telephone:
812.855.4004) or by e-mail to invoice@indiana.edu.
2.
Purchase Order Number must be included on the invoice(s).
3.
If applicable, sufficient wire transfer information must be included on
invoice(s).
e.
Payment terms:
1.
Payment Processing Time: Net 30, upon receipt of invoice.
2.
Payment Schedule: Payment shall be due after satisfactory completion of all
services and after delivery of all deliverables.
3.
Method: Wire Transfer (when payment is made outside of US); Contractor is
responsible for bank/wire transfer fees.
f.
Prior to receiving any payment, Contractor is required to complete and submit all
necessary tax forms as required by the University. The Contractor’s legal name on the
tax forms must match the name of the party specified in Agreement. The name must
also match the name of the bank account to which payments are to be wired.
g.
Contractor is responsible for obtaining the appropriate immigration status, including all
visas and/or work permits required to work legally in the country of [insert name of
country]. The University, through its contacts, will assist in providing documentation
necessary to secure such visa(s) or work permit(s), but the University will not reimburse
expenses associated with obtaining such visa(s) or work permit(s).
h.
Contractor is responsible for payment of all applicable federal, state and local income
taxes in the U.S. and/or [insert name of country].
3.
University Representative.
The University’s authorized representative for communicating with Contractor is: [insert name,
address, phone number, and email if possible (Dept. Fiscal Officer or Faculty Project Manager
will suffice. Alternate representatives are acceptable)]. Contractor shall report to this
University representative and shall be entitled to rely upon instructions received from this
University representative.
4.
Applicable Law.
This Agreement shall be governed by the laws of the State of Indiana. Contractor shall at all
times comply with and observe all applicable laws and regulations which are in effect
during the period of this Agreement and which in any manner affect the work or its conduct.
5.
Designation of Forum.
Any party bringing a legal action or proceeding against any other party arising out of or relating
to this Agreement may only bring the legal action or proceeding in the United States District
Court for the Southern District of Indiana or in the Monroe Circuit Court in Monroe County,
Indiana.
6.
Headings: Interpretation.
When used in this Agreement, "University" includes all segments of the institution including
all, athletic and academic departments, as defined in the legal entity "The Trustees of
Indiana University."
7.
Limitation on Damages.
Neither party shall be liable to the other or to any third party for any consequential or
incidental damages, including lost profits, alleged to arise out of the material breach of this
Agreement.
8.
Indemnification and Hold Harmless.
Contractor shall indemnify and save harmless The Trustees of Indiana University, its
officers, agents and employees from any and all claims, losses, costs, damages, liability and
expenses (including costs of defense, settlement, and reasonable attorney's fees) in
connection with claims or suits for damage to property and/or injury to persons, including
death, alleged or claimed to have been caused, by or as a result of Contractor performing
services under this Agreement, whether through Contractor’s negligence or willful act.
9.
Termination.
This Agreement may be terminated by either party with [insert number of days, e.g., 30 or
60] days’ notice. Notice must be made by certified mail to the signatories listed in Section
11 of this Agreement.
10.
Confidentiality of Data:
Contractor shall treat all data that it receives from University, is otherwise exposed to within UNIVERSITY data systems, or that is
provided by an individual user of Contractor’s service under this Agreement (collectively, “UNIVERSITY data”), with the highest
degree of confidentiality and in compliance with all applicable federal and state laws and regulations and UNIVERSITY policies.
Contractor shall employ commercial best practices for ensuring the security of all UNIVERSITY data, whether in electronic or paper
form, which it accesses, uses, creates, maintains, disposes of, or otherwise handles (hereafter “data activities”) in the course of
Contractor’s performance under this Agreement. Contractor’s responsibility for ensuring the security of UNIVERSITY data in the
course of its data activities extends to any subcontractors or other contractors, including but not limited to web hosts or other service
providers, who may, in the course of such data activities, view, process, or otherwise have access to UNIVERSITY data. Without
limiting the foregoing, Contractor represents and warrants that all machines, systems, and networking equipment that receive, process,
interact with, transmit, or store UNIVERSITY data shall meet or exceed the physical, network, and system security requirements
specified in UNIVERSITY’s University-wide IT Policies: IT-12, Security of IT Resources; IT-12.1, Mobile Device Security
Standard; and DM-01, the Data Management Policy for Management of Institutional Data
(http://protect.iu.edu/cybersecurity/policies); or otherwise conform to the standards identified by the National Institute of Standards
and Technology (NIST) applicable to the type of data and activities covered by the Agreement (available at
http://csrc.nist.gov/publications/PubsByLR.html). In the event of conflict between the requirements of UNIVERSITY’s policies and
NIST’s standards, Contractor agrees to comply with UNIVERSITY’s requirements. Significant deviation from these standards or
requirements must be approved by UNIVERSITY’s University Information Security Office. Contractor will notify UNIVERSITY
promptly of any nonconformity of its machines, systems, or networking equipment to applicable standards and requirements, whether
such nonconformity exists at the time of execution of this Agreement or arises thereafter.
Contractor represents and warrants that it shall only use UNIVERSITY data for the purpose of fulfilling its duties under this
Agreement and shall not further disclose UNIVERSITY data to any third party without the prior written consent of UNIVERSITY or
as otherwise required by law. Contractor shall not use UNIVERSITY data provided or made available to Contractor in the course of
its data activities under this Agreement for targeted marketing purposes; however, Contractor may use aggregated and anonymized
data that it derives from UNIVERSITY data within the course and scope of its data activities to enhance the quality of its performance
under this Agreement or the functionality of the service Contractor provides, provided that such UNIVERSITY data does not
constitute protected health information (“PHI”), as that term is defined and used in the Health Insurance Portability and
Accountability Act (“HIPAA”). Contractor acknowledges and agrees that all UNIVERSITY data provided or made available to it by
UNIVERSITY or individual users of Contractor’s service under this Agreement is and remains the property of UNIVERSITY or the
individual user, as determined by law and UNIVERSITY policy.
Upon termination or expiration of the contract, Contractor will either return or confirm the destruction of all UNIVERSITY data
provided or made available to Contractor under this Agreement, at UNIVERSITY’s election and in accordance with specifications for
return or destruction that UNIVERSITY shall provide at the time.
Without limiting the foregoing, in the course of performing its duties under this Agreement, Contractor may engage in data activities
involving the following types of UNIVERSITY data: student education records; financial information as that term is defined and
used in the Financial Modernization Act of 1999; protected health information as that term is defined and used in the Health Insurance
Portability and Accountability Act; genetic information as that term is defined and used in the Genetic Information Nondiscrimination
Act of 2008; and various items of personal identifying information, including but not limited to Social Security Numbers, payment
card numbers, financial account numbers and corresponding security or access codes and passwords, drivers license numbers, and
Indiana state identification card numbers. Contractor represents and warrants that it shall employ sufficient administrative, physical,
and technical data security measures to meet the requirements under the specific federal and state laws and credit card industry
standards applicable to all such types of UNIVERSITY data that Contractor receives, which may include but are not limited to:
a.
Student Education Records: The Family Education Rights and Privacy Act (FERPA), 20 USC 1232g et seq., and related
regulations at 34 CFR Part 99;
b.
Financial Information, including payment card and financial account numbers: The Financial Modernization Act of 1999,
15 USC 1681 et seq.; the Safeguards Rule at 16 CFR Part 314; and Indiana Code 4-1-11 and 24-4-9;
c.
Protected Health Information (PHI): The Health Insurance Portability and Accountability Act (HIPAA), 42 USC 1320d-2
(note); implementing privacy and security regulations at 45 CFR Parts 160 and 164, and related agency guidance. If
Contractor will access PHI to perform a service on behalf of UNIVERSITY under this Agreement, then Contractor and
UNIVERSITY must also enter into a Business Associate Agreement (BAA) in a form approved by UNIVERSITY. In the
event of any conflict between the BAA and this Addendum with respect to the security or privacy of data that contains PHI,
the terms of the BAA shall control;
d.
Genetic Information: The Genetic Information Nondiscrimination Act of 2008 (GINA), 42 USC 2000ff and implementing
regulations. Contractor must not collect any genetic information unless otherwise permitted by GINA and must otherwise
comply with its terms and regulations promulgated pursuant to GINA;
e.
Nonpublic Personal and Financial Information: Gramm-Leach-Bliley Act (Title 15, USC, Sections 6801(b) and
6805(b)(2));
f.
Social Security Numbers: Indiana Code 4-1-10, 4-1-11, and 24-4-9; and
g.
Payment Card Numbers: Indiana Code 4-1-11 and 24-4-9, as well as the Payment Card Industry Data Security Standards.
If receiving payment card numbers, Contractor shall be PCI-DSS compliant as per the requirements indicated according to
the PCI Security Standards Council, which can be found at https://www.pcisecuritystandards.org/, and shall provide to
UNIVERSITY annually a certificate of compliance from a PCI-DSS Qualified Security Assessor (QSA).
As applicable, Contractor shall also have a program in place, documented in writing, to identify, detect, and address warning signs of
identity theft, pursuant to the FACT Act, 15 USC 1681 et seq., and corresponding “Red Flag Rules.”
Immediately upon becoming aware of an exposure of University Data, Contractor shall notify UNIVERSITY at IT-Incident@iu.edu
and shall cooperate fully with UNIVERSITY’s investigation of and response to the incident. Except as otherwise required by law,
Contractor shall not provide notice of the incident directly to the persons whose UNIVERSITY data were involved without prior
written permission from UNIVERSITY.
To facilitate the investigation of security incidents, Contractor will retain and provide to UNIVERSITY, upon request, all
authentication and other relevant system logs, including relevant logs from any contractors or subcontractors, for a minimum of 60
days from the creation of such logs.
Contractor acknowledges and agrees that UNIVERSITY is subject to Indiana’s Access to Public Records Act (APRA), I.C. 5-14-3 et
seq., and that disclosure of some or all confidential information provided pursuant to this Agreement, or the Agreement itself, may be
compelled pursuant to that law. University agrees that, upon receipt of a request for confidential information made pursuant to
APRA, it shall a) promptly notify Contractor of the fact and content of the request, b) consult with Contractor regarding any
legitimate basis on which it might resist or narrow its response to the request, and c) disclose only information that the University, in
the opinion of its legal counsel, is legally compelled to disclose.
Notwithstanding any other provision of this Agreement, and provided that the University has not modified the Contractor’s software
in any manner, Contractor shall reimburse the University in full for all direct costs, expenses, and liabilities incurred by the University
as a result of Contractor’s failure to comply with the above data confidentiality and security requirements. This obligation shall
include reimbursing the costs or expenses incurred by University in providing any notices to parties whose data may have been
subject to unauthorized access as a result of Contractor’s failure to comply with the above data confidentiality and security
requirements, as well as defending, indemnifying, and holding the University harmless from any third-party claims or causes of action
of any kind arising from or relating to the Contractor’s use, maintenance, or handling of UNIVERSITY data received in connection
with its performance under this Agreement. These remedies shall be in addition to any other remedies provided within this
Agreement or otherwise available under law.
Contractor will ensure that employees who perform work under this Agreement have read, understood, and received appropriate
instruction so as to comply with the foregoing data protection provisions of this Agreement. Any subcontractors used by Contractor to
perform work under this Agreement that involves access to or use, processing, maintenance, transmission, storage, or disposal of
UNIVERSITY data, must be approved in advance by UNIVERSITY, and their subcontracts must contain the same data protection
provisions for UNIVERSITY data specified above.
UNIVERSITY reserves the right to require the Contractor to provide the results of:
a.
an audit of security policies, practices, and procedures on an annual or biennial basis, to be performed by a third party
approved by UNIVERSITY;
b.
a vulnerability scan, performed by a scanner approved by UNIVERSITY, of the Contractor’s systems that are used in any
way, or that interact with systems used in any way, to provide service(s) under this Agreement and/or receive, use, process,
maintain, transmit, store, or dispose of UNIVERSITY data;
c.
a formal penetration test, performed by a process and qualified personnel approved by UNIVERSITY, of the Contractor’s
systems that are used in any way, or that interact with systems used in any way, to provide service(s) under this Agreement
and/or receive, use, process, maintain, transmit, store, or dispose of UNIVERSITY data.
11.
Signatures.
University
Signature:
Printed Name: Matt Estell
Title: Purchasing Contract Manager
e-Mail: mestell@iu.edu
Phone: 812.855.4284
Date: (included in digital signature)
Contractor
Signature:
Printed Name:
Title:
e-Mail:
Phone:
Date:
EXHIBIT A
Statement of Work
Please provide a detailed description of services to be performed. List specific tasks to be performed
by Contractor, deliverables, and any applicable deadlines for completion of the work. Do not address
payment terms here. Payment terms will be addressed in Section 2 of the agreement.