A "vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale. The typical types of vendor services that require an ISP vendor security assessment are technologies used to store, process, and/or transport covered data on behalf of the University, such as:
- Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bmail)
- Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS)
These types of vendors are required to meet the same campus policy standards for the protection of covered data that is required for applications and services that are managed by internal campus IT resources.