Will there be additional information or documents I need to provide when requesting a VSA?

Yes, the Requester will be responsible for providing the following information when requesting a VSA:

  • Vendor primary point of contact (name, title, phone number, and email address)

  • Vendor name and product/service being purchased

  • A description of the Vendor product/service and how it will be used on campus

  • A completed UC Appendix DS Exhibit 1 form

Additionally, the following security documents will speed up the assessment process:

  • SOC 2 Type II report

    • If available, include the Vendor’s SOC 2 Type II report. NOTE: Venminder will need the Vendor’s own report, not the report of the Vendor’s hosting provider (such as AWS, Azure, or GCP).

  • PCI DSS compliance documentation for Vendors that accept payment card data on behalf of UC.

    • Please include the Vendor’s PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), and any other supporting policies or PCI compliance documentation.

ISO will no longer ask for the statement of work, contract/agreement, or the Vendor’s security plan.