Data Protection and Purchasing

I am interested in a new product or service.  Does UVA Information Security need to review it?

According to the University Data Protection Standards 3.0, all suppliers handling sensitive or highly sensitive data must be reviewed by UVA Information Security before the product or service is purchased and/or used.  

How do I know if the data is Sensitive Data or Highly Sensitive Data?

You can find specific examples of the data classifications in the University Data Protection Standards 3.0.  If you are unsure about how to classify a particular data set, reach out to and we can assist you in making that determination.  Full definitions for UVA's data classifications are available in the University's Data Protection policy.

I need to have an Information Security review of my purchase.  How do I request a review?

Visit our review request webpage for details on how to submit a request in OneTrust.  This will create a ticket in our system and will also ensure that our entire team of analysts can see and respond to your request.

NOTE: Do not submit a purchase requisition to Procurement and Supplier Diversity Services (PSDS) until after the UVA Information Security review.

What will I need to give to Information Security for their review?

Information Security will always ask for a document called a "SOC 2", and the supplier will know what that means.  It will save you some time if you go ahead and ask the supplier to provide this and have it ready when asked.  This is particularly critical for products or services that will receive Highly Sensitive Data (see the Vendor Security Review standard).

How long do reviews typically take?

This can vary depending on the responsiveness of the supplier.  If a supplier is responsive and replies to requests for information and documentation in a timely fashion, then a review can take as little as five business days.  On the other hand, if a supplier takes multiple weeks to reply to questions, a review could take much longer.  Information Security reviews often require extensive back-and-forth, so the responsiveness of a supplier has a significant impact on the overall time it takes to perform a review.  If you are working on narrow project timelines, then reach out to as soon as you know the product or service you plan to buy.

Do I need to submit any documents to Procurement and Supplier Diversity Services (PSDS) when I submit the requisition?

Yes, you will need to submit the Information Security approval document when submitting your requisition to indicate to PSDS that Information Security has already done the review. This document will also be used for auditing purposes.

What is the Data Protection Addendum and does it need to be part of the contract?

The Data Protection Addendum (DPA) was created by University Information Security (InfoSec) in partnership with UVA Audit, University Procurement Services, Medical Center Procurement, University Counsel, and Health System Computing Services to develop a standard set of data security, privacy, and audit terms and conditions for University contracts with firms that must create, obtain, transmit, use, maintain, process, or dispose of University data.  The IT Compliance team, in collaboration with University Procurement Services, can help determine if this addendum is needed for your purchase.  This addendum ensures that suppliers fulfill their contractual obligations in accordance with University policy and local, state, and federal laws and regulations. Inquiries about the DPA may be sent to the IT Compliance team of the University Information Security office at

