We have a list of questions that we (the dept. buying the software) fill out based on our own reading of the contract/interaction with the vendor. Those include things like:
- Does Lehigh retain all rights to our and our customer data?
- Can we access and remove all of our data?
- Is FERPA in scope?
- Is HIPAA in scope?
- Is GLBA in scope?
- Are they willing to submit a HECVAT survey?
- Does the data leave the United States?
- Is encryption enforced at rest and in transit?
- Are data security controls spelled out in the contract? SOC2?
- Do we have the ability to audit or view an independent audit of these controls?
- Are they required in contract to follow their security policy?
So, our legal/IT folks certainly ask for specific information, but none of these things are required for every piece of software we buy/vendor we use. It really comes down to risk assessment. We'd be (and have been) a lot more strenuous on a full CRM system handling all donor data/financials than we would be on a system that was just meant to hold constituent emails/names.
So, in short, we certainly try to get as much security info as we can, but it's not a requirement, just a part of the decision making process.
I see that you're not in HE, but it still may be worth looking into something like HECVAT, which is kind of a standard survey a vendor could use across many clients, rather than having them fill out a bespoke survey for each client.
Good luck.
Sean
------------------------------
Sean Shappell
Asst. Vice President, Information Services
Lehigh University
ses211@lehigh.edu
------------------------------
Original Message:
Sent: 07-15-2022 11:51 AM
From: Tracey Mullane
Subject: Data Security Questionnaires for Vendors
Last year my org started requiring any vendors who will handle our donor data to complete a 20-page data security questionnaire that is reviewed alongside their MSAs/agreements. Most vendors have been accommodating but in the past 2 weeks two vendors have declined to complete them.
One was a lockbox company that would only complete it if we paid a $3k (minimum) fee for them to do so, saying no other clients have ever asked this of them, even clients with millions of pieces of mail a year (way more than us). The other tech vendor yesterday said they will only complete a security questionnaire if the purchased services would be at a minimum threshold of $30k (which our purchase will not reach), but that they are happy to share a number of security documents/audits in lieu of the form.
Our gift team decided to go with another lockbox. For the tech vendor, they were one of two finalists and their tool is significantly cheaper than the other. I've gathered their MSA and security documents and will try to figure out if our legal team would make an exception if we wanted to go with them.
If you have any experience navigating this at your institution, I'd love to hear from you. My boss and I are trying to ascertain if the questionnaire is way outside of the norm of what other orgs are asking of their vendors so we can share feedback. Obviously, the more vendors that decline this requirement, the fewer options our team has if our legal team won't budge on this requirement, which is concerning.
Thanks in advance,
-Tracey
------------------------------
Tracey Mullane
Director, CRM Strategy and Operations
Partners In Health
tmullane@pih.org
------------------------------