IT Cloud Vendor Security Review Request

Use this form to request a security review of new cloud services/applications prior to purchase. 

1. Prior to completing the form, ensure the SaaS solution can meet the following security requirements:

  1. Access Control – the application or service can integrate with the university SSO service. If the university SSO service cannot be used, two-factor authentication can be enabled. If neither of these requirements can be fulfilled, please consult Todd Brown (todd_brown@byu.edu).
  2. Regulatory Compliance – the application or service complies with applicable regulatory data security requirements (FERPA, PCI DSS, HIPAA, GLBA, etc.).

2. The following information will be required to complete this request:

  • A functional description of the cloud service/application.
  • The data elements that will be processed/stored.
  • The classification of the cloud service/application (based on the Data Classification Policy).
  • The vendor must provide a completed security audit report, certificate of conformance, or an industry-recognized self-assessment attesting to the vendor’s key security practices and capabilities. Preferred conformance documents include:
    • Third-party SOC 2 Type II report
    • Third-party SOC 2 Type I report
    • ISO 27001:2013
    • HECVAT (v3 or later) – if the cloud service stores Restricted data
    • HECVAT Lite (v3 or later) – if the cloud service stores any private data other than Restricted
    • CAIQ v4 or later

***If the vendor does not have any of the above listed documents, they must complete the appropriate HECVAT. These can be downloaded from the EDUCAUSE website here: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit#tools.