Confidentiality Language for Penn Supplier Agreements

In collaboration with the Office of Audit & Compliance, Purchasing Services is pleased to announce the availability of new "Confidentiality Language" for any Penn supplier agreement that involves sharing personal or proprietary data and that does not incorporate our standard terms.

Please share this information with the appropriate individuals within your School or Center. Please direct all questions to Jim Graham in Purchasing Services or Lauren Steinfeld in the Office of Audit & Compliance.

Model Confidentiality Language

1. In General: Service Provider agrees to maintain strict confidentiality concerning confidential information, including but not limited to all personal information supplied by University, as well as all business planning, financial information, trade secret or other proprietary information, written, oral, acquired, shared, provided, or developed under this Agreement ("Confidential Information"). Personal information is information relating to an individual that either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
2. Property of University: Confidential Information shall remain the sole property of University. Service Provider expressly acknowledges and agrees that Service Provider has no property right or interest whatsoever in any such data.
3. Security Safeguards: Service Provider shall maintain adequate security safeguards against unauthorized access, use, or disclosure.
4. Use and Disclosure Limitation: Service Provider shall not use, provide, trade, give away, barter, lend, sell, or otherwise disclose Confidential Information, and shall not make any copies of such data or any type whatsoever, in readable or encrypted form, or in individually identifiable or aggregate form, except
   1. as necessary for the [services / program in this agreement]; or
   2. as expressly permitted by University in a separate writing.
5. Restricted Access: Service Provider shall only permit access to personal data supplied by University to those employees, volunteers, agents and/or representatives of Service Provider and its affiliates who need such access to perform their duties under this Agreement or as required by law.
6. External Request for Confidential Information: In the event that the Service Provider receives a request for Confidential Information from a court or governmental authority, or accrediting agency, the Service Provider shall give prompt written notice to University in order to allow University the opportunity to seek the appropriate protective order to protect the Confidential Information.
7. Exclusions: This section shall not apply to any information or data which:
   1. Service Provider shall have lawfully possessed before entering into this Agreement;
   2. shall be lawfully acquired by Service Provider in circumstances or in a manner not resulting from, or related to, this Agreement or the performance of the Services;
   3. becomes part of the public domain in any manner other than the publication thereof in violation of this Agreement or otherwise unlawfully;
   4. is disclosed by Service Provider with the prior written approval of the University; or
   5. is otherwise required by applicable law to be disclosed by Service Provider (but then only to the extent that, and only to the recipient or recipients to whom or which, such disclosure is required; and only after Service Provider has given the University at least ten (10) days' advance written notice of such disclosure)