Policy - Third Party Product Requirements

CalArts IT (CAIT) fundamentally supports the need for operational units to choose the best-of-breed products that meet their specific needs. Whether it’s functionality, ease of use, and/or cost, departments and programs should be able to choose their preferred applications. However, it is critical that these applications meet certain basic requirements for use at CalArts. The below requirements are both industry-standard and should not present a high bar for vendors. These requirements address security and accessibility, which are both keystones of CAIT and CalArts strategic priorities.

  • Single Sign-On (SSO) compatibility, supporting either SAML or CAS protocols.
  • If applicable, support secure connections to CalArts critical systems such as Colleague or Active Directory (e.g. VPN-tunnels).
  • Completed Higher Education Cloud Vendor Assessment Toolkit (HECVAT), either full or lite version, or a SOC2 report.
  • Completed Voluntary Product Accessibility Template (VPAT).
  • Data privacy document/statement/policy from the vendor that is consistent with CalArts’ values and requirements.
  • Comprehensive Multi-Factor Authentication for vendor’s system(s) as an internal control.

While CAIT requires neither a specific score on the HECVAT nor certain answers on the VPAT, failure to demonstrate adequate security and accessibility controls could jeopardize the implementation of the product.
CAIT reserves the right to reject the implementation of any product that does not meet these requirements.

Have more questions? Submit a request


Please sign in to leave a comment.