Sharing institutional data with third parties

Protect data shared with cloud services and other third parties.

IU Policy DM-02 “Disclosing Institutional Information to Third Parties” requires that a department take proactive steps when using a third party to share, collect, or access IU institutional data. These steps must allow all parties involved to be aware of and reduce the risks associated with sharing the information. IU offers a pair of services which evaluate software and services and provide an assessment prior to sharing institutional data with that service. To take advantage of this service and remain in compliance with IU policy, please review the request forms below.

Submit the Software & Services Selection Process (SSSP) form

If your request is associated with a new purchase, you must first submit a Software & Services Selection Process (SSSP) form. Requesters may be asked to submit additional information to the Data Stewards for a third-party assessment. For questions related to this process, contact

Submit the Third-Party Assessment (3PA) request form

To request an assessment, submit a third-party assessment (3PA) formThis allows the appropriate Data Steward(s) to review and determine whether a security review is required prior to releasing any IU data to the service.  After you submit the request, a Data Steward will contact you with questions and issue a data decision with any conditions associated with the approval. For questions related to the third-party assessment, contact

Please note: If you need to release institutional data that does not involve a purchase or renewal, please start with a third-party assessment (3PA) request form rather than the SSSP form.