The contract language in this table draws upon language from model licenses and existing vendor contracts. The language examples have been modified to remove individual names of businesses and libraries.
| Exceeds Minimum Viable Privacy | Meets Minimum Viable Privacy | Does Not Meet Minimum Viable Privacy |
| Use of the service does not require the entering or capturing of personally identifiable user information. | We may collect anonymized information related to your use of our products, services and data. |
| Exceeds Minimum Viable Privacy | Meets Minimum Viable Privacy | Does Not Meet Minimum Viable Privacy |
| The Licensor agrees that no personally identifiable information, including but not limited to log-ins recorded in system logs IP addresses of patrons accessing the system, saved searches, usernames and passwords, will be shared with third parties, except in response to a subpoena, court order, or other legal requirement. If Licensor is compelled by law or court order to disclose personally identifiable information of Authorized Users of patterns of use, Licensor shall provide the Licensee with adequate prior written notice as soon as is practicable, so that Licensee or Authorized Users may seek protective orders or other remedies. | The Licensor shall not, without the prior written consent of Subscriber, transfer any personal information of any Authorized User to any third party or use it for any purpose other than as described in this Agreement and in the online privacy policy for the relevant online service. | We shall not provide your usage statistics in any form to any third party without your written authorization, unless the third party owns rights in the products and services. |
| Raw usage data relating to the identity of specific users and/or uses shall not be provided to any third party. | The Licensor shall not disclose or sell usage data or information about the Licensee or its Authorized Users without the Licensee’s written permission.
|
We may use this information to test and improve our products and services and to protect and enforce our rights under the agreement and may pass this information to our third party providers for the same purposes. |
| Raw usage data, including but not limited to information relating to the identity of specific users and/or uses, shall not be provided or sold to any third party. | Licensor shall not, without the prior written consent of the Licensee(s) transfer any personal information of any Authorized Users to any affiliated and/or non-affiliated third party or use it for any purpose except as is necessary to perform the Services in compliance with applicable State & Federal laws and institutional regulations, including the Family Educational Rights and Privacy Act (“FERPA”). |
| Exceeds Minimum Viable Privacy | Meets Minimum Viable Privacy | Does Not Meet Minimum Viable Privacy |
| Vendor shall not use the Personal Information for any purpose except in the performance of this Agreement and to provide Support Services to the Participating Institutions and their respective permitted users. Vendor will not use the Customer Data (including metadata) for advertising or marketing purposes unless such use is specifically authorized by the applicable Participating Institution. Vendor is prohibited from Mining Customer Data for any purposes other than as part of the normal functioning of the Service for the benefit of Participating Institution and the operation of the Services environment by Vendor or those otherwise agreed to by the applicable Participating Institution. | Such usage data shall be compiled in a manner consistent with applicable privacy and data protection laws, and the anonymity of individual users and the confidentiality of their searches shall be fully protected. | For the sake of clarity, the storage of personal data in a third-party environment will not be deemed “sharing” for the purposes of this section. |
| Exceeds Minimum Viable Privacy | Meets Minimum Viable Privacy | Does Not Meet Minimum Viable Privacy |
| Except as otherwise expressly provided for in this Agreement, our Service is subject to [vendor] Privacy Policy, which is expressly made a part of this Agreement as Appendix A. | In the event that Licensor requires Authorized Users to agree to terms relating to the use of the Licensed Materials before permitting Authorized Users to gain access to the Licensed Materials (commonly referred to as “click-through” licenses), or otherwise attempts to impose such terms on Authorized Users through mere use or viewing of the Authorized Materials, Licensor shall provide Licensee with notice of and an opportunity to comment on such terms prior to their implementation. In no event shall such terms materially differ from the provisions of this Agreement. | Our products and services may include data, software and services from third parties. Some third party providers require us to pass additional terms through to you. The third party providers change their terms occasionally and new third party providers are added from time to time. To see the current third party additional terms for our products and services visit [URL]. |
| Vendor agrees not to cause authorized users to enter into a potentially binding agreement with the publisher (e.g., a “click-through” license) independent of the institutional agreement with the Licensee as a condition use of its product. | This Agreement is comprised of General Terms and Conditions, the Terms of Use (available at [URL/terms]…), the Privacy Policy (located at [URL/privacy], which governs the registration data and other information [vendor] collects)… Notwithstanding the foregoing, to the extent of any conflict or inconsistency between this Agreement and [vendor] Privacy Policy and Terms of Use for the Website and URL through which Institution accesses the Products and Institution Content, the terms of [vendor] Privacy Policy and Terms of Use shall prevail for the subject matter covered therein. |
| Exceeds Minimum Viable Privacy | Meets Minimum Viable Privacy | Does Not Meet Minimum Viable Privacy |
| Participating Institutions retain ownership of the Personal Information of each and may, at any time during the term of this Subscription Agreement, access, review, modify and delete Personal Information that Vendor is storing. | Licensor does not own any data, information or material that you submit to the Software (“Customer Data”).
|
Vendor may derive insights from its processing, aggregation, and analysis of data submitted by Client. The parties hereby agree that Vendor shall have the right to use, apply, and disseminate any such insights as it sees fit. |
| In the case that the Publisher assigns its rights to another party, the Licensee may at its discretion require the assignee either to keep such usage information confidential or to destroy it.
|
||
| After termination and upon request, Vendor will promptly return or destroy all applicable Institution Data, except however, Vendor may retain Institution Data in back-up files provided that the confidentiality and security obligations contained herein shall apply. |
| Exceeds Minimum Viable Privacy | Meets Minimum Viable Privacy | Does Not Meet Minimum Viable Privacy |
| This licensor shall not require the use of an authentication system that creates an unnecessary barrier to authorized access by users. | Vendor may derive insights from its processing, aggregation, and analysis of data submitted by Client. The parties hereby agree that Vendor shall have the right to use, apply, and disseminate any such insights as it sees fit. |
| Exceeds Minimum Viable Privacy | Meets Minimum Viable Privacy | Does Not Meet Minimum Viable Privacy |
| Vendor will promptly notify Institution in the event of a verified breach of non-public personal data unless such breach is unlikely to result in material harm to Institution or the data subject, or as otherwise provided by law. Institution agrees that it shall be Institution’s sole responsibility to determine whether a breach is subject to state, federal or national breach notification laws and requires breach notification (“Breach Notification”). In the event that Institution determines that a breach requires Breach Notification, Vendor agrees that it will reasonably cooperate with Institution in regards to Institution’s Breach Notification obligations as specified in the applicable law, including Institution’s investigation, enforcement, monitoring, document preparation, Breach Notification requirements, and reporting. | Licensor will notify Licensee and Authorized Users as soon as is practicable if the Licensor’s systems are breached and the confidentiality of personally identifiable information is compromised. | In no event shall Vendor or its suppliers be liable for any incidental or consequential damages, lost profits or lost data, or any other indirect damages caused by Vendor performance or nonperformance of this Agreement, except where such damages arise through Vendor failure to take reasonable precautions. |
| Vendor publishes or makes available its information security procedures (“Information Security Plan”) to Licensee and its other customers and regularly reviews its Information Security Plan and updates and revises from time to time as necessary. Vendor shall perform an annual audit by a third-party independent auditor of its compliance with the ISO-27001 (or comparable industry) standard. | Vendor will maintain current data security management practices that follow established standards and will notify Licensee in the event of any data breach occurring. | |
| Vendor will (i) implement administrative, physical, and technical safeguards in accordance with accepted industry practices including conducting audits in accordance with the ISO/I EC 27001 standard (or subsequent comparable standard) and (ii) as reasonably requested by Institution, provide Institution with a copy of the certificate of registration for such standard along with any relevant reported deficiencies regarding non-compliance together with corrective action plans for addressing such deficiencies identified in the report. |