DATA-20

Are ownership rights to all data, inputs, outputs, and metadata retained by the institution?

Explanation

This question is asking whether your institution maintains legal ownership of all data that enters, exists within, or is generated by the vendor's system. Specifically:

- Inputs: Data you provide to the system
- Outputs: Results or processed information the system produces
- Metadata: Information about your data (like when it was created, modified, accessed, etc.)

This question is critical in security assessments because data ownership directly impacts:

1. Legal rights and responsibilities: If you don't own your data, the vendor might have rights to use it in ways you don't anticipate
2. Compliance requirements: Many regulations (GDPR, HIPAA, etc.) require organizations to maintain control over their data
3. Business continuity: If ownership is unclear, you might lose access to critical data if the vendor relationship ends
4. Data governance: Proper ownership ensures you can enforce your security policies on the data

When answering this question, you should review your contract with the vendor and understand their terms of service regarding data ownership. The ideal answer confirms that your institution retains full ownership rights to all data, even when processed or stored by the vendor. If there are any exceptions or limitations to ownership, these should be clearly disclosed.

Example Responses

Example Response 1

Yes, our institution retains complete ownership rights to all data, inputs, outputs, and metadata processed or stored within the vendor's system. This is explicitly stated in section 4.2 of our Master Service Agreement with the vendor. The vendor acts solely as a data processor and makes no claims of ownership to any institutional data. Upon contract termination, all data will be returned to us in a standard format and permanently deleted from the vendor's systems within 30 days.

Example Response 2

Yes, our institution maintains ownership rights to all data, inputs, outputs, and metadata. The vendor's Terms of Service (last updated March 2023) specifically state: 'Customer retains all right, title, and interest in and to Customer Data, including all intellectual property rights therein.' The vendor is contractually prohibited from using our data for any purpose other than providing the contracted services. We have also negotiated additional contractual protections that require the vendor to implement technical controls preventing unauthorized access or use of our data.

Example Response 3

No, our current agreement with the vendor includes some limitations on data ownership. While we retain ownership of the raw data we input into the system, the vendor claims joint ownership rights to derived analytics and certain metadata generated through their proprietary algorithms. This arrangement was accepted as part of our negotiated terms because the vendor's machine learning systems require training data retention. We've mitigated risks by ensuring the vendor cannot use our identifiable data for purposes outside our agreement, and we've implemented additional contractual safeguards limiting how they can use the jointly-owned analytics outputs. We're currently reviewing this arrangement as part of our next contract renewal.

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub