As part of the University's contract review process, UAB IT is responsible for reviewing any University contract that includes an IT or IT related component prior to such contract being executed.  The information below, is provided to help facilitate the speedy processing of contracts once they are routed to IT for review. Questions on the process or requirements should be directed to UAB IT



  • Contract Owner - the person who initiates an agreement and/or purchase on behalf of a department/division
  • VPIT Contracts - the department that handles contract proparation and submission for VPIT
  • University (UAB) Contracts - includes Purchasing, Legal and CFOUAB


  1. Request an executable agreement and subordinate forms
  2. Provide a quote/invoice and/or rate sheet – as needed
  3. Complete a VPIT Routing Form that will include WHO, WHAT, WHEN, WHERE and/or WHY (see example below)
  4. Provide additional forms ( VDF, W-9, NDA/CDA, see Forms Library) – as needed
  5. Email all information to VPIT Contracts @
  6. VPIT Contracts will assess and prepare all information prior to routing an agreement though VPIT and UAB Contracts
  7. Routing an agreement takes approximately 20+ days as follows:
    1. Via DocuSign ( in-house) for review and signatures will take approximately 7 - 10 business days
    2. VPIT Contracts will email agreement over to UAB Contracts to route for review and signatures will take approximately 7 - 10 business days
  8. Contract Owner may check the UAB Contracts Dashboard for contract routing status with UAB Contracts @
  9. Copies of an executed agreements will be sent back to the Contract Owner ( see section D)
  10. Things that may delay routing an agreement (see Section B)
  11. See IT Routing Checklist
  12. Example of WHO, WHAT, WHEN, WHERE and/or WHY
    • WHO: Who is this agreement/contract for?
    • WHAT: What will this agreement/contract be used for?
    • WHEN: When will this agreement/contract be used?
    • WHERE: Where will this agreement/contract be placed (department/server/machine)?
    • WHY: Why are you using this particular agreement/contract?
    • ** These questions should be summarized into 2-3 short sentences as applicable. **


  1. An incomplete VPIT Routing Form
    1. Inadequate details in Business Purpose and Justification of Purchase details
    2. Lack of information for Impact
  2. Vendor required forms not provided or received
  3. No account numbers (for budgeting)
  4. Receipt of illegible copies of the agreement or forms
  5. Signees out of office
  6. Failure to email contract information to
  7. **Agreements with inaccurate or insufficient information will be emailed back to the contract owner**


Processing time may take up to 20+ business days as follows

  1. VPIT routing in-house via DocuSign may take 7-10 days business days for signees to review and/or sign the routing form
  2. UAB Contracts routing may take 7-10 business days for signees to review and/or sign the agreement
  3. Contract may be submitted as a RUSH , but there are no guarantees


  1. Request an executable copy of the agreement/EULA/SOW, along with any invoices or quotes, from the vendor ( agreement should include signature lines for the vendor and the customer/UAB)
  2. Provide a completed VPIT Routing Form
    1. Business Purpose and Justification of Purchase sections must have 2-3 detailed sentences of service and/or usage that include WHO, WHAT, WHEN, WHERE and/or WHY
    2. Impact if contract is not approved
  3. Request and provide any applicable forms ( VDF, W-9, NDA/CDA, etc.)
  4. Provide other required information for routing listed in Item E
  5. Email all documents listed above in 1-4 to VPIT Contracts for a review and routing
  6. Add initials to the UAB Contracts routing form via DocuSign
  7. Provide a fully executed copy of the agreement to the vendor:
    1. If the agreement was not signed by the vendor prior to routing, Contract Owner should send agreement over to have the vendor to sign and provide a copy of the fully executed copy back to us (and VPIT Contracts) for our records
    2. If the agreement was signed by the vendor prior to routing, send a copy of the executed agreement from UAB Contracts to them for their records
  8. Responsible for having the W-9 submitted to PO Help to have the new supplier code created
  9. Responsible for submitting the requisition/PO for the invoice
  10. Responsible for poviding a copy of the PO used for payment to VPIT Contracts for budgeting


  1. Review overall agreements and forms received from Contract Owner
  2. Review legal language - within our realm of knowledge
  3. Liaison between Contract Owner and Legal / Purchasing / CFOUAB / vendor
    **VPIT Contracts does not take the place of UAB Legal Counsel**
  4. Apply or suggest applicable forms for routing a successful agreement
  5. Create the routing form and document number for UAB Contracts
  6. Submit prepared agreement/contract for routing in-house and UAB Contracts
  7. Follow agreement thru to completion/execution
  8. VPIT Contracts will send 2 copies of the executed agreement to the Contract Owner as follows:
    1. 1st attachment should be used when submitting a requisition/PO with UAB’s Contract Summary information
    2. 2nd attachment should be used to forward a copy to the vendor to fully execute the agreement (if not previous signed), or for documentation ( with out UAB’s Contract Summary information). Return a copy back to VPIT Contracts for our records.
  9. Maintain database for all completed agreements and budgeting


These forms must be completed and signed as follows

  1. Vendor Disclosure Statement ( VDS) - for agreements over $5,000
    • One form may be used for the same vendor within a calendar year
    • A newly signed VDS is required every year for each vendor
    • Should be completed by the contract owner
  2. Sole Source Justification - for agreements over $15K+
    • completed by the contract owner
  3. Heightened Review Form - for agreements over $250K+
    • completed by the contract owner
  4. W-9 – tax form for new vendors/suppliers to create a supplier number
    • completed by the vendor
  5. BAA – for agreements that included HIPAA related information
    • completed by Privacy Dept or VPIT
  6. NDA/CDA – a confidentiality agreement that outlines material, knowledge, processes, etc., that may be confidential – that parties wish to share
    • completed by the vendor
  7. Fee for Service – UAB providing a service or UAB receiving a service
  8. Addendums – for confidentiality, hosting of UAB data, web language, etc.
    • completed by VPIT Contracts
  9. Consulting Agreement Forms
  10. Rate sheet – when hiring paid contractors
    • completed by the vendor
  11. After initial review, VPIT Contracts may request or apply additional forms (i.e. IT Addendums, etc.)

G. WHERE IT GOES – when routing for review and/or signatures

  1. VPIT In-house Routing via DocuSign
    1. The contract owner ( initials required on the UAB Contracts routing form)
    2. The Chief Technology Officer (CTO), Chief Information Security Officer (CISO), and/or Chief Data Officer (CDO) ( signature required on the VPIT Routing)
    3. The Deputy Chief Information Officer (DCIO) ( signature required on the VPIT Routing Form)
    4. The Chief Information Officer ( initials required on the UAB Contracts routing form)
  2. UAB Contracts Routing via email:
    1. UAB’s Contracts Office (Purchasing)
    2. UAB’s Legal Counsel Office
    3. UAB’s Chief Financial Officer (CFOUAB)
    4. Back to VPIT Contracts
  3. VPIT Contracts Route Agreement to Contract Owner
    1. Contract owner will receive an email with two attachments as follows
      • 1st attachment can be used when submitting any purchase orders after the agreement has been fully executed by UAB and the vendor ( with UAB’s Contract Summary information)
      • 2nd attachment has been sent to the vendor ( without UAB’s Contract Summary information)
  4. See attached VPIT Contracts Routing Process w/Timeline (see attached & add)

DocuSign In-house Signing Process

  1. Email notification for signing/initialing the agreement
  2. Email notification that all signatures have been received in-house
  3. Once DocuSign is in a signee’s queue, the signee will receive a notification every day until the signature or initials have been received, or if the agreement is rejected.



  • Contracts* for software, subscriptions, or services (including software maintenance) that include
    • Hosting/processing/transmission of UAB data external to UAB
    • PCI (Payment Card Industry) acceptance/processing of credit card transactions
    • Design, creation, maintenance, support, and/or hosting of any website/webpage
    • Personally identifiable information (PII) or personal health information (PHI) - does not include Health System Agreements which are managed by HSIS
    • Audit language
    • Custom software development
    • Agreements for products where a similiar product or standard is already available/supported at UAB
    • Hardware purchase with embedded software with any of the above
  • *NOTE: For agreements that include the type of information listed above, documents/agreements must be executable, meaning they have signature lines for both UAB and the vendor. Printing a 'click-agreement' or printing language from a website and submitting as an 'agreement' for review does not guarantee that the vendor will ever see changes/addendums that UAB may make or add to the agreement.


  • The primary goal is to minimize risk to you and UAB. New agreements are normally subject to a more detailed review than renewal agreements. IT will review the checklist (see the FORMS section below) that you submit with your agreement for a quick determination of what review may be needed.
      • As necessary:
        • Confidentiality and Information Security provisions are reviewed to ensure appropriate confidentiality language is present, provisions to follow UAB on-site rules are present (if applicable), and the the vendor performs background checks on their employees. For agreemnts that include HIPAA or PHI a Business Associate Agreement (BAA) will also be required. The BAA is handled by the UAB Legal and/or Privacy office and not by UAB IT.
        • For agreements where the vendor is hosting/processing/or transmitting UAB information additional language is needed: appropriate vendor controls are in place to protect UAB's data and that such controls are audited appropriately; that provisions are included for the return of UAB data at the end of the agreement; and that the vendor will notify UAB in the event of any security event involving UAB data. If the vendor is processing payment transactions language supporting the PCI (payment card industry) standards are required.
        • Indemnification and Liability provisions are reviewed to ensure that the vendor indemnifies UAB from any claims that their product breaches any copyright, trademark, or patents and that they will defend any such claim at their expense. In addition, most vendors limit any claims for any breach to a small dollar amount...IT adds language removing that limitation when the breach is for confidentiality or information security claims.
        • Web/website development agreements are reviewed to ensure the vendor is aware of and will follow UAB branding requirements, security standards, and 508 compliance requirments.
        • Audit language is reviewed and modified if needed (vendor's right to come on site at-will to audit);
        • Language is added that the "Written Agreement Governs". This is to prevent a conflict when a 'click' agreement may have to be accepted by a UAB employee to actually download, run, or maintain the product.
      • IT will aslo look to see if a similar service/product is already in place at UAB. If so, IT will work with the requesting department to understand and document the justification/business case for going outside the standard service/product.

      *Please refer to Step A for what is needed to route your “new” agreement”

    • For renewals:
      • If the renewal inidicates it is governed by an existing agreement and that existing agreement was reviewed by IT initially, then the only IT review is to ensure no changes to any language are being requested by the vendor and that the renewal is consistent with the underlying agreement.
      • If the renewal is for an agreement that was not reviewed by IT initially, then IT will need to review the underlying agreement and work with the department on what options may be available to make modifications based on the criteria above for new agreements. Modifications to existing agreements may take more time and may ultimately result in modifications not being possible...potentially increasing the risk to UAB.
    • Language to cover all of the items above are is provided in the applicable IT Addendum (see the FORMS LIBRARY section). The addendum can be printed and submitted to the vendor for signagure prior to routing that agreement for signature at UAB. This will greatly speed up the review process in IT.


  • Complete the IT Checklist and attach it to your contract when routing (see the FORMS LIBRARY section);
  • If any of the items 'checked' on the list indicate an IT addendum is needed, go ahead and send the addendum to the vendor for signature prior to routing for UAB review/signature (see the FORMS LIBRARY section).
  • UAB Contracts/Procurement also require a generic addendum be added in most cases. If you send the vendor an IT addendum, also include the UAB addendum. (See the FORMS LIBRARY section).
  • Provide any backup information such as master agreements, statements of work, etc.
  • Submit agreements that are 'executable'...(signature lines for both parties and are not simply printed off of a website).


Below are some items that should be considered when negotiating any agreement, not just IT related agreements.

  • Don't base fees/costs on FTE numbers as these numbers can change each year;
  • No annual escalators;
  • Include vendor service level expectations with remedies if they are not met/maintained;
  • Include 'piggyback clauses' where the agreement can be used by other institutions in the UA System;
  • If the vendor holds/processes any UAB data, make sure the agreement contains a data exit clause that ensures UAB data is returned at no cost to UAB and in a timely manner;
  • For agreements with professional services:
    • clearly define responsibilities and expectations of each party
    • limit travel costs for any on-site work to actual costs and to no more than 15% of the actual professional services you pay
    • include language indicating the vendor will follow UAB on-site rules if working on UAB property (see the FORMS LIBRARY SECTION)
    • include language indicating the vendor must be aware of and follow UAB's Acceptable Use of Computer policy (see the FORMS LIBRARY SECTION) when connecting devices to the UAB network
    • Don't agree to pay for services/products up front. Base payment on milestones or completion and UAB written acceptance;
  • In most cases agreements should renew annually upon mutual agreement and with issuance of a UAB PO. Agreements should not renew automatically or where you are required to notify the vendor 60 days prior to the renewal date.
  • For contracts that IT intiates a standard agreement review template is used to evaluate risk. You can download a copy of that template here for your own use.