Risks and Considerations of Cloud Services

Approved Services

This table indicates which data categories (Published, Controlled, and Confidential) are allowed on a selection of common IT services.

Published Data: generally low risk
Controlled Data: generally presents a moderate risk
Confidential Data: can be high to very high risk, depending on the type of data and the compliance framework it falls under

For more information on data classification, please see UT's Data Classification Standard.

The cloud services below have color-coded checkboxes to help you know which types of university data are authorized for use.

Some data types require additional steps to process and store securely. Additional information can be found in the linked footnotes. For products displaying "Contact the ISO", please reach out at security@utexas.edu.    


Cloud Collaboration Services

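| Cloud Collaboration Services | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Cisco Spark/Webex Teams | YES | YES | NO | NO | NO | NO | NO | NO | NO |
| Slack (slack.com) [3] | YES | YES | NO | YES | NO | NO | NO | NO | NO |
| Microsoft 365 Platform (e.g., OneDrive, Sharepoint, Teams, Forms) [4] | YES | YES | YES | YES | NO | NO | NO | YES | NO |
| Zoom | YES | YES | YES | YES | NO | NO | NO | NO | NO |
| Panopto | YES | YES | NO | YES | NO | NO | NO | NO | NO |
| Canvas [10] | YES | YES | NO | YES | NO | NO | NO | NO | NO |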


Cloud Document Services

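| Cloud Document Services | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Apple iCloud [5] | YES | NO | NO | NO | NO | NO | NO | NO | NO |
| Google Suite for Education [8] | YES | YES | NO | YES | NO | NO | NO | NO | NO |
| Docusign | YES | YES | YES | YES | YES | NO | NO | YES | NO |
| Smartsheet | YES | YES | NO* | YES | NO | NO | NO | NO | NO |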


Cloud Email Services

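| Cloud Email Services | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Apple iCloud [5] | YES | NO | NO | NO | NO | NO | NO | NO | NO |
| UTmail [8] | YES | YES | NO | NO | NO | NO | NO | NO | NO |
| UT Outlook 365 [4] | YES | YES | YES | NO | NO | NO | NO | NO | NO |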


Cloud Infrastructure Services (IaaS)

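| Cloud Infrastructure Services (IaaS) | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Google GCP [9] | YES | YES | YES | YES | Contact the ISO | Contact the ISO | NO | YES | NO |
| Amazon (AWS) [9] | YES | YES | YES | YES | Contact the ISO | NO | NO | YES | NO |
| MS Azure [4] | YES | YES | YES | YES | NO | NO | NO | YES | NO |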


Cloud Storage Services

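| Cloud Storage Services | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Apple iCloud [5] | YES | NO | NO | NO | NO | NO | NO | NO | NO |
| Box | YES | YES | YES | YES | Contact the ISO | Contact the ISO | Contact the ISO | YES | NO |
| DropBox [5] | YES | NO | NO | NO | NO | NO | NO | NO | NO |
| Google Suite for Education (utmail.utexas.edu) [8] | YES | YES | NO | YES | NO | NO | NO | NO | NO |
| Microsoft 365 Platform (e.g., OneDrive, Sharepoint, Teams, Forms) [4] | YES | YES | YES | YES | Contact the ISO | Contact the ISO | Contact the ISO | YES | NO |
| UT Backup (e.g., Code42/Crashplan) | YES | YES | YES | YES | Contact the ISO | NO | NO | YES | NO |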


Cloud Survey Services

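| Cloud Survey Services | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Qualtrics | YES | YES | YES | YES | NO | NO | NO | YES | NO |
| Microsoft 365 Platform (e.g., OneDrive, Sharepoint, Teams, Forms) [4] | YES | YES | YES | YES | NO | NO | NO | YES | NO |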


Cloud Web Hosting Services

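| Cloud Web Hosting Services | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Content Management: UT Drupal Kit - Managed / Pantheon Web Hosting (Drupal, WordPress, etc.) | YES | YES | NO | YES | NO | NO | NO | NO | NO |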


Cloud Workflow Platforms

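| Cloud Workflow Platforms | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Salesforce | YES | YES | YES | YES | NO | NO | NO | NO | NO |
| ServiceNow | YES | YES | YES | NO | NO | NO | NO | NO | NO |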

 


AI Services

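| AI Services | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| OpenAI ChatGPT (free) [7] | YES | NO | NO | NO | NO | NO | NO | NO | NO |
| OpenAI ChatGPT Teams [7] | YES | NO | NO | NO | NO | NO | NO | NO | NO |
| OpenAI ChatGPT Enterprise | YES | YES | YES | YES | NO | NO | NO | NO | NO |
| Microsoft Copilot (free) [7] | YES | YES | NO | NO | NO | NO | NO | NO | NO |
| Microsoft Copilot for M365 (paid) [7] | YES | YES | YES | YES | NO | NO | NO | NO | NO |
| Microsoft Azure OpenAI API [7] | YES | YES | YES | YES | NO | NO | NO | NO | NO |
| Google Gemini [7] | YES | NO | NO | NO | NO | NO | NO | NO | NO |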


Local Services

For comparison purposes, select services run by ITS and offered to campus are listed below with the types of data that are approved for use with each. Use of locally hosted services is encouraged over cloud services when possible. This table is not intended to be a comprehensive list of all ITS offered services.

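| Local Services | Published | Controlled | Confidential: HIPAA [1] | Confidential: FERPA | Confidential: SSNs [11] | Confidential: PCI [2] | Confidential: ITAR [6] | Confidential: IRB | Confidential: CUI |
|---|---|---|---|---|---|---|---|---|---|
| Database Hosting: ITS-Supported MySQL, SQLServer, Oracle | YES | YES | 3 | YES | YES | YES | NO | YES | NO |
| File Storage: Austin Disk | YES | YES | NO | YES | YES | YES | NO | YES | NO |
| UT Wikis | YES | YES | NO | NO | NO | NO | NO | NO | NO |
| UT Backup (e.g., Code42/Crashplan) - see above - The cloud option is the only available option. | YES | YES | YES | YES | YES | YES | NO | YES | NO |
| Virtual Servers (UT VMG) | YES | YES | YES | YES | YES | YES | NO | YES | NO |
| REDCap (instance maintained by VP Research) | YES | YES | NO | YES | NO | NO | NO | YES | NO |
| REDCap (instance maintained by Dell Medical School) | YES | YES | YES | YES | YES | NO | NO | YES | NO |
| On Premise GitHub | YES | YES | NO | YES | YES | YES | NO | YES | NO |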

 

Footnotes

1 HIPAA data has special regulatory requirements; read this for more info. If you have any questions about storing/processing HIPAA data, reach out to the Information Security Office (security@utexas.edu).
2 Payment Card Industry (PCI) data has special regulatory requirements; read this for more info. It may be necessary to store PCI data but faculty/staff must consult with the Information Security Office to determine how to do so securely. 
3 No enterprise contract currently; each department must go through the Contracts Office for their own contract with a FERPA agreement.
4 Authorized usage is limited to Microsoft services provided under the ITS-managed vendor contract to remain compliant. Any use of the standard consumer-grade offerings of these products is not approved. Emailing FERPA protected information via O365 is not acceptable and such correspondence should be limited to Canvas or other university approved services to ensure compliance with https://provost.utexas.edu/the-office/academic-affairs/canvas-adoption-policy/. HIPAA protected information may only be emailed via O365 if the data is encrypted in transit and only decrypted by the intended recipient.
5 As there is no university contract in place for this vendor, no usage involving protected or restricted university data is permitted. Use of this vendor product with Confidential data is a violation of Section 2 of the IRUSP.
6 It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but staff/faculty must consult with the Information Security Office (security@utexas.edu) prior to storing/processing ITAR data.
7 AI products must have an active university contract in place and a completed vendor security assessment to be considered compliant with state requirements if confidential university data is to be involved. Please see the Acceptable Use of AI Tools for more details. For ChatGPT-specific services, approved usage only applies to the dedicated UT instances of ChatGPT Enterprise covered by UT Austin contracts. For the Microsoft-specific services, approved usage only applies to the dedicated UT instances covered by UT System contracts. If you aren't sure whether your use case is covered, please contact ISO (security@utexas.edu).

For information on obtaining ChatGPT Enterprise licenses, please email: security@utexas.edu.

For information on obtaining Microsoft Copilot for M365 licenses, please email: microsoft365@utexas.edu
8 Authorized storage of FERPA protected data is limited to the Google Drive service of the UTmail offering. Emailing FERPA protected information via UTmail is not acceptable and such correspondence should be limited to Canvas or other university approved services to ensure compliance with https://provost.utexas.edu/the-office/academic-affairs/canvas-adoption-policy/.
9 Authorized usage of Google GCP or AWS is limited to services provided under the ITS-managed vendor contract to remain compliant. Any use of the standard consumer-grade offerings of these products is not approved. Also, depending on the associated university data for certain cloud infrastructure it may be necessary to implement additional security monitoring. Please consult with the Information Security Officer to determine if monitoring is needed and to understand how we can assist you.
10 Canvas Conversations/Inbox are not approved for FERPA protected communications since copies of the message are forwarded to email addresses that are often not in a protected university service and thereby not encrypted.
11 SSN data has special risks and requirements; read this for more info. If SSNs must be stored/processed, reach out to the Information Security Office (security@utexas.edu) to request an exception. 

Security Review for New Services

Departments evaluating the purchase and/or use of a cloud service not covered on this page with any Confidential university data must request a security review of that service by sending a written description of the proposed implementation to the Information Security Office. During service selection, departments should inform vendors that security testing (performed either by the Information Security Office or by a qualified third party to the vendor) is mandatory for the university purchasing process.

Non-Compliance and Exceptions

If, for any purpose, a non-approved cloud service is used with any Confidential university data, an Exception Process must be initiated that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. (See Security Exception Report) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.

University of Texas at Austin employees are required to comply with institutional rules and regulations, applicable UT System rules and regulations, state laws and regulations, and federal laws and regulations.

Related UT Austin Policies

The policies and practices listed here, with which you should be familiar, inform the system hardening procedures described in this document. (This is not an all-inclusive list of policies and procedures that affect information technology resources.)

Revision History
| Version | Date | New | Original |