Overview

Leagues may choose to work with a third-party contractor, consultant, or vendor to support their website or the Member Essentials member portal. The use of third parties for portal or website support is not encouraged as a first step. Leagues should first contact AJLI for guidance before engaging outside support, as these needs may inform future service offerings AJLI could provide. Before granting access to League systems or information, Leagues should make sure there are clear agreements, defined responsibilities, and appropriate data protections in place.


Why This Matters

When a third party is involved in portal or website work, they may need access to League systems, member information, or administrative settings. Without clear boundaries and safeguards, this can create risks related to:

  • Data security
  • Confidentiality
  • Governance
  • Improper use of League information
  • Excessive or unmanaged system access


Policy Guidance

If your League uses a third party for member portal or website support, the following safeguards should be in place before work begins.

1. Use a Written Agreement

The League should have a written agreement in place, such as a Memorandum of Understanding (MOU) or contract, that clearly defines:

  • The purpose of the engagement
  • The services being provided
  • The duration of the work
  • The responsibilities of the third party
  • The League’s ownership of its data and information

2. Include Data Security and Confidentiality Terms

The agreement should specify that the third party:

  • May only access data necessary to perform the agreed-upon work
  • Must protect League and member information from unauthorized access or misuse
  • May not retain, reuse, sell, share, mine, or repurpose League data outside the scope of the work
  • Must return or destroy League data, as appropriate, at the end of the engagement

3. Include Anti-Solicitation and Restricted Use Language

The agreement should make clear that League data, member data, and contact information may not be used for:

  • Marketing
  • Independent outreach
  • Solicitation of additional business
  • Any purpose unrelated to the approved work

4. Assign Access Carefully

If the third party needs system access, the League should ensure:

  • Access is appropriate for the role
  • Permissions are limited to only what is necessary
  • Shared member credentials are not used
  • Access is reviewed and removed when the work is complete

5. Define Role Boundaries

The League should document:

  • What the third party is authorized to do
  • What systems or data they may access
  • Any restrictions on administrative activity
  • The limits of their authority on behalf of the League

6. Maintain League Oversight

Even when using outside support, the League remains responsible for:

  • Approving access
  • Confirming that agreements are in place
  • Monitoring what access has been granted
  • Protecting League governance, privacy, and data practices


Best Practices

Before engaging a third party, consider these best practices:

  • Confirm whether portal access, website access, or both are actually needed
  • Grant the minimum level of access required
  • Document approvals internally
  • Review access regularly
  • Remove access promptly when the work is finished


Key Takeaway

Using a third party for portal or website support is allowed, but it should be managed with care. Written agreements, strong data protection language, limited permissions, and clear boundaries help protect the League and its members.


Need More Help?

If your League is considering third-party support and is unsure how to structure access or safeguards, review your agreement language carefully and confirm expectations before work begins.