Which agreement sets the security controls for data exchange between two partner organizations?

• A. Interoperability Agreements
• B. Master Service Agreement (MSA)
• C. Third-Party Connection Agreement (TCA)
• D. Memorandum of Understanding (MOU)

Answer: (C)

When two organizations exchange data, the document that specifies how the connection is established and protected is the Third-Party Connection Agreement. It lays out the security controls for data exchange, including who can access the data, how authentication and authorization are handled, encryption requirements for data in transit and at rest, data handling and retention rules, auditing and monitoring expectations, and incident response or breach notification processes. It also covers how the connection will be terminated and any required assessments or audits, making the security requirements enforceable across both parties.

Interoperability agreements focus on making systems work together—data formats, interfaces, and mappings—rather than detailing the security controls for the data transfer itself. A Master Service Agreement governs the overall business relationship and service terms, not the specific technical security controls of data exchange. A Memorandum of Understanding is typically a non-binding document outlining intended collaboration or high-level roles, not enforceable security requirements for cross-organizational data transfers.