Stacks: Verified U.S. regulatory reference

28 CFR §202.210

Verified against eCFR.gov as of June 20, 2026
(a) Definition. A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves:
    (1) Data brokerage;
    (2) A vendor agreement;
    (3) An employment agreement; or
    (4) An investment agreement.
(b) Examples—(1) Example 1. A U.S. institution conducts medical research at its own laboratory in a country of concern, including sending several U.S.-citizen employees to that laboratory to perform and assist with the research. The U.S. institution does not engage in data brokerage or a vendor, employment, or investment agreement that gives a covered person or country of concern access to government-related data or bulk U.S. sensitive personal data. Because the U.S. institution does not engage in any data brokerage or enter into a vendor, employment, or investment agreement, the U.S. institution's research activity is not a covered data transaction.
    (2) Example 2. A U.S. person engages in a vendor agreement with a covered person involving access to bulk U.S. sensitive personal data. The vendor agreement is a restricted transaction. To comply with the CISA security requirements, the U.S. person, among other things, uses data-level requirements to mitigate the risk that the covered person could access the data. The vendor agreement remains a covered data transaction subject to the requirements of this part.
    (3) Example 3. A covered person engages in a vendor agreement with a U.S. person involving the U.S. person accessing bulk U.S. sensitive personal data already possessed by the covered person. The vendor agreement is not a covered data transaction because the transaction does not involve access by the covered person.