First we review the company's terms of service. Of course, we also ask the company for any information it can provide on its internal data security and privacy practices. Our purchasing unit rewrites the agreement to include all of the state-required procurement language; we also add our standard contract language on data security.
All of this information is fed into some sort of risk assessment of varying degrees of formality, depending on the situation, and, frankly, the urgency. That leads to yet another round of modifications to the agreement, negotiations with the company, and, finally, if successful, circulation for signatures. After which we usually exhume the corpse of the long-deceased faculty member and give him approval to use the service in his class.
We go through this process not from a misguided love of bureaucracy, but because our institutions know of no other way to manage risk. That is, we have failed to transform ourselves so we can thrive and compete in the 21st century.