Guidelines for Websites

Campus website owners must comply with campus and systemwide policies in order to use a domain. These policies include (but are not limited to):

  • Privacy

  • Brand protection

  • Security

  • Accessibility


Campus website owners must identify a Security Contact who will receive notifications of any security issues. If the website is hosted on a third-party hosting service, the site owner must also identify a Resource Proprietor who takes responsibility for ensuring that the site meets campus IT policy requirements and includes a privacy statement, which indicates what personal data the website collects from visitors and how that information is used. This is done through the Socreg asset registration portal

Campus website owners should also ensure that their data collection practices align with the UC Statement of Privacy Values. For example, campus websites should not engage in prohibited activities such as the use of third-party advertisements or analytics that track and provide users’ personal data to third parties.

Third-party "no-code" web hosting services are not suitable for domains because they do not make it possible to comply with Privacy, Brand Protection, Security, Accessibility, and other applicable policies. Examples of these services include Squarespace, Weebly, Wix, and Webflow.

Below is an outline of the requirements and processes for setting up a "hostname" for a website. Note: The word "domain" is often used in this context; however, "hostname" is the correct term, and will be used on the rest of this page.

 Requirements and Guidelines

Campus departments must receive approval from the Information Security Office (ISO) to use a hostname with an offsite hosting service. Additionally, any new hostname within the top-level zone must be approved by the Domain Approval committee.

Security Contact and Socreg

To complete the offsite hostname registration process in Socreg, the campus department must choose a "Security Contact" for the offsite hostname. A Security Contact is a role used by authorized members to register IT Resources in Socreg and to receive security notices involving those resources. If others in your department have a Security Contact role in Socreg, ask them to request the offsite hostname.

If you do not know your department's Security Contact, you can begin the registration process by logging into Socreg and creating a new offsite hostname registration. ISO staff will help you find your department's Security Contact as part of the registration and approval process.

The Security Contact will need to know the following information in order to register an offsite hostname:

  • Offsite hostname: The requested hostname.

  • Hosting Service: The offsite hosting service.

  • Data Protection Level: Select the approved Data Protection Level

  •  for the service; for example, sites on Pantheon are only approved for Protection Level P1.

  • Description: Simple description of website.

  • Additional notes to DNS Administrator: The DNS (Domain Name System) information provided by the offsite hosting service. The DNS Administrator needs this information in order to point the hostname to the hosting service in the campus DNS.

Domain Approval

Once a top level hostname has been approved to be used with an offsite hosting service, that hostname will also need to be approved by the Domain Approval committee. For each hostname, the DNS Administrator will need answers to the following prompts as a part of the Domain Approval process:

  1. The purpose of the hostname, who will be using it, and its relationship to the university's mission.
  2. A responsible contact for the hostname.
  3. Acknowledgment that all relevant university policies will be followed, including those on campus website accessibility.

The campus department will be informed accordingly once their hostname has been approved or if their proposed hostname does not align with the Domain Approval requirements.

Web Accessibility Resources

Onsite Hosting Resources

Terms & Definitions

  • Domain: A top-level name in the Domain Name System (DNS)
    • Examples:, 
  • Subdomain: A lower level domain, which may contain other DNS names
    • Examples:, 
  • Hostname: An individual name within a domain or subdomain. Typically points to a web site or the IP address of an individual device.
  • DNS: Domain Name System
  • DNS Administrator: Domain Name System Administrator
  • Security Contact: A role used by authorized members to register IT Resources in Socreg and to receive security notices involving those resources. 
  • Socreg: Campus self-service asset registration portal, which includes registration for offsite hostnames. 
  • ISO: Information Security Office