Software Purchases | It's Your Yale

Definition

Software purchases are electronic platforms or programs that can be cloud-based, web enabled, or on premises. Software can be a stand-alone service, or part of a hardware package.

Software purchases are a subset of the overall sourcing process. Visit the Sourcing toolkit chapter for complete information on the process.

Key Information

Software purchases have unique considerations including:
- Risk associated with the data the software houses which can include personal, identifiable data, data associated with health and medical information (HIPAA, Health Insurance Portability and Accountability Act), PCI (Payment Card Industry) data, etc.
- Risk exposure from IP Indemnification (e.g., if a Supplier is using a code that they do not own, Yale University can be included in a lawsuit for theft of the code).
- Risk of audit or litigation resulting from improper use of a license, or the Supplier’s code.
Engage with the Sourcing Team before any substantial negotiations have taken place. Reach out to the Sourcing Team via the Purchasing Intake Portal.
Similar, or the same software may be already used in separate parts of The University. Sourcing Managers can assist in connecting with other technology owners to leverage total spend and existing contracts to deliver better value for departments.

To Start

Order of Work	Action to Take	Essential Process Details/Helpful Tips
1	Read and understand policies	Policy 3201 General Purchasing Policy 3210 Purchase Contracts Procedure 3210 PR.03 Policy 1605 Web Accessibility Procedure 1605 PR.01 Refer policy support questions to the Purchasing Intake Portal, select “Policy, Procedure, Forms”.
2	Read and follow all guidance provided in the Procurement Toolkit Source a Good/Service chapter.	Sourcing Toolkit Chapter
3	Gather critical information regarding the purchase(s).	Critical information may include: What is your intended use of the software? Historical background/has software been previously purchased? Are other University departments using the software or similar software? What is the functionality of the software? How long do you anticipate using the software? Do you want to maintain access to the most current version(s) offered, or is only a fixed version needed? What level of technical support is required? (5x7, 7x24, etc.) How many people will use the software? Do you anticipate the number of people using the software to increase or decrease over the lifecycle of the contract? Is there another unit of measure of use that makes better sense than per user? Do you expect users who are not Yale employees or students to use the software? Is the purchase federally sponsored? Is sensitive data involved such as health or personal data (HIPAA or PII). If so, additional assessments or documentation such as a Business Associate Agreement (BAA) and Data Addendum (DA) may be needed. Note: Sourcing Managers can help support departments with the BAA. What is the desired timeline for the purchase? If moving from existing software, what time & effort needed to move to new software? Do you expect the software to run on a single platform or are multiple platforms (mobile, cloud, etc.) required? Do you expect to use only in the United States, or will international rights be required? Are there any specific requirements for interoperability (i.e. the ability for the software to exchange and make use of information)? Justification for supplier selection (criteria). Additional key decision makers, project team members.

Conduct Information Security Assessment:

Order of Work	Action to Take	Essential Process Details/Helpful Tips
1	Classify Risk	Risk Classification Contact information.security@yale.edu if you have specific questions regarding the classification. Data classified as high or moderate will require a Data Addendum (DA) as part of the contract package that Procurement will provide to the vendor for signature. Contact information.security@yale.edu to obtain the most recent version of the DA.
2	Confirm Supplier Compliance with Minimum Security Standards (MMS)	Minimum Security Standards (MSS) Contact information.security@yale.edu if you have specific questions regarding MMS.
3	Determine if a Security Planning Assessment (SPA) is required.	Security Planning Assessment (SPA) Contact information.security@yale.edu if you have specific questions regarding the SPA/SPA process.

Conduct Accessibility Assessment

Order of Work	Action to Take	Essential Process Details/Helpful Tips
1	Review Yale’s Web Accessibility Policy	Policy 1605 Web Accessibility. Complete Accessibility’s Web/Technology Procurement Update Form Contact the ITS Digital Accessibility team at accessibility@yale.edu if you have specific questions regarding accessibility.

Policies and Procedures

Forms

Training Guides and Tools

Accessibility’s Web or Technology Procurement Updates Form
Purchasing Intake Portal Interactive Guide
Purchasing Intake Portal User Guide
Purchasing Intake Portal Infosession Guide
Purchasing Intake Portal FAQs
3201 General Purchasing Policy FAQs
SPA Security Planning Assessment (yale.edu)
Working with Vendors | Usability & Web Accessibility (yale.edu)
Minimum Security Standards (MSS)
Risk Classification
Purchasing Code of Ethics