3.4 Contracts for Software, Cloud-based Solutions and Websites

Overview

The purchase of software follows the same dollar thresholds as other purchases; however, there are generally additional review and approval requirements that must be completed. These requirements apply regardless of the dollar value of the purchase. Thus, for purchases less than $15,000, departments must ensure that the requirements have been satisfied prior to issuance of a purchase order. The requisition workflow has a step that routes to Contracts and Procurement for approval prior to final approval by the department. The routing is based on the commodity code, which was put in place to stop the process so that any additional requirements can be addressed.

Additional Requirements

Accessibility

Accessibility refers to the design of products, devices and services for use by people who have disabilities. With regard to software, this generally allows individuals with audio, visual, or motor impairments to utilize the software effectively. The accessibility status of a product must be reviewed and approved prior to the purchase of any software or cloud-based software solution, regardless of value.

Department/Departmental Contract Administrator (DCA) Responsibility:

Information Security

The Information Security Office (ISO) establishes and maintains a security program that reduces risk and secures the information assets under its stewardship against unauthorized use, disclosure, modification, damage or loss. Software and cloud-based solutions contain University information and, as such, ISO must conduct a thorough review prior to issuing purchase orders or entering into contracts for these products, regardless of the value.

Department/DCA Responsibility:

Privacy

Software or cloud-based solutions often house protected health information, student information or other personally identifiable information, which often requires specialized contractual language and agreements with the software provider. These include, but are not limited to:

  • Health Insurance Portability and Accountability Act (HIPAA) requirements regarding protected health information (PHI)
    • Contracts subject to HIPAA require the execution of a Business Associates Agreement as part of the contract
  • The Family Educational Rights and Privacy Act (FERPA) requirements regarding student data
    • Contracts subject to FERPA require a specific confidentiality agreement

Department/DCA Responsibility:

  • If sensitive data will be accessed, contact the U. T. System Privacy Officer for review and approval

Ordering and Contracting

Departments/DCAs should not:

  • Use procurement cards for the purchase of software unless reviewed and approved by Contracts and Procurement
  • Accept “click thru” terms and conditions
  • Sign any form of agreement with a software provider

Departments/DCAs should:

  • Be aware that Contracts and Procurement should review any documents, agreements, order forms, etc. provided by a software provider
  • Be aware that purchase of software or cloud-based solutions through a reseller will always require some type of license agreement with the software provider
  • Be aware that the cycle time to complete a software or cloud-based solution procurement can be lengthy based upon negotiation of terms and conditions that are required to protect the University
  • Be aware that accessibility, information security and privacy issues may need to be addressed even for renewals and maintenance agreements if those reviews were not completed at the time of the original purchase or if those reviews need to be updated