SaaS procurement under $1,000 in cost
Use this guide to adopt a SaaS tool that doesn’t exist in the SaaS Directory and has an estimated annual contract value of under $1,000.
This process requires an iterative adoption approach that can take anywhere from a month to a year, depending on various factors.
To remain compliant with procurement, privacy, security and legal standards, you must follow this 6-step process.
Step 1: Develop a use case and evaluation criteria
To begin the SaaS adoption process, you’ll need to clearly define your needs and requirements for a SaaS tool.
This process has 3 purposes:
- To help you determine what kind of SaaS tool you need
- To help your ministry’s privacy, security, legal and risk management team evaluate your chosen SaaS tool
- To make sure your adoption process remains compliant and competitive
Connect with the people who will be using the tool
First, speak to the tool’s future user base. Make sure you’re all in agreement about the features and functionality required for a SaaS tool to effectively meet your needs.
Things to consider:
- The need to integrate with your current software and systems
- The learning curve of the tool matches the abilities of the people using it day-to-day, or the time and capacity they can devote to training
- The tool has appropriate accessibility features for people using adaptive software or hardware
- The requirement for external users, like a client group or program partners
Develop the use case
Your use case should outline how a SaaS tool would be used to solve a problem or achieve a goal.
Address these questions in your use case:
- Why do you want to use SaaS?
- How do you want to use SaaS?
- How does your need for SaaS connect with the mandate of your branch, division or ministry?
- What are the objectives and outcomes for the SaaS tool?
- How will you measure the success of your objectives and outcomes?
- Who will benefit from the SaaS tool?
- Who will use the SaaS tool? How many users do you anticipate?
- What features and functionality do you need the SaaS tool to have?
- What types of information will you be using with the SaaS tool and what are their security classifications? How will this information be used? Your Ministry Information Security Officer (MISO) and Ministry Privacy Officer (MPO) can help you with this question. In general, Protected C data should not be stored, transmitted or shared in SaaS tools
- Who will have access to the information stored in the SaaS tool?
- Do you have a budget? How do the SaaS costs fit into your budget?
- What will happen to the data stored in the SaaS tool if you stop using the tool?
Develop the evaluation criteria
Take a look at your use case and identify the requirements that you have outlined. These requirements will form the criteria that you will use to evaluate potential SaaS tools.
Your criteria might include:
- Cost. What type of pricing model are you looking for? What is your budget?
- Location of processed or hosted information. Is the SaaS tool hosted in Canada (including all data and associated backups)? Is the data ever routed out of Canada for processing? Note: Sensitive data and personal information can only be hosted and processed in Canada
- Access control. Which single sign-on (SSO) service will you use for users to log in to the SaaS tool?
- Configurability. Do you want the SaaS to support custom configurations? If so, do you control them or does the vendor?
- Encryption. How is the data secured (both in transit and at rest)?
- Exit strategy. If you stop using the SaaS tool, how will you retrieve B.C. government data? Are there any associated costs?
- Licensing. Are there any restrictions on the total number of user accounts you can have, or the number of users who can use the SaaS tool at the same time? How are new users added? How are accounts closed or transferred if someone moves to a new team or ministry?
- Privacy and security. Do the vendor and SaaS tool comply with the government’s Cloud Privacy Schedule and Cloud Security Schedule? You’ll need this information to complete your privacy impact assessment (PIA) and security threat and risk assessment (STRA) in Step 4
You can also consider other criteria that are specific to your use case.
You may also contact your ministry procurement specialist to help with the development of your evaluation criteria.
Step 2: Research and estimate
In this step, you’ll look for potential SaaS tools that fit the business needs you identified in your use case and evaluation criteria. This will help you make informed decisions and secure approval from your ministry Expense Authority (EA).
Explore and compare SaaS tools
Begin your research by using the SaaS Directory or researching options online. You must find at least 3 potential SaaS tools that meet your needs.
Check for existing PIA, STRA and legal assessments
To adopt a SaaS tool, you’ll need to complete your own privacy impact assessment (PIA), security threat and risk assessment (STRA) and legal assessment. We explain this process in detail in Step 4.
For now, check the SaaS Directory to see if a PIA, STRA or legal assessment has already been prepared for any of the SaaS tools you’re interested in.
Existing PIAs, STRAs and legal assessments aren’t fully transferrable to your own assessments, but they can provide useful information that you can use to speed up your own assessment process.
Contact your Ministry Privacy Officer (MPO), Ministry Information Security Officer (MISO) or Legal Services Branch representative if you have any questions about finding or using existing assessments.
Estimate costs
Once you have a list of 3 potential SaaS tools, you’ll need to estimate and document how much it would cost to adopt any of these tools.
Plan for SaaS expenses accurately
Your estimated costs should represent the entire amount of time you expect to subscribe to a SaaS tool.
For example, if you want to use a SaaS tool for the next two years, the cost estimate should include the total price for the two-year subscription, along with any additional expenses for upgrades or add-ons.
Accurate cost estimates are important because:
- The adoption process varies based on the expected expenses for a SaaS tool
- Your ministry Expense Authority (EA) must approve your cost estimates before you can proceed with the SaaS adoption process
How to estimate costs
Contact SaaS vendors or do online research to find information about costs.
Consider:
- How much is the subscription fee?
- How long do you plan to have the subscription?
- Do you plan to renew the subscription?
- Are there any add-on features you need to pay for?
- Do you need to pay more to add additional users to a subscription?
- Do you think you may upgrade to a more expensive subscription?
Document your estimation process
Keep a record of your analysis to show what steps you took to find and estimate the costs for the 3 different SaaS tools.
Get expense authority approval
After estimating your costs, reach out to your ministry’s Expense Authority (EA) to obtain approval for your budget.
Send them your estimates and the documentation you collected that shows the steps you took to find and estimate the costs.
Step 3: Collect a quote
Once you’ve received expense authority approval for your estimated costs, it’s time to gather a quote from a vendor.
How to collect a quote
You’ll now need to gather quotes for potential SaaS tools that meet your use case needs and evaluation criteria. Contact your ministry’s Procurement Specialist for more information on how many quotes you should collect.
Obtaining quotes can be done through vendor websites or by directly contacting vendors through phone or email.
The quotes should cover the total cost of the tool for the entire duration of your intended subscription. Make sure you mention specific services and functionality requirements in your request to receive an accurate quote. This can include details such as how many people require access and any extra features you want to incorporate into the subscription.
In many cases, the quotes you receive will closely resemble or match the estimates gathered in Step 2.
The final cost of a SaaS tool may sometimes exceed the initial quote you received. If your quote is under, but close to, $1,000, proceed with the $1,000-$75,000 procurement process instead. This ensures that if the cost of your SaaS exceeds the $1,000 threshold due to unexpected fees, you are following the correct adoption process.
Document your collection process
You must document how you gathered the quotes and keep a record of the steps you took to find and collect them.
Choose your tool
If you have collected more than one quote, select and adopt the tool with the lowest quoted cost.
Get expense authority approval
After selecting your SaaS tool, reach out to your ministry’s Expense Authority (EA) to obtain approval for the quote. Send them the documentation you collected that shows the steps you took to find and collect the chosen tool.
Step 4: Complete compliance assessments
Your chosen SaaS tool must now undergo mandatory compliance assessments. To do this, you’ll work closely with your ministry’s privacy, security, legal and procurement specialists.
You may begin the privacy, security and legal assessment processes at the same time.
If your selected SaaS tool doesn’t pass the compliance assessments, you may not continue the adoption process with that tool. You’ll need to return to your list of potential SaaS tools from Step 2 and restart the SaaS adoption process from there.
Privacy assessment
A Privacy Impact Assessment (PIA) is a step-by-step review process to make sure that any personal information collected, used, stored or shared through your chosen SaaS tool is protected as required by the Freedom of Information and Protection of Privacy Act (FOIPPA).
Completing a PIA involves working with privacy experts to identify, evaluate and manage privacy risks.
Privacy impact assessment process
Each ministry is responsible for completing their own PIA, either for a SaaS tool or for a specific use case (how they plan to use the SaaS tool).
For example, if Ministry A has completed a PIA on a SaaS tool and you are from Ministry B, you may need to do a PIA for Ministry B. How a SaaS tool is being used may also need to be assessed separately.
Contact your Ministry Privacy Officer (MPO) if you have questions about PIA requirements.
- Start by checking to see if a PIA has already been completed and is listed in the SaaS Directory for your chosen SaaS tool. You may be able to use existing PIAs to help you complete your own PIA
- Start drafting your PIA in the Digital PIA application
- Contact your MPO and ask them to work with you to complete the PIA process. You may need to reach out to the SaaS vendor, your Ministry Information Security Officer (MISO) or other subject matter experts to answer questions in the PIA
- Once the PIA template is complete, your MPO will contact a privacy analyst from the Privacy, Compliance and Training (PCT) Branch to review and finalize the assessment
- After the Privacy, Compliance and Training Branch has completed their review of the PIA, it will be returned to you for ministry or program area signing. The individuals who provide these signatures vary by use case. Contact your MPO to determine who will be required to sign
Learn more about the PIA process
Security assessment
You must complete a Security Threat and Risk Assessment (STRA) for your SaaS tool.
The outcome of the security assessment is a Statement of Acceptable Risk (SOAR) that identifies the potential security risks of the proposed tool and how those risks will be mitigated.
Security assessment process
- Contact your Ministry Information Security Officer (MISO) and ask for a SOAR template.
- Work with your MISO to complete the template for your SaaS tool. Depending on the risks identified during this step, your MISO may also require the completion of a more comprehensive STRA
- Follow the instructions on the template for signing and submitting the completed SOAR
Learn more about the STRA and SOAR process
Legal assessment
The Legal Services Branch must review your chosen SaaS tool’s terms of use to ensure they are acceptable to the Province.
Terms of use contracts
A “terms of use,” “terms and conditions” or “terms of service” contract is a legal agreement between a vendor and customer.
It defines:
- User rights and responsibilities
- Use of personal data
- Liability for damages
- Payment details
- Opt-out policies
- Security policies
Most SaaS vendors will want you to follow their terms of use contract.
Ask the Legal Services Branch to review the vendor’s terms of use and if required, help you negotiate terms that are acceptable to the Province. The vendor may require a certain level of spending before they are willing to open negotiations.
Legal assessment process
- Contact your Legal Services Branch and schedule a meeting to discuss your chosen SaaS tool. Before the meeting, send them your use case and a link to your chosen SaaS tool
- Wait for Legal Services to review the material you have provided. They will probably need to ask you some questions to complete their review. You may need to reach out to other stakeholders or the vendor to help answer these questions
- Work with the Legal Services Branch to address any concerns with the SaaS tool’s terms of use. They will advise you on whether additional risk assessment is necessary
Ideally you’ll be able to adopt the SaaS tool you chose using the vendor’s terms of use. But if the terms are not appropriate, you may need to discuss the risks identified by Legal Services with your executive leadership or choose a different SaaS tool.
Risk management assessment
If Legal Services believes a risk management assessment is required, they will tell you to contact the Risk Management Branch.
A risk management assessment determines whether the risks associated with the SaaS tool are acceptable to the Province. If they are not, you may need to choose a different SaaS tool with terms of use that are more acceptable.
Step 5: Purchase a license
Once your chosen SaaS tool has successfully passed the mandatory compliance assessments, you can begin the process of purchasing a license for the tool.
What licensing means
SaaS tools are licensed through the purchase of a subscription. What this means is that usually, to get a license to use a SaaS tool, you pay for a subscription that allows you to use the tool for a set period of time.
After that period is over, you must renew your subscription (but only if renewal was indicated in your use case when you initially procured the tool). Keep in mind that many SaaS tools will renew your subscription automatically.
How to purchase a license
Follow the purchasing procedure used in your ministry. Refer to the guidance for online purchases in the B.C. government’s Purchase Card Manual.
When licensing your SaaS tool, pay attention to:
- Which product tier or version you’re licensing
- The billing cycle you choose (monthly, quarterly or yearly billing)
- The number of user accounts you need
Step 6: Implement
After subscribing to your SaaS tool, it’s time to integrate it into workflows and systems.
Contribute to the SaaS Directory
Update the SaaS Directory to include all relevant information about your adoption process.
This information helps other B.C. public service teams learn more about the SaaS tool you’re using and helps them find and adopt their own SaaS.
This data also helps us identify opportunities for organization-wide agreements and better pricing with vendors.
Establish ownership of the SaaS tool
When you add your information to the SaaS Directory, you must identify who is taking responsibility for managing the SaaS tool.
The individual you identify should become familiar with using the tool and will be the main point of contact with the SaaS vendor. Their responsibilities may also include managing the SaaS contract, adding or removing users from the account and managing use of the tool. For larger SaaS adoptions (for example at a departmental or organizational scale), this role may be filled by a product owner.
It may also be useful to identify someone who will lead training initiatives and help new team members get started with using the tool.
You may also need a developer to coordinate any integrations with existing infrastructure or to fulfill any minor development requirements for the SaaS.
Create an implementation plan
Clearly set out a process to deliver the SaaS and provide training to users.
You should identify:
- Which people or roles should adopt the SaaS
- Projects or work that should be done using the new SaaS
- The level of skill users should have to use the SaaS
- What training is available to users
For larger adoption projects, you may also want to identify which teams or departments will be implementing the SaaS solution first, if you are delivering the tool to users in phases.
Provide guidelines for appropriate use
Give the people who will be using the SaaS tool instructions on how it should be used.
This may include information about:
- Which activities or tasks can be done using the SaaS
- Which types of data can be used or stored in the SaaS (based on the data’s information security classification or other criteria)
- Any features or functionality that can’t be used (for example, for security, privacy or legal reasons)
- How records and information will be organized within the SaaS
Encourage employee adoption
Introducing a new SaaS tool may be destabilizing for some users.
You can encourage and support employees as they adapt to the new SaaS tool by:
- Embracing change management techniques and adult education principles
- Explaining the reasons for choosing the new SaaS, its importance and why now is the best time to make the switch
- Highlighting the benefits and functionality to show how it can help them in their work
Track SaaS adoption success
Tracking SaaS adoption will help you understand how the SaaS is being used and whether there are individuals who need more support.
Identify metrics that you can use to track how successfully the SaaS tool is being adopted.
Key metrics might include:
- How many users have adopted the SaaS
- How many training sessions have been delivered to users
- How many technical issues were reported and how many were resolved
- How has work or team morale been impacted by the SaaS
Set deadlines for when you want to reach specific milestones in your metrics. Consider the short and long-term future of your SaaS solution. How do you want people to use it six months, one year and two years from now?
Encourage learning and discovery
Learning how to use a new SaaS tool takes time. Some people enjoy the process of learning how to use a new tool and they’ll be your early adopters. Others may be intimidated by the idea or may feel like they don’t have the time, energy or capacity to learn something new.
Support users with their learning process by:
- Helping them find their learning style and providing them with training resources that match it
- Giving users time to explore the layout and functionality
- Creating communication channels for users to ask questions and troubleshoot problems
- Providing practice assignments that teach basic features and build user confidence
- Leveraging vendor resources such as virtual demonstrations, training materials and support
Join the SaaS Community of Practice
The SaaS Community of Practice is a growing community of B.C. government employees who are passionate about promoting SaaS adoption and compliance.
Being involved in this community offers the opportunity to ask questions, share knowledge and talk to other SaaS users about your experiences finding, procuring and implementing SaaS.
Future considerations
Monitor the SaaS tool’s performance and user experience to ensure its long-term success and effectiveness within your organization by:
- Overseeing ongoing contract management to develop a clear understanding of what’s working and what isn’t
- Reviewing the SaaS tool’s terms of use to determine if it still meets your business needs. In some cases, you may identify an opportunity to upgrade to a higher tier or Enterprise agreement
- Reviewing the security, privacy and legal compliance assessments of your SaaS solution to ensure that the SaaS still meets the Province’s requirements
- Gathering user feedback to understand how the tool is being used in day-to-day work and whether there are any issues that need to be addressed. Consider scheduling check-ins at the 2-week, 1-month and 3-month marks after implementation to maintain open communication and address any concerns
Help us improve this guidance
This content was designed based on research completed with public service employees and written in collaboration with subject matter experts.
If you have ideas for how we can make it better, or if you see information that needs to be added or corrected, email us.