How to acquire SaaS
This guide explains what you need to do to comply with legislative and policy requirements, and minimize risk to the Province, when acquiring Software as a Service (SaaS) solutions. SaaS is designed for the majority of customers to purchase it without sustained one-on-one interaction with a human being.
This guide applies to you if:
- You want to acquire SaaS from a commercial provider and your estimated procurement value, including all options for renewals, is less than $250,000
- The software will be licensed on a subscription basis, accessed via a web browser and requires no installation, minimal management and no development
- The SaaS solution you’re hoping to purchase is not already licensed at the enterprise level or licensed for use by your ministry or branch
If your procurement value is $75,000 or more, procurement planning will be your first step and you will need to consult a ministry procurement specialist. If your procurement value is $250,000 or more you must engage with Procurement Services Branch.
Minimizing risk
In your personal life, you have probably purchased SaaS by simply providing your billing information and quickly clicking on a box to acknowledge that you have read and agree to the provider’s terms of use.
It’s more complicated when acquiring SaaS within the BC Public Service, as the stakes are higher, with risks including:
- The loss of control over the data if it is remotely processed or hosted
- Binding the Province to software license terms and agreements that are inconsistent with legislation
- Failing to meet legislative requirements for the collection, use, disclosure and retention of personal information and government records
- Being out of compliance with trade agreements and procurement policies
- Not having the appropriate delegated authority, including spending authority, to enter into or amend agreements on the Province’s behalf
- Failing to meet legislative and policy requirements to complete a Privacy Impact Assessment and Security Threat and Risk Assessment and confirm the SaaS is appropriate for provincial consumption
- Different government departments entering into license agreements with the same vendor at different times and under different terms, adding risk that government’s use of the SaaS product will be out of compliance with agreed terms
Overview of the process
Throughout the process of acquiring new SaaS solutions, you will work closely with the Legal Services Branch, Risk Management Branch and your ministry or organization’s information privacy, security, legal and procurement specialists to ensure compliance with the government’s privacy, security and procurement policies, procedures and standards.
As described later in more detail, you must complete the following compliance steps before procuring and implementing your solution:
- Completing a planning process to define your needs and requirements and conduct initial market research
- Using an appropriate selection process to get quotes from at least 3 vendors (can be done by reviewing pricing information published online) capable of meeting your needs and then selecting your best fit SaaS solution
- Completing a privacy review, by way of a Privacy Impact Assessment (PIA) of the business program that will be using the SaaS solution (or update the existing PIA), in collaboration with your Ministry Privacy Officer (MPO)
- Conducting a security review, by way of a Security Threat and Risk Assessment (STRA), completed in collaboration with your Ministry Information Security Officer (MISO)
- Getting the Legal Services Branch to do a legal review of the terms of use and any associated contractual documentation between the Province and the vendor, which could also include negotiating revisions to the vendor’s documentation
- Reviewing the risks and risk allocation terms, completed by the Risk Management Branch
You must also ensure that your process complies with the procurement policies outlined in the Core Policy and Procedures Manual.
Finally, if your proposed SaaS will process any financial transactions, you will need to complete a financial risk and controls review.
Be prepared for an iterative process during the compliance reviews where the outcomes or decisions made by reviewers in one area may impact outcomes in another area. For example, you can expect that the PIA and STRA will inform the legal review.
The time required from planning to implementation depends on many factors and could take anywhere from a month to up to a year.
1. Planning
In this stage, you are doing the upfront planning to define your needs and requirements and identify potential vendors.
Steps in the planning stage
- Develop a use case that clearly articulates why you need a SaaS solution to meet your specific business requirements
- Determine the appropriate procurement process; this may require consultation with your ministry procurement expert or with Procurement Services Branch
- Develop the criteria you’ll use to evaluate potential SaaS solutions. Note the procurement approach you’ve been advised to use along with these evaluation criteria
- Conduct market research to identify at least three SaaS solutions that best fit your business need
- Reach out to your MPO and MISO to see if a PIA and STRA have already been prepared for any of your potential SaaS solutions. While these may not be fully transferable to your current requirements, the information within them may be useful
Develop a use case
A use case can be as simple as a few paragraphs that describe the high-level goals of your planned initiative and who will be using the product. This background information provides useful context for staff who will be asked to review the project from privacy, security, legal and risk perspectives.
Your use case might answer some of the following questions (your MISO and MPO can help you with this step):
- What are the high-level goals and objectives of your planned initiative?
- How does it relate to the mandate of your branch, division or ministry?
- What are the objectives and outcomes (such as cost savings, improved customer service, faster turnaround time, etc.)?
- Who will benefit from this project?
- Who will be using the product? How many users do you anticipate?
- Where will the product be used?
- What minimum functionality and service levels are required?
- What types of information are you collecting and what is its security classification (see the Information Security Classification Standard)?
- How will this data be used?
- What is your general budget?
Develop your evaluation criteria
Building on your use case, list out the most important evaluation criteria – the product’s must-have requirements. This list will help you evaluate potential SaaS solutions as part of your market research and will make it easier for you to efficiently procure your desired solution. Again, your MISO, MPO and/or IT support team may be able to help you develop these evaluation criteria.
Your evaluation criteria might include:
- Cost: Does the system have a fixed or variable pricing model? Is it within your budget?
- Location of processed and/or hosted data (if data is sensitive and/or contains PI): Is the SaaS hosted in Canada, including all data (and associated backups)? Is the data ever routed out of Canada for processing?
- Access control: Do you need the proposed solution to integrate with the BC Government’s common logon services for user identity and access management?
- Configurability: Can the system support custom configurations? If so, do you control them or does the vendor?
- Encryption: How is the data secured (both in transit and at rest)?
- Exit strategy: What is the mechanism for retrieving the data? Are there any associated costs?
- Licensing: Are there any restrictions on the total number of users, concurrent users, data volume, etc. that would increase the licensing cost? Does the solution support the licensing requirements you developed in your use case?
- Privacy and security compliance: Do the vendor and solution comply with the government’s Cloud Privacy Schedule and Cloud Security Schedule?
Other criteria might be important to you, depending on your use case. You will use these criteria in your market research to evaluate which SaaS products might fit your requirements.
Conduct market research
You should identify at least three potential SaaS solutions to ensure diligence in selecting a best-fit solution from those available in the market. If you can’t identify three viable candidate solutions, keep a record of your analysis. You may use a Request for Information or Request for Expression of Interest posted to BC Bid to assess if there is a competitive market. You’ll use your use case and evaluation criteria to research potential SaaS products and identify those that might meet your needs.
Find out if a PIA, STRA and legal review have already been completed
Reach out to your MPO and MISO to find out if a PIA and STRA have already been done for any of your SaaS solution candidates. These reviews may have been completed by your ministry or by a business area in another ministry.
Even if a PIA and STRA have already been completed, you will still need to update the program-level PIA and complete a new STRA for your proposed use of SaaS product(s). The content in an existing PIA or STRA can give you and the other stakeholders in this process useful information for preparing the updated versions.
Contact your Legal Services Branch representative to ask if a legal review has been completed for any of your SaaS solution candidates.
2. Selection
Once you have completed your planning process, you are ready to select the best-fit SaaS solution by evaluating potential options against your use case and evaluation criteria. Ideally, you want to obtain quotes from at least three potential vendors for the SaaS solution.
If your estimated contract value (including all options for renewals) is less than $75,000, obtain three quotes through online searches or by requesting quotes from vendors by telephone, email, etc. Regardless of which procurement process you choose, be sure to document your approach to support compliance with the required competitive process.
If it’s not possible to obtain three quotes, document the circumstances that prevented you from receiving three quotes, including all quote attempts. In this case, you may need to use a non-competitive approach and issue a direct award.
Even if the total procurement value is under the posting threshold, ministries can still use BC Bid to get quotes from potential vendors.
Contracts can only be directly awarded without a competitive process in the exceptional circumstances specifically outlined in policy. If a direct award is unavoidable, you will need to make sure you have appropriate documentation to justify the direct award decision.
Before directly awarding a contract, consider whether a Notice of Intent (NOI) should be posted on BC Bid. An NOI discloses that a direct award is being contemplated and why the direct award is justified, and provides vendors with the opportunity to challenge the potential direct award. Should a challenge to an NOI be received, the challenge must be assessed to determine if it is justified and whether a competitive process should be undertaken.
Direct awards are publicly disclosed, including contract details and the justification for the direct award.
At the end of this step, you will have selected your preferred SaaS solution. As described below, before you can procure and implement your solution, you will need to work closely with your Legal Services Branch, Risk Management Branch and your ministry or organization’s information privacy, security and procurement specialists to ensure compliance with the government’s privacy, security and procurement policies, procedures and standards. In the unlikely event that your first choice SaaS solution can’t pass these compliance reviews, you’ll need to try again with the next best option.
3. Privacy review
You must update the program-level PIA to ensure that any personal information collected, used, stored or shared through the SaaS solution is protected as per the legislated requirements of the Freedom of Information and Protection of Privacy Act. You will work with your MPO to complete this process. Start this review in parallel with the STRA process.
Steps in the privacy review process
- If there is an existing PIA for the business program then start with that, otherwise download the PIA template for a new project or program
- Contact your MPO and ask them to work with you to update the existing PIA (or complete the template if no existing PIA is available) for the proposed use of the best fit SaaS solution. You may need to reach out to the vendor, your MISO or other subject matter experts to answer the questions within the template
- Email the completed templates to a privacy analyst for their review (pia.intake@gov.bc.ca)
- Finalize the PIA with your MPO and the privacy analyst, who may recommend changes to the content
- Get sign-off on the PIA
The Privacy Impact Assessments page is a useful resource for understanding the PIA review process.
4. Security review
Depending on the nature of the data collected by your SaaS solution, you may need to conduct a “light” or a “comprehensive” Security Threat and Risk Assessment (STRA). The outcome of this process is a Statement of Acceptable Risk (SOAR) that identifies the potential security risks of the proposed solutions and how these risks will be mitigated. You will work with your MISO to complete this process. As mentioned above, the PIA and STRA can proceed in parallel, and your MISO and MPO will likely be able to advise on when you have enough information to start the legal review.
Steps in the security review process
- Download the SOAR template
- Contact your MISO and ask them to work with you to complete the template for each of your three potential vendors. Depending on the identified risks and their risk levels, your MISO may also require the completion of a STRA
- Follow the instructions on the form for signing and submitting the completed templates
The Security Threat and Risk Assessments page is a useful resource for understanding the SOAR review process.
5. Legal review
It is most likely that your SaaS vendor will want to use their own terms of use contract as a starting point. You must then ask the Legal Services Branch to review the vendor’s terms of use and, if required, help you negotiate terms that are acceptable to the Province.
A terms of use, terms and conditions or terms of service contract is a legal agreement between a vendor and a customer (in this case, the Province) that defines, among other things, user rights and responsibilities, use of personal data, liability for damages, payment details, opt-out policies, security policies and more.
Steps in the legal review process
- Email your use case and top SaaS option to your Legal Services representative and schedule a call to discuss
- Ask your Legal Services representative to review the terms of use for your top SaaS product, in the context of the use case. Ask them if there’s anything else you can provide to help with this review, including when and if you need to contact the Risk Management Branch
- Legal Services will review the material you have provided. They will likely come back to you with questions about elements in the terms of use, and you may need to reach out to other stakeholders or the vendor for clarification or more information
- Legal Services will provide advice and guidance on elements in the terms of use that need to be changed (or may be prudent to change) to meet legislative obligations or business requirements, and on whether to open negotiations on such changes. Under appropriate circumstances, Legal Services will negotiate directly with the vendor’s legal counsel to propose amendments to the contract language to ensure the contract is in compliance with legislation and protects the Province’s interests
6. Risk management review
The Risk Management Branch will determine whether the terms relating to risk allocations are adequate for the Province or whether changes need to be negotiated with the SaaS vendor. Your Legal Services representative will likely lead the discussion with the Risk Management Branch.
7. Procurement and implementation
Once you’ve notified the successful vendor that you have selected their solution, you will move to the purchase and implementation phase. The steps in this phase may include:
- Documenting the evaluation process that led to the selection of the SaaS product you’re purchasing
- Completing a contract pre-approval process and contract checklist
- Obtaining an authorized signature, most likely from your Assistant Deputy Minister, on the SaaS Master Services Agreement, Terms of Use and Additional Terms (as applicable), with terms negotiated to meet B.C. requirements
- Sending the agreement to the SaaS vendor for their signature
- Sending the signed copy of the agreement to your finance team so they can set up the contract in CAS
Ongoing contract management is particularly important for SaaS solutions. This can include ensuring the vendor completes any annual reporting requirements relative to security certifications and audits.