Software Purchase Guide

Before purchasing software, review and consider the following guidance.

Is software already available?

First, search the Software at Stanford website. A comprehensive selection of software is available for use or purchase through several campus providers, including University IT, Stanford University Libraries, Stanford SmartMart, and the Stanford Bookstore.

If you can't find the software, review the next sections with other important considerations before purchasing outside of Stanford providers.

Does the software comply with data risk requirements?

If the desired software is not found on Software at Stanford, departments may consider consulting with their local IT team or department administrator to complete a data risk assessment (DRA) in OneTrust before purchasing. Important: If you will be sending or receiving High Risk Data to or from a non-Stanford entity, completing a DRA is a university requirement. 

The DRA asks a series of questions about how Stanford data may be used. Once you submit the DRA form, the system auto-generates a report that indicates whether the proposed data use results in Low, Moderate, or High Risk to the university.

  • Those that present Low (blue or no flags) to Moderate Risk (yellow flags) may be purchased with a PCard as long as the transaction is in accordance with PCard policy (i.e., $4,999 or less).
  • Those that present High Risk (red flags) must complete the DRA process, which would involve taking action on the recommended risk mitigation steps provided with the DRA results. The completed DRA report would then be attached to the SmartMart contract request.

For more information about DRAs, the process, and OneTrust, go to dra.stanford.edu.

In addition to data risk considerations, the local IT team or department administrator should consider assessing compliance with any local business unit requirements or restrictions. For example, some units may altogether prohibit the use of PCards to purchase software.

Does the software conform with accessibility standards?

Evaluating the accessibility of a software product to ensure compliance with Stanford’s digital accessibility policy is another important consideration. Regardless of the method by which software and services are purchased (contract, PCard, etc.), consult with your local IT team or department administrator to conduct an Accessibility Risk Assessment pre-screening.

  • If the screening identifies the software or services as Low Risk, they may be purchased without an accessibility review from the Office of Digital Accessibility (ODA).
  • If the software or services are identified as Medium or High Risk, they will need to undergo an accessibility review by ODA, regardless of the form of payment. If the software or service does not meet Stanford's accessibility standards, a temporary exception must be obtained from ODA before purchasing. ODA recommends requesting a Voluntary Product Accessibility Report (VPAT) or other accessibility documentation from the vendor. Such information should include how the software or service conforms, at a minimum, with the Web Content Accessibility Guidelines 2.0 (WCAG 2.0), Level A and Level AA standards.

For more details about requesting vendor accessibility documentation, refer to procurement guidance on the ODA website.

Is the purchase a cloud computing solution?

For Infrastructure-as-a-Service Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure cloud accounts, Stanford does not permit the use of PCards, personal credit card reimbursements, or direct invoicing to pay for cloud services. All cloud computing accounts used for any Stanford-related activities (including development, student work, testing, learning, and building production-ready solutions) should be part of Cardinal Cloud.