Software as a Service (SaaS) is widely used on campus and refers to purchasing access to applications that are owned and managed by a vendor, are hosted in the cloud, and accessed by users with web-based technology such as a browser or smartphone app. Examples of SaaS include BearBuy, Google Suite (bMail, bCal, Drive), and Box.
Platform as a Service (PaaS) is a middle ground between IaaS and SaaS, providing a platform that allows technical teams to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app. Salesforce CRM and ServiceNow are both good examples of PaaS.
Questions When Researching Cloud Options
If you are looking for (or have found) an online service or tool you would like to use at UC Berkeley, there are a few things you should consider.
Does campus already have a service or software I can use?
UC Berkeley has sitewide licenses for a number of popular services and software. Example: If you need to share files for work, instead of signing up for Dropbox, you can use Box or Google Drive for free with campus support included. You can find the services available for campus users in the service catalog.
Who is going to be using the service?
Just myself, my department, or faculty/staff/students from multiple groups? These considerations will impact what product will be best. Example: an online appointment system for your unit to use might be simple to set up and run; one that the entire department and its students need to use will take more time and training to set up right.
What kind of information or data do I need for the service to work?
Example: Some software, such as Salesforce, requires personal information about individuals, including names, emails, phone numbers etc. Where this information is coming from and who will keep it up to date are important questions to answer. Appointment software may need access to your calendar to work properly. Having accurate data is what makes these services useful. If you are handling information that is sensitive - student personal information, research data, grades, social security numbers - contact the Information Security and Policy team before moving data to a new service. Some campus services have already been vetted with guidance on what types of data can be stored or processed in them. As an example, view the UC Berkeley Box and Google Data Use Agreement.
What does the service cost?
Many services are free, but lack the features you need. If you are going to buy a service, ask whether they charge by the user or monthly/annually or by usage/volume. Also, check if the vendor charges for service cancellation or to export/remove/archive your data. If a service asks you to sign a purchase agreement or contract terms, follow the campus supply chain process before proceeding with the vendor directly. Campus has terms that are required for agreements with vendors. Starting off on the right path can avoid re-work and delays later on.
Is the service accessible?
The University of California's Information Technology Accessibility Policy (effective August 27, 2013) states that all campus websites and web applications should be accessible to people with disabilities, including those who use assistive technologies. This means that products purchased from vendors should be accessible. You can find more information on the Berkeley Web Accessibility site.
What if I'm asked to sign a Non-Disclosure Agreement (NDA)?
When asking for information about a service, a company or vendor may ask you to sign an NDA (Non-Disclosure Agreement) before giving you access to detailed information regarding their technology, procedures or security certifications. It is a common practice to sign NDAs during procurement evaluation - and your campus buyer (procurement person) is the correct person to review the terms and sign the NDA. You should not sign and return the NDA yourself. Your campus buyer will follow up with any questions or concerns they have. Once an NDA is signed on behalf of UC Berkeley, you can then share info on the company and product with anyone at the University. Look up your campus buyer here: Contact Your Buyer
Questions to Ask Before You Buy
Here are a few questions about software you should think about before using/buying it, especially if it will be collecting/storing or processing any kind of University data. If you are working with a sales or support contact at a vendor you are considering, you should ask them to respond. If the vendor can't or will not answer the questions, this should be a red flag about the service or company.
Infrastructure
What cloud services or third-party providers does <your service> use for running its platform (e.g. AWS, Azure, GCP, other)?
Is there any agreement or target uptime for the service?
Is there a business continuity plan in place?
Is there a security plan in place for the service?
Has the security plan been externally audited? By whom? If so, can we review the security audit?
Is our customer data in an environment mingled with other customers' data, or is it segmented and separated (shared, tenant model)?
Does the service support Single Sign-On (SSO)? Your vendor or service provider can check out our CalNet site for more information on SSO at UC Berkeley.
Data Use and Privacy Agreement
What is their privacy agreement and data use policy for customer data?
Can we see a copy of the privacy agreement and data use policy?
Who has access to your data?
Do third-party services used adhere to your privacy policy (e.g. AWS, Azure, backup services)?
What is their policy around civil and criminal subpoenas for data - specifically on customer notification?
Does <your service> collect any data generated for your own purposes (including de-identified analytics)?
Is collected data passed on or shared with other groups or companies? If so, which?
Data Backup, Export and Deletion
As the customer, what customer-facing mechanisms does the vendor provide for you to export and archive your data? Is there any extra cost for exporting or archiving of the data?
What is the policy around removing your data?
Is data actually deleted on disk and backups?
Are backups taken of your data? If so, how frequently and where are they stored?
Is a third-party service used for backups or data replication?
What is the backup retention policy?
Troubleshooting Support/Service
Is there a service level agreement for support calls and service requests?
What is the escalation path for urgent issues?
What is the support during nights, weekends, and holidays?
Can users contact Support staff directly? Can our on-site technical staff contact support on behalf of our users?