SaaS Definition

Do I need to complete a SaaS request? 

The Definition of a SaaS page outlines the requirements for a SaaS, and when the assessment process is applicable.

Please be aware that each SaaS option involves costs, and your requirements must be evaluated before moving forward with a SaaS solution.

This process is not aimed at individuals who need software for individual use - see below. However, it is your responsibility to review what University data you’re sharing within the software by using the Data Protection Impact Assessment (DPIA) Checklist.

Data Protection Impact Assessment (DPIA) Checklist

What is a SaaS?

Software as a Service (SaaS) is a piece of software that:

  • Is cloud-based and hosted by a vendor
  • Does not require the University to install and host the service on premises
  • Is maintained and managed entirely by the vendor
  • Is rented out by the vendor to multiple organisations, not just the University
  • Does not require any additional hardware to be installed

SaaS requests are taken through the Software Risk Assessment (SRA) process. The SRA process exists to ensure that all software meets the Cyber Essentials security requirements and upholds the University’s IT and data standards.

If data (personal or sensitive) is going off campus, the chances are it will need to go through the SRA.

What is not considered a SaaS Solution?

Below are examples of when software will NOT need to go through the SRA:

Individual

If an individual is signing up for something, then this process is not aimed at them. The SRA is for groups of people using a new piece of software. Generally, this process is aimed at groups of ten-plus people. So, for instance, a few academics signing up to a subscription service to access some specific journals is not something that would go through the software risk assessment.

However, it is your responsibility to review what University data you’re sharing within the software by using the Data Protection Impact Assessment (DPIA) Checklist.

Registering an account

If you are not buying a software solution but instead are registering an account as a means to access something, for example using the ‘Enterprise’ website to hire a car, then this is not a software solution and does not need to go through the software risk assessment.
