Software procurement – customer checklist

This checklist sets out the key issues which should be considered by anyone thinking of procuring software for use in their business.

  • Ensure that you have clearly identified what your business needs and constraints are before you look for a software product or decide to engage a software developer.
  • Identify potential vendors and products which may be suitable for your needs.
  • If the software you need will be business critical or won’t be off-the-shelf, consider engaging a specialist consultant to help you understand what you need and what is available.
  • Carry out due diligence on the vendors including: company checks; financial checks; and product reviews. Ask for details of their insurance cover. If this is a big project, consider a tender-type process.
  • Speak to other customers who have used the vendor / product to understand their experiences.
  • Consider cyber security risks. This may involve: checking whether the vendor holds any security certifications (ask for the certificate and its scope statement, since a certification covers the vendor’s management system within that scope, not necessarily the product you are buying); performing penetration testing of the product as you will deploy it (this needs the vendor’s written authorisation, and a recent independent test report is a reasonable alternative or supplement); carrying out site visits to assess physical security; and requiring the vendor to complete a security questionnaire, with answers backed by evidence rather than taken on trust. Also ask how the vendor receives vulnerability reports and how quickly security fixes are released, as this feeds into the maintenance terms below.
  • Decide whether you want to buy an off-the-shelf product or whether a bespoke or customised product will be better for your needs.
  • If the software will be bespoke, make sure you understand the development process; see our guides on the Software Development Process and Engaging Developers.
  • Check that the software licence covers all the users who might reasonably be expected to use the software – now and in the future (for example, subsidiaries, associated companies, contractors etc.).
  • Consider whether the licence restrictions are acceptable. For example, is the licence only for the benefit of a named company or is it restricted to use on a particular computer or at a particular site? Can it be transferred if you sell your business?
  • Identify whether the licence is perpetual (i.e. lasts forever) or a subscription licence and consider whether the term and termination provisions give you what you need. Remember, flexibility works two ways: a short term that lets you walk away also lets the vendor walk away or reprice.
  • Does the product rely on code or technology from another source (for example, licensed third-party components or open source libraries)? If so, the vendor’s continuing access to this will need to be assured, and it is worth asking for a list of those components so you know what the product depends on.
  • Ensure that the licence fees are clearly defined. If the fees are linked to usage, is it clear how the fees will be adjusted in the event of an increase / decrease in usage?
  • If the vendor has agreed a fixed fee or discounted fee for an initial period, check it is clear what will happen when that initial period expires.
  • Check whether the maintenance fees are included in the licence fee or whether these are an additional cost. If third-party maintenance is available, consider whether that would offer better value.
  • Check that the vendor warrants (confirms) its right to grant the licence and agrees to indemnify you against infringement of any third party’s rights, so that if another company sues you claiming it actually owns the software and your use is unauthorised, the vendor would have to compensate you.
  • Review the performance warranties. Does the vendor warrant that the software will perform certain required functions or comply with a certain specification? Are these functions / specifications appropriately documented?
  • What are the exclusions and limitations on the vendor’s liability? Are these acceptable? For example, can you recover your losses in full in the event of a default by the vendor or is your remedy limited to a refund of the purchase price?
  • If you use the software to provide services, rather than for internal purposes, work through the scenario where the software does not perform as it should – will you be in breach of your customer contracts?
  • Consider whether specific warranties are needed, for example in relation to cyber security or data protection.
  • Ensure it is clear in what form the software is to be delivered (for example, on physical media or electronically), when delivery will occur, and how you will confirm that what you receive is genuine and unmodified (for example, by checking a checksum or signature supplied by the vendor).
  • Make sure it is clear which party will be responsible for installation and ensuring successful integration and interoperability with other systems.
  • If there will be a period of installation and testing before you can use the software in a live environment, consider whether you need to pay the full licence fee prior to go-live.
  • If the software will be tested before acceptance, is it clear what will constitute success? Ensure that the testing regime will accurately demonstrate the way the software will perform in a live environment (including with the volumes the software is intended to handle).
  • If interoperability with other systems is required, ensure this forms part of the acceptance testing.
  • Check that the vendor’s maintenance obligations are clearly defined. If different priority is to be given to different categories of fault (P1 / P2 / P3), ensure that the prioritisation reflects the commercial significance of the faults to your business.
  • Consider whether the proposed ‘response’ and ‘fix’ times are satisfactory and what escalation and remedy provisions apply if those times are missed.
  • Check whether the maintenance obligations are purely reactive (i.e. they only cover fixing defects once you report them) or whether the vendor also provides regular patching and other proactive maintenance. For security patches in particular, check whether the vendor commits to a timescale for releasing fixes for vulnerabilities it becomes aware of.
  • Check whether software maintenance can be provided by a third party if the vendor is unable / unwilling to provide maintenance or if you wish to switch to a different provider for commercial / business reasons.
  • If the licence includes the right for your employees and contractors to alter or maintain the software, check that they will have access to the necessary tools and source code.
  • Check whether upgrades are included in the licence / maintenance package and how many versions of the software the vendor will continue to support.
  • Consider how future interoperability issues will be handled. Will the vendor be required to ensure the software is continually updated to keep pace with other system changes? Will this be included in the support cost?
  • Consider whether the licence allows you to make copies of the software for back-up and testing purposes. Are there restrictions on the number of copies which can be made / how they can be used?

  • If the software is being used for a business critical function or if it will be difficult for you to obtain a replacement product, consider whether the source code should be held with an escrow agent. Check that the deposit is kept up to date and is verified (i.e. that it includes the build instructions and tools needed to produce a working copy, not just the code), otherwise the release may be of little use when you need it (for more information on escrow see here).

  • If the vendor will have access to confidential information, personal data or commercially sensitive data, ensure that there is an NDA in place with the vendor or suitable confidentiality provisions in the software licence.
  • If the vendor will have access to personal data and will be acting as your data processor, check that the contract contains suitable data processing provisions as required by GDPR Article 28 (for more information on this requirement see here).
  • Check it is clear in which circumstances the contract can be terminated and how notice to terminate should be served.
  • Make sure you are clear what termination actually means. Will termination end all of your access to the software, or just terminate the support and maintenance obligations, leaving you with an ongoing (perpetual) right to use the software unsupported?
  • Ensure it is clearly set out in the contract what obligations there are on the vendor for returning customer data and other confidential information, including time limits for compliance and the format in which the data is to be returned.
  • Consider whether you will need assistance in transferring your data from the vendor to your systems or another supplier. Ensure it is clear whether such assistance is included in the licence fees or is an additional cost.