Software, Licensing, and Cloud Services Procurement Compliance
Overview
When the university or its employees license access to Software - as defined in Section VI below - it does not own the Software and must abide by the agreement that governs the Software's use. As outlined in this Policy, units have been granted limited delegation of authority to purchase Software and may only do so if the engagement is made via a Click-Through Agreement, is less than $10,000, and involves data classified as Low based on U-M Data Classification Levels. Purchases involving any other data classification, regardless of dollar value, must be submitted through Procurement Services.
Units across the university serve diverse purposes and constituencies and may define additional conditions, restrictions, or guidelines directed at their specific community so long as they are consistent with this policy and do not lower the requirements established by this SPG.
Purpose
This policy is established to ensure the protection of the university, its departments, units, and individuals. It provides guidelines for buying Software and governs the use of Click-Through Agreements in lieu of traditional or electronic signatures.
This policy acknowledges:
- Authority to bind the university to contracts and agreements for Software purchases or licensing is delegated to Procurement Services by The Board of Regents as outlined in SPG 507.01 Procurement General Policies and SPG 601.24 Delegation of Authority to Bind the University to External Agreements on Business and Financial Matters.
- Limited delegation of authority is granted to department end-users to commit funds for the purchase of Software via a Click-Through Agreement when the engagement is less than $10,000 and the data is classified as Low, as outlined in this policy.
- Under that limited delegation, employees of the U-M community who use or purchase Software in compliance with this policy accept the terms and conditions and assume the risks and obligations that may accompany such agreement on behalf of the university.
- It is the responsibility of Software purchasers and users to procure and use Software in a manner that strictly adheres to all applicable university policies as well as all licensing provisions, including installation, use, copying, virtualization, maintenance, service, restrictions on the permitted uses and/or the number of users, and other terms of the license.
Scope
This policy is platform- and device-neutral and applies to:
- All Software used for university business purposes, including but not limited to administrative, academic, teaching, learning, clinical, and research activities, irrespective of how it is accessed or stored.
- All Software purchased, obtained, and/or licensed from third-party vendors, developers, or companies pursuant to the requirements of this policy irrespective of the university entity or individual that makes the purchase or enters into the license.
User and Unit Requirements
Due Diligence and Compliance
- Prior to finalizing any Software purchases, units should review the Software Acquisitions Knowledge Base Article ("KBA").
- Purchasers of Software are often presented with an electronic license agreement or Click-Through Agreement. These terms outline the responsibilities of the purchaser regarding the license and use of the Software. Once this electronic or Click-Through Agreement is accepted by an authorized user, a legally binding contract between the licensor and the university is established.
- Units and users must understand and comply with all terms and conditions of the Software agreement.
- Common issues to examine include: non-infringement of copyright and limitations on transfer or sale when assets or equipment are divested or decommissioned.
- Notwithstanding anything herein to the contrary, university employees do not have the authority to grant to suppliers any audit rights or rights to use any university trademarks or logos by virtue of this SPG.
- Users who access university-licensed Software on personally owned devices must comply with all provisions of SPG 601.33 and the licensing agreement, and are further expected to comply with the provisions on the Safely Use Sensitive Data website when accessing sensitive institutional data on such devices; some licensing agreements do not permit use on personally owned devices.
- It is the responsibility of each unit to ensure all agreements signed or accepted, within their Delegated Authority, are documented and follow university retention requirements as outlined in SPG 604.01 - Departmental Record Retention for Business and Financial Records.
Software Acquisition and Procurement Restrictions
- Personal credit or debit cards should not be used to purchase Software for institutional use.
- Individuals may not procure Software, regardless of dollar value, that will be used to access, process, analyze, or maintain data classified as Moderate, High, or Restricted. Such Software may only be procured by Procurement Services. For more information about university data classification levels, visit the ITS Safe Computing website.
- University PCards can be used to purchase non-competitively bid Software up to $5,000 in total value. PCard purchases must comply with all terms and conditions of the PCard Cardholder Agreement.
- Purchase orders can be used to purchase non-competitively bid Software less than $10,000 in total value.
- Software purchase requests of $10,000 or more must be submitted to Procurement Services.
- If the Software will be used for any export-controlled activities or the purchaser has reason to believe the Software is subject to export restrictions, purchasers should request the Export Control Classification Number (ECCN) or U.S. Munitions List (USML) category for any Software they are procuring from the supplier, software developer, or manufacturer.
Software & Data Return and Destruction
- Upon termination or expiration of the Software agreement, Departments are responsible for overseeing the extraction, return, and destruction of all university data and obtaining written proof from the supplier.
- Units and users are contractually obligated to follow the terms and conditions relating to the disposal or return of the Software and/or data. In instances where grant terms are in conflict with SPG 601.33 - Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data and SPG 520.01 - Acquisition, Use, and Disposition of Property, the grant terms will take precedence.
- All Non-Transferrable Licensed Software and associated data should be permanently deleted before any electronic device or media is disposed of or transferred within the university, as outlined on the Securely Dispose of U-M Data and Devices webpage.
Violations of Software Licenses and Enforcement
Individuals at the university are ultimately responsible for knowingly violating the terms and conditions of Software purchased under the authority of this SPG. Units where infringing copies are located, or whose staff members otherwise violate licenses, are responsible for any fines or fees associated with non-compliance with Software license agreements and legal fees.
Violations of this policy may result in appropriate sanction or disciplinary action consistent with applicable university procedures up to and including suspension or revocation of computer accounts or PCard, non-reappointment, discharge, dismissal, and/or legal action. In addition to university disciplinary actions, individuals who commit copyright infringement are personally subject to civil and/or criminal fines and sanctions under the U.S. Copyright Act.
Definitions
- "Software" includes but is not limited to cloud-based software and solutions, Software as a Service (SaaS), and on-premises, stand-alone, shared, or networked software. This also includes free and open-source software.
- A "Click-Through Agreement," also known as a click-wrap agreement, is a legal agreement between a user and supplier that is presented to the user in digital form. Instead of signing a physical or electronic document, users indicate their acceptance of the terms and conditions by clicking a button or checking a box typically labeled "I agree" or "Accept."
- A "Non-Transferrable License" is a license that grants a user licensee specific rights to use a product, service, or intellectual property but explicitly prohibits the licensee from transferring those rights to another party.
Replaces SPGs 601.03, 601.03-1
Updated October 6, 2025, to explicitly reference cloud services, add definitions, clarify the data classification level at which departments are authorized to make a purchase using a Click-Through Agreement, and include additional resource links.