Sourcegraph Procurement Policy
AP Policy
Policy Mission Statement
Sourcegraph employees are required to undertake an efficient, timely and cost-effective procurement process while ensuring appropriate levels of diligence and accountability in accordance with the processes outlined in this policy.
Policy Scope
This policy applies to all Sourcegraph teammates, and third party contractors acting on behalf of Sourcegraph. This policy applies to procurements above $5,000 (inclusive of all applicable taxes and charges).
Policy Objectives
The objectives of the Sourcegraph Procurement policy are as follows:
- Supporting Sourcegraph personnel in undertaking efficient, timely and cost-effective procurement processes
- Maximizing value for Sourcegraph
- Ensuring ownership, accountability and transparency in expenditure
- Ensuring appropriate levels of diligence is performed prior to expenditure
- Ensuring that the procurement process and level of effort is commensurate with the nature and value of the procurement
- Ensuring documents utilized during the simple procurement process use clear, simple and easy to understand language
Procurement Process
The procurement process should be considered in three stages:
a. Evaluation stage
b. Go-to-market stage
c. Airbase Guided Procurement: Contract Execution/Vendor Request
Evaluation stage
Best practice procurement processes should commence with the following steps:
- defining the requirement (e.g. quantity, quality, delivery, timing)
- assessing other strategies such as utilizing existing period contract arrangements
- obtaining financial & Legal approval
- obtaining Security approval to assess vendor risk, perform due diligence and be in line with our Third-party Management Policy
Go-to-market Stage
Best practice guidelines relating to the go-to-market stage of procurement includes:
- identifying how to approach the market and engage in negotiations
- determining the number of quotes to obtain
- determining the selection/evaluation process
- engaging in commercial negotiations with chosen supplier
Request for Quotes Process
Sourcegraph employees must request competitive quotes, in writing, as far as practicable, as presented in table 2 below.
| Spend (Annual Equivalent) | Quotes |
|---|---|
| $0–$10,000 | 1 |
| $10,000–$50,000 | 2 |
| $50,000 or greater | 3 |
The number of quotes sought can be restricted to less than the required number if there are legitimate reasons for limiting the number of suppliers. Such reasons might include:
- only a limited number of suppliers with the capability, experience and suitability to meet the procurement requirement
- the need for compatibility with existing equipment or services
- absence of competition due to technical reasons (e.g. exclusivity, proprietary information)
- the cost of changeover is prohibitive
- an unsolicited proposal with very advantageous conditions and appropriate approval
- time sensitive
The justification for limiting the number of suppliers must be communicated via email to ap@sourcegraph.com.
Sourcegraph employees should also inquire as to whether customer references / testimonials are available for items of expenditure greater than $10,000.
NDAs (Vendors)
The best practice is to share and sign our NDA with every vendor when you begin conversations and before you disclose confidential business information. Once you have a fully signed NDA, save a copy in our NDA folder as Vendor Name-NDA-Year-Month-Day. For NDA signatory authority, see our contract review and signature authority policy.
Is a DPA required?
If the vendor will receive any personal data from us, ask for the vendor’s DPA. Personal data includes any teammate personal data (including account login email/pw, addresses, DOB, etc.) and any customer content (such as sourcecode metadata, which contains usernames and emails). If the vendor is a SaaS solution, then yes, we need a DPA.
What if the vendor asks us to provide a DPA?
We prefer to use the vendor’s DPA, as it will be more applicable to the way they process and secure personal data. However, Sourcegraph does have a template for vendors that do not have their own.
You can let the vendor know:
Given that you will process personal data, we will require a data processing agreement (DPA). A DPA should include your organization’s technical & organizational security measures reflecting how you protect the personal data you receive from us. If you don’t have one, will you reach out to your law firm to get one?
Commercial Negotiations
The table below highlights different commercial terms of a procurement negotiation, in order of importance to Sourcegraph. Buyers are encouraged to consult with the Finance team if they require support during commercial negotiations with suppliers.
| Area | Sourcegraph Procurement Policy Considerations |
|---|---|
| Price | New contracts: Requesting quotes / pricing - Communicate that we are requesting quotes from other suppliers and considering the supplier with the best pricing / fit for our needs - Can we obtain a new customer discount for the first year? New contracts: One-time vs recurring fees - Best practice is to negotiate discounts on the recurring cost as that will generate greater savings for Sourcegraph over a 2/3 year period. - If we can not negotiate better pricing on recurring fees, can we ask to have setup fees /on-board Sourcegraph fees waived? Renewals - What is the % increase from prior year and what justifies this increase? - Were there any service issues in the prior year? If so, we should communicate to the vendor and explain such issues warrant a discount for renewal period. - If the supplier explains price increases are due to new features, we should consider if we are using these features? If not, we should ask the vendor why we need to pay for these features? - Are we at Sourcegraph adding more volume? If so, is there a discount for every new user added? What is the trend of the cost per unit compared to last year? |
| Value | - If we cannot negotiate better pricing, can we negotiate to receive additional services for the same price (i.e., achieve better value)? For example, could we ask for extra training days for free or a one/ two/ three month free period at the end of the term? - For vendors with engineering teams, would the vendor contact be willing to connect our sales team for a product demonstration? |
| Negotiation Tactics | - Check if any Sourcegraph teammates know people at the vendor company that they can connect us with (i.e. LinkedIn connections) - For larger items of spend it may be worth scheduling a face-to-face meeting with the supplier. - Partnering – if we provide a customer testimonial / case study, could it result in better pricing? |
| Payment terms | - Our standard payment terms are net 30. Can we negotiate longer payment terms (for example 60 days) or a discount if we pay invoices early (for example 5% discount if we pay within 10 days)? |
Airbase Guided Procurement: Contract Execution/Vendor Request
When should I use this process?
Airbase will guide you through the required fields and approval necessary depending on your purchase inputs. Before creating an Airbase request, take a look at the table below to determine if this is needed.
- If cost = 0 and classification is PUBLIC or INTERNAL -> no ticket needs to be raised
- If cost = 0 and classification is PRIVATE or RESTRICTED but LOCALLY* -> no ticket needs to be raised
- If cost = 0 and classification is PRIVATE or RESTRICTED but ONLINE* -> raise a ticket
- If cost >0 and classification is PUBLIC or INTERNAL or PRIVATE or RESTRICTED -> raise a ticket
*Locally - meaning the data is not leaving your laptop (for instance text editor)
*Online - data is shared with 3rd party (browser extensions that access private or restricted data and are shared back with the service provider)
What counts as a vendor?
We categorize our vendors into the following groups:
-
Software: this can be SaaS or non-SaaS products
-
Services: Consulting services; any company that is commissioned to perform knowledge enhancing project-based work for Sourcegraph. Examples of this include any work that concludes with a report issued to the company, product development work, training development, sales & marketing projects and regulatory consulting work.
-
Temporary contractors : Individuals that have been contracted for a limited amount of time to enhance/assist/deliver project base work (they are a separate group since their access level to data will most likely be different to a ‘Service’ engagement)
How do I submit a request in Airbase?
You can find a how to video here and for existing vendors missing a PO here.
Step 1: Visit Airbase
- Click “Request Purchase” from your dashboard and in the dropdown select “Purchase”
Step 2: Enter your Purchase Request Details (note these may change order depending on input details in 01. and .02)
- Primary Information: Select your type of purchase category
- Software Subscription
- Individual (i.e. a single ChatGPT subscription for yourself)
- Org Level New
- Org Level Renewal
- Hire a Contractor (temporary contractor)
- Sales/Marketing events (sponsorships, event space, etc)
- Hardware (computers, servers, peripherals)
- Vendor and Budget Details
- Vendor name
- Description of services
- Vendor website
- TCV (total contract value) of goods or services being purchased
- Attach a copy of the MSA, Order form/SOW that has the amounts included
- Data Classification
- Select the correct data management security which will route to Security team for review depending on answer.
- Has this vendor gone through JIRA review previously?
- If yes is selected, the request will move directly to Manager and Finance approval (and Exec approval if over 50K USD). Please only select this option if you have previously
completed a full vendor review in JIRA. - If no is selected, process will continue as normal.
- Contractor Prerequisite Questions (applicable only if requesting a temporary contractor)
- Save and next step!
Step 3: Notification that your manager will be sent your request for approval.
Step 4: Budget approval
Step 5: Legal review questions (if applicable, review happens in tandem with TechOps and Security reviews)
Step 6: TechOps review questions (if applicable, review happens in tandem with Legal and Security reviews)
Step 7: Security review questions (if applicable, review happens in tandem with TechOps and Legal reviews)
Step 8: Notification that your exec lead will be sent your request for approval if the amount is greater than or equal to 50K.
Step 9: Select how you want to pay your vendor
- If the vendor will be sending us an invoice rather than you paying for this on a virual credit card, please select “Purchase Order” or if you have already completed the vendor review and Finance has requested you enter a PO.3
- Services start/end date - this would be the start/end of your software or contractor services
- Select spend categories (i.e. Software, Consultants and other Professional Services, Events)
- Update cost center if applicable. This will default to the requestors cost center.
Step 10: Submit for approval!
You can watch the linked Loom videos for additional help/clarification or reach out in #discuss-finance.
SLA
Requests are approved within 10 business days. Please ensure you are requesting your spend as soon as you decide on a vendor. You can view the progress of your request at anytime in Airbase under “Requests”.
What are the reviewers looking for?
Security
- What type of information is being shared with the vendor: customer data, sourcegraph data, both?
- Security compliance certifications like ISO27001 or SOC 2.
- Encryption standards of data at rest and in transit (transport layer security).
- Clear measures around confidentiality, integrity, availability, and resilience of processing systems and services.
- Clear process in case of a security incident and the reporting to Sourcegraph.
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Periodic testing on security, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Legal
- MSA, DPA, Order form or SOW
- Review when annual spend is over $100,000, or annual spend is over $1,000 and vendor receives (a) customer data or (b) teammate personal data
- Typical customer data includes customer source code, repo names, support tickets, customer logs, incident data, etc.
- Typical teammate personal data includes login information, username, email, name, address, etc.
TechOps
- Okta provisioning and/or SAML available?
- If no, how is access protected
Finance/Budget
- Amount
- Contract and Commercial Terms
System/Relationship Owner Responsibilities
Every vendor we use at Sourcegraph has an internal system/relationship owner assigned to them. By assigning a Sourcegraph system owner, we have a designated point of contact for all communication with the vendor, which will facilitate turnaround times on any matters during our engagement with the vendor as well as any internal process that require vendor input/output.
The system/relationship owner is typically the person who initiates the engagement with the vendor (i.e. vendor onboarding requestor), however, in certain cases the vendor request might have been delegated to a team member but the ongoing system owner duties will be taken on by a team lead (please make sure to discuss system/relationship ownership with your team/prospective users before logging a vendor request).
Please see below the responsibilities of a system/relationship owner:
- Liaise with the vendor as the main point of contact for any engagement/partnership matters
- Working with finance to ensure the product or service is accurately budgeted for
- Keeping billing information up to date and uploading receipts as needed into Airbase
- Negotiate and request contracts/upgrades/renewals
- Onboarding and offboarding of users if not behind Okta or supported by Tech Ops (including annual access reviews for systems)
- Produce usage guidance for tool to users (please reach out to compliance about security and compliance guidance on usage)
- Help provide/extract data from vendor when requested (for instance compliance reasons (evidence), security reviews, and other data collection efforts)
Logo Rights or Case Study
Must be approved by the business champion and marketing.
Contract Renewals
For all contracts, designated buyers (employees who are responsible for the spend) should monitor contract end dates or renewal dates to ensure that:
- Renegotiations can commence in a timely manner, in advance of cessation or renewal
- Sourcegraph employees can go to market to request additional quotes from alternative suppliers (if required)
- If desired, that a vendor / contractor can be terminated by Sourcegraph allowing for any required notice period
Purchase Order Process
For procurement that exceeds the equivalent of 5,000 USD, a Purchase Order (PO) will be required in Airbase. Please attach the quote, estimate, or contractual draft to the PO prior to finalizing an agreement. The Finance team can be reached via ap@sourcegraph.com or the #finance Slack channel. For contract review, see the Contractual Execution section below.
POs are not required for our FT international teammates, but will be required for any temporary contractors.
Managing Conflicts of Interest
Any actual, potential or perceived conflict of interest that has the potential to unfairly affect or influence the proper outcome of the procurement process, must be identified and documented in the purchase order requisition.