What Type of Request?
Select the category that best describes your request
Strictly Forbidden Applications:
File Transfer / Repository Tools used on SAX equipment are not permitted. Examples include: Google Drive, Dropbox, Box, JungleDisk, and similar file sharing services.
Remote Access Tools used to connect into client environments or allow connections to SAX equipment are strictly forbidden. Examples include: Splashtop, ScreenConnect, LogMeIn, GoToMyPC, VNC, TeamViewer, Citrix, and similar remote access software.
Requests for these categories will be automatically denied.
Add-in to Existing Program
Plugin, extension, or add-on for software we already use
Tool for Personal Use
Individual productivity tool or utility for your role
Application for Department/Group
New application for a team, department, or company-wide
Replacement of Existing Application
Replace a current tool with a new solution
Section 1: Requestor Information
Verified from your Microsoft 365 account
Before completing this form, please confirm with your department head that this request has been discussed and approved at the department level.
Section 2: Application Overview
Provide details about the application you are requesting
Yes
No
Yes
No (internal use only)
Section 3: Business Justification & Existing Tools
Verify no existing application meets your needs
Application sprawl increases security risk, licensing costs, and IT support burden. We must ensure we are not duplicating capabilities already available.
Yes
No
I'm not sure, please help determine
Yes
Scheduled
Not yet
Yes
No
Section 4: Financial & Contractual Details
All cost information must be gathered from the vendor
Monthly
Annual
Multi-year
Perpetual
Usage-based
Section 5: Security & Authentication
Security is non-negotiable for financial advisory
Applications that do not support SSO/MFA integration will NOT be approved. This is a firm-wide security requirement with no exceptions.
Vendor Due Diligence Required: Contact your vendor's sales or technical team for answers to these security questions. If any answer is "Unknown," you must reach out to the vendor before submitting; unknowns will delay the review and approval process.
What is SSO (Single Sign-On)? SSO allows you to log into an application using your existing Microsoft 365 / Entra ID credentials instead of creating a separate username and password. This is critical for security because it means SAX IT can manage access centrally, enforce password policies, and instantly revoke access when an employee leaves.
Yes
No
Unknown
You need to contact the vendor and ask whether their application supports Single Sign-On (SSO) with Microsoft Entra ID / Office 365. This is a requirement for approval.
Your vendor will need to provide this information. Ask them which SSO protocol their application supports:
- SAML 2.0: The most common enterprise SSO standard. Entra ID sends the application a signed XML assertion that states who you are, so the application never sees your password.
- OAuth 2.0: An authorization framework that lets the app act on your behalf (for example, read your calendar) without sharing your password. On its own it is not a sign-in protocol; a vendor that says "OAuth" for login almost always means OpenID Connect.
- OpenID Connect (OIDC): Built on top of OAuth 2.0, adds a signed ID token that proves who signed in. Very common with modern cloud apps and fully supported by Entra ID.
- Other: Some vendors use proprietary or legacy protocols. If so, please specify below. Note that "SSO" delivered by a browser plugin that simply fills in a stored application password is not federated SSO and does not give SAX IT the central control described above.
SAML 2.0
OAuth 2.0
OpenID Connect
Other
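The difference between OAuth 2.0 and OpenID Connect in the list above comes down to the ID token: OIDC gives the application a signed statement of who logged in, and the application is responsible for checking it. The following is an added example, not code from this form or from any SAX system or vendor, showing the checks a relying party performs on an ID token (signature, issuer, audience, expiry, nonce, subject). The issuer URL, client ID, secret and user are constructed, and it signs with HS256 so it runs offline with the standard library; real Entra ID tokens are RS256 and are verified against the issuer's published signing keys.

```python
"""Offline check of an OpenID Connect ID token, as a relying party would do it.

Constructed example: the issuer, audience, secret and user below are made up.
Uses HS256 (shared secret) so it runs with the standard library only; a real
Entra ID token is RS256 and is verified against the issuer's published JWKS.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions for the demo (not real tenant values).
EXPECTED_ISSUER = "https://login.example-idp.test/constructed-tenant/v2.0"
EXPECTED_AUDIENCE = "constructed-client-id"
SHARED_SECRET = b"constructed-client-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the identity provider: sign a JWT carrying identity claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, expected_nonce: str,
                    now: Optional[float] = None,
                    secret: bytes = SHARED_SECRET) -> dict:
    """Return the claims if the ID token is genuine, for us, unexpired and fresh."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm; never let the token choose it (alg=none / key confusion).
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Signature first: nothing in the payload is trusted until this passes.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("token not issued for this application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    if not claims.get("sub"):
        raise ValueError("no subject: this is not an identity assertion")
    return claims


def demo() -> dict:
    """Mint a token for a constructed user, then show a good and a bad check."""
    claims = {
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
        "sub": "constructed-user-object-id", "email": "user@example.test",
        "iat": 1_700_000_000, "exp": 1_700_003_600, "nonce": "n-1",
    }
    good = verify_id_token(mint_id_token(claims), "n-1", now=1_700_000_060)["sub"]
    try:
        # Same signer, but minted for a different app: must be refused.
        verify_id_token(mint_id_token({**claims, "aud": "some-other-app"}), "n-1", now=1_700_000_060)
        rejected = False
    except ValueError:
        rejected = True
    return {"subject": good, "wrong_audience_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often missing in home-grown integrations: a token that Entra ID issued for a different application is still validly signed, and only the aud claim tells the vendor's app it was not meant for it.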
What is MFA (Multi-Factor Authentication)? MFA adds an extra layer of security beyond just a password. After entering your password, you must verify your identity a second way, such as approving a push notification on your phone, entering a code from an authenticator app, or using a hardware key. This prevents unauthorized access even if someone steals your password.
- Native MFA: The application has its own built-in MFA (e.g., its own authenticator app or SMS codes). SMS codes are the weakest of these options, since they can be phished or intercepted through SIM swapping.
- Through SSO: The application relies on Microsoft's MFA when you sign in via SSO (this is preferred since SAX already enforces MFA through Microsoft, and IT can change the MFA policy in one place).
Yes β Native
Yes β Through SSO
No
Unknown
Contact the vendor and ask if their application supports Multi-Factor Authentication, either natively or through SSO integration with Microsoft Entra ID.
SOC 2 Type II is an independent audit that verifies a vendor's security controls (data protection, availability, confidentiality) have been tested and proven effective over a review period, typically 6 to 12 months. A Type I report only confirms the controls existed at a single point in time. This is the most commonly requested security attestation for SaaS vendors. Ask for the report itself rather than a summary letter, and check its date and which services it covers.
ISO 27001 is an international standard for information security management systems (ISMS). It means the vendor has a formalized, systematic approach to managing sensitive data and has been certified by an accredited body. Ask for the certificate and confirm the scope includes the service you are requesting.
Encryption at rest means your data is encrypted when it's stored on the vendor's servers or databases. Even if someone gains unauthorized access to the physical storage, they cannot read the data without the encryption key. Ask who controls the keys: encryption the vendor can undo at will protects against a lost disk, not against a compromised vendor account.
Encryption in transit means your data is encrypted while it's being sent between your computer and the vendor's servers (TLS, as used by HTTPS). This prevents anyone from intercepting and reading the data as it travels over the internet.
Penetration testing (pen testing) means the vendor hires external security experts to simulate real cyberattacks against their systems to find and fix vulnerabilities before attackers do. Ask the vendor if they conduct regular pen tests, when the last one was, and whether they can share a summary with the remediation status of the findings.
A breach notification policy means the vendor is contractually committed to notifying SAX promptly if a data breach occurs that affects our data. This is critical so we can take immediate action to protect clients. Ask for a defined notification timeframe written into the contract rather than a vague promise to notify "promptly."
One or more security answers are marked "Unknown." You must reach out to the vendor for this information. Submitting with unknowns will significantly delay the review and approval process.
Section 6: Regulatory Compliance & Data Governance
Financial industry regulatory requirements
Your vendor should be able to answer most of these questions. Ask them about their compliance certifications, data handling practices, and regulatory support. Unknowns will delay the review process.
Select all types of data this application will store, access, or process. This determines which security and compliance requirements apply.
Your vendor will need to confirm which regulatory frameworks their software supports. These are laws and industry standards that govern how client and business data must be handled:
- GLBA (Gramm-Leach-Bliley Act): Federal law requiring financial institutions to protect the privacy and security of client financial information. This applies to most of what SAX does.
- GDPR (General Data Protection Regulation): EU regulation for protecting the personal data of individuals located in the EU (it applies based on where the person is, not their citizenship). Applies if the software handles any data from EU-based clients.
- SEC / FINRA: Securities and Exchange Commission and Financial Industry Regulatory Authority rules for recordkeeping, supervision, and data protection in wealth management.
- SOX (Sarbanes-Oxley): Federal law governing financial recordkeeping and reporting. Relevant if the software handles accounting or financial reporting data.
- IRS Publication 4557: IRS guidelines for safeguarding taxpayer data. Critical for any software handling tax return information.
What is Data Residency? This refers to the physical location where the vendor runs their application servers and stores your data (e.g., data centers in the US, Europe, etc.). For financial advisory firms, it's important to know where client data physically resides because different countries have different data protection laws. US-only data residency is strongly preferred.
US only
US + other countries
Outside US
Unknown
You need to ask the vendor where their data centers are located and where your data will be stored. This is critical for compliance: if data is stored outside the US, additional legal and regulatory review is required.
What does this mean? Some vendors include clauses in their terms of service that allow them to sell, share, or monetize the data you store in their system, including aggregated or anonymized versions of your data. This is a serious concern for a financial advisory firm handling confidential client information. Ask the vendor directly: "Do you sell, share, or monetize any of the data we store in your platform?"
What does this mean? Many software vendors now use Artificial Intelligence (AI) and Machine Learning (ML) tools. We need to know: Does the vendor use your data to train their AI/ML models? Do they share data or results with other users or third parties? What type of AI/ML technology are they using? The vendor can provide this information; check their privacy policy or ask their sales team directly.
DPA = Data Processing Agreement: a legal contract between SAX and the vendor that defines how the vendor will handle, protect, and process our data. Required for GDPR compliance and best practice for all vendors handling client data.
BAA = Business Associate Agreement: required by HIPAA when a vendor handles Protected Health Information (PHI). If this software touches any health-related data, a BAA is legally required.
The vendor must provide these documents; ask their sales or legal team.
Why is this important? When you stop using a vendor's software, you need to ensure you can get your data out (export) and that the vendor permanently deletes your data from their systems. Without this, your confidential client data could remain on a former vendor's servers indefinitely, creating ongoing security and compliance risk.
One or more compliance answers are marked "Unknown." You must reach out to the vendor for this information. Submitting with unknowns will significantly delay the review and approval process.
Section 7: Technical Architecture & Integration
How the application fits into our infrastructure
SaaS β Web only
SaaS + Desktop app
SaaS + Browser extension
SaaS + Mobile app
On-premises
Since this access method requires installing software (browser extension, mobile app, or desktop app), please provide the minimum system requirements for installation, such as OS version, disk space, RAM, browser version, or mobile OS version.
Select all SAX systems this application needs to connect or share data with. If any integrations are selected, please describe how they will integrate below.
What is an API? An API (Application Programming Interface) is a way for different software systems to talk to each other automatically. We ask this because if the application has an API, SAX IT can potentially automate workflows, connect it with other systems, and build custom integrations. An API is also an additional way into the application's data, so the review will ask how it is authenticated (for example, API keys or OAuth tokens) and whether access can be limited to only what an integration needs.
What is RBAC (Role-Based Access Control)? RBAC means the application lets administrators control what different users can see and do based on their role. For example, a manager might have access to reports that a regular user cannot see. We ask this because SAX needs to ensure that employees only have access to the data and features appropriate for their job function; this is a key security and compliance requirement.
Contact the vendor and ask if their application requires any firewall rules, port openings, IP allow-listing, or other network configuration changes to function properly.
Section 8-10: Vendor, Agreements & Acknowledgment
Support details, documentation, and sign-off
Documents Provided (check all attached)
Do NOT sign any vendor agreements before IT and Legal review. All agreements must be approved by the CIO.
Upload Documents
Click or drag files here to upload
PDF, DOCX, XLSX β Max 25MB per file
