Getting to Know SaaS Contracts: An Attorney’s Perspective

What is a SaaS Contract?

Software as a Service (SaaS) contracts are a legal structure whereby software services are provided over the internet (the "cloud") to any computer with a browser interface. SaaS contracts eliminate the need to install and run applications on a computer system. While the software is owned by the service provider, the SaaS contract allows the customer to use the provider’s applications on a subscription basis.
A SaaS contract outlines the agreement between a business or an individual and the SaaS provider. The provider essentially offers its software via the cloud as a third-party service that eliminates the need for the customer to acquire unnecessary hardware and software, and to maintain and update the software and licensing agreement. This gives companies a competitive advantage in that they can save a great deal of money by outsourcing this task. The customer can access the SaaS application through its web browser as long as it has an internet connection.
Of great importance when it comes to negotiating a contract for SaaS is the service level agreement. This formal agreement spells out the specific services the subscriber can expect from the provider. Some of the expectations and terms are availability, response times and system requirements. A good rule of thumb is for the subscriber to always try to add items to the contract to protect itself and to negotiate the service level agreement even if it isn’t a contract term.

Essential Components of SaaS Agreements

There are many considerations that impact the scope, complexity and enforceability of your SaaS contract. The goal is to protect both Parties and ensure the legal integrity of the agreement, knowing these contracts underlie your business model. Downstream, if you’re the customer, you want to know how much control you maintain over your data and what happens should a termination situation occur. In terms of the services, you want to ensure that you will be compensated appropriately should things go wrong. These are all standard requirements and obligations you can both agree to.
In general, you want to define the service level you expect to get from the service provider. From a service provider standpoint, you want to protect your infrastructure and position, so the obligations you have to meet in terms of the service levels must be limited in scope. This is usually covered in a limited warranty section.
Data privacy is a key concern from a customer standpoint. You want to define the protection afforded to your data and whether the SaaS provider may deposit any of its own data or information into your instance. You also want to be prepared to respond to data requests or privacy requests from individuals or employees if you’re in a business such as banking, insurance or healthcare, where those obligations are prevalent and current. Of course, ultimately, if you are coming up with what you want from the contract, this is where the service provider now has to tell you whether they can do what you’re asking.
User access is another consideration, including the ability of the service provider to monitor or oversee access to the system and its users. So is the level of access your users will have: what type of access, multiple points of access to the system or a single point of access, and how the level of access you require limits the system functionality.
Compliance obligations under the contract will also drive a lot of the contractual requirements you have to discuss; considerations, such as protocol for meeting PCI compliance requirements and those obligations, and other industry-specific regulatory matters.
Some of the other standard provisions routinely seen in all contracts, regardless of cloud type, include: granting the service provider access to the customer’s hardware and/or software (which should be pro-rated for the duration of the contract); negotiating payment terms, including invoicing and payment procedures; addressing termination and ‘no-fault’ termination rights/obligations; indemnification obligations; warranty and non-infringement obligations; treatment of confidential information; liability limitations; insurance coverage; jurisdiction and governing law; and feedback procedures.

Legal Issues for SaaS Agreements

As the popularity of Software as a Service (SaaS) applications has grown, so has the complexity of the contracts governing them. For every subscription agreement entered into by users and providers, there’s a raft of issues lurking just beneath the surface waiting to trip things up. I’ve drafted a few of these issues below:
Intellectual Property Rights
While the vast majority of SaaS agreements clearly state that the application and all its underlying intellectual property are owned by the software provider, other issues relating to intellectual property ownership can be far less clear. For example, if a user develops an integration or plug-in, what rights does the user have to the code and what rights does the provider have to alter, delete or copy the code? Some agreements are entirely silent on this issue.
Further, many SaaS applications today leverage third party development kits or APIs (application programming interfaces), and in the age of software open source, it is often hard to identify when a developer is infringing on intellectual property rights belonging to either a third party or the provider, and if infringement occurs, who owns those rights?
Liability
Liability limitations are a common feature of software licensing agreements and have become all but a necessity for SaaS applications today. Unfortunately, due to the complaint-based nature of U.S. statutory law, liability limitations are often cited by plaintiffs looking for money and/or notoriety generated from a successful settlement. In practical terms, every plaintiff’s attorney should be aware of a recent federal appellate decision from the First Circuit Court of Appeals, AirTouch Communs., Inc. v. Accessline Communs. Corp., 319 F.3d 159 (1st Cir. 2003). In AirTouch, the court held that when waiving the ability to recover incidental and consequential damages through a carefully and unambiguously worded limitation of liability clause, limitation of liability disclaimers constitute a valid and binding element of the parties’ agreement. In practice, this means that even if the parties have agreed to disclaiming liability for certain categories of damages, a plaintiff asserting a cause of action under a contract should always check to see whether liability is limited by contract and if so, ensure that the language of the contract appropriately and narrowly disclaims the recovery of such damages.

Function of a SaaS Contracts Lawyer

For businesses in every industry, the use of software is vital to ensure that operations function well. Software as a Service (SaaS) is changing the way people use software and increasing efficiency so that problems can be addressed and resolved more quickly and trends analyzed and understood more readily.
Where a company enters into an agreement to obtain a SaaS, certain safeguards and contractual protections need to be put in place to protect the parties to the contract.
The role of the SaaS contracts lawyer is to assist in drafting, reviewing and negotiating the agreement for the proper acquisition and implementation of the SaaS, and will often include some or all of the following contractual protections:
SaaS contracts lawyers will often review contractual software agreements secured by their clients for the adequacy of the above clauses. The protection and security these clauses afford are important matters to consider whenever you enter into an agreement with a SaaS provider.

Negotiation of SaaS Agreements

An effective way to negotiate SaaS agreements is to review a client’s issues with these agreements, and then provide a checklist of things to ask for. Some of the issues we see often with SaaS agreements are the following:
Data Ownership. When customer data is stored in a SaaS vendor’s cloud environment, how is customer data protected? Can the customer access it? What happens if the customer wants to leave the SaaS arrangement? Who owns the data? How can the data be mined? What happens if the data is compromised? Who is responsible for the data?
Service Level Agreements (SLAs). What happens if the service isn’t working? How much notice will a company get? How are disputes resolved? Can the customer terminate the contract?
Compliance. If the SaaS provider is transferring data out of the EU, is the company’s SaaS provider compliant with the EU Data Protection Directive?
Limitation of Liability. Does the SaaS vendor limit its liability? Can damages received be covered?
Indemnification. Are indemnifications reciprocal?
Scope of Work. Has the work been defined so that the company isn’t surprised by what work is included in the SaaS offering?

Trends Ahead for SaaS Contracts

The trends in SaaS basic contract terms are continuing to evolve, as are the regulatory requirements around the broader use of cloud-based solutions. These include but are not limited to:
Release of the California Consumer Privacy Act (CCPA) – There is a steady increase in the industry understanding and acceptance of privacy as a concept that must be built into all systems, including the development of the system but also in how the system is fitted into existing company processes. It has been a slow evolution from "one-size-fits-all" policies, which have created unexpectedly high costs to businesses for data breaches, to more customized policies driven by the idea that companies are accountable for user information and must be transparent to users in the collection and tracking of their privacy preferences. With CCPA and future state and federal laws expected to follow, compliance mandates are forcing businesses to comply with standards they may not have otherwise adopted voluntarily, and to consider privacy throughout the life cycle of their software applications.
Budget/Cost concerns – Implementing a SaaS solution appears simple, but there is a complex decision making process which is dependent on the size of the business, the complexity of the SaaS solution, the access required to sensitive information, the requirements for customization, and the company’s current infrastructure. SaaS solutions are being embraced by businesses across the full spectrum, however implementation often requires a steep learning curve in determining the right solutions for the internal business needs.
Complicated industry standards – Industry standards are emerging for many industries, and like the privacy-related standards requiring companies to consider the life cycle of their application, SaaS solutions are now being anticipated to accommodate the full range of industry-specific regulations. For example, in the healthcare industry, additional standards (including meaningful use, MIPS, quality payments and value-based services) are adding pressure for SaaS solutions in that industry to meet the full spectrum of regulations.
Integration of SaaS into existing infrastructure – More and more businesses have at least one or more SaaS solutions on the market, and many are exploring multiple solutions to determine which will yield the highest productivity or other efficiency gains. Businesses are increasingly looking for SaaS solutions that can accommodate or be integrated into their current infrastructure. For example, analytics tools are now expected to integrate with various data sources and applications, and companies are seeking providers that will integrate with popular applications such as Microsoft Excel, Salesforce.com, and other productivity tools. Solutions that do not require additional time and resources can create additional cost efficiencies.
