SaaS products have become extremely popular, however, most business folks under appreciate the complexity of the legal fine print and the legal issues behind SaaS. We want to share with you our legal checklist to help you understand the legal framework of SaaS products and solve potential legal bottlenecks.
The data collection/processing and privacy issues are usually the trigger when lawyers get involved in Saas. From a legal perspective it is crucial to understand the market roll out of SaaS product to new markets as each market has its own privacy and data protection regime. One size fits all regime for data collection really does not work in connection to SaaS products. SaaS products have to carefully tailored for each jurisdiction. In the US there is a mosaic of both federal and state law privacy laws, including Children Online Privacy Protection Act (COPA), Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA) and New York Shield Act. Another complexity for SaaS products is the cross-border storage and transfer of information that may increase the provider’s exposure to liability for non-compliance with unfamiliar regulatory laws. In particular a tricky area is data transfer between the US and the EU. This creates a need to adapt and update data privacy practices to comply with regulatory rules as how to transfer and store data across different countries.
Regardless of the jurisdictions customers need know specifically which information is collected about them. This goes for both the data they provide to you directly and the data you collect automatically on the backend. After itemizing the types of data being collected, it is necessary to describe how it is collected, whether through online forms or automated procedures. For example, per the GDPR, data subjects (people whose data is collected and processed) must be allowed to give explicit, unambiguous consent before the collection of personal data. SaaS providers operating in the EU must include this consent requirement in their SaaS agreements. Further, the agreement should address restrictions on the use of customer’s data by the provider by delineating and limiting the use of customer’s data to that required only for performance of the SaaS service for the customer. Lastly, some SaaS businesses employ the use of third-party software to perform certain services on a website or mobile app. Many such third-party affiliates will require access to your customer database to perform their services, creating potential privacy problems. Although your affiliates may have their own privacy policies in place, you will need to inform your customers of their existence to retain transparency.
A correlated issue of the data privacy laws in SaaS are security procedures and practices to protect customers’ data. This another key area where lawyers get involved and review SaaS products very extensively. As such, SaaS agreements should specifically provide for mechanisms and procedures for protecting customer’s data. Data security provisions must provide for the worst case — a data breach. These provisions should include how long the provider has to notify the customer about the breach and whether this time frame allows adequate time for the customer to meet its own breach notification obligations. Include provisions in the SaaS agreement that specify which parties are responsible for performing various breach related activities, who controls the communications and of course, who bears liability for various costs and damages. Further, in some cases, the customer’s data may be accessible to third parties. In this case, agreements need to be in place with those third parties such that the third parties have security measures/systems in place that are equal or greater to the security measures/systems of the SaaS vendor.
The SaaS agreement should specifically require providers to provide customers with audit reports prepared by third-party auditors. These reports provide customers with information about the provider’s compliance with security and/or privacy procedures, allow the customers evaluate the provider’s security standards and determine if the provider’s security and/or standards align with theirs. These reports are important as they help set reasonable expectations for the provider. Some of the reports frequently cited for use in evaluating SaaS providers security standards include: Statement on Standards for Attestation Engagements NO. 16 (SSAE 16), Serve Organization Control (SOC) reports (SOC 1, SOC 2 and SOC 3). SSAE 16 was established to verify data center operational, security excellence; SOC 1 report provides information on internal controls over financial reporting, while the SOC 2 and 3 reports focus more on predefined controls related to security, confidentiality or privacy. The specific report to be provided to the customer should be stated in the agreement. Alternatively, the agreement could permit customers to audit the providers themselves. Providers can require customers to submit an audit plan weeks in advance of the audit exercise (e.g. two weeks). Be sure to limit the time, place and frequency of the audit exercise to avoid too many interruptions with your service.
4. SERVICE LEVELS
Key area around SaaS is the service level clause. This clause stipulates the minimum performance standards for SaaS. The service level clause should address key issues like uptime, support options and escalation paths, penalties, exclusions and reporting. This section is heavily negotiated and reviewed by lawyers. A few deal terms to point out here:
· Uptime — Uptime is the amount of time that a service is online for customer’s use. The service level clause should include the provider’s commitment to uptime. The specific language can be “provider will provide customer access to the SaaS Service on a twenty-four hour, seven days a week basis at a rate of 99.9%”. The 99.9% rate is the uptime metric and the method for calculating the uptime metric should also be included.
· Customer support options and escalation path — Most providers offer basic support options for situations that do not require individual attention from the provider. For example, if a SaaS tool stops working properly. It typically does so for all customers. The provider will be aware and work to fix it system wide, so customers don’t need to alert the providers. However, if there are issues that go beyond the typical help desk ticket, an escalation clause can open communication lines between the customer and vendor. A clear procedure ensures an issue is sent to the appropriate support person.
· Penalties- Should the SaaS vendor fail to achieve the uptime requirements or guarantees, clear and specific penalties should be defined and should occur. Penalties may be credits against further payments or prorated refunds.
· Exclusions — Exclusions prevent the provider form liability for issues that are beyond the provider’s control and thus, should specifically be provided for. These issues may include periods of software maintenance, and acts of disruptions caused by the customers themselves.
· Reporting — The service level clause should also stipulate that providers provide monthly/and/or weekly reports on key availability, continuity and performance metrics. This ensures the customer that expectations are being met.
Many SaaS providers use a subscription-based approach where traditional licensing and maintenance fees are consolidated into a single subscription fee. The payment process has to comply with applicable legal rules. Under the subscription pricing model, the provider provides a bundle of cloud computing services for a fixed monthly or yearly price that the customer must commit to using for a defined period. The customer then receives a fixed quantity of services for a defined period. Also, customers may be required to register debit cards on the provider’s platform and either activate automatic payments or pay manually monthly or yearly. All this must be indicated in the payment clause. Further, the refund information should also be provided for in the clause. The clause should indicate under what circumstances refunds will be paid to customers, procedures to demand refunds and how much of the purchase price will be refunded.
6. TERM, RENEWAL, AND TERMINATION
Term, renewal and termination are key features of SaaS products that require complince with applicable contract law rules. Lawyer input here is crucial. The duration of SaaS is based on a defined term and not a perpetual license. For certain services, the term may be month to month, while for other more complex services a minimum period may apply (one year or four years). The term of the agreement should be specifically stated in the agreement. Also, the agreement should provide for renewal procedures. Many SaaS agreements provide for an evergreen renewal which means that the customer’s term will be automatically renewed at the end. On the issue of termination, the agreement should provide for mutual termination rights which give the provider and customer the right to terminate the agreement on certain conditions. Typical SaaS agreements permit the provider to terminate for convenience, upon notice to the customer, if the service is discontinued. The provider may also terminate the agreement for non-payment, and for material breach (material breach can include breach-of use policies or allegation of infringement of a third party’s intellectual property rights). If any of these are included in the agreement, they must be clearly defined. Further, the agreement should provide for prior notice and an opportunity to cure any issue prior to a provider’s exercise of termination rights.
As stated above, customers should also have standard termination rights, upon notice to the provider, such as for provider breach, change of control, or violation of intellectual property rights. The agreement should provide procedures for the immediate return of customer’s data upon termination of the agreement by the provider or customer, and for assistance in transitioning customer’s data to a new provider. Transition provisions should spell out for the format for return of data, the assistance to be provided by the provider, and the timeline for a return of data-post termination.
7. REPRESENTATIONS, WARRANTIES AND DISCLAIMERS
Warranties and representations include promises SaaS providers make about the efficiency of their services, their rights to grant and maintain licenses, and their compliance with applicable laws. Be sure to fence-in any potential liability claims by stating what specific recourse can be had if representations and warranties are breached. also, a broad disclaimer of all other warranties not included in the clause should be provided for. This key provision helps close off common ways that providers have been found to have provided unintended warranties.
8. INTELLECTUAL PROPERTY OWNERSHIP
When negotiating a SaaS agreement, you will come across the term intellectual property rights (IPR). Intellectual property rights are legal rights that provide SaaS providers protection for their software. It is important to protect your IPRs in the SaaS agreement to prevent any transfer of ownership in your IPR and to limit the use of your IPRs by a SaaS customer. Basically, the agreement should contain a specific provision under which the customer acknowledges that the provider is merely granting a license to use the software and that the provider retains ownership of its intellectual property rights in the software, services and systems to be provided. Further, the agreement should enumerate the limitations of the license and provide that any use of the intellectual property in a manner inconsistent with those limitations is unauthorized and amounts to a breach of the agreement. Also, depending on how your product works, the customer may need to grant you a license to use the data or content. Most data and content are subject to copyright protection, meaning that the SaaS provider could be infringing customer’s own copyright without a license to use it. It is wise to provide a license provision stating what you can do with what types of user content.
9. LIMITATIONS OF LIABILITY
In SaaS businesses, there is a possibility that the services fail to meet agreed upon performance levels in ways that may be beyond the provider’s control. A limitation of liability clause can help limit the provider’s liability towards the customer in such instances. Depending on how it is drafted, the clause can limit losses to certain types of specified “direct” losses, with a cap on liability based on the total amounts paid by the customer over some period of time (for example, 100% of the total amount paid for services over the previous twelve months) can ban certain types of claims or place a cap on liability. Further, limitation of liability clauses may often provide a separate dollar-value cap for indemnification claims (see below) or exclude them altogether. Finally, common exclusions from limitation of liability include breach security/privacy, breach of intellectual property rights, willful misconduct, and gross misconduct.
Indemnification provisions allocate the risk of losses between the provider and the customer. It is critical for the parties to understand when they will be required to indemnify the other party and whether the limitations of liability will apply to an indemnification claim. Be sure to limit indemnification triggers in the agreement so you are not faced with a string of indemnification claims. The most common indemnification triggers are data and security breaches as well as intellectual property infringement. Finally, ensure that the agreement protects you from third party claims against the customer. To ensure fairness and uniformity, both parties should be indemnified for the same types of claims.
All these terms are critical, and they vary from product to product; SaaS providers can tailor the clauses to meet their needs and the needs of their customers. In any event, when providing SaaS services, SaaS providers should consider the above-listed terms, among others. Without doing so, SaaS providers may find themselves in unfavorable arrangements, or even subject to a high degree of liability.