The use of Software as a Service (SaaS) applications has grown substantially in the past decade. SaaS is a delivery and licensing model in which software is accessed online, often via a subscription. The SaaS provider hosts and maintains the software, rather than the more traditional model where the customer buys the software and installs it on their own computer. SaaS products can be used by individuals and companies to improve internal business processes, such as marketing, sales, and customer service. Examples of SaaS applications include Salesforce, Slack, Google Docs and HubSpot.
What Are the Key Terms in SaaS Contracts?
Each SaaS provider typically has a standard contract that governs the details of their services. While customers who are individuals may have less leverage to change contract terms, businesses working with SaaS companies often review and negotiate the terms of the agreement as needed.
Performance and Service Availability
It is essential for the agreement to set forth the service provider’s obligations regarding performance and service availability. Typically, there are “service level requirements” which the provider must meet. For customers, there are some key terms related to performance and service availability that should be negotiated, including:
- a higher percentage “uptime” requirement (the percentage of time over each day, month or year which the provider guarantees the service will be up and running, often between 99.5% and 99.9%)
- shorter measurement period for calculating the availability percentage
- limitations on scheduled downtime for maintenance
- requirements for response and resolution time to fix a reported problem
- credits (known as “service credits”) to the customer for failure to meet response time and resolution time requirements
- hours during which support is available and requirements for online and email support during non-business hours
SaaS service providers generally prefer lower uptime percentage requirements, longer measurement periods, and exclusions from the calculation of service availability (e.g. for scheduled downtime or maintenance). Providers will also want limits on service credits to customers, such as a cap on the amount credited, or stating that service credits are the customer’s exclusive remedy if the provider fails to meet its availability requirements.
Data Security and Confidentiality
Before signing a SaaS contract, customers should conduct extensive due diligence on the provider’s security measures. However, customers must also exercise care in providing confidential information to the service provider. Customers should set forth how providers are permitted to use their data and related obligations to protect it.
In addition, data security provisions should address the following issues:
- Maintenance and conversion of data
- Data backup
- Off-site data storage
- Testing and audits of security measures
- Data security policies
- Notification and procedures in the event of security breaches
- Consequences of breach
Providers should also include a confidentiality provision protecting against the disclosure of their trade secrets and intellectual property, as discussed further in the next section.
Ownership of Intellectual Property
If either party is sharing any software, services, or materials with the other party, the SaaS agreement should include provisions protecting intellectual property rights. Customers should explicitly state their ownership rights in any information given to the provider, as well as data received from or generated by the provider based on the customer’s data. The contract should also specify how providers are authorized to use the customer’s information, including the purpose the data should be used for, the time period, territory, and rights to sublicense the data.
Providers should protect their rights in any software which the customer may be exposed to. Additionally, providers should ensure that they have adequate permission under the contract to use the customer’s information and intellectual property.
Indemnification and Limitations on Liability
The use of SaaS can result in significant liability for both parties. As a result, the contract should address risk allocation. Indemnification provisions apply in the event of third-party claims. Often, these arise when there has been a security breach or a third party’s intellectual property rights have been infringed. Customers should seek indemnification from the provider in either of these cases. Similarly, providers should be indemnified for any third-party claims arising from the customer’s data.
Typically, providers also include several provisions limiting liability under the contract, such as a cap on damages and/or exclusion of indirect, consequential, and other specified damages. These should not be overly broad or too low, in order to avoid claims that these terms are unconscionable. Customers should also seek to negotiate the amount of the cap and exceptions to the limited liability.
What Are the Advantages and Disadvantages of SaaS Agreements?
SaaS is not right for every company or business need. While there are significant benefits, there may be too many risks for a particular business to take. The following issues should be considered by the parties:
Business customers can use SaaS applications to easily gain use of sophisticated technology without a large start-up expense, capital investment, or need for extensive staffing. SaaS companies can provide customers with infrastructure, data storage, IT support, global access, security, and much more at a predictable cost. Customization and scalability as the business grows may also be available.
However, SaaS has risks as customers must cede control of critical functions to a third party that may not be fully accountable in the same way as in-house staff. For example, customers may be subject to the provider’s decisions regarding which of its customers to prioritize, pricing, maintenance schedules, technology problems, upgrades, financial troubles, or other issues. Risks are particularly high for data breaches because customers can be held liable by the government as well as by individuals whose data was revealed.
In addition, customization of the software may be more limited than what could be done with an in-house team.
Contracts can be lucrative for providers; however, providers must be careful about promising more than they can deliver. They must meet requirements for maintaining, supporting, and processing data properly or face significant liability. In addition, they must make significant investments in their infrastructure, staffing, and security in order to meet customer obligations.
The key to success in any SaaS relationship is to seek legal assistance in conducting due diligence and reviewing the contract. The parties must clearly understand what the other side is offering and the benefits and risks of working together. Proper due diligence examines the other party’s reputation and vets its operations and policies to ensure they meet the party’s requirements. Contract review and negotiation further ensure that the agreement reflects what the parties discussed so both sides benefit.