Must-Have Sections in Software as a Service Contracts

Overview of SaaS Agreements

The use of online software as a service products and applications represents the next step in the evolution of software. Acceptance of the software as a service or SaaS model by consumers has spread like wildfire. In its most basic terms, the SaaS model is where a business does away with traditional software and uses a Web browser to access the software, rather than having it installed on the hard drive of an individual computer. This shift has proven to be highly beneficial for businesses for many reasons. Slowly but surely, however, the legal industry and its counsel have also caught up with these trends. Much like any other contractual relationship that can form, a SaaS model can result in disputes if left unchecked. Proper drafting of the SaaS agreement is vital, and should be at the forefront of any business’s legal representation. SaaS agreements dictate both the enforcement of, and the limitations of, rights in the context of these new programs.

Definitions of Key Terms in a SaaS Agreement

Software as a Service (SaaS) agreements typically require SaaS providers to provide a number of key customer terms to customers. In addition, often enterprise customers have very specific business needs and standards, which will need to be reflected in the agreement.
Some of these key customer terms can be found in the following provisions of a SaaS agreement:
Subscription Model. A subscription agreement for an on-demand service offered via the Internet is often called Software as a Service (SaaS). For subscription-based SaaS agreements, there are two (2) general types of software subscriptions: named user subscription (also known as a "seat license") and concurrent user subscription. With a named user subscription, each authorized user is assigned a unique user ID and password through which the authorized user can access the software. With the concurrent user subscription, rather than assigning user IDs, an enterprise is licensed for the concurrent access of a certain number of users and is charged a monthly (or other period) subscription/premium amount for the number of users to which it subscribes at any given point in time. So, for example, with a concurrent user solution, an enterprise could elect to pay (a premium) for, at any one time, 10 concurrent users, 20 concurrent users, up to the total number of concurrent users offered. The enterprise has the ability to rotate through the users and know that on any given day, at any point in time, it may have 1, 2, 3 or more of the same named users or individuals accessing the software platform to take advantage of the software. Typically, the subscription fee will be based on a monthly or annual subscription or user fee.
Service Level Agreement. In addition to pricing and subscription model, customers may also want to include a service level agreement. A service level agreement sets forth detailed performance standards (e.g. uptime, speed of service availability, technical support) that the service provider is able to provide to the customer. This is particularly important in industries where data services are extremely sensitive and the businesses are highly regulated (e.g. banks and financial service providers, healthcare industry, pharmaceuticals, etc.).
Pricing. The pricing for a SaaS agreement is typically structured in one of three ways: (i) an initial setup fee and monthly fees based on the software service(s) selected by the customer; (ii) an initial fee and monthly subscription fee for use of the service, and (iii) a monthly subscription fee (annual fee) for a subscription service. Pricing may be based on the number of named or users, frequency (i.e., daily, weekly, monthly, annually), distribution (i.e., territory based, or geographic region based), volume, monthly flat fee per device, per license, etc.

Accessing and Using the SaaS Product

One of the fundamental components of a SaaS agreement will be the User Rights and Access issues. These particular provisions will of course also be tied into the general licensing and use provisions found in most software agreements; however, there are some additional considerations that should be addressed for most SaaS-based agreements. Many times the SaaS platforms are open to multiple devices, meaning that a user can get access from their smartphone or tablet. Furthermore, an end user might have multiple accounts and be accessing the platform with more than one device at the same time. As such, this issue is worth addressing so that the licensing rights of the company and their employees are not violated. When dealing with these situations, it is best to address the issue up front. Many SaaS providers offer flexible pricing options based on the volume of users, so talk to your SaaS provider about these options to confirm that they properly fit your company’s needs. Another best practice to address here is that authentication should be included in the service levels. User authentication is another way to ensure that appropriate controls are being implemented to help prevent unauthorized users from accessing the Company’s data. In addition to basic authentication (i.e. user name and password), multifactor authentication should also be discussed. Another option is Single Sign-On (SSO) authentication. SSO can be used to allow for seamless signatures and communications between the Company and its employees. Scale and enterprise solutions are available for these types of authentication.

Data Privacy and Security Standards

Data privacy and security obligations are a critical consideration because SaaS typically includes the processing of personal data. The parties should identify the collection, use, storage and transmission of personal data in the SaaS relationship. The customer should obligate the provider contractually to comply with applicable data protection laws and industry standards, such as the GDPR, HIPAA and PCI. The parties should agree as to which entity is the controller and the processor and document how controllers and processors should address their obligations. The customer should obligate the provider to maintain an information security management program with technical, organizational and administrative controls appropriate to the nature and sensitivity of personal data being processed. The parties should agree as to how consent, notice and deletion will occur (e.g., immediate deletion, same-day deletion, 30-day deletion) upon termination or expiration of the agreement. The customer should require the provider to provide it with a current data security audit report upon request.

Handling of Intellectual Property Rights

A SaaS agreement should set forth which party owns the output resulting from the services and how such output may be used by the customer. While the vendor will likely want to own the results in order to be able to provide services to other customers, the customer may want the right to access and use the output even after the SaaS agreement terminates. Alternatively, some SaaS vendors will permit the customer to own the results or data, especially when it concerns proprietary customer data or investments made by the customer into custom coding. Ownership of the software is also important. Many companies provide a multi-tenant product for which they license the service. Under this structure, multiple customers are using a single platform, but are able to customize their experience through configuration and/or customization. The SaaS vendor will want to own the underlying software and the customer will want the right to use the software for its internal business purposes. Both parties should also be cognizant of whether the customer will have the ability to reconfigure the software, whether such reconfiguring would be considered a work made for hire subject to a third party licensing right, and how the customer may use any modifications to the software, an additional service provided by the vendor. Such features can bring the value of the SaaS agreement up substantially.
If a vendor representative will be providing support services in connection with the product, the provision of such services normally will have an impact on who owns the underlying technology. If the vendor will develop new technologies incident to providing support services, even if the technology is only necessary for the product being used, the vendor will want ownership rights to the developed technology. Conversely, the customer would want all developments to be owned by the customer to avoid problems with the termination of the agreement and the vendor no longer maintaining the functionality of the technology. The ability to retain ownership of source code is often a primary concern of both the vendor and the customer. The customer typically will not want to own the source code, licensing instead the right to use the source code exclusively for its benefit, while there would be pressure on the vendor to retain ownership in all other situations. If there is a need for periodic upgrades and patches, the customer should have the right to receive and test such source code in advance of the installation. The source code may also be incorporated into an escrow arrangement to provide the customer access to the source code upon the occurrence of a release condition such as bankruptcy or insolvency.

SaaS Agreement Termination and Renewal Provisions

Every SaaS agreement should clearly define your termination rights, the notice you need to provide to exercise such rights, and whether you can restrict or continue a subscription following termination. It should address the impact of any auto-renewals upon termination, and it should clearly address the duration of any continued use. Without the proper balance between the duration of the obligations, the notice required to address the termination and any continued rights, the SaaS agreement could be even more binding than a typical multi-year term license.
The SaaS agreement should also define the duration of any post-termination obligations, including, for example, payment obligations, and the timeframe for obligations regarding the return or destruction of data. A SaaS provider that has access to sensitive data for a long duration following termination may make it more difficult for you to rebuild your infrastructure and can significantly increase the risk of unauthorized disclosure or use.
Further, if auto-renew is a part of your SaaS agreement, be sure to confirm that you have a right to terminate upon an auto-renewal event. Watch for clauses that limit your rights to terminate unless you provide a notice within a limited time period; if you would like to provide a longer notice period, you may not need to accept such a restriction.

Limitation of Liability and Indemnification Terms

Liability and indemnification clauses are typically found in every SaaS agreement, but the respective liabilities of the parties in those clauses are very often heavily one-sided, to the detriment of the customer. For that reason, customers should pay particular attention to this provision, to understand its risks and potential liability to the vendor. One of the most common pitfalls we see is where both the customer and the vendor have liability caps, but the vendor’s cap is the amount of fees paid by the customer to the vendor in the previous 12 months. Thus, in cases of a fixed fee arrangement (e.g. $1,500.00 per month), the liability cap in any given year is $18,000. In the event of a security breach or other incident that results from a failure to comply with applicable laws, the costs of informing customers of a breach can be quite high – tens of thousands of dollars – as are associated with personal threats to individuals whose data was exposed. In addition to having a 12 month cap set at a dollar amount that is much less than the damages, it is also common for the vendor to disclaim all liability for lost revenue or revenue damages, cost of recovery, lost profits, loss, damage or destruction to data, among other losses.
From the vendor’s perspective, the liability and indemnification clauses are equally important. If the software contains external content (like images), the customer could be liable for use of content that may be considered infringing, even though the vendor assured them it was not. In addition, if a third party brings a lawsuit against the vendor alleging that the vendor’s service breached copyright or a third party claiming that it should be compensated for use of its content, the customer could be jointly liable with the vendor. Typically, an indemnification clause does not require the customer to reimburse the vendor for legal fees incurred in defending a lawsuit, even if the litigation directly involves the customer’s actions.

Dispute Resolution Procedures

Although some SaaS providers tend to focus on the business relationship with customers, a SaaS agreement, like any other commercial contract, may involve a dispute requiring resolution. Early on in negotiating a SaaS agreement, consider inserting a dispute resolution clause that specifies how disputes will be resolved, including whether either party is entitled to a jury trial (or whether to waive the right to trial by jury). An overwhelming majority of SaaS providers will include a dispute resolution clause requiring arbitration because arbitration can be quicker, less expensive, and less formal than litigation in state or federal court. Generally, the Federal Arbitration Act governs the arbitration of commercial disputes, although some courts will still apply state law if they deem its rules appropriate.
Another important aspect of a dispute resolution clause is the venue or jurisdiction in which the dispute is to be resolved. In the event of a dispute, an arbitration will be conducted by one or three arbitrators depending on the dispute amount. In light of the location of the arbitration, arbitrator selection opportunities, and other factors, the venue listed in the contract can lead to difficulties for one party or the other. For example, if a customer’s premises are located in California and the service provider has a datacenter in California, they may agree to resolve disputes in California only to find out later that the customer has a significant presence in Canada and wants the award modified or set aside there.
The parties must also agree on the governing law applicable to the contract and any disputes. Such choice of law clauses are typically enforced as long as the chosen law bears a reasonable relationship to the transaction and application of the law would not be against public policy.

Negotiation of a SaaS Agreement

When negotiating a SaaS agreement, the fundamental question for both the client and the vendor is how to share or apportion risk. In practice, this means that each party has to consider the other’s requirements, then work out which contract terms are fair and appropriate based on those requirements.
Risk apportionment is particularly important in areas of the contract such as: Any contract term that one party tries to push through without taking into account the other party’s needs could be considered a "deal breaker" to the other party. Evidence of flexible and sensible negotiation should be built up over the process, leading to a bespoke agreement that fairly balances the risks involved in the particular SaaS arrangement.
If neither party makes a reasonable effort to compromise and modify the contract terms in order to reach a position that suits them both, the SaaS project may fail even before it gets going. This is because, in the event of a dispute, the party that could have negotiated more reasonably (and some may be legally bound to do so) will be in breach of that contract. If either party is prepared from the outset to exploit its negotiating muscle, there is a good chance that no SaaS agreement will ever come to pass.
