Overview of Software-as-a-Service Contracts
The specific terms and conditions that make up a software agreement can vary significantly depending on the software itself. With Software as a Service (SaaS) contracts, you are entering into an agreement to use software that is hosted on the cloud, rather than on-premises at your organization. The software is maintained by the cloud provider and licensed to you based on your consumption of the service and/or the number of users. You do not gain ownership of the underlying software and technology (or not until the end of the contract term) , and your license often terminates under certain conditions, such as if you stop making payments or the contract expires. There are also many other terms and conditions that are unique to SaaS contracts, including restrictions on the way in which the service can be used, dependence on the service provider for performance, and more.
Your business should be entering into an agreement that is unique to the service you have contracted for, and one that accounts for all costs, terms, and conditions.
Common Issues in Software-as-a-Service Contracts
The legal issues that arise in SaaS agreements are many-fold. These include data privacy concerns, security obligations, intellectual property rights and duties, and consumer protection issues. Many of these issues will be dealt with in the Vendor Terms and Conditions (sometimes also called General Terms and Conditions) of the SaaS vendor, and some will be found in the separate Notice of Privacy Practices of the vendor. Accordingly, it is important for SaaS customers to consult with their attorney in reviewing both the SaaS Vendor Terms and Conditions and the Notice of Privacy Practices of the vendor.
Many SaaS vendors impose on their customers an obligation to maintain the confidentiality of the vendor’s confidential and proprietary information. At the same time, the SaaS vendor will "carve out" from the customer’s confidentiality obligations the personal information that the customer provides to the vendor for processing by the SaaS service. If the services the customer is acquiring from the SaaS vendor involve processing personal information, the customer should consult with privacy counsel before signing the SaaS vendor’s Terms and Conditions.
Related to the obligation of the SaaS customer to maintain the confidentiality of the vendor’s confidential information is the obligation of the customer to protect financial account numbers, based on the Payment Card Industry Data Security Standards (PCI DSS) and the obligation of the customer to protect personal information under the California Confidentiality of Medical Information Act (CMIA).
Both PCI DSS and the CMIA require the implementation of detailed data protection safeguards. Failure to implement these safeguards may trigger an obligation to report to the government. Where personal information is involved a failure to provide protections required by the applicable privacy statutes and regulations can trigger a private right of action, as well as statutory civil penalties. Failure to comply with PCI DSS may result, in the case of a data breach, in contractual liability to the customer’s customers, credit monitoring costs and other direct costs, regulatory fines, and class action liability, not to mention potential harm to the customer’s reputation that may result in loss of business.
The structure of many SaaS service agreements gives the SaaS vendor control over customer data, allowing the Vendor to hold the customer hostage when the relationship sours, by tying the delivery of customer access to its data to a new purchase agreement. A careful review by an attorney experienced in negotiating SaaS service agreements can help ensure that your SaaS vendor cannot use the data against you if your relationship ends.
And, of course, if there is any third-party software involved, it is critical that the customer receives from the SaaS vendor at least a summary of the third party licensing agreements so as to clarify the use rights and limitations. A simple amended Terms and Conditions provision cannot usually fix a problem with the underlying third party software licensing agreement. The SaaS customer must get the best deal it can from the vendor with respect to all of the risks, both contractual and noncontractual, that may arise from using the software licensed by the SaaS vendor.
Contract Clauses to Watch For in Software-as-a-Service Agreements
SaaS contracts are usually long, complex documents. In order to understand their implications, you need to have a high level of technical understanding, as well as of the legal ramifications. This makes enlistment of a technology transactional attorney desirable.
Some of the key clauses of which a SaaS attorney should be particularly cognizant are those that address service levels, termination rights and limitation of liability.
Service Levels
SaaS customers should expect clearly defined services, since they are typically purchasing finite features at a defined cost. Performance metrics should be established in the contract, with recurring service credits sufficient to obtain restitution in the event of a minor breach.
Service levels should include availability and quality standards above those mandated by a particular region’s strictest IT regulations. Be wary of service credits which cannot be converted into money, as these could lead to financial loss to the customer in a worst case scenario.
Termination Rights
SaaS clients should include strong termination rights in any contract with their service provider. These rights frequently focus on remedy of breach. For instance, are warranted service levels and definitions given as part of the service? Service providers can offer a discount for a breach, but you want to make sure that your liability is capped at an appropriate discount. A warranty is not required but is highly recommended to give enforceable assurance of delivery of a promised service.
Limitation of Liability
An SaaS client should have a complete and clear understanding of the limitations of liability so that he knows what he could lose if the contract goes south. Some common limitations of liability in SaaS contracts include:
• Limitation of liability up to the fees owed to the vendor
• Specific exclusions to liability caps
• No liability for indirect damages
• Limited indemnification
• Claims based on express representations, and
• Exclusion of consequential damages and liability for loss of data
These and other contractual provisions need to be thoroughly understood by any company before it decides which SaaS suits its needs. Anything less could result in shortsighted mistakes which may be costly in the long term.
The Need for a Software-as-a-Service Contracts Attorney
SaaS deals require sophisticated legal review. They involve complex technical issues and an attorney must be knowledgeable about licensing, intellectual property, because SaaS providers are extremely protective of their intellectual property, and many other legal issues. An attorney experienced with SaaS contracts will also find important issues in the TOS, SLA, EULA and other documents that a company may sign during the sales cycle.
Let’s look at some of the major issues that a SaaS attorney can help you with:
Intellectual Property. Subscription models. The SaaS provider’s intellectual property rights. Hosting Intellectual Property. Because you’re hosted, who owns the hosting facilities and does the SaaS company allow you to move your application from their hosting facility if you want to? Is the application (or your data) portable? Whether or not there is an SLA document or TOS, SaaS companies usually have their own terms of service located on their website. Issues such as password requirements, access levels, when you can use the software, acceptable usage, and other terms should be considered. Your attorneys should be able to provide you with advice on how to assess whether these terms work for you .
Privacy and Security Your company’s privacy policies need to be reviewed and compared to the SaaS company’s TOS, SLA, EULA and other documents that the company may be signing. For example, what will happen if the software is down or if it becomes unworkable; does the provider offer any kind of credit or refund for this downtime? Sometimes there are back out periods, so that the company can terminate the relationship easily if the software isn’t working for them. Will the SaaS provider offer backup, disaster recovery and business continuity services? Are they GDPR compliant, HIPPA compliant, and are they certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks? There may be a host of other issues, depending on your business.
Software Integration How the current software will integrate with your systems?
Liability Limitation of liability clauses should be reviewed. Liability will often be limited to only certain kinds of damages and sometimes to a specific monetary amount. It’s important to ensure that the liability limitations are fair and that they are not unduly burdensome to your own company.
Confidentiality SaaS contracts will oftentime have provisions that limit the use and disclosure of confidential information by the other party. Review these provisions carefully to ensure that your trade secrets are protected.
Retaining a Software-as-a-Service Contracts Lawyer
Simply put, you want an attorney who has specific knowledge of the SaaS industry and cloud-based products. Attorneys who work with tech companies have a greater familiarity with not just SaaS contracts but also common negotiating strategy and hot button issues – both for buyers and sellers.
Why does this matter? It matters because it can save you time and money as the attorney can quickly and accurately hone in on the key issues in your contracts.
Another reason to work with an attorney who specializes in the SaaS industry is because your attorney may have had experience with issues you have never even thought of before. For example, your SaaS may be used by other companies to provide their SaaS products or it may be configured in a way that will give your customers some unexpected tax liability (cloud computing is a hot topic in the tax world). These are issues that have not come up in every SaaS provider’s contract, but they are places where you want to secure the responsibility for managing the risk in order to protect your own company.
When it comes to negotiating skills, neither side wants to leak out all of their negotiating strategy or wishes to obtain too much information about the other side’s goals. Most companies have some level of cover person – someone who cannot negotiate on her own behalf because she does not have full authority from her employer. So, you also want your attorney to have good negotiating skills in order to dispense with the other side’s cover person without being rude.
The best way to do this is through collection of "clean concessions." To use this strategy, you and your attorney will identify concessions that do not cost either side any money. For example, most of the time, subscription software is sold on an annual basis and is always paid in advance. Usually, with your customers, you will not provide any discounts for early renewal. You could agree to reduce the discount for early renewal. This cuts into your income only slightly but should be in high demand by your customers.
A good attorney will often know the types of clean concessions that are in high demand by your industry’s constituents and will be well positioned to offer them up. You may be able to contract out the negotiations for the less important issues in order to concentrate on the more important ones.
Previous Cases Successfully Navigated WRegading Software-as-a-Service Contracts
The importance of having a specialized attorney in navigating the murky waters of SaaS agreements can be gleaned from the case studies below:
Case Study One
A medium-sized law firm turned to us when they were facing a situation where their outside providers were working on SaaS agreements without a unified strategy. When it came to the survival of the business, lack of collaboration, lack of focus and disparate strategies could prove fatal. We were able to provide them with a clear, unified approach and strategy for negotiating agreements. At the same time, we prepared a risk analysis and contingency plan to cover the worst case scenario. In the end the hard work of the entire team brought success and survival to the business.
Case Study Two
We helped a Cloud Service Provider (CSP) who had been acquired by a larger , cloud-based technology company. Our client didn’t realize that their existing SaaS agreements weren’t going to support their new owner until the deal was almost done. By the time we met, they only had a few days to renegotiate their existing agreements. The problem was that they were being asked to provide "unreasonable" concessions while the timeframe for negotiating the "unreasonable" terms was less than ideal. Our cloud attorney was able to quickly identify the key business objectives involved to make changes and provided a strategy that helped push through the modifications without costing the parties more.