No one should overlook legal issues. The SaaS business model is relatively new, but most of the legal considerations are well recognised, albeit that some aspects have developed from consumer services, which were far less likely to be challenged by customers.
The table below identifies some of the principal legal issues that you should consider.
| Issue | Considerations |
|---|---|
| Method of contracting | If the contract value is significant for your organisation, ensure that the terms and conditions proposed by the vendor are fully reviewed by a suitably qualified lawyer, and ensure that non-authorised employees do not commit the organisation to services, or service terms, you do not want to be bound to. The vendor will offer either a hard-copy agreement or website terms and conditions. If the latter, be sure that the terms are easily accessible early in the sign-up process and, ideally, expressly accepted. |
| Software licensing | Licensing practices vary. Some SaaS vendors do not grant the customer a licence to the software at all, as the customer receives a service under which it has the right to access software. Other models grant a licence to access and use the software for the purpose of receiving the service. Ensure the licence, or grant of access rights, is wide enough for your requirements in purchasing SaaS (including any jurisdictional requirements). Additionally, consider whether an intellectual property rights indemnity should be sought against intellectual property rights infringement by the vendor (including patent infringement and copyright infringement). |
| Service levels | You need to be clear as to exactly what service levels (if any) are being offered by the vendor and the potential remedies for failure. Matters to consider include: how availability will be measured and over what period; whether availability should apply to all applications comprising a SaaS offering or just individual components; system response times; service response times; and helpdesk response times. One feature of SaaS is the ability to rapidly scale the level of usage up and down; ensure that all relevant metrics and limits are clearly agreed. Customers should seek regular and transparent reports. |
| Service credits | Service credits will generally be offered as the customer's primary or sole financial remedy for the vendor's failure to meet its service levels. Note that the wording of service credit clauses can have a significant bearing on whether a court sees service credits as 'liquidated damages' for breach of contract or as a contractual mechanism setting out the price payable for a particular level of service. You should consider whether the service credits on offer are adequate and whether an exclusive remedy provision is acceptable. You also need to consider including a right to terminate for consistently poor service or a major outage. Your vendor should be aware that attempts to limit the customer's remedy to just service credits in a standard-form terms of business agreement will need to be 'reasonable' under the Unfair Contract Terms Act 1977. |
| Business continuity | Both parties need to consider what contingency plans are offered, or should be sought, in the event of a disaster or the vendor's insolvency. You also need to consider backup arrangements for your data. It is unusual for escrow solutions to be offered in pure SaaS contracts. |
| Security | It is important that any security requirements are clearly set out in the contract. The vendor should additionally include acceptable use and user password provisions, and provisions on each party's liability in relation to the introduction of viruses or other harmful code. Vendors will be looking for liability limitations and exclusions for failure to achieve specified security requirements (e.g. loss of data). In particular, they will be considering whether to exclude consequential losses and include an overall cap on liability in the contract. You need to consider encryption of data prior to transmission, customer-specific hardware, specified levels of security at the vendor's physical premises, minimum vetting requirements for vendor personnel that have access to infrastructure, and backup requirements. |
| Data protection | If the SaaS is hosted in the UK or EU, the customer (as data controller) will need to comply with the Data Protection Act 1998 if any of the customer's personal data is to be transferred to the vendor's servers. The vendor typically acts as data processor, and contractual provisions must be included to comply with the Data Protection Act. Your compliance obligations will include ensuring that the vendor provides appropriate technological measures against unauthorised disclosure of personal data. Additional factors will apply if the SaaS is hosted outside the EEA, particularly if sensitive personal data is to be transferred. |
| Ownership of data | You should seek an express provision that all data (and rights in such data) belong to your organisation. Also consider what rights, if any, the vendor has to such data. |
| Other regulatory issues | You may have additional regulatory concerns (such as compliance with MiFID, or the material outsourcer provisions in the FSA Handbook) that should be raised as necessary with vendors to ensure that the vendor is able to comply. |
| Exit/migration | Most SaaS contracts do not contain detailed exit provisions for certain circumstances, e.g. where data access and migration are necessary. You need to know what is involved before committing your organisation's data to the service. |
| Other clauses | For the sake of contractual certainty, both parties should ensure that contracts contain choice of law and jurisdiction provisions (with local law advice being sought as necessary), clearly drafted payment provisions (and a mechanism for working out cost), and provisions dealing with third-party rights, waiver, severance, duration and termination rights for each party. You should also consider seeking a right to terminate on a change of control of the vendor. |