
Key Legal and Business Considerations for SaaS Buyers

Four Legal & Business Considerations for SaaS Buyers by Caitlyn Thurman for Contract Nerds

$145.5 billion U.S. dollars. That’s how much the software-as-a-service (SaaS) market was recently estimated to be worth. Companies are relying on cloud services more than ever, which means that in-house lawyers and contracts professionals are reviewing more SaaS agreements than ever.

But SaaS agreements are also one of the most complex deal types because they present various risks from both a legal and a business standpoint. While there are many important factors to keep in mind when reviewing SaaS agreements, this article provides an overview of my top four legal and top four business considerations that contracts professionals representing the SaaS buyer should take into account.

Top Three Legal Considerations

1. Data Privacy and Security

Data privacy law is rapidly becoming one of the newest and most important fields today, with states and countries continuously passing new regulations or taking heavy enforcement action. Each time a SaaS solution is considered, an analysis should be done to determine how data privacy laws affect use of the solution.

First, ask: is personal data involved? Broadly, personal data is any information which can be related to an identified or identifiable person. Most of the time, the answer is yes because systems can rarely (if ever) run on zero personal data. At a minimum, the SaaS buyer will be providing their users’ names and work email addresses in order to create login IDs. These are personal data as they can be related back to a specific person.

Second, ask: whose personal data is involved? Determining the “who” will determine which laws or regulations impact the SaaS agreement. Think about this broadly: where are the individuals located and whose data is implicated? Where will other individuals see this data? As you represent a SaaS buyer, these questions are critical and must be answered before entering into an agreement to purchase a SaaS solution.

Once you have determined what laws or regulations are impacted, determine what types of clauses and attachments the SaaS agreement needs in order to meet regulatory requirements and internal business or compliance requirements. These may include a Data Protection Agreement (DPA), Standard Contractual Clauses (SCCs), the vendor’s Privacy Policy, etc. Further, make sure the SaaS agreement has adequate provisions regarding information security. Examples of just a few concerns these provisions would address are a breach of the vendor’s system, the measures the vendor takes around security of the data, and an outline of their internal information security program. Your client’s information security team can assist you in creating a standard for the minimum you require from a SaaS vendor regarding these terms.

2. Web Terms and Notice of Modifications

SaaS vendors love to link to web terms so that they can update and change terms at any time without having to execute new terms with all their customers. But SaaS buyers need to watch out for these because the terms that are reviewed when you purchase the solution may change. It is nearly impossible to comply with terms if you don’t know what they are.

Further, changing certain terms, like support clauses, liability caps, and indemnification obligations (just to name a few), can have a critical impact on your client. Try negotiating the terms to be attached as an exhibit rather than linked. This ensures that the terms you agree to at the time of signature are always in place unless you execute new terms with the vendor. If that doesn’t work, then you should attempt to add a clause stating that the SaaS vendor is required to provide prior written notice of material changes. After all, it’s the substantive changes that we really care about because they could potentially impact your client’s legal obligations or their business. If the vendor still won’t budge, then be sure your client has an easy way to exit or terminate the SaaS agreement if the vendor makes a change that is unfavorable to your client or that your client doesn’t like.

3. Third-Party Intellectual Property (IP) Indemnification  

When a SaaS buyer purchases a SaaS product, they are licensing the IP rights from the SaaS vendor to the software and SaaS services that make up the platform. One of the biggest and most expensive risks faced by a SaaS buyer is that the SaaS product infringes on a third party’s IP, resulting in a lawsuit against the buyer.  It is extremely important that the agreement therefore include a third-party intellectual property indemnification clause whereby the SaaS vendor takes on any liability related to a third-party claim against the buyer asserting intellectual property infringement.  The buyer purchases the SaaS solution relying on the vendor to have the proper authority to give them the right to use the solution. Thus, a SaaS vendor should stand behind their product if a third party sues the buyer for IP infringement.

Once you have identified that the provision is included, dive further to determine what it covers. Are there exclusions or carve-outs to the SaaS vendor’s indemnity obligations?  What damages and costs does the provision cover? What parties are covered? All of these details are important to review and consider as sufficient diligence to ensure your client is adequately protected.

Sadly, blogs can only contain so much good information for you, so here are a few other provisions that deserve some extra consideration: limitation of liability (heads up, you’ll likely see a low cap for the SaaS vendor and no cap for the buyer), warranties, license grant and restrictions, and force majeure.

Top Three Business Considerations

1. Suspension of Services

Contract professionals frequently rely on their clients to review business terms, such as suspension and termination rights. Each business has its own requirements regarding such terms. In SaaS agreements, it is common for the vendor to have the right to suspend service without notice if there is a late payment. Suspension of service may be a big concern, especially if the SaaS solution is critical to the client’s business operations or their end customer. The vendor’s concern is being paid, and they want to have recourse against the buyer if they are not paid. The most effective way to get a SaaS vendor to give up the right to suspend service without notice is to agree upon an alternative recourse for non-payment. The business may consider whether the payment terms are long enough to allow their billing department to successfully issue payment. Alternatives to suspension without notice can include revising the suspension right so that it applies only after the vendor has given notice of non-payment and allowed the buyer a period to cure such non-payment.

2. Service Level Agreements (SLAs)

SLAs define the level of service that will be provided by the SaaS vendor for the software. For example, this generally includes uptime availability, resolution response time, maintenance windows, and service credits. SaaS vendors will rarely volunteer their SLAs. Instead, you will usually have to request to see them and then spend time reviewing and negotiating them with your client. It is important to ensure that once a proper SLA is agreed upon, it also acknowledges penalties (aka service credits) if the SaaS vendor fails to meet their SLAs. Frequently, this will be credits for the missed time. The buyer will not want to pay for software they cannot use. Further, you should always advocate for the buyer’s right to terminate the contract after a certain time of continually missed SLAs. If the software performs poorly (i.e., by not being available), this will cause frustration and loss to your client and potentially disrupt their business. They should have a larger recourse for this.

3. Termination Rights

Termination rights are important in every contract and for every business. Often, a SaaS agreement only includes the right to terminate at the end of the term and for material breach, not termination for convenience. The SaaS buyer should ensure they properly understand their termination rights and monitor the various triggers. In some cases, the SaaS buyer may want to ask for a termination for convenience provision. However, most SaaS vendors will not allow this type of termination. There have been successful cases with an alternative approach of asking the vendor to agree to a termination clause with a buyout. To include this in the SaaS agreement, create a chart in which the closer a term gets to the end, the lower the buyout amount goes. This can be an acceptable alternative for SaaS providers depending on their business model and the deal size.

*                    *                   *

While each SaaS agreement will be unique to the particular SaaS vendor and buyer, the above legal and business considerations should be taken into account in most situations by the contract professional representing a SaaS buyer. A few other provisions that deserve some extra consideration: payment terms, auto renewal terms, implementation services, and customer support.

Caitlyn Thurman is currently Corporate Counsel with Diebold Nixdorf, working on the Strategic Contracting, Information Technology and Data Security team. She was previously Counsel at MRI Software LLC, a SaaS provider, where she assisted in all legal needs for the company. She has a demonstrated history of working in the information technology and services industry. She is a strong legal professional skilled in negotiation, drafting, risk mitigation, Software as a Service (SaaS), and management.
