October 18, 2010
You’re offering a SaaS (Software as a Service) solution to the corporate market. You’ve developed your standard form SaaS agreement (sometimes referred to as a “hosted software services agreement”). And you’ve presented your agreement to your corporate prospect’s representative.
Are you prepared for the issues you’re most likely to be confronted with by a SaaS-savvy corporate user – or do you flunk the test?
Two Approaches to SaaS Contracting
There are two basic approaches to SaaS agreements with end-user customers:
* the click-wrapped agreement approach – a “take it or leave it” online agreement that’s presented electronically during your site’s registration process with an “I Agree” button; and
* the traditional paper-based, signed agreement approach – an agreement that’s presented with the expectation that it will be negotiated and eventually (you hope) accepted and signed by the user.
Since the click-wrapped approach is not subject to negotiation, it’s not the subject of this article. What we’re concerned with here is whether you’re prepared to negotiate the cutting edge issues of a traditional paper-based, signed agreement with a corporate user – and a SaaS-savvy one at that.
The single most significant driver of your prospect’s questions and concerns with your traditional paper-based, signed SaaS agreement is the fact that your prospect is considering surrendering its valuable and sensitive data to you – transferring it into the “cloud.” Your prospect will test you with questions and concerns regarding the privacy and security of its data. How you respond will determine, in most transactions, whether you’ll get the business.
Are you ready for the test?
Your Data Center
If you’re typical, you’ve outsourced your data center to an outside hosting service provider, and your prospect knows that. So the prospect is considering a transaction where its data is being outsourced not once, but twice. This raises questions and concerns regarding privacy and security.
Some of the key questions and concerns are:
* Who is your hosting service provider? What’s their reputation in the field and financial viability? Is it permissible to visit the data center for purposes of evaluation?
* Where are the servers located? Will servers be required to be located only in the United States?
* Security audits – does the hosting service provider provide SAS 70 reports periodically (Type I, which covers only the design of controls at a point in time, or Type II, which also tests whether the controls operated effectively over a period)?
* Changes to a successor data center – will the prospect insist on approval of any change to another hosting service provider?
* Privacy and security agreements – are satisfactory privacy and security agreements in place between you and the hosting service provider?
* Responsibility – will you be responsible for the acts and omissions of the hosting service provider as if the acts and omissions were yours?
* Disaster recovery – what’s the level of support?
* Redundancy – if there is a problem with the active server, does a mirrored server kick in?
* Backups – what’s the frequency of data backups, and are restores from those backups tested?
* Access to data – who at the hosting service provider has access to data in the server?
Your Customer’s Access to its Data
Although the data resides in servers located at your hosting service provider’s facility, your customer may have a need to access this data from time to time.
Some of the key questions and concerns are:
* Data requests – how will the customer’s requests for data be handled, including responses to legal discovery (eDiscovery) requests, search warrants, and subpoenas?
* Return of data – when the SaaS relationship ends, how will the data be returned and will the hosting service provider retain data, such as in its backup system?
Are You an Insurer for Data Security Breach?
Do you give an indemnity for any and all security breaches that affect your customer’s data? This is a key question. If you do, you need to be sure that you’ve added an additional fee to your pricing to cover this significant risk.
Think about it. No system is guaranteed to be absolutely safe and secure from outside attack. So, if you guarantee data security with a general indemnity, you’re providing a guarantee over something you don’t fully control, and you’ll be expected to honor it financially in the future with some of your customers. Count on it. In essence, you’ll be providing an insurance policy, and you had better be charging an insurance “premium” to cover the risk.
One way to deal with the issue is to agree to a standard for data security that you’ll be responsible to satisfy. The standard may be general in nature, such as compliance with reasonable data security measures that are generally followed in the industry. Or, the standard may be more specific, such as standards set by the EU Safe Harbor or the Gramm-Leach-Bliley Act, or a very specific negotiated standard. In any case, once the standard is agreed upon, you might agree to be responsible for a security breach only if it’s enabled by your failure to comply with the standard. If the breach is not enabled by your breach of the standard, you’re not responsible.
One of the issues regarding your scope of responsibility for a data breach is who is responsible (or the extent that the responsibility may be shared) for notifying the persons affected by the data breach as required by the patchwork quilt of state laws dealing with breach notification.
Did you pass the test?
If you’re not prepared to discuss these questions and concerns competently, then you’ve flunked the test.
If you’re not sure about how to handle these issues, you’re advised to seek competent legal counsel who’s familiar with them.
The ultimate questions are whether you:
* understand and adequately provide for the risk allocation inherent in your SaaS agreement; and
* provide a satisfactory response to your prospects’ questions and concerns regarding privacy and security.
Leading Internet, IP and software lawyer Chip Cooper has automated drafting your SaaS Agreement www.digicontracts.com/saas.aspx with his DigiContracts.com SaaS Agreement Form Generator. Use his free online tool — Website Documents Determinator — to determine which documents your website really needs. Discover how quick, easy, and cost-effective it is to draft your website legal forms at DigiContracts.com.