As explained in the second Short Lines article in this series, Software as a Service (“SaaS”) is an Internet-based software delivery model which enables a supplier to provide a service that remotely hosts and manages software applications (such as CRM, HR/payroll and accounts software) for its customers, and to provide ongoing support services in connection with that software.
Most of the contractual points for customers and suppliers to consider in the context of a SaaS contract are similar to those of a ‘grown up’ services contract, as opposed to a more traditional software licence. Typically, SaaS providers will offer their services on standard terms which are usually fairly supplier-biased. This article looks at some of the key issues for customers to consider when entering into a contract with a SaaS vendor.
It is fairly typical for SaaS providers to charge the customer a periodical subscription fee for the service based on the number of users, scaled according to the service features, resilience levels, storage space and the level of support (standard or enhanced) provided.
It would be wise for customers to agree up front the cost of purchasing additional user subscriptions, as well as the cost for any service “add-ons” which fall outside the scope of the core services. In addition, a separate charge will usually be payable for support and maintenance services, typically a certain percentage of the subscription fee.
Prior to entering into a subscription agreement, the customer should seek to ensure that the subscription and other fees remain fixed during the initial term and, in any renewal periods, any increases should be capped at a fixed percentage of the relevant fees paid in the previous year or be restricted to any percentage increase in, for example, the retail price index or relevant IT industry index in the previous 12 months.
In the SaaS deployment model, the customer is simply subscribing to access the functionality of the relevant software application which is hosted by the supplier remotely, rather than being supplied with a physical copy of the software to be installed on its infrastructure. That said, it will still be necessary for the supplier to license the relevant software application to the customer, and it usually grants to the customer a limited, revocable licence to ‘use’ the software for the term and for its internal business purposes only.
If a supplier suffers a service disruption, goes out of business or is acquired by another company that chooses to no longer support its SaaS solution, the customer is vulnerable to a severe disruption to its business operations.
One option in such circumstances may be for the customer to place into escrow both its data (which should be available at any time on demand) and the underlying code on which the SaaS service runs[1].
In weighing up whether this is something that a customer may wish to ask the supplier for (and any associated cost of doing so), the customer should consider how likely it is that it will actually use the source code of the underlying software and run it itself, particularly given that the customer will essentially be setting up an entire SaaS service if it replicates the source code.
It is, perhaps, far more likely and realistic to expect a customer to retake possession of its data and simply transfer it across to a replacement SaaS supplier, especially given that a supplier will be extremely reluctant to place the source code to its core business in escrow.
The customer should ensure that the supplier’s standard terms include an indemnity for the customer’s benefit if any third party claims that the software provided by the supplier infringes the intellectual property rights (including copyright and software patents) of a third party. This indemnity should cover all of the countries in which the customer uses the software.
The supplier should agree to make the services available to the customer 24 hours a day, 7 days a week, except for any planned maintenance carried out during a limited maintenance window and unscheduled maintenance performed outside normal business hours. The customer will be reliant on the supplier to ensure continuity of the service provided and the customer should, therefore, carefully consider what impact each of a small, moderate or severe service outage will have on the customer’s business, and also what happens if the services are not performed at all or up to scratch.
The customer should ensure that a workable service level and service credit regime is included in the contract to incentivise the supplier to provide services which are critical to the customer’s business to the required standard and quality. The customer should measure the up-time service availability and also the time taken by the supplier to respond to and fix faults arising with the service.
If the supplier fails to provide the services to the required standards, it should pay pre-agreed service credits to the customer. Service credits are usually calculated by reference to the supplier’s charges for providing the services, payable as an adjustment to the charges to reflect the value of the services actually provided (as compared to the services contracted for), rather than the customer’s losses[2]. The customer should ideally include a right to terminate the agreement if service availability falls below an acceptable threshold.
A reputable SaaS provider will have in place an appropriate business continuity/disaster recovery plan and will agree to invoke this plan in the event of a disaster in order to ensure that the services will be switched from the supplier’s primary facility to a standby facility which is geographically remote from that of its primary facility. The supplier should be required to test at least annually the resilience of the back-up and data return arrangements put in place under this plan, and the customer should request to see the results of those tests.
Access to the supplier’s data centres should be tightly controlled by the supplier and restricted to the supplier’s authorised personnel. The customer should enquire as to the location of the supplier’s data centre facility and satisfy itself that the physical data centre site is sufficiently robust to withstand adverse weather conditions, located in a reasonable area and monitored 24x7 by on-site security.
The customer should fully explore what protections the supplier has in place to protect and ensure the security of the customer’s data on the supplier’s network. The supplier should be under an obligation to provide the services in accordance with a suitable network security policy and the customer’s access to the supplier’s systems should be username and password protected. The supplier (as well as the customer) should effectively monitor the service for unauthorised access and be placed under an obligation to notify the customer if any suspected or actual unauthorised access does occur.
Having received notice, the customer will also want the ability to audit the supplier’s systems and procedures in order to verify the security and integrity of its data. Any audit rights included in the SaaS agreement should be wide enough to enable any regulatory body governing the activities of the customer to carry out an audit. More and more customers also require that the SaaS vendor is compliant with the Statement on Auditing Standards No. 70 (SAS 70), which is a rigorous audit standard for controls on accuracy and security.
The supplier should acknowledge in the SaaS agreement that the customer has full, unrestricted rights and title to intellectual property in the customer data, and the supplier should be bound by appropriate obligations in order to ensure that the supplier protects the confidentiality of such data.
It is extremely important from the customer’s perspective to not only ensure the security and confidentiality of its data but also to ensure that the supplier completes back-ups of the customer’s data on a regular (for example, daily) basis, thereby minimising the consequences of such data being lost or corrupted. If loss or corruption does occur, the supplier should, at its cost, be obliged to restore the customer’s data using the latest back-up copy maintained by it.
It is likely, given the nature and scope of the services provided under any SaaS agreement, that the supplier will be processing personal data on behalf of the customer. In order to comply with the Data Protection Act 1998 (DPA), the customer (data controller) will need to ensure that the supplier (data processor) complies with the DPA and in particular the seventh principle which requires the supplier to have in place appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data.
In addition, the supplier should be prevented from either hosting the service or allowing a third party to support and maintain the services from outside the EEA, unless the relevant country or countries offer(s) an ‘adequate level of protection’ in relation to processing personal data.
The data controller must decide itself, or rely on a Commission finding, that certain countries[3] or specific transfers to the USA under the Safe Harbor regime offer such an adequate level of protection. For exports of personal data to a third country which does not pass the data controller’s adequacy assessment or is not subject to a Commission finding of adequacy, UK data controllers may employ mechanisms such as model contract clauses approved by the Commission or rely on one of the exemptions set out in Schedule 4 of the DPA[4].
The customer should review the supplier’s contract to understand in what circumstances each party has the ability to terminate the agreement. The customer should consider carefully the length of any termination notice periods set out in the agreement and whether such period will give the customer adequate opportunity to select and enter into a contract with an alternative supplier. In addition, the customer should think through the exit/disengagement strategy before entering into a contract with the supplier to make sure an effective, workable exit plan is put in place.
The customer will also want to ensure that, upon termination of the SaaS agreement, the supplier promptly returns to the customer the then most recent back-up of the customer data stored on the supplier’s servers, in a form that may readily be used by the customer, and that the supplier reimburses it for any fees paid up front for services that would have been provided after the date of termination.
[1] The NCC has recently published its standard SaaS Escrow Agreement: http://www.nccgroup.co.uk/services/escrow-solutions/software-as-a-service.aspx
[2] This means that the service credits paid will, therefore, be significantly less than the actual loss suffered by the customer. Often, the maximum amount available to a customer by way of service credits is a sum calculated to deprive the supplier of its profits. In order to be legally enforceable, service credits should be reasonable and should not seek to penalise the supplier. Penalties are unenforceable under English law.
[3] The Commission has made positive findings that the following countries offer an adequate level of protection in respect of the processing of personal data: Argentina, Canada (subject to conditions), Switzerland, the Isle of Man and Guernsey.
[4] Please see the latest PLC IT Handbook on Data Transfers: http://www.kemplittle.com/PDFs/PLCCrossBorderDataProtectionHandbook_2010.pdf
© 2011 Kemp Little LLP