If you’re running a company today, you’re probably signing a whole bunch of contracts with software as a service (SaaS) vendors to help simplify running your life as an entrepreneur. But, with great simplification comes great responsibility – or something like that.
Today, almost every SaaS application you use has a treasure trove of your data – and you want to make sure you’re contractually protected.
We won’t mention some of the obvious or boilerplate terms – like pricing, warranties, or the general terms of the agreement. Here is a high-level overview of 7 key provisions that you should review, re-review, and hammer down on with every SaaS agreement you sign (ideally with the help of an attorney):
Service Level Agreement
Your Service Level Agreement, or SLA, is the promise your vendor is making to you around availability, quality, responsibilities, performance, and support. It is usually referenced in your SaaS agreement and delivered as a separate document – an Exhibit – to your overall master services agreement. For larger deals, you can negotiate a better SLA with faster response times for more money. Some specifics include a promise of network availability (uptime) of over 99%, response times to support tickets – both regular and urgent – and a promise of data security, which is a whole other monster that we’ll get into below.
Handling of Personally Identifiable Information (PII)
Most SaaS products you use these days will be handling some level of PII – which includes something as basic as a name, telephone number, email address, physical address, IP address, etc. Your SaaS vendor’s agreement should explicitly state what they do with the PII, how they protect it through privacy policies and procedures, and which privacy laws, regulations, statutes and guidelines apply. You should also demand that no PII resulting from your use is disclosed to a third party without your consent.
Data Ownership
I can’t stress this enough. Data privacy is important, and becoming a bigger issue by the day with new regulations like GDPR and CCPA. The key here is to make absolutely no assumptions when it comes to data ownership. Your agreement should be absolutely clear about who owns the data that you are producing, the confidentiality of that data, what the SaaS vendor can use the data for, and the eventual destruction of that data after your agreement is over.
Data Security
Building off of Data Ownership, some industries have strict data security standards built in (such as healthcare and HIPAA) – but this is becoming the norm rather than the exception. Data Security has to do with what kinds of safeguards your SaaS vendor has baked into how they’ve built their application – to prevent intrusion, theft of the data, and malicious use. Make sure your SaaS agreement explicitly states how your vendor is approaching data security with things like encryption of your data at rest and in transit, database backups to multiple locations, audit logging, data mapping, high availability, and disaster recovery.
Disaster Recovery and Business Continuity
So what if the unthinkable happens, and the data center your SaaS vendor uses burns to the ground? Do you just lose all your data? We’re not going to allow that. Make sure your vendor has a solid disaster recovery plan – including contingency planning that is regularly updated and tested. This part of the agreement could include specifics like where the data is backed up, and how data is restored if something does happen.
Limitations of Liability (Indemnification)
Standard contracts are heavily lacking here. You should absolutely negotiate to limit your liability in case your service vendor does something wrong. Additional provisions around the limitations of liability should cover third party claims, intellectual property infringement claims, breach of confidentiality, violation of law, and any contract breach that the service vendor commits. The last thing you want is to be named a co-defendant for something your vendor did wrong.
Data Export
When the honeymoon period ends, or, ideally, when you’ve outgrown the SaaS you were using – it’s time to break up and move on. So what happens to your data? I’ve seen unfortunate circumstances where data export provisions were vague – and the customer was handed their data in an unusable format. To avoid this, make sure you discuss upfront how you are to receive your data should you need to export it and move to another vendor, and make sure that data is available to you in a common, usable format.
Let Us Help
Kader Law offers contract drafting, review, and negotiation services to startups and entrepreneurs at an affordable rate.
I personally have over a decade of experience working in sales and growth with startups – and have seen and negotiated dozens of these contracts both as a user and an attorney.
This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.