Companies across all industries use software as a service (SaaS) vendors to help simplify running the business. Almost every SaaS vendor you use hosts a treasure trove of your company data, so you want to make sure you are contractually protected. Here is a high-level overview of key provisions that you should review, re-review, and hammer down on with every SaaS agreement you sign.
Use Restrictions
SaaS contracts generally lay out specific use restrictions and require that the solution be used for "internal purposes only".
Depending on what you are using the SaaS for, you may want to negotiate, or get clarification on, this specific provision. For example, if you are a services company that will use the SaaS solution to deliver services to YOUR clients, you want to make sure that your access rights expressly cover that use case; otherwise, day-to-day use of the product could put you in breach of the agreement.
Intellectual Property Rights
SaaS vendors generally reserve all rights in the SaaS solution and its associated documentation, which is fine. The sections that should be reviewed carefully are Customer Data, Usage Data/Aggregated Statistics, and Feedback.
The Customer should generally own all right, title, and interest in and to the Customer Data and grant the SaaS vendor only a limited license to use the Customer Data solely to deliver the services. Usage Data/Aggregated Statistics should be de-identified and anonymized so that neither you nor your end users can be re-identified, and should ONLY be used to improve the services.
Feedback is a trickier section, and how much it matters depends on how much feedback the Customer expects to give the vendor to improve the services. Vendors typically ask for a perpetual, royalty-free license to any feedback; at a minimum, make sure that license does not sweep in your confidential information or your Customer Data.
Handling of Personally Identifiable Information (PII)
Most SaaS products you use these days will be handling some level of PII, which includes something as little as the name, telephone number, email address, physical address, or IP address of your users and end customers.
The SaaS vendor's agreement should explicitly state what they do with the PII, how they protect it through privacy policies and procedures, and which privacy laws, regulations, statutes, and guidelines apply to that processing. You should also demand that no PII resulting from your use is disclosed to a third party (including the vendor's own subprocessors) without your consent, and enter into a Data Processing Addendum (DPA) if you see fit.
Data Security
Regulated industries have strict data security standards built in (for example, healthcare and HIPAA), but explicit data security terms are becoming the norm rather than the exception. Data Security has to do with the safeguards your SaaS vendor has baked into how they built and operate their application to prevent unauthorized access, theft of your data, malicious use, and loss of availability.
It is in your best interest to ensure the SaaS agreement explicitly states how your vendor approaches data security, with things like encryption of your data at rest and in transit, backups to multiple locations, audit logging, data mapping, high availability, and disaster recovery. Vague language such as "industry-standard security measures" gives you little to enforce, so push for the specific controls, and for how the vendor will demonstrate them, to be written down. It is common for Enterprise companies to require a Data Security Exhibit as part of the agreement package.
Indemnification
An often negotiated point in SaaS agreements, indemnification covers who is responsible for judgments and associated legal costs in the event of a third party claim. The best practice from a Customer's standpoint is to ensure that the SaaS vendor indemnifies you for third party claims arising from intellectual property infringement, breach of warranty, negligence, and data breaches.
Limitations of Liability
The cap on liability is often negotiated, and the meeting point is generally a mutual limitation of liability of 1x the total amounts paid by the Customer to the Vendor over a given period (commonly the 12 months preceding the claim) or a hard floor dollar amount, whichever is greater. Carve-outs also come into play: certain categories, such as indemnification obligations or data breaches, are typically excluded from the cap or subject to a separate, higher cap.
Let Us Help
This is by no means a comprehensive overview of terms to negotiate in your SaaS vendor agreements. If you need further assistance, feel free to reach out.
This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.