“Software as a service” or SaaS is increasingly popular as a way to license certain software. You buy the right to use the software for a certain period, but it remains on the supplier’s servers, which you access through a cloud-based system. You might sign up to this sort of arrangement for access to Microsoft licences or Adobe Pro, for example.
A contract for software as a service will invariably include great swathes of technical and legal language. So when you’re sent a SaaS agreement for the first time, what are the key things you should look out for?
Of course you’ll check the payment and duration terms. Beyond that, which clauses do you need to note and action, that may not necessarily be front-of-mind?
Your first port of call is to check what you’re signing up to under the agreement. The customer responsibilities are usually straightforward and your obligations are likely to be things like keeping your credentials secure, preventing unauthorised access and co-operating with the supplier.
If you have staff, make sure you circulate this information and impress on them the importance of compliance. Staff members who breach their responsibilities could negate the whole contract, leaving you without your software, and potentially exposed to a financial penalty.
You may come across a particularly widely drafted clause, such as the promise that you will comply with “all applicable laws.” If you’re not too sure how that impacts your operations, check with a solicitor.
Data Protection and Cybersecurity
Introducing new software into your business will carry a risk to your cybersecurity. Most software will be robust, but if there are any inherent vulnerabilities, your business could be exposed to the risk of malware.
If the new software involves processing personal data, then you should also carry out a Data Protection Impact Assessment (DPIA) as required by GDPR, or undertake a Data Transfer Impact Assessment if, for example, the supplier is based in the USA.
In addition to any data protection risk assessments and due diligence, the way to protect your business in your SaaS agreement is to include warranties relating to cybersecurity. You want to see that the supplier warrants that reasonable steps will be taken to remove all vulnerabilities (or something along those lines).
On occasion, breaches of cybersecurity attract regulatory fines, so it’s a bonus if you can agree an indemnity in your contract (as far as possible). That way, your supplier will be on the hook for any fines incurred as a result of vulnerabilities in their software. This type of clause is clearly high stakes for your supplier, so if it’s not already included, it’s likely to be resisted if you ask for its insertion.
Remember that the supplier usually has access to your IT systems and information about your business when you enter into a SaaS arrangement.
For most businesses, there will be little material risk of harm from your supplier seeing confidential information. But if you hold particularly sensitive information, or your SaaS supplier happens to be a competitor of yours, you may want to bolster the confidentiality provisions to protect your business secrets.
Make sure all these issues are taken into consideration in your due diligence and addressed in any Data Processing Agreement to comply with the UK GDPR.
Is this software critical to the functioning of your business? If so, it’s wise to have an obligation in the contract that the supplier maintains an insurance policy to recoup your losses in the event of serious outages.
Limitation of liability
In every SaaS contract, the supplier will limit their liability for losses. It’s worth being aware of the level of recoverable losses from your supplier.
If you’re worried that the limitation of liability is too low for your business and your circumstances, you’ve got a couple of options. You can either ask your SaaS supplier to increase the limit (to which they are unlikely to agree), or you can speak to your own insurer to amend your policy accordingly.
It’s tempting to simply sign a SaaS agreement to get the software you need in place.
But the arrangement is not without risk and you want to make sure your business is adequately protected if anything goes wrong. Make sure your staff are aware of their obligations under the contract, and amend your business insurance if the contract increases your risk of business disruption. If the supplier has access to your systems or personal data, then make sure you consider any data protection implications of using the supplier.
If you’d like a solicitor to review your SaaS agreement to advise you on your level of exposure, please do get in touch with us at SME Comply. Call us on 01386 641 928 or drop us an email at email@example.com.