As Software as a Service (SaaS) becomes the model for a business using software developed by another company, it is important to understand the legal and practical differences between SaaS and a software license. With a license, the company obtains rights from the developer to put copies of the software onto the company’s own computer system and run it from there. With SaaS, the company merely gets access over the internet to use the software. SaaS lets the company avoid more upfront costs, as well as infrastructure and personnel acquisition, and reduces the concern about maintenance, updates and backups. But SaaS allows for less customization and increases security concerns.
Under the SaaS model, the company’s data processed and generated by the software is stored on remote servers controlled by the SaaS vendor – “on the Cloud.” This data may include personally identifiable information, personal health information, financial information, trade secrets or other sensitive information relating to customers. A SaaS agreement should ensure that the SaaS vendor is required to adhere to reasonable physical and data security standards, is annually audited and provides its “SOC-2” audit report for inspection.
A SaaS arrangement may create civil liability and statutory penalties for data breaches involving sensitive information stored on servers designated by the vendor. SaaS agreements should therefore address these issues. A company should attempt to prevent the SaaS vendor from excluding all liability for data breaches, such as by removing broad “consequential damages” waivers in contract documents. A vendor should at least be sure the actual server host accepts responsibility. When a SaaS vendor does rely on a third-party hosting provider, the company should require notice if the host changes and require the new host to comply with the contract’s data security obligations. But there are many more considerations beyond what this brief video can provide.
Customization of a particular program to a company’s particular needs may be harder, but accessing different software with varied functionality is easier, so be sure access to different applications is well defined. Where a maintenance agreement is obsolete in a SaaS contract, a service level agreement is a close substitute. A good agreement will address when the vendor will fix errors and what minimum performance levels will be achieved. Companies should know that if the vendor goes bankrupt, the SaaS agreement could terminate, where a license might continue under the bankruptcy code. It may be wise to include some license language in the agreement, so the company can continue using the software, retain access to its data and even have access to the source code if the vendor goes bankrupt.