Legal Download 2.0 - Advantages and Risks of Software-as-a-Service

Software-as-a-Service is now an established and credible option for CIOs but there are key legal issues that customers need to consider when contracting with a SaaS vendor

By Chris Edwards. Published May 5, 2008.

Technological advancement, innovation and the ultimate demands of the marketplace are often the death knell for once-dominant business models. Such developments are now threatening the prevailing market for software being licensed at huge margins by a handful of dominant vendors.

Software-as-a-Service (SaaS), a distribution model in which software applications are hosted by a vendor or service provider and made available to customers over a network (often over the internet or through a virtual private network), is now an established and credible option for CIOs considering their company's future information and communication technology (ICT) requirements.

The rapid increase in global ICT connectivity with high levels of bandwidth has allowed software vendors to shift from providing mainly locally installed applications to a remote on-demand dynamic service, where customers can access software from multiple locations and are charged on a robust per-user, per-time basis. Economies of scale, low upfront costs, hassle-free upgrades/updates and less reliance by customers on their in-house IT function are some of the key features of SaaS driving its adoption across a wide variety of business sectors.

The shift to SaaS is well recognised, with leading industry experts such as Gartner predicting that 25% of all new business software will be delivered as SaaS by 2011.

In this article, we touch on some of the key legal issues that customers need to consider when contracting with a SaaS vendor and highlight the differences from the standard software licensing model.

Security and Data

With traditional software licensing, applications are usually hosted upon a customer's private network and maintained and supported either by remote access to the network or through attendance on site by a vendor or third party. Consequently, vital corporate data exists within the customer's sphere of control. In contrast, with many SaaS services a customer will input corporate data into an off-site application hosted on the SaaS vendor's own data centres. This loss of control over their own data is a critical feature that all customers must appreciate when it comes to reviewing the small print of contractual terms.

Customers need to ensure that key risks relating to data are appropriately covered within the contract. What happens to the company data if the SaaS services are interrupted? Is there a clear process that will enable the company to continue using the SaaS services in the event of a disaster or interruption event at the vendor's location? How often is data backed up by the SaaS vendor? What processes are in place for migration of the data to another vendor or back in-house? Customers should seek clear commitments from vendors on the issues raised above to ensure the risks arising from the loss of control over data are mitigated as far as possible. In addition, customers would be prudent to request an escrow agreement allowing them access to the source code of the SaaS services to run the application in-house upon the occurrence of certain events (e.g. insolvency of the SaaS vendor).

Corporate Governance/Due Diligence

Customers need to be mindful of relevant corporate governance issues and applicable local regulatory laws (i.e. data protection) when considering adopting the SaaS model. If a customer's activities involve the processing of restricted types of data (e.g. personal health information), the location and data controls of a SaaS vendor may need to be independently accredited. A customer should seek local legal advice if it is unsure whether its use of SaaS would breach any particular legal requirements.

A customer needs to consider the range of 'worst-case' scenarios and ensure that the contract adequately covers such events. Undertaking thorough due diligence (e.g. ascertaining a SaaS vendor's credit rating/financial position, reviewing disaster recovery plans, etc.) will reduce the risk of the potential SaaS services not meeting the customer's requirements or affecting its core business activities.

Term of the Contract

In the SaaS model the term of a contract is often an area of significant difference from standard software licence agreements. As revenue is often derived from usage/user levels rather than agreed upfront yearly licence fees, customers should seek to realise their improved leverage by negotiating shorter and more flexible contractual terms. The ability for a customer to escape from a contract at short notice should drive a more customer-oriented approach from vendors than previously seen in the traditional licence model.

Service Performance

Similar to an outsourcing contract, vendors need to be obligated to provide SaaS to explicit standards. How quick will response times be to reported errors or outages? What are the availability targets? A contract should clearly set out the standards to which a vendor will provide SaaS services and, if such standards are not met, the remedies available (e.g. clawback of fees, provision of temporary solutions). Typical service levels include obligations on the vendor to ensure the application runs correctly (often difficult to obtain in a standard licence model), the availability of the 'service' and time frames for notification of minor issues and outages.

Payment

A single monthly payment often covers the provision of the SaaS services to the customer along with all upgrades/updates and support. The single fee may be calculated remotely according to the time the services have been used and/or through the number of users. When reviewing the contractual terms, customers need to focus on what constitutes a 'user' in their own context and ensure they understand the parameters of the applicable charging mechanism.

Training

Despite the easier start-up process and cheaper costs, a customer will still require training assistance to ensure its employees are able to use SaaS adequately. Ideally, a contract should obligate a vendor to provide support continually during the lifetime of a contract to ensure appropriate training is provided to cover major updates/upgrades. Such services are often standard and rolled into the monthly charge, providing scope for businesses to redeploy IT departments to more core ICT business projects. Training obligations should be separately set out and defined appropriately.

Summary

The SaaS model's clear financial and functional advantages, in contrast to the traditional software licence model, will ensure its adoption will increase across all business sectors. Customers interested in the model need to be alive to the wide range of issues that must be considered and should consult with their in-house legal departments and local counsel where appropriate to ensure the risks in using SaaS are appropriately covered.

The author, Chris Edwards, is a Legal Consultant with DLA Piper (Dubai).

3459 days ago
Frank Bruno

Excellent article, Chris! Those interested in SaaS Escrow Agreements (& Guidance) should call or email me. 678-849-8394 frank.bruno@ironmountain.com We have escrow templates and written best practices to assist you with establishing the right escrow arrangement.
