Software as a Service (SaaS) Agreements
As Software as a Service (SaaS) arrangements increasingly overtake on-premises software licensing for many software applications, potential parties to SaaS contracts must recognize the major legal, technical, and commercial considerations that typically arise in a SaaS arrangement. This article discusses the key benefits and risks of moving to a SaaS cloud computing environment.
Common characteristics of SaaS arrangements
SaaS arrangements differ from traditional on-premises software licensing in the following key ways:
- The service software is not installed or stored on the customer's computer systems. The SaaS provider (or its subcontractor) hosts core SaaS software applications. While the customer may receive limited client-side software to aid connectivity to the provider's network, the customer accesses the provider's software remotely on the internet or another public, private, or hybrid public and private cloud network.
- The SaaS services and infrastructure are managed by or for the SaaS provider and shared by multiple customers. Each SaaS customer accesses the service applications remotely from various client devices, but does not configure, manage, or control the underlying cloud infrastructure.
- Service customization is limited. The software configuration is largely or entirely uniform throughout the provider's customer base.
- The provider maintains the service software and provides service support subject to service levels. SaaS agreement maintenance and support provisions typically specify service levels and standards for the provision of support. Service levels define how well the provider needs to perform and are often accompanied by service credits if the provider fails to maintain certain service level standards.
- Service fees accrue and are payable on a recurring, periodic basis. Fees may be based on provider subscription rates, the volume of customer use, or both.
In particular, the provider's remote hosting of the software application and the customer's data result in a shift of priorities compared to on-premises software licensing in which the key issues are configuration, implementation, and acceptance. In contrast, the top priorities for cloud-based contracts are:
- Service availability and performance
- Service levels
- Data security
The multi-user, networked distribution of SaaS services makes them particularly well-suited for standardized applications such as:
- Communication and collaboration applications, for example, applications for email, calendar, and web management, database sharing, and collaborative document preparation.
- Transactions between SaaS customers and their employees and third parties, such as funds transfer, invoicing, inventory management, and customer relationship management (CRM).
- Software and website development.
The benefits of using SaaS services for these types of standardized applications, compared to traditional software licensing, include:
- A quick startup, and convenient and on-demand service with little or no required software installation.
- Lower costs from:
  - Efficient, one-to-many performance of the services
  - Services geared to and priced at the level of customer use
  - Avoidance of large up-front license fees and capital expenditures on system infrastructure
- Expanded capacity for data collection, storage, and processing.
- Greater scalability and elasticity, allowing the customer to rapidly expand and contract its use of the service without incurring unnecessary hardware upgrade or expansion costs.
- Global reach through multi-location and multi-device access to the SaaS service.
- Access to the provider's professional data management services, including security scanning, regulatory and technical compliance checking, redundant data processing and storage, data backup, and disaster recovery.
The special risks associated with SaaS services include:
- The limitations of the internet or other networks over which SaaS services are provided, including network dependency, service disruptions, data bottlenecks, and browser security vulnerabilities.
- The customer's lack of control over:
  - Levels of service performance, availability, and support actually delivered
  - Privacy and security of customer data processed and stored by the SaaS provider, including the potential inadvertent exchange or commingling of multiple customers' data
  - Location of the SaaS provider's or its subcontractors' servers, databases, and other service infrastructure, unless the SaaS agreement specifies or restricts these locations
- Effect of the provider's bankruptcy or insolvency on the availability of the SaaS services.
- The potential disruptive effect and costs of transferring the customer's operations and data to and from the provider's SaaS systems.
- Provider form contracts that tend to be aggressively one-sided in the provider's favor and that often include:
  - Disclaimers of responsibility for data losses, backup, service interruptions, or data security breaches
  - Limitations on remedies for service downtime and support level failures
- The provider's monitoring or blocking of the customer's use of the SaaS service.
- The provider's collection of customer data for the provider's or third parties' commercial use.
Minimizing SaaS risks
The customer may avoid or mitigate many of these risks through skillful negotiation and drafting of the SaaS agreement if it has sufficient bargaining power to negotiate the contract terms. If the SaaS provider's standard contract terms are non-negotiable, or the provider remains inflexible on terms that present unacceptable risks to the customer, the customer must consider whether to walk away from the proposed agreement.