Many licensors and licensees are utilising alternative delivery models for providing and accessing software applications. These alternative delivery models are best illustrated by cloud computing. While these delivery models raise many of the same issues as traditional software licensing, some raise unique issues. The focus of this article is to highlight the issues associated with the Software-as-a-Service (“SaaS”) delivery model.
SaaS is a business model where a software application is delivered to the customer as a service usually over the internet. The end-user does not purchase a copy of the software and accesses it on a timesharing basis via a subscription. In essence the end-user rents the software on an as-needed basis.
Advantages and Disadvantages
From a software vendor’s perspective, SaaS allows the vendor to reduce its support cost by maintaining a single version of its software on a single platform. Customers typically benefit from having updates to the software made available automatically and do not need to pay for the newest update. Perhaps the most beneficial aspect of the SaaS model is that it allows vendors to sell to customers who might otherwise not have been in a position to purchase such software (or have the infrastructure to support it), while at the same time making such software affordable to a broader portfolio of customers.
There are some limitations to this style of engagement. From the customer’s perspective, the greatest concern is that it has relinquished control of its IT to a third party. Challenges can arise, for example, where the software vendor ceases trading, as it can prove difficult for a customer to replace the service. By contrast, in a typical perpetual licensing situation, access to the source code through an escrow arrangement provides the customer with an effective “self-help” remedy where the software vendor ceases trading or is in material breach of the contract. The other consideration for a customer is that most software vendors will not customise the application for a specific customer’s needs.
Typically, through a SaaS model, customers are charged through various means including on a “per user/per month basis”, on an “enterprise basis” or perhaps based on the actual usage of the software. Again, the advantages in this regard are that the true costs of the software vendor are spread out over the lifespan of the customer relationship rather than recovered in one large sum at the outset. This cost spreading is then passed to the customer in the form of a monthly subscription payment.
Security is always an important concern when utilising a SaaS model. By centralising data in a secure data centre, a party may actually increase security. On the other hand, the client has ceded control over its data and is now dependent on the vendor’s protection. A prudent customer will address its concerns with the vendor and incorporate security measures into the underlying agreement. Depending on the size of the contract and the importance of the application, the customer should visit the facility from which the software as a service is provided, if applicable, and request a written copy of the vendor’s security protocol covering the building’s physical security and the protection of the network against intrusion, viruses and the like.
A prudent European customer should contractually require that all customer data remain within the EU. This avoids subjecting the customer to the laws of other jurisdictions in which the data resides and, in particular, avoids a likely breach of the GDPR where data is held elsewhere without the proper safeguards and additional contractual protections in place. The contract should also address the parties’ respective responsibilities for complying with all GDPR requirements and include the appropriate controller and processor contractual provisions. For example, notification of data breaches is an important consideration. The vendor should be obligated to notify the client immediately in the event of a data breach and provide a detailed written explanation of the nature of the breach and the actions it has taken to remedy it.
The vendor’s disaster recovery plans should be carefully reviewed by the client. The parties should include in the contract the level of redundancy for the application i.e. the availability of the application in the event of the failure of the primary server application as well as the vendor’s protocol for backing up data, the storage of such data offsite, and the period for which it will retain the backups.
Performance standard/service level agreements
When entering into a SaaS agreement, the customer should seek to include performance standards/SLAs to ensure the promised services meet the customer’s needs and expectations. Common measurements include availability, response time, and scalability. Vendors should be hesitant about being measured against customer-dependent elements such as location processing capability. Perhaps the most important metric from the customer’s perspective concerns planned outages. Many customers insist on an availability of 99.99% per month and that all maintenance be scheduled in advance and limited to the hours of 12 AM to 4 AM on weekdays and on weekends.
Any penalties or credits should be carefully delineated in the agreement. The agreement should include examples of how such penalties or credits should be calculated and applied if a service interruption occurs. Note: “penalty” clauses are notoriously difficult to enforce in most common law jurisdictions unless such clauses have been carefully considered and are a genuine pre-estimation of loss. For further consideration of penalty clauses, see our related article, “Penalty Clauses: Are they enforceable?”
Most software vendors seek to have the client sign pro forma “click-through” contracts without amendment and with few contractual protections provided. Typically, the contract disclaims almost all warranties and liabilities and limits liability to a multiple of the monthly fees paid. Vendors argue that pro forma contracts are industry standard and are in line with the low costs they are charging customers. Clients should carefully evaluate a contract’s pricing model to ensure the pricing structure is clearly delineated and that the client has the ability to independently verify any amounts it is billed by the vendor.
Typically, one might expect the vendor to warrant that there will be no material reduction in functionality at the time of the licence/service agreement. From a vendor perspective, the vendor should require the customer to indemnify the vendor against any third-party claims concerning data placed in the cloud by the customer that infringes a third party’s intellectual property rights. In addition, the customer shall indemnify the vendor in the event that the customer breaches the terms of the service agreement as well as in the event of its failure to follow the contractually required security procedures.
The content of this article is provided for information purposes only and does not constitute legal or other advice.