Software as a Service (SaaS): SaaS law and subscription agreements
by Aaron Kelly (The Kelly Law Firm)
SaaS Law and SaaS agreements
SaasY Law: Understanding the legal implications of Software as a Service (SaaS)
Software as a Service (SaaS), sometimes known as cloud computing, has been hailed as the next level of modern software. SaaS offers significant advantages to businesses and consumers alike, both in its cost and ease of use. This article provides a basic overview of SaaS and SaaS law and explains why developers and end users alike need to understand the role an SaaS attorney plays in this new software.
With the proliferation of high-speed internet and faster computers comes the desire to access information quickly and securely. At the same time, there are concerns with privacy online and data security. Enter SaaS. SaaS is unlike traditional software that you would purchase at a store on a CD-ROM and install on your computer. SaaS is accessed over the internet with the data (i.e. documents, pictures, contacts, notes, billing) being stored on the software developer's servers rather than yours. Right now, I’m guessing many of you who are unfamiliar with SaaS are probably asking a simple question: “Why would anybody do this?” The answer is simple: access and ease of use.
With SaaS there is usually no installation of any software on your computer, no updates or maintenance fees, and no upfront costs. SaaS, unlike the traditional software license, is based on a “subscription model”. Naturally, a subscription implies a continuing relationship between the provider and the user. In this case the provider of SaaS is the software developer and the user is you and me, the customer. Since there is no license, we, the end users, are paying to have access to the service for as long as we pay for the subscription. It's kind of like having a safety deposit box at a credit union where you have to pay to be a member. The types of SaaS applications range from document management programs and payroll to data hosting and office productivity. The one thing that does not vary, though, is the concerns that people have with these types of applications.
As said before, SaaS is all about building a long-term relationship with the customer. Because of this ongoing relationship there needs to be a level of trust and reliability. The concerns that most people have are directly related to these two things: the SaaS developer's ability to provide uninterrupted and secure access to the information. Therefore, before entering into a subscription for SaaS, you should ask the SaaS developer the following questions:
1) What kind of data security/privacy/confidentiality do you have?
2) How often is my data backed up? Do you have multiple backup data centers in different geographic locations?
3) What is the history of your company?
4) Can I obtain my data from your servers to back up on my computer?
5) If I cancel my subscription, what do you do with my data, and how long do I have to back up that information?
An SaaS developer should be able to answer these questions with confidence if they have consulted with an experienced attorney who handles SaaS law. This is because the SaaS company should have a subscription agreement in place that has been carefully drafted and reviewed by an SaaS law attorney.
The SaaS subscription agreement differs from your typical software license agreement that pops up when you install software from a CD-ROM. This is because SaaS is not a license to use the software, but rather a subscription to access the software. Thus, the agreement must be flexible in order to build the ongoing relationship, but limit the liability of the SaaS company. An SaaS subscription agreement should cover, at the bare minimum: (1) what company holds the information; (2) what personal information is stored; (3) how the user is notified in case of a breach; (4) disclaimer of liability. However, not all SaaS agreements are the same, and they are not boilerplate forms that you can download off the internet.
SaaS agreements can touch upon nearly every area of the law, from intellectual property to criminal law. Most laws are directed primarily at the security of the data, and the theft of data by criminals. As such, most SaaS companies must protect themselves and the data that is stored. The SaaS company can protect itself best by not overstating its security, as doing so could lead to litigation down the road for fraud or misrepresentation (i.e. don’t claim that the data is “100% secure” and “guaranteed to be safe”). In other words, don’t write checks your insurance liability policy can’t cash.
The SaaS agreement should state in writing what the company's security system consists of, including whether the company uses a firewall, how often it tests for vulnerabilities, and whether it changes all passwords daily/quarterly. Since data security is one of the primary concerns of most SaaS customers, a certain level of transparency must be had between the company and the user. The SaaS company can provide this transparency by including documentation to new users about its data security, and the steps the company takes to protect the information.
In spite of the risks, SaaS is flourishing. Our firm uses several types of SaaS applications because of their ease of use and the ability to access the information from mobile devices to work computers. It not only makes the practice of law more efficient but also keeps our costs lower, which translates into savings for our clients.