
    Cyber (Software-as-a-Service – SaaS)

 

  • A Software-as-a-Service (SaaS) agreement is the current term referencing a delivery model for any type of software-related agreement, in any business, enterprise or industry, that resides in the cloud. Here “cloud” means any group of servers or multiple groups of multiple servers at one or more locations anywhere in the world, connected together through an intranet, network or virtual private network (VPN), intended to operate together harmoniously as a cohesive, single, virtual computing ecosystem, controlled or owned by an entity generally referenced as a cloud services provider (CSP). Under this model, any of the CSP’s services or software that may be the subject matter of the SaaS are not copied by any user or installed on any user device, but remain on the CSP’s servers. The model is based on subscription pricing, in which a buyer/customer/user pays repetitive fees to the CSP, whether hourly, daily, monthly, on-demand, yearly or multi-yearly, either through the terms and conditions of the SaaS agreement itself or through a separate cloud services agreement (CSA). The authorized buyer/customer/user accesses the subject matter of that SaaS agreement in the CSP’s cloud first through the internet or world-wide web generally, and then specifically into the CSP’s intranet, network or VPN. Access is granted after providing either a single authentication mechanism (such as a single password), or in more-secure situations, after providing multiple access authentication mechanisms (such as a password, plus some other authentication mechanism, such as an immediate call to the smartphone of the user attempting to access the CSP’s cloud), or even after providing some combination of several authentication mechanisms in immediate sequence (such as a password, plus a call to the user’s smartphone, plus some form of biometric authentication – such as a thumbprint scan or retina scan), depending on the available hardware.

 

  • The SaaS agreement may be very simple (only granting an authorized user access to some location of virtual space on only one server within the CSP’s intranet, network or VPN) or may be more complex (granting an authorized user not only access to virtual space at any location within any server within the CSP’s intranet, network or VPN, but also access to a “suite” – collection – of applications, whether such applications may be just controlled by the CSP or actually owned by the CSP, or some combination thereof, through a license agreement within the SaaS or the CSA).

 

  • Depending on the industry, products or services that may be involved in a SaaS agreement, there may be various clauses and provisions of the SaaS agreement that may gain significance, such as for example:

    • acceptable use (this provision may be so significant that it is often the subject of a separate agreement, the acceptable use policy – AUP – or separate exhibit in either the CSA or SaaS agreement, and provides extensive details, guidelines and metrics about how an authorized user may or may not use the CSP’s hardware and software, and any data that may be contained therein);

    • access rights (on what specific conditions, terms and times the authorized user may access the CSP’s intranet, network or VPN);

    • applicable law (depending upon the jurisdiction or jurisdictions in which the SaaS agreement is intended to apply, this may be very difficult to articulate, but a serious attempt should be made to do so, since the type of data used and where it may go is critical to determining what laws in which jurisdictions may be the most-problematic for the functioning of the SaaS);

    • authorized users (unless the SaaS specifically grants all the buyer/customer’s employees the unlimited right to access all the CSP’s services and software at any time, and from any location, the SaaS must specify in great detail which of the buyer/customer’s employees are specified as authorized users, allowed to access whatever services or software the CSP may be providing);

    • customer service and support (critical for the buyer/customer, since many of the buyer/customer’s authorized users may not be completely familiar with whatever services or software the CSP may be providing under the SaaS);

    • data ownership (the buyer/customer should demand a carve-out in any licensing terms the CSP may require for accessing the CSP’s intranet, network or VPN, to clarify that all data loaded by the buyer/customer’s authorized users into the CSP’s intranet, network or VPN pursuant to the SaaS must remain under the exclusive ownership of the buyer/customer);

    • data privacy (that the CSP must treat all data loaded by the buyer/customer’s authorized users into the CSP’s intranet, network or VPN pursuant to the SaaS as confidential and proprietary, and sometimes, in situations requiring extreme security, the buyer/customer may insist that the CSP sign a confidentiality and non-disclosure agreement – NDA – whether as a separate agreement or as an exhibit to the SaaS agreement, which would also apply explicitly to all the CSP’s employees, independent contractors and subcontractors that the CSP may use for work under the SaaS agreement or CSA);

    • data security (the SaaS agreement should require the CSP to provide extremely robust covenants, guarantees, indemnification, insurance, representations and warranties protecting the buyer/customer’s data from appropriation, breach, corruption, misuse, theft and the like);

    • indemnification (any indemnification provided by the CSP entity should extend to some or all of the CSP directors, officers and owners, to both highlight how seriously the CSP must take precautions to protect the buyer/customer’s data, and to also render moot any claim by the CSP entity itself – if the SaaS agreement specified only the CSP entity itself as the only indemnitor to the buyer/customer – in the event the buyer/customer ever actually had to enforce the CSP’s indemnification);

    • insurance (including but not limited to specialty cyber insurance lines, such as for example: business interruption; computer fraud; content liability; crisis management; cyber business interruption; cyber extortion and ransomware; cyber terrorism; data appropriation; data breach; data destruction; data loss; data ownership; data privacy; data risk; data security; data tort risk; defamation; denial of service; digital cash liability; directors’ and officers’ (D&O) cyber errors & omissions (E&O); e-theft; fiber optics failure; fuel-cell technology; funds transfer loss; high-tech equipment; intellectual property (IP) protection; information technology (IT) E&O; media liability; payment card expenses and penalties; reach response; regulatory defense; regulatory investigation; software theft; systems damage; virus transmission; and the like);

    • license (critical from the perspective of both parties, in that they want to clarify what remains theirs, and including language to the effect that buyer/customer’s personnel do not have any right to copy or to receive a physical copy of the software used by the CSP to provide the cloud services under the CSA or the SaaS agreement);

    • limitation of liability (LOL – specifying the maximum dollar value to either party of any damages, and specifically excluding or including the types of damages that may result from any activity of either party related to the SaaS agreement);

    • master language (if the SaaS agreement is intended to be a master agreement acting as an umbrella for many different activities and types of work, then language should be included along with an exhibit for a statement of work – SOW – form that would be used to describe each discrete subsequent activity or project, along with any unique terms and conditions that may be applicable to such activity or project);

    • performance goals (indicating in general what the buyer/customer might expect regarding the reliability of the CSP’s intranet, network or VPN);

    • pricing (probably the most-important provision from the CSP’s perspective, specifying in great detail the charges to the buyer/customer for access to each particular CSP service or product, hopefully itemized in a clear schedule, including details about the type of subscription plan used);

    • renewals (how will renewals occur, whether by advanced notice or automatically, and under what terms and conditions);

    • service-level agreement (SLA) (perhaps the most-important provision from the perspective of the buyer/customer, either a clause within the SaaS itself, or as an exhibit to the SaaS agreement, or even as a separate agreement referenced in the SaaS agreement, if the required descriptions of the applicable metrics become too voluminous, specifying the metrics and specifics, in granular detail, to be required of the CSP’s intranet, network or VPN on a moment-to-moment basis, for whatever type of product or service is to be provided to the buyer/customer through the SaaS agreement in any particular context, so it is not unusual now, for example, for there to be a SaaS that references a voluminous companion and parallel SLA between the buyer/customer and CSP entities, specifying all the minute details of the metrics for the particular products and services noted in that SaaS agreement);

    • term (any length of time mutually agreed between the parties, but considering the rapid changes in applicable regulations, advancement of technologies and volatility of the data market, it may be more efficient and productive to allow for the expiration of agreements on a short-term basis, perhaps yearly, in order to allow entire new agreements to be negotiated based on the then-current conditions, rather than trying to negotiate numerous new amendments and modifications to very long-term agreements, and it would also allow the buyer/customer to always take advantage of the most-recent favorable price adjustments in the market);

    • termination (under what conditions which party may terminate for cause or for no reason other than convenience).

 

  • Drafting, negotiation or review of various types of SaaS agreements, contracts, documents, forms, guidelines, policies and templates for various industries and situations.

 

  • Drafting, negotiation or review of various types of ancillary agreements, contracts, documents, forms, guidelines, policies and templates related to the activities generated by SaaS agreements, such as for example: company-level – assignments (for IP), confidentiality, employment, executive compensation, human resources (HR), labor, non-competition (NCA), non-disclosure (NDA), non-interference (NIA), non-solicitation (NSA), shareholders agreements, transfers; customer-facing – end-user license (EULA), master service (MSA), purchase, sales, service-level (SLA); third-party – advisor, affiliate, consultant, expert witness, independent contractor, joint venture, partnership, subject matter expert (SME); public-facing – corporate policies, privacy, terms and conditions, terms of service, terms of use.

    Progress_Page_Last_Updated_220122_1456
