A long time ago in a galaxy not so far away, the legal side of delivering software would be covered by a licence – if it was documented at all. The contracts we prepared had a lot to say about installation, site visits and licence fees, and a lot about the interaction of systems, too.
SaaS (Software as a Service) created different issues, some of which are not so obvious; and some of them lead to contractual wranglings which sometimes suggest a gap in understanding over what is actually possible. In our experience, increasing concerns about information security and data protection are often at the root of these points, because the essence of SaaS is that the customer has entrusted systems and data to another company, and it takes an operational and cultural leap to do that. Where so many businesses are ever more tightly regulated, their nervousness is understandable.
Software as a service, not as a right
Perhaps the first thing to understand is that with SaaS, you don’t get a licence; you get a right to use a service, for as long as you pay. Software as a service, not software as a right. It is therefore all about what that service is, and for that reason service levels become important, and in particular that the service is available more or less without interruption. With installed software, access to the software is the customer’s own concern, because it depends mainly on the customer’s internal infrastructure; the main availability question is then access to a support helpdesk, with response and fix times. SaaS agreements, by contrast, commonly provide for service credits if uptime falls below a stated percentage (often expressed as, say, 99.8%). The percentage on its own tells you little: what matters is the period over which it is measured and what is excluded from the downtime count (planned maintenance, for instance). As a rough guide, 99.8% measured over a 30-day month still allows roughly 86 minutes of downtime.
Protecting personal data
The protection of personal data is also a key concern, and suppliers’ contractual responsibilities are given force by their statutory responsibilities under the General Data Protection Regulation and under national laws implementing it (such as the UK Data Protection Act 2018). It will be important for businesses to understand what data is being held, and how much of that is personal data (as opposed to commercial data). Sometimes the data will simply be held on servers and not accessed; but data might need to be accessed for support purposes, and if it is, the extent of that data will affect the sensitivity of the issue. If that access is from outside the UK or the European Economic Area (EEA), there are additional questions to consider around ensuring GDPR compliance. If support is provided from outside the EEA, or from a country without an approved (adequate) data protection regime, additional safeguards will be needed and there could be problems.
Information security is connected to, but not the same as, data protection. Customers may take comfort from the use of highly trusted hosting suppliers such as Rackspace, Azure or AWS, or from the achievement of standards such as ISO 27001, but often customers nonetheless seek access and audit rights over the servers. Often they cannot be given this, because hosting companies will not allow their customers’ customers to poke around in their data centres; nor will they agree to unrestricted penetration testing of their platforms. The large cloud providers do publish rules setting out what a customer may test against its own resources, but testing of the provider’s shared infrastructure is off-limits. Those providers have a core obligation to ensure maximum security, failing which they are out of business. If customers want to audit the supplier itself, that is a different matter; but often they will not see any data or anything of any real value, and in practice the supplier’s certifications and independent audit reports are what they will have to rely on.
Intellectual property is another area which customers tend to misunderstand, and which is different with SaaS. The frequent customer demand to own the software is even less realistic than with installed software: this is a service, not a licence. Generally the customer will own its own data, and perhaps the branding applied to its instance of the service; but that is about it.
Often the competing concerns simply need to be understood, and it takes specialist knowledge of the underlying issues to get you there.
Paul Berwin is a leading technology and digital law specialist and heads Berwins Digital, the specialist IT and Technology division of Berwins.