SaaS Agreements: Developing A Strong Legal Foundation (Checklist Included)

Andrew Rapacke is a registered patent attorney and serves as Managing Partner at The Rapacke Law Group, a full service intellectual property law firm.

Over the past 20 years, Software as a Service (SaaS) has seen substantial growth in sales. Although annual growth is starting to slow compared to other service models, its lead in sales remains substantially higher. In fact, projections show that sales in SaaS will exceed the next most prominent service model (i.e. Cloud System Infrastructure Services) in 2022.

SaaS typically consists of software applications that are made available over the internet and are tied to a subscription fee, which may be tiered based on the end user’s desired level of service. Often these services are managed by a third party. The internet has facilitated user access and flexibility; there is no need to install programs and therefore SaaS applications can be accessed on any device with user-specific logins. Additionally, SaaS applications are more cost-efficient, not requiring on-premise IT staff, and thus are being utilized by a range of businesses, including large enterprises. Due to the rise in popularity of SaaS applications, vendors and technology companies developed and offered similar “as a Service” solutions, of which the four most popular (including SaaS) are:

  • SaaS – Software as a Service (web based software and applications)
  • PaaS – Platform as a Service (like SaaS, but you develop the applications and provide the data)
  • IaaS – Infrastructure as a Service (managed servers/virtualization/networking/storage, like PaaS, but without the OS or runtime)
  • FaaS – Function as a Service (serverless cloud computing).

Other “as a Service” solutions include:

  • AIaaS – Artificial Intelligence as a Service
  • BaaS – Backend as a Service or Blockchain as a Service
  • DaaS – Data as a Service

The evolution of these new technologies and platforms has also introduced new risks for both providers and consumers to consider. These risks, however, can be addressed through agreements that have a strong legal foundation. This article will discuss what should be considered when reviewing SaaS agreements, the various types of agreements, and what should be included in a legally sound agreement. The concepts discussed will generally be applicable to other “as a Service” solutions, depending on the technology, implementation, and services provided.

What Should I Look for In A SaaS Agreement

There are several important considerations when evaluating a SaaS agreement, including terms related to data security, financial liability, and the availability of the software or application. Gaps in the agreement relating to any of these categories could result in substantial financial loss or damages to a business. Considerations are also business sector-specific, as needed protections may vary across business sectors.

1. Data Security

Data security is one of the most important term considerations. A security breach could result in significant damages to the business owner. An attorney should be consulted to carefully assess the agreement and address any questions prior to entering into the agreement. An attorney should also be engaged to review the agreement for compliance with the company’s security requirements. Every business is different; therefore, security needs vary. Security needs that aren’t addressed within the agreement can result in unexpected risks and consequences and a lack of liability for either the SaaS customer or the SaaS provider. Gaps can be addressed by offering warranties related to the security provided by the SaaS and clauses allocating responsibility for data breaches and losses incurred by the business. Generally, the agreement should include terms providing the ability for the business to conduct periodic audits to ensure compliance with the agreement. Detailed statements regarding data ownership and return policies, as well as the vendor’s obligations (e.g., data backup, deletion of data and copies upon SaaS termination) should also be carefully drafted.

If the data under the SaaS agreement will include personal identifying information, banking information, business plans, trade secrets, data regulated by privacy laws (e.g., healthcare information), or will otherwise include sensitive details, the SaaS agreement should identify the owner of the data and properly limit what the SaaS provider can do with the data. Is the data encrypted? Can the SaaS provider read your data while providing support, updating software, or servicing the hardware and infrastructure for the SaaS? If these issues initially do not appear to be important for the business, it is important to keep in mind that the business may have entered into a contract with another party in which it agreed to a certain level of privacy or security. Furthermore, after entering into a SaaS agreement, a party may engage a client that will require a level of data security that the SaaS agreement failed to address. Strategic planning regarding data security often pays off in the long run. If a party is the SaaS developer or provider, they may also need to define what other terms they will be responsible for, the limits to the services offered and its availability, and limitations of liability for the use of the services, among other issues.

2. Financial Liability

In addition to financial loss, data breaches can impact consumer confidence. Risks associated with a data breach may include data loss, breaches in confidentiality, corruption, and other damages to the client. Vendors can protect themselves from liability by having their security measures evaluated by a third party to ensure they are sufficient. This protects the vendor from being held accountable and also protects the client to make sure proper measures are in place to limit the potential for a breach.

3. Availability of SaaS Agreement

From a technological perspective, accessibility of SaaS is critical to many business ventures. Software does not need to be downloaded and, as a result, if there is not access to the application, a business could be significantly impacted. Many clients now require 24/7 SaaS access regardless of geographic location, particularly with the rise in popularity and shift to more remote work. SaaS agreements should include a Level of Service section to address technological/internet availability.

There is also a legal aspect to software availability that should be addressed in a SaaS agreement. If a business relies on a particular software provided as a SaaS, a myriad of situations can result in the business losing access to the software. The SaaS provider may go bankrupt or out of business, significantly change the software, sell the business, sell the software, or otherwise stop providing the software. The SaaS provider may stop providing the software in unintended ways and situations, such as when the SaaS provider is sued for patent or copyright infringement based on the software, when a third party provider to the SaaS provider stops licensing a sub-module of the software, or when foreign privacy laws modify the manner in which a foreign SaaS provider is able to deliver service to the business. In highly sensitive situations, the SaaS agreement may need to include means for a business to ensure their continued access to the software, or at least the underlying data accessible through the software.

In addition to the above considerations, it is important to carefully review the terms governing requirements and implications for exiting a contract. This can result from many causes including: experiencing a data breach, a breach of contract from the vendor, and/or others. It is important that a business knows its rights and has appropriate safeguards in place to protect itself from its, or the SaaS provider’s, failure to execute the agreement as written.

Types of SaaS Agreements

1. Business-to-Customer

Generally, business-to-customer SaaS agreements are not negotiated, regardless of the size of the business. Instead, business-to-customer SaaS agreements are frequently agreements under which a business offers its SaaS solution. Business-to-customer SaaS agreements are generally included in the Terms of Use and/or Privacy Policy of a website that provides a SaaS solution.

2. Enterprise-to-Business

Enterprises (large businesses) often offer SaaS solutions to other businesses somewhere between a standard SaaS service and a fully customized solution. The closer the transaction is to a standard SaaS service, the less of an opportunity a smaller business will have for negotiation of the Agreement. However, enterprises often develop SaaS solutions with multiple tiers, different levels of service, options, and selectable modules. Businesses with different needs may select an appropriate SaaS tier/service/module to meet their needs. On the opposite end of the spectrum is the fully customized SaaS solution. One common situation exists where a business seeks a SaaS solution that needs to be partially or fully developed as part of a transaction. Parties will negotiate multiple agreements touching on the development, work orders and change orders, development pricing, service pricing, software ownership, and information/data ownership. The agreements are sometimes combined in one document or handled in a single negotiation over multiple agreements. Here is a list of exemplary agreements and issues they may address:

  • Software/SaaS Development Agreement
    • Indicates scope of work, development and solution requirements
    • Defines intellectual property ownership, assignments, licensing
    • Exclusivity of Use
    • Software/Data hosting (who will control the computer and servers)
    • Allows/limits subcontracting developers
  • Master Services Agreement
    • Covers overall terms of service
    • Indicates process for and management of Statements of Work, Change Orders, and the like.
    • Indicates scope of work, development, solution, and service requirements
    • Defines intellectual property ownership, assignments, licensing
    • Exclusivity of Use
    • Software/Data hosting (who will control the computer and servers)
    • Allows/limits subcontracting developers/service providers
  • Non-Disclosure Agreement
    • Defines confidential information and non-confidential information
    • Sets time periods for non-disclosure
    • Often expands into non-use, non-competition, and information ownership
    • Limits disclosure, use, and/or development of confidential information
    • Addresses trade secret law requirements and employee non-compete requirements
  • Service Level Agreement
    • Defines services coverage
    • Sets availability of service
    • Provides for changes to the service level
    • Duration of Service / Termination

3. Business-to-Business and Enterprise-to-Enterprise

Two businesses of relatively the same size and economic power often will fully negotiate the terms for a SaaS solution. In this process, the business more interested in the transaction (often the business with the lesser economic standing) will have to compromise between features and pricing. However, in some situations a SaaS solution is fully standardized, including its terms of service, such that businesses seeking the SaaS solution do not have an opportunity to negotiate terms or pricing. Similar to and more common than enterprise-to-business negotiations, parties will negotiate multiple agreements. See the list above for examples of contracts and issues often addressed in negotiations.

If you are building a SaaS business, you should carefully consider corporate governance matters. And the sooner, the better. There are many issues associated with corporate organization and structure, corporate IP protection, data privacy and terms, the hiring process, and venture capital financing. In order to keep track of and complete all the necessary documents for each of these areas, check out our SaaS Legal Forms Checklist. The agreements are more nuanced than described, and require a careful and knowledgeable eye to be sure they are completed appropriately and thoroughly.

Consult With an Experienced Attorney

The Rapacke Law Group is an intellectual property and business law firm built for the speed of startups. No hourly billing, no charges for calls or emails. We offer startup legal services for a transparent flat fee. Our experience ranges from initial business formation and planning to the final liquidity event. Our startup lawyers are involved with fast-moving entrepreneurial companies seeking legal counsel in IP asset protection, company formation agreements, liability, equity issuance, venture financing, and infringement resolution and litigation. Contact us to schedule a free consultation with one of our experienced attorneys.
