With the increase in cloud computing, Software as a Service (SaaS) has become a widely adopted model for procuring software that would otherwise require investment in hardware, hosting and development.
There are a number of important considerations for the customer buying access to the software when entering into a SaaS agreement.
1. Focus on results
It can be tempting to view SaaS as just a licence to use the supplier’s software with an agreement for the supplier to host the software on their servers. However it is more helpful to focus on the service the software provides rather than the technical specification of the software.
Much of the code and the development work stays on the supplier side, with the customer just accessing the software. It is therefore much better to focus the specification on measurable results, i.e. to deliver a certain output within a certain timeframe.
2. Supplier financial stability
Assess the supplier’s likely ability to deliver the software over its expected lifespan. Typically the customer does not obtain a licence to operate the software independently of the supplier’s servers. This means if the supplier fails, access to the software stops. Also, assess the supplier’s dependence on sub contractors to deliver, as well as the financial stability of those subcontractors, for example third party hosting.
3. Disaster recovery
What happens if it all goes wrong? Assess the supplier's own disaster recovery/business continuity arrangements. Ideally they would have a plan to recover all data within a specific timeframe. As part of this assessment, consider your dependence on the supplier and their services, and what you would do if access was withdrawn.
4. How easy can you switch to an alternative supplier?
How easy or difficult is it (and hence the time and resources required) to switch to an alternative supplier? Ideally the contract should include termination provisions on notice, as well as obligations on the supplier to transfer data to a replacement supplier within a specific timeframe.
5. Compliance with GDPR requirements
The customer will almost certainly be the data controller for the purpose of personal data stored on the SaaS supplier’s servers. This could be anywhere in the world, including on subcontractor’s server. This inevitably means that personal data processed by the SaaS product is within the customer’s responsibility but outside of its direct control.
This makes it vital to assess the entire chain of responsibility to ensure you know where that data could end up. While there should be suitable warranties by the supplier to comply with GDPR in the SaaS contract, this alone is not enough. The customer really needs to make its own investigation.
These are of course just a few of the specific matters relevant to SaaS contracts.
Find out more
If you would like any help or support then visit our dedicated Intellectual Property pages or contact our expert team.