Presenting a live 90-minute webinar with interactive Q&A
Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests
TUESDAY, AUGUST 8, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Kelley C. Miller, Attorney, Reed Smith, Washington, D.C.
Kristie D. Prinz, The Prinz Law Office, Silicon Valley, CA
Negotiating Software as a Service (SaaS) Contracts: Guidance for Corporate Technology Counsel for
Structuring Effective SaaS Agreements
Strafford Publications Webinar
August 8, 2017
Kelley C. Miller, Esq. – Reed Smith LLP
Agenda of Presentation Topics:
Kelley Miller
I. Drafting and Negotiating Key Provisions in SaaS Agreements
I. Introduction and Overview of Cloud/SaaS
II. Examples of Services Covered Under CSAs
III. Data – What is it?
IV. Data – Use of SaaS Data by Cloud Service Providers
V. Ownership of Data
VI. Access to Data
VII. Data Security
II. Recent Legal Developments and Business Trends
I. ‘Pennies from Heaven’: How Tax Authorities are Looking to Cloud Computing for Revenue
I. Case Study in Cloud Taxation (U.S.): City of Chicago
Drafting Key Provisions in SaaS Agreements
Drafting Key Provisions in SaaS Agreements:
Introduction
• Cloud computing is a ubiquitous term, often used to describe many different processes involving “Internet-based” transactions.
• Some of the conceptions of cloud are correct; others are very misleading.
• Similarly, cloud computing agreements have as many different iterations (e.g., Click Wrap, etc.) as there are definitions of cloud computing.
• The purpose of this presentation is to provide an overview of these
agreements and the many legal and compliance issues that are
inherent therein.
• Key to this part of our discussion will be an understanding of contract
terms as related to cloud data; namely, how data is owned, accessed
and secured in the cloud.
Drafting Key Provisions in SaaS Agreements:
Overview of Cloud Computing
The key distinction between the three main iterations of ‘cloud computing’ services is whether the
function/attribute is managed by the customer or the vendor. As a general matter, the further along the
continuum of cloud products (e.g., Infrastructure), the more a function/attribute will be managed by the
customer. In the most ‘basic’ of cloud computing models—Software as a Service—all of the
functions/attributes are managed by the vendor—a fact magnified by the many issues with CSAs.
Drafting Key Provisions in SaaS Agreements:
Overview of Cloud Computing
• Cloud Computing, Defined
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST Definition)
• Essential Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
• Service Models
• SaaS – Software as a Service
• PaaS – Platform as a Service
• IaaS - Infrastructure as a Service
Drafting Key Provisions in SaaS Agreements:
Overview of Cloud Computing
• Software as a Service (SaaS), Defined
• The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. (NIST)
• Essential Hallmarks of SaaS
• Use of software that is hosted remotely by a vendor (“service provider”); software is accessible by the customer (“user”) using the Internet
• User’s data is remotely stored and processed using the service provider’s software – there is no software, storage or processing that occurs on the user’s system
Drafting Key Provisions in SaaS Agreements:
Examples of Services Covered Under CSAs
• E.g., Windows Azure (Runs apps; e.g., AccuWeather.com app)
• E.g., Rackspace (Public and private clouds; Servers)
• E.g., Office 365 (Allows users access to OneNote anywhere)
Drafting Key Provisions in SaaS Agreements:
What are you getting? What are your risks?
BENEFITS
• Flexibility
• Ability to forecast needs (scale) and plan for cost
• Not locked into current-generation paradigms
• Can change quickly—and get a quick response where change warrants the need for the same
RISKS
• Control – Data and Access to Data are Key!
• SECURITY
• Performance
• Reliability
• Vendor Lock-Ins
Drafting Key Provisions in SaaS Agreements:
What are the most important factors affecting CSAs? (IT)
Drafting Key Provisions in SaaS Agreements: Why is it important to distinguish the CSA from other services contracts?
• Cloud services are not the same as contracts for software
licensing only!
• Licensing, while a component of cloud services, is growing
vastly more complex. Software licensing experts are not
always on the same page as the business team executing the
CSA.
• Accountability is Key! – (1) “Protect My Data!”; (2) Be Reliable
(Uptimes and Contingency Planning) – Not elements of
licensing agreements, generally; and (3) Make It Right (When
Something Goes Wrong…)
• CSAs = Marriage (Time + Cost)
Drafting Key Provisions in SaaS Agreements:
Data – What is it?
• Two Levels – User/SaaS Customer + Customer
• Specific Considerations
• User/SaaS Service Customer Proprietary Data
• User/SaaS Service Customer PII
• Customer Data
• Customer PII
• Customer Locations and Preferences
Drafting Key Provisions in SaaS Agreements:
Data – CSPs Use of SaaS Data
• There are many ways in which a CSP may use SaaS data.
• Monitor and administer the service
• Respond to and resolve issues with the service
• Compiling data for analytical purposes of how efficiently the software is running; use of this data to design new services aimed at customer or customer’s market (anonymous as to customer/user-level identifiers; e.g., no production data should be released that may expose customer-sensitive data).
• Common among SaaS CSAs is a tool that uses application data to provide customers with statistical analyses for their own use and planning
• Key Take-Away: No customer IDs; no customer data or personal identifying information!
Drafting Key Provisions in SaaS Agreements:
Data – Who Owns It?
Who Owns What in a SaaS Transaction?
(Straightforward… but important to specify in the CSA!)
SaaS Service Provider
• SaaS Service Provider will own all aspects of the cloud service configuration including
User/SaaS Customer
• Any data provided by the User/Customer
Other Parties (Hosts) May Own Components!
Example
OWNERSHIP. Other than the rights and interests expressly set forth in this Agreement, and excluding Third Party and works derived from Third Party, you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content.
Think about what will happen to data upon termination of the CSA…
Drafting Key Provisions in SaaS Agreements:
Data Access
Service Level Agreement (SLA)
• SLAs will ideally contain specific parameters and minimum
levels for each element of the service provided.
• SLAs must be enforceable and state specific remedies that
apply when they are not met.
• Relevant SLA-SaaS Functions:
• Response Time
• Error Correction
• Time
• Infrastructure/Security/Privacy
Downtime
Downtime Period
Monthly Uptime Percentage
Scheduled Downtime
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
“It may be necessary to reconsider the premise that an individual
has no reasonable expectation of privacy in information
voluntarily disclosed to third parties.
This approach is ill-suited to the digital age.”
-U.S. Supreme Court Justice Sotomayor’s Concurrence in
U.S. v. Jones (2012).
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
Pre-Contract Due Diligence
• Jurisdictional Rules
• US and EU Provisions
• State laws
• Vendor’s Privacy Policy
• US Security Laws
• Is the Vendor using/advertising the use of a third-party Cloud Privacy Certification Service (e.g., TRUSTe)?
• Vendor’s Data Security Policy and Practices
• ISAE/SSAE Compliant?
• SOC Compliant?
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
[Diagram: User, SaaS Provider, Web Hosting Supplier. User transmits data (PII) to SaaS Provider for processing.]
1. Will the SaaS Provider use third-party hosting supplier?
• Who is the Web Hosting Supplier? Where is it/its servers located? Where will servers be located during the term of the CSA?
2. Where will the SaaS provider process User’s data?
3. When and how is User’s data encrypted?
4. What security protocols are in place?
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
Best CSA Data Security Practices
1. Be clear about where the data (PII) will reside.
• Clarity on restrictions; limit migration—counter-balance with uptime considerations.
2. Be clear (as possible) about where your data processing will occur.
3. Be clear about when and how data (PII) encryption will occur.
• Remember: At-rest is best.
4. Be clear about the frequency of encryption, data transmissions, data back-ups and how the record of the same is kept by the vendor and regularly provided (e.g., Will User require Vendor security performance audits?)
5. Be clear about scope of the SaaS Provider’s use of data.
• Contractual provisions that the data may NOT be used for SaaS Provider’s own purposes (analytics are likely to be a point for negotiation).
6. Be clear about what happens if disaster or breach occurs.
• Contractual provisions that the data may NOT be used for SaaS Provider’s own purposes (analytics are likely to be a point for negotiation). Notice of incidents paramount.
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
Additional Security Considerations + Best Practices
• Requiring SaaS Provider Audits
• Server Location Audits
• SOW should address all controls used by the SaaS Service Provider
• Determine—be clear—about compensation in the case of data (PII) misuse or loss
• Specific terms as to use of subcontractors
• Think critically about term – watch for auto-renewal clauses
• SaaS Provider limitations on liability
• Watch for:
• Excluding indirect and consequential losses
• Low liability caps (e.g., 1 year CSA fee)
• IP infringement
• Data loss, misuse, uptime delays and interruptions
Negotiating Software as a Service Contracts: Guidance for Corporate and Technology Counsel for Structuring Effective SaaS Agreements
Presented by Kristie Prinz
Founder of The Prinz Law Office
Silicon Valley, CA
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
D. Service Level Agreement (typically drafted
as separate schedule)
1. Uptime Guarantee:
Example: Company shall maintain an uptime service
level of X% measured monthly
(a) What are the exclusions?
(b) Can the guarantee be implemented?
(c) Is the guarantee realistic?
©2015-17 The Prinz Law Office. All rights reserved.
The Prinz Law Office | Silicon Valley | Los Angeles | Orange County | San Diego
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
D. Service Level Agreement
2. Service Credit
Example: In the event that Company fails to meet the
service level guaranty in any term or applicable
renewal period, Customer shall be entitled to a credit of
$X applied to the applicable renewal period
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
D. Service Level Agreement
2. Service Credit
(a) Is the service credit calculation clear
and easy to apply?
(b) Is the payment of a service credit an
acknowledgement of a material breach?
(c) Effect of issuance of multiple
service credits
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
D. Service Level Agreement
3. Technical Support Response Times
(a) Guarantee or target?
(b) Which party determines urgency
level?
(c) Resolution to support issue or
response only?
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
D. Service Level Agreement
3. Technical Support Response Times Sample Chart:
Priority | Description | Response time | Resolution Goal
P1 – Critical | A Problem that causes a catastrophic failure of the Service or renders the Service completely inoperative. | X hours | Support personnel will begin working on the Problem immediately and will work continuously to implement an update or workaround.
P2 – Urgent | A Problem that is causing an inconvenience, but the Service can still be accessed or used. | X hours | Support personnel will begin working on the Problem within X hours and will exercise commercially reasonable efforts to resolve the Problem.
P3 – Non Urgent | An enhancement request or intermittent issue that may require research to resolve. | X business day(s) | Assuming that the issue is related directly to the Service, Company will address request and work to establish a mutually acceptable time frame for resolution of the issue.
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
D. Service Level Agreement
4. System Responsiveness Guarantees
(a) How do you measure responsiveness
of web-based system vs. Internet
connection speed?
(b) Realistic guarantee?
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
E. Warranties and Limitations
1. Warranties
(a) IP Warranty
Example: Company warrants and represents that the
software will not infringe the patent rights or
copyright of any third party
(i) Parameters
(ii) Exclusions
(iii) Options in Material Breach
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
E. Warranties and Limitations
1. Warranties
(b) Performance Warranties
Example:
--Company warrants that the services will be performed
in a professional, workmanlike manner in accordance
with generally accepted industry standards.
--Company warrants that the software platform will
perform in accordance with published documentation.
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
E. Warranties and Limitations
2. Limitations of Liability
(a) Unlimited vs. Fixed/Capped
(b) Parameters of Liability Limits
(i) Type of Claim
(ii) Fixed Level vs. Multiple of
Specified Fees
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
F. Indemnification
1. Negotiated Indemnifications
(a) Intellectual Property & Trade Secrets
(b) Acts/Omissions of Employees
(c) Data Breach
2. Negotiation Points: scope of liability,
obligations of customer
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
G. Other Critical Provisions
1. Implementation Services
(a) Defining Scope of Work
(b) Establishing a Realistic Timetable
(c) Defining Customer Obligations
(d) Data Importation Issues
(e) Defining Customization Milestones
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
G. Other Critical Provisions
2. Training Services
(a) Defining Scope of Services Offered
(b) Structuring Training Service Fees
(c) Setting Parameters
(d) Defining Cancellation Policy
(e) Defining Travel Policy
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
G. Other Critical Provisions
3. Customization Services
(a) Defining Customizations Required
(b) Defining Scope of Work, Timetable
for Completion, and Milestones
(c) Structuring Customization Fees and
Payment Schedule
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
G. Other Critical Provisions
4. Subscription Fees
(a) Structuring Subscription Fees
(b) Selection of a Start Date
(c) Providing for Addition or Reduction
of Users during Subscription Term
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
G. Other Critical Provisions
4. Subscription Fees
(c) Defining Rate Increase Policy
(d) Defining Continuation of Services
Policy in Event of Non-Payment
(e) Defining Renewal Policy
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
G. Other Critical Provisions
5. Termination
(a) Defining Termination Policy
(b) Defining Policy for Expungement of
Data
(c) Defining Data Transitioning Service
Policy and Fees
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
G. Other Critical Provisions
6. Disaster Recovery Policy
(a) Defining disaster recovery plan
(b) Defining timetable for recovery in
the event of loss of services in disaster
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
G. Other Critical Provisions
7. Personal Health Information Security
(a) Data breach notification obligations
(b) Establishing parameters on
reimbursement costs
(c) Defining indemnification obligation
Recent Legal Developments and Business Trends
‘Pennies from Heaven’:
How Tax Authorities are Looking to Cloud Computing for Revenue
• Key Concepts – Revisited
• Remote Access
• Software is housed on a server (in/out-of-state) and accessed on a computer or web-enabled device via the internet or other network.
• SaaS
• Software-as-a-Service
• Software “on-demand”, if you will. With SaaS, software and the code running that software is hosted on a server or series of servers and is accessed on a computer or web-enabled device.
• ASP
• Application Service Provider.
• An ASP is a company that is providing what amounts to remote access, software on-demand, or SaaS.
• Cloud Equivalents – Why do the states care about the cloud?
• The Cloud… Conceptualized – How do the states fit the cloud into their concept of tangible property?
How Have States Developed Their Cloud Computing Guidance? Example: Washington State
The Cloud
• Remote Access Software – Software
• Digital Automated Service – Services that use software
• Digital Good – Books, music, video, data, facts, information
Overview: Survey of State Guidance on Sales Tax on Remote Access Software
[Map legend: No Specific Guidance; No Sales Tax; Statute or Regulation; DOR Ruling or Policy; Unofficial Position or Policy]
Income Tax - Sourcing the Cloud
• Is it a sale of TPP or of a service?
• Colorado – Sale of TPP, source to delivery location. PLR 13-008 (Oct. 2, 2013). But what is the delivery location? The server? The end user’s address?
• Illinois, Massachusetts, Pennsylvania – Sale of a service,
sourced to customer location. But how do you determine
customer location?
Cloud Seeding: SaaS as (Taxable) Service:
City of Chicago SaaS Tax
• July 2015: Department of Finance issues two Rulings.
1. Electronically delivered amusements
2. Nonpossessory computer leases
• Tax = 9 percent tax on certain types of online services.
• Second Ruling applies to remote database or computing platforms like Amazon Web Services or LexisNexis.
• Prognosis hazy… Effective date of lease tax delayed until (at least) 1.1.2016
FOR FURTHER QUESTIONS + UPDATES: WWW.TAXINGTECH.COM
II. Legal Developments and Business
Trends
B. Business Trends
1. Data Breach Concerns
(a) Indemnification and limitation of
liability negotiations
(b) Notification requirements;
obligations to remedy
(c) New focus on requiring insurance
II. Legal Developments and Business
Trends
B. Business Trends
2. Insurance Negotiations
(a) Commercial General Liability
(b) Errors and Omissions
(c) Employee Liability
(d) Automobile Liability
(e) Cyberinsurance
II. Legal Developments and Business
Trends
B. Business Trends
3. Class action litigation over auto-renewal
clauses
4. Restrictions against subcontractors
5. Negotiation of on-site work terms
6. Third party procurement of subscriptions
for other entities
Kristie D. Prinz, Esq.
Email: [email protected]
Telephone: 408.884.3577
Firm Website: www.prinzlawoffice.com
Twitter: @prinzlaw, @KristiePrinz
Google Plus: https://plus.google.com/+KristiePrinz
Software Law Blog: www.siliconvalleysoftwarelaw.com