If you’re reading this blog, there is a good chance you have heard of Software as a Service (SaaS), and maybe even SaaS’s cousins – IaaS, PaaS…the list goes on and continues to grow.
Formerly referred to by Microsoft as “software plus services”, SaaS is simply a software delivery model through which software is delivered to an end user’s terminal on a pay per use basis, typically over the internet. The key feature that distinguishes SaaS from on-premise software licencing is the fact that SaaS products are hosted centrally by a supplier. This blog does not intend to teach you what you probably already know about SaaS as model to sell your products or services. It will rather help to inform your decision making and risk profiling when it comes to contracting with your customers to deliver SaaS products.
SaaS is growing
The now infamous global events of 2020-2021 have driven even further and faster growth in the SaaS space. Now more than ever, businesses need to collaborate faster and with often unpredictable licencing requirements (i.e. fluctuating numbers of staff), the subscription nature of SaaS is ever appealing to customers. To give you an idea of the numbers, Gartner forecasts that worldwide SaaS revenues will reach $140.62 billion in 2022.
Why is your SaaS contract so important?
A fundamental part of a SaaS model is its ‘one to many’ nature. In other words, one version of your software will often support many of your customers. For this reason, SaaS models often provide significant cost savings to customers as opposed to the more traditional on-site licencing model. But importantly, this shouldn’t mean you as a supplier should cut corners with your SaaS contracts. As with all commercial IT contracts, SaaS contracts should be considered carefully, with risks allocated between the parties in the normal way, regardless of the size of your customer or the size of your deal. There are various often misunderstood nuances with SaaS contracts and we’ve broken these down below into 5 of the key things to consider when contracting for the delivery of SaaS products.
5 key things to consider in your SaaS contract
1. Fees and subscriptions
When it comes to SaaS contracts, it is really all about subscriptions. The more subscriptions your customers purchase, the more valuable the contract is to you. It is critical that your contract limits access to the SaaS product to the number of subscriptions that your customer has purchased. It may even be that you want to limit use of the SaaS product to identified authorised users at your customer. Top tip: Don’t forget to make sure you have the contractual ability to request a list of those identities from your customer from time to time. But there is more to consider! There are broadly four main types of fees you need to be thinking about when drafting your SaaS contract:
(1) subscription fees, which are generally either charges as a set price for each user subscription purchased or based on the volume of customer use. These are often paid in advance, (2) fees for additional user subscriptions, purchased during the term of the contract, (3) where relevant, fees for data stored in excess of any agreed data storage limit, and (4) where relevant, support fees, if your customer requires in life support.
Consider also whether you need the ability to increase fees during the contract term by giving notice to your customer. At Law 365 we often try to include this as an annual right, although customers may push for the right to be either attached to a pricing index (typically the Consumer Price Index (CPI)) or only allowed in response to a third party supplier’s increase.
Top tip: Remember that rights to access the software should automatically stop upon termination or expiration of individual subscriptions, or the contract as a whole!
2. Limitations on use
It’s always exciting to onboard a new customer and the temptation is to get them using your brilliant SaaS product as soon as possible, but remember to include some important limitations on use in your SaaS contract. Some of the key ones we look to include at Law 365 are prohibitions on: - copying, modifying, duplicating, de-compiling, reverse engineering (the list goes on, but you get the idea!) your underlying SaaS software; - using your SaaS software to design and build a competing product; and - providing services using, or otherwise license, the software to a third party. Top tip: These types of restrictions are really important to protect your proprietary rights and allow you to offer your product to as many customers as possible.
3. Audit rights
Closely linked to the granting of subscriptions are your rights to audit your customer’s use (and potential over-use) of those subscriptions. Here at Law 365, we would often expect that a supplier has the right to audit a customer once per quarter to ensure that the customer is not exceeding the number of user subscriptions purchased. If your audit finds that the customer has over-used its subscriptions, you will want to be able to recover the costs of that over-use, often by way of a payment in arrears. Your audit may also identify use of the subscriptions not in accordance with the terms of your SaaS contract, for example an authorised user of the SaaS product giving his/her password to a non-authorised user.
Top tip: Don’t forget to provide protections for yourself if these problems arise, such as limiting or banning access for end users who violate the terms.
4. Who owns the intellectual property (IP)?
The key distinguishing factor between SaaS and typical licencing of software is that your customers do not receive a copy of the source code underpinning your core software. Your customer will access your core software (usually) by way of a web application running on a web browser. For this reason, you should not be giving any licence to your core software to your customers. The wording is subtle, but you should always see references to the granting of ‘rights’ to use SaaS products, as opposed to the grant of a traditional licence.
Because you retain ownership of the IP to your SaaS product, your customer is likely to request indemnification in the event that it, by using your SaaS product, accidentally infringes the IP rights of somebody else. While this is relatively standard and reasonable, we at Law 365 will always be making sure that your liability is limited as much as possible.
5. Data and security
By their nature, SaaS deals generally involve suppliers storing (or hosting) customers’ information and therefore data security is of critical importance.
Suppliers are always going to be at a commercial and legal advantage if they implement and comply with recognised security standards such as ISO/IEC 27001. Regardless, your customer will often request a high level of data security and it’s important to find a balance where a customer feels its data and information is secure without you as supplier over promising.
If your customer is trying to flow down all of its regulatory security requirements to you, that isn’t going to fly.
Top tip: Your customer (or their end user) may be subject to heightened cybersecurity requirements because of their particular area of business – don’t be fooled into thinking you need to take all of their legal or regulatory burden.
Consider also that if you are hosting customer data, you may have to do so through a third party hosting provider. Any obligations you agree with your customer need to be backed off with such third party to make sure there are no liability gaps with you in the middle – we can of course help you with this!
It’s not all one way, though. What is your customer responsible for?
• Your customers should own and be responsible for the accuracy and quality of their own data. Further, you should include obligations on your customer to not access, store, distribute or transmit any viruses during use of your SaaS product, coupled with rights for you to disable your customer’s access immediately if they do.
• They should be responsible for any delays or delivery failures or other damage resulting from the customer’s transfer of data over communications networks, including the internet.
Top tip: Don’t forget to include typical controller-processor data protection provisions in your contract. As commercial lawyers at Law 365, we’re also experts in data protection and we can make sure you’re covered where you need to be.