Ensuring your business is protected when working in the cloud

Many businesses are moving their software applications to the cloud to take advantage of the increased accessibility and potential cost reductions. But Software as a Service (SaaS) agreements differ from license agreements for software housed on-site or otherwise managed by companies.
“Prior to signing SaaS agreements, businesses need to recognize and understand the issues unique to cloud-based software and address them in the context of their specific needs,” says Alexis Dillett Isztwan, a member at Semanoff Ormsby Greenberg & Torchia LLC.
Smart Business spoke with Isztwan about what to look for in SaaS/Cloud-based software agreements to ensure your business is protected.
What issues are unique in a SaaS/Cloud agreement?
Given that businesses access and use software applications remotely under a SaaS model, SaaS agreements introduce several unique components that require specific attention, including data security, performance service levels and credits, support services response times, business continuity and disaster recovery, and data security and protection. How a business addresses each of these issues in its SaaS agreement will depend on a number of factors, including how mission critical the software application is to the business, the function the software performs, and what, if any, types of data will be stored by the SaaS provider.
Of course, businesses will need to consider issues similar to those in a traditional license, such as who is permitted to use the cloud software, what are the permitted uses, whether the license is global or restricted to use in the United States or other jurisdictions, whether the rights are perpetual or revocable, and what happens at termination.
What about company data in a SaaS model?
Protection of company data, such as customer information, is another significant issue to consider since company data will likely reside at a remote location rather than onsite. Multiple privacy laws potentially apply to the treatment of a company’s data and may set certain minimum security or other requirements, particularly if the data includes non-public personal information. Businesses should have a full understanding of what data will be shared with or stored or accessible by the SaaS provider and where the provider stores the data. The answers to these questions must be consistent with businesses’ compliance obligations under privacy laws.
What performance metrics matter?
While the number and types of performance measures will vary based on the type of software application, a SaaS agreement should include specific performance service level metrics such as a minimum application availability commitment as well as potentially a maximum transaction processing time. The availability commitment provides that the software application will be available for use by the business at least a minimum percentage of each month. The maximum transaction time measures the time required for the application to receive, process and respond to requests made of the application. Businesses should review these service level metrics to ensure that they meet their needs. The SaaS provider should deliver to the company monthly reports of the actual performance of the software against these metrics. A business may be able to negotiate credits against future invoices for repeated or chronic failures of the provider to meet the contractual service levels.
Similarly, businesses should ensure that the SaaS agreement sets out specific support services requirements, such as response time minimums and error resolution obligations based on the severity of the problem.

SaaS agreements should include details of the provider’s business continuity plan and disaster recovery services. Businesses should fully understand whether and when the software will be available for use in a disaster, including what data will remain accessible. The SaaS agreement should specify the time period anticipated between a disaster event and restoration of subscribers’ use of the software, even if via a temporary environment. More robust disaster recovery services often come with a more robust price tag.

Insights Legal Affairs is brought to you by Semanoff Ormsby Greenberg & Torchia, LLC