Negotiating Software as a Service Contracts
Guidance for Corporate and Technology Counsel for Structuring Effective SaaS Agreements
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, SEPTEMBER 9, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Rosemary Kuperberg, Senior Corporate Counsel, Deltek, Washington, D.C.
Paul Vince, Principal, Paul Vince Legal, Barnstead, N.H.
Michael L. Whitener, Partner, VLP Law Group, Washington, D.C.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.
If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
FOR LIVE EVENT ONLY
For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the SEND button beside the box
If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).
You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.
If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.
FOR LIVE EVENT ONLY
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
FOR LIVE EVENT ONLY
Negotiating Software as a Service (“SaaS”) Contracts Part I
Paul W. Vince
Paul Vince Legal, PLLC
What is Software as a Service (“SaaS”)
(c) 2014 Paul Vince Legal PLLC 6
Software as a Service (“SaaS”), also called “cloud computing”, generally describes software that:
is remotely installed and maintained (“hosted”) by the SaaS provider or by a third party
is operated by a user on a laptop or desktop computer via the Internet (with authentication credentials such as a user name and password)
requires minimal software management by the user
requires no additional user hardware
Major Differences between SaaS and “on-premise” software
Issue | SaaS | “On-premise” Software
Software and User Data location | Remote server (SaaS provider or third-party host) | Licensee’s computers or servers
Use rights | Subscription (usually name/password access; occasionally retroactive by number of accesses in a specified period) | License (maximum total or concurrent users, or individual name/password; occasionally retroactive “enterprise” license)
Agreement Term | Specified period (annual or multi-year) | “Perpetual” or specified term
Software Maintenance (Updates) | Included in SaaS fee; timing and scope entirely at provider’s discretion | Generally optional at an additional fee for “perpetual” licenses; may be included in a term fee
Unique SaaS Issues
Access/Service Level Agreements
SaaS providers should specify software and data availability (“uptime”) as a minimum percentage availability.
Software maintenance/update scheduling should minimally interfere with usual/peak use times.
Connection method
Generally worldwide access via Internet URL, VPN, etc.; however, loss of access may occur for reasons beyond the SaaS provider’s reasonable control, and the provider should be protected by warranty exclusions.
SaaS contract Issues
Limited Warranty
Should warrant that the SaaS service will meet the Provider’s documentation.
Should provide for no-charge corrections for failures to meet the warranty specifications.
Should exclude warranty liability for circumstances caused by the customer or beyond the provider’s reasonable control.
Should limit the provider’s liability through the warranty exclusions.
Sample SaaS Limited Warranty
Warranty. Provider warrants that the Services will substantially conform to the Documentation under normal use and circumstances in compliance with this Agreement. During the Subscription Period, at no additional cost to Customer and as Customer's sole and exclusive remedy for failure to meet this limited warranty, Provider will use reasonable efforts to provide a Correction to any material fault in the Provider software used to provide the Services ("Defect") in accordance with the Support guidelines, provided that Customer promptly notifies Provider in writing upon discovery of any such Defect and Provider's investigation discloses that such Defect exists. Customer shall provide a listing of output and other such data as may be required to reproduce the Defect. This limited warranty will be void if the Defect is caused by (i) the use or operation of the Services with an application or in an environment other than that described in the Documentation or recommended in writing by Provider, (ii) modifications to the Services that were not made by Provider, or (iii) disregard of any known or reasonably anticipated adverse consequences, warning messages, or other written instructions.
Sample SaaS Limited Warranty - 2
Disclaimer. Except for the express warranties specified in this section, Provider makes no warranties, either express, implied or statutory, including without limitation any implied warranties of merchantability, non-infringement, satisfactory quality or fitness for a particular purpose. Provider does not warrant or represent that the services or consulting services will be timely, complete, reliable, adequate, accurate, useful, secure or error-free. All mobile applications and software downloads are provided as-is with no warranty and Provider accepts no liability for any damages directly or indirectly caused by such applications or downloads.
Exclusion. Information transmitted and received through the internet cannot be expected to remain confidential, and Provider does not guarantee the privacy, security, authenticity and non-corruption of any information so transmitted, or stored in any system connected to the internet. Provider shall not be responsible for any consequences whatsoever of customer's connection to or use of the internet, and Provider shall not be responsible for any use by customer or its authorized users of any internet connection in violation of any rule, law or regulation.
SaaS contract Issues
Acceptable Use
SaaS providers will generally require a right to suspend or terminate services for abuse or actions that could put their network or other clients at risk.
Limits potential provider liability for customer misuse of the service.
Prohibits the customer from copying or sharing the service.
Sample “Acceptable Use” Provision
“Customer is responsible for use of the Services by those to whom Customer provides access. Provider reserves the right, at any time, to deactivate or suspend Customer's or any Customer’s User’s access if use of the Services is found or reasonably suspected, in Provider’s judgment, to:
sell, assign or otherwise transfer its rights to access and use the Services,
copy, modify, sell, export, transfer, or prepare derivative works of, reverse engineer, decompile or otherwise attempt to extract the source code or source data from the Services except and only to the extent permitted or required by law,
grant access to any part of the Services except to an Authorized User, including, without limitation, any consultant or customer of Customer,
provide, post, or transmit any data that infringes or violates any Intellectual Property Rights or publicity/privacy rights, or that contains any viruses or programming routines that may damage, interrupt or appropriate the Subscription or Services,
use the Services or Documentation to create any service offering, computer software program, training materials or user documentation that is substantially similar to the Services or Documentation,
use or facilitate use of the Services in any way that is harassing, harmful, obscene, threatening, libelous, or otherwise tortious, or for illegal, abusive or unethical activities (including violations of law or privacy, hacking or computer viruses),
attempt to disable or circumvent any security mechanisms used by the Services or otherwise attempt to gain unauthorized access to any portion or feature of the Services,
use any device, software or routine to interrupt or interfere with, or attempt to interrupt or interfere with, the proper operation and working of the Services or any transaction being conducted on the Services,
forge headers or otherwise manipulate identifiers in order to disguise Customer’s or any Authorized User’s identity, or the origin of any message or other communication that Customer or any Authorized User sends to Provider in connection with the Services,
use the Services to process or store classified data. If Customer introduces classified data into the Services, Customer will be responsible for all sanitization costs incurred by Provider,
permit any Authorized User or other third party to do any of the foregoing.
SaaS contract Issues
Limitation of Liability
Sounds like “legalese” but is fundamentally a business “risk-benefit” decision.
A reasonable risk-benefit match is to cap liability at the Customer’s fees paid for Services for the contract period (usually 1 year).
Should exclude indirect damages, which are generally speculative and difficult to prove.
Should exclude Customer’s violation of Provider’s IP from the cap, to avoid an “economic breach” incentive.
Fallbacks may add indirect damages for confidentiality breaches, and exclude gross negligence or willful misconduct from the cap.
Sample Limitation of Liability
Limitation of Liability. EXCEPT FOR CUSTOMER'S VIOLATION OF THE USE OF SERVICES TERMS, INFRINGEMENT OF PROVIDER'S INTELLECTUAL PROPERTY RIGHTS, OR THIRD PARTY CLAIMS ARISING OUT OF CUSTOMER’S BREACH OF THE THIRD PARTY TERMS, (A) IN NO EVENT SHALL EITHER PARTY OR PROVIDER'S LICENSORS BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, AND (B) THE TOTAL LIABILITY OF EITHER PARTY OR PROVIDER'S LICENSORS ON ANY CLAIM ARISING OUT OF ANY SERVICES OR CONSULTING SERVICES SHALL NOT EXCEED THE TOTAL AMOUNT OF ALL FEES PAID OR PAYABLE TO PROVIDER UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS PRIOR TO THE ACTION GIVING RISE TO THE LIABILITY. NOTWITHSTANDING THE FOREGOING OR ANY OTHER PROVISION OF THIS AGREEMENT, IN NO EVENT SHALL PROVIDER OR ITS LICENSORS BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY LOSS, DAMAGE OR INJURY TO PERSON OR PROPERTY ARISING OUT OF OR INCIDENT TO THE PERFORMANCE OF EVALUATION SERVICES UNDER THIS AGREEMENT. THIS SECTION APPLIES TO DAMAGES ARISING FROM ANY CAUSE OF ACTION WHATSOEVER, INCLUDING WITHOUT LIMITATION CONTRACT, WARRANTY, STRICT LIABILITY, TORT, OR NEGLIGENCE, EVEN IF SUCH LOSS OR DAMAGE WAS FORESEEABLE OR CONTEMPLATED BY THE PARTIES.
Unique SaaS contract Issues
Data Recovery after SaaS subscription ends
Timing (providers may require a maximum time period, after which they will destroy the data)
Format (if the software uses a proprietary format, you’ll need to specify an alternate format to be able to access your data after receipt)
Certification of permanent data deletion. Depending on the nature of your data, this is particularly important if your data includes personal, sensitive, or restricted information subject to applicable laws and regulations (HIPAA, ITAR, state privacy laws, etc.).
Negotiating Software as a Service (“SaaS”) Contracts
Questions?
The preceding slides and sample clauses are intended solely as opinions and examples based on personal experience.
The information and samples may not be appropriate (or applicable) for particular providers or customers.
Data Privacy and Security
19 © Deltek, Inc. - All Rights Reserved
Disclaimer: the examples and tips are not a substitute for legal advice, and do not represent the position of the speaker’s employer
General Tips
Data security concerns should be addressed in every deal – not just SaaS
Be aware of all the types of data involved – don’t focus on only personal data
Data Checklist – SaaS customers
Before you start to negotiate, know the following:
What data will be provided?
o Do you know the laws/regulations that apply to that data?
Whose data is it?
o SaaS customer, its affiliates, vendors, employees, customers, etc.
o If the data belongs to others, do you have the right to give it to a SaaS provider?
Does the SaaS provider use third-party(ies) to host or store the data at any point?
o If yes, who are those parties?
o Do you get notice if they change?
Where are the data centers physically located?
o Who controls the physical location? The provider or the customer?
What is the governing law of the agreement?
What security measures are currently in place?
o Do you get notice if those measures change?
Data Checklist – SaaS providers
Before you start to negotiate, know the following:
Does your service restrict the types of data that customers can provide?
o If yes, are those restrictions in the product or by contract?
Do you use third-party(ies) to host or store the data at any point?
Where are the data centers physically located?
o Who controls the physical location? The provider or the customer?
What security measures are currently in place?
o Who can answer questions about security measures?
• Are these people available to talk to customers?
o Which, if any, of the security measures can be changed for individual customers?
Start with the Basics
SaaS Agreement should cover confidentiality in general, typically protecting both parties’ information:
Any information disclosed by one party ("Disclosing Party") to the other party ("Recipient") in connection with this Agreement that is marked confidential or that due to its character and nature a reasonable person under like circumstances would treat as confidential (the "Confidential Information") will be protected and held in confidence by the Recipient. Confidential Information will be used only for the purposes of this Agreement. Recipient shall disclose Confidential Information only to the Recipient's employees, contractors, or business partners which are bound by confidentiality obligations no less stringent than these prior to any disclosure on a "need to know" basis. Confidential Information does not include information that: a) is already known to the other party at the time of disclosure; b) is or becomes publicly known through no wrongful act or failure of the Recipient; c) is independently developed without benefit of the other party's Confidential Information; or d) is received from a third party that is not under an obligation of confidentiality. Recipient agrees to protect the Confidential Information at all times and in the same manner as it protects the confidentiality of its own proprietary and confidential material of similar kind, but in no event with less than a reasonable standard of care. A Recipient may disclose Confidential Information to the extent required by law, provided that the Recipient provides the Disclosing Party with notice as soon as reasonably practicable to allow the Disclosing Party an opportunity to respond to such requirement, and provided further that such disclosure does not relieve Recipient of its confidentiality obligations with respect to any other party. Upon the request of Disclosing Party, the Recipient shall promptly destroy or return to the Disclosing Party all copies of the Confidential Information and any documents derived from it. 
This obligation to return or destroy materials or copies thereof does not extend to automatically generated computer back-up or archival copies generated in the ordinary course of Recipient's information systems procedures, provided that Recipient shall make no further use of Confidential Information contained in those copies. Except as to the confidentiality of trade secrets, these confidentiality restrictions and obligations will terminate two years after the expiration or termination of the Agreement. The Recipient may return any Confidential Information to the Disclosing Party at any time.
Add SaaS-Specific Terms
Who owns the data?
What can provider do with the data?
o Does that change if the data is anonymized and/or aggregated?
Who responds to requests from individuals to change/delete data?
Specific security standards
Unauthorized access/data breach
Backup/redundancy
Return of data at the end of the SaaS subscription
Add SaaS-Specific Terms (cont.)
Who owns the data?
o Typically, the SaaS customer continues to own data that it puts into the SaaS product.
Customer owns all electronic data or information that Customer or any user loads or enters into the SaaS Services and all results from processing such data, including compilations and derivative works of such data or information (“Customer Data”). Customer is solely responsible for the accuracy, integrity, quality, legality, reliability, appropriateness of and copyright permissions of any Customer Data and for adopting procedures to identify and correct errors and omissions in Customer Data.
o That means that the Customer remains responsible for compliance obligations with respect to the data.
o Sometimes, if the SaaS product combines customer’s data with provider’s data, the provider will want to own the combination.
Add SaaS-Specific Terms (cont.)
What can provider do with the data?
o As a customer, you want to know exactly what provider will do.
o As a provider, you want flexibility to do what you need to provide the best product.
Provider will handle Customer Data only in accordance with this Agreement. Customer hereby agrees that Provider is reliant on Customer for direction as to the extent to which Provider is entitled to use and process the Customer Data. Provider reserves the right, at any time and without notice to Customer, to review, monitor, flag, filter, modify, refuse or remove any or all Customer Data from the SaaS Services which violate the terms of this Agreement, but Provider has no obligation to do so.
o Does that change if the data is anonymized and/or aggregated?
• Many SaaS providers will ask for the right to gather anonymized data or aggregated data to improve the SaaS services.
• Some providers want to do even more than that.
Without limiting Customer’s ownership rights in Customer Data, Customer acknowledges and agrees that Provider shall have the right to utilize data capture, syndication and analysis tools and other similar tools to extract, compile, synthesize and analyze any non-personally and non-Customer identifiable data or information resulting from Customer’s use of the SaaS Services ("Statistical Data"). Statistical Data may be collected by Provider for any lawful business purpose without a duty of accounting to Customer, provided that the Statistical Data is used only in an aggregated form without specifically identifying the source of the Statistical Data.
Provider may make use of analytics to understand Customer’s use of the SaaS Services. Provider may transfer Customer Data to third-parties on an anonymous basis and such providers aggregate the data to create benchmarks.
Add SaaS-Specific Terms (cont.)
Who responds to requests from individuals to change/delete data?
o This will depend on the SaaS Services.
o Most SaaS providers will require customers to be responsible for changes to data.
(from clause on a previous slide) Customer is solely responsible for the accuracy, integrity, quality, legality, reliability, appropriateness of and copyright permissions of any Customer Data and for adopting procedures to identify and correct errors and omissions in Customer Data.
Customer is responsible for responding to all access requests, inquiries, or requests to correct Customer Data from any individuals or third parties.
Add SaaS-Specific Terms (cont.)
Specific security standards
o Not always practical to include in the contract – standards change frequently
o If specific standards ARE included, Customer will want to include a provision saying that standards cannot be reduced during the term
Provider may modify the security standards from time to time [with notice to Customer], but will continue to provide at least the same level of security as is described herein as of the effective date.
o Customer should also confirm that the identified standards (whether in the contract or not) meet what Customer needs to fulfill its compliance obligations
o Provider should
• reserve the right to change standards as appropriate,
• confirm internally that any security standards included will be followed for the term of any current subscriptions, plus renewals, and
• confirm that the Customer has also implemented security standards
Add SaaS-Specific Terms (cont.)
Unauthorized access/data breach
o Both parties will likely have obligations under applicable law
o Contract should be clear who is responsible for addressing breach, and who is responsible for required notifications
o As a Customer, you normally remain liable for compliance with respect to individual end users and your customers
o As a Provider, you are normally responsible to notify your Customer
Customer is responsible for addressing any privacy breach and providing required notifications as required by law or regulation, provided, however, that Customer will not, without Provider's prior consent, make any public statement which directly or indirectly refers to Provider in connection with any privacy breach, access request or correction request.
Add SaaS-Specific Terms (cont.)
Backup/redundancy
o Customer may be able to pull its own backups.
Customer is responsible for maintaining appropriate backup and routine archiving of Customer Data.
o If not, contract should address whether Provider will do them and whether there is an additional fee.
[When ordered,] Provider will provide monitoring, back-up, disaster recovery, and application and infrastructure upgrades [at no additional charge].
Add SaaS-Specific Terms (cont.)
Return of data at the end of the SaaS subscription
o May not be required if Customer is able to download the data during the term
o As a Customer, find out if data will be in readable/usable format
• If not, contract should address how the Customer can get its data at the end
o As a Provider, contract should be clear whether there is a fee for return of data
o Contract should also specify whether Provider has an obligation to retain data after the end of the term
Upon Customer's written request made within thirty (30) days of termination or expiration of a Subscription or this Agreement, Provider will return to Customer a single copy of all Customer Data then in Provider’s possession in Provider’s then-current industry standard data extract format. Additional Customer Data copies shall be available for a fee. After such thirty (30) day period, Provider shall have no obligation to maintain or provide any Customer Data and shall, unless legally prohibited, delete all Customer Data in its possession or under its control. Notwithstanding the foregoing, Provider may retain Customer Data in backup media for an additional period of up to twelve (12) months, or longer if required by law.
What Is an SLA?
Usually not a separate agreement, but a schedule or exhibit to the SaaS agreement
Sets performance bar that services must achieve
Insurance policy, not guarantee
Serves dual purposes:
o For customer: Describes level of services that can be expected
o For service provider: Helps instill trust in the service provider by the customer
Do You Need an SLA?
Not necessarily! Factors:
o Type of services being delivered
o Price tag attached to SLAs
o Additional negotiating time
o Monitoring commitment
o Remedies
Alternative to SLA: simple statement of available support
Sample Alternatives to SLA
May be acceptable:
Web and Hotline Support. Customer will designate two representatives who will have access to our technical support website and may contact our call-in technical support during our normal hours of operation (currently 9 am to 5 pm local time). On-site support is not included and is subject to our standard hourly rate.
Not so much:
Service Provider will use commercially reasonable efforts to implement and operate the Services for Customer.
Elements of an SLA
Description of services covered
Service availability (uptime)
o Aka “How often does this thing go down?”
o Often expressed in “nines”: e.g., 99.9% availability
o 100% uptime commitment is no longer unusual
o May be calculated by a formula: e.g., ((TMM - TMU) x 100) / TMM
Response and resolution time
Support options
Remedies
Contentious SLA Issues
How broad is the definition of “services” for SLA purposes?
How is service uptime calculated?
What are the exceptions to the uptime commitment?
How are severity levels defined?
What remedies does the customer have if service level commitments aren’t met?
Trap No. 1
Overbroad Carve-outs from Commitments
Pay attention to uptime exceptions
Typical exceptions:
o Scheduled maintenance, including system upgrades
o Emergency maintenance
o Force majeure events
o Bugs in software or hardware of service provider’s suppliers
o Customer acts/omissions that cause downtime
o Customer failure to provide timely notice
Carve-outs may swallow the commitments
Sample Sleight of Hand
Commitment: 100% uptime, 10,000% service credit
Limitations:
o Only failures “due to known [Service Provider] problems”
o Customer must open support case “during the Failure in question” and follow case opening procedures
o Customer must request credit within 48 hours of start of failure
o Credit limited to 100% of fees during billing month and capped at two months’ fees per year
Trap No. 2
High “Failure” Threshold
SLA may impose onerous threshold for claiming SLA breach
Watch out for requirements that:
o Outage must be total to count as downtime – degradation of service is not sufficient
o Short-term outages (e.g., less than 15 minutes) ignored
As you review an SLA, ask:
o Who is responsible for monitoring?
o How must service issues be reported?
o What time period is used for calculating service failure?
Trap No. 3
Inadequate or Non-Existent Remedies
Make sure SLA even provides a remedy
So you get a credit – what’s a credit?
o Rebate to customer
o Reduction in next payment customer owes
o Additional period of service
Credit tables and percentage caps
Right to terminate?
“Sole and exclusive” remedy for failure to meet SLA commitments?
Typical SLA Credit Formula
Standard credit table:
System Availability | Credit Amount
97.00 – 97.99% | 5% of user fees in month
96.00 – 96.99% | 10% of user fees in month
95.00 – 95.99% | 15% of user fees in month
< 95.00% | 20% of user fees in month
Note that anything below 95% availability is limited to 20% credit, no matter how poor the service
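The uptime formula, the carve-outs in Trap No. 1 and Trap No. 2, and the credit table above interact, and the cheapest way to see how is to run one month of incidents through them. The following Python is an added example, not material from the presentation or its speakers. It assumes that TMM means total minutes in the month and TMU total minutes unavailable (the slides do not define the abbreviations), it uses a constructed 30-day month and a constructed outage log, and it assumes that availability of 98.00% or higher earns no credit because the table's top band stops at 97.99%. The outage list, fee amount and function names are all hypothetical.

```python
"""Model of an SLA uptime and credit calculation under different carve-outs.

Added example, not from the presentation. TMM/TMU meanings, the 30-day month,
the outage log and the 98% no-credit threshold are all assumptions.
"""
from dataclasses import dataclass

MINUTES_IN_30_DAY_MONTH = 30 * 24 * 60  # 43,200 minutes in the constructed month


@dataclass(frozen=True)
class Outage:
    start: str        # timestamp, informational only
    minutes: int      # duration of the incident
    scheduled: bool   # announced maintenance window?
    total: bool       # full outage (True) or degraded service (False)


# Constructed sample outage log for one month; not real data.
SAMPLE_OUTAGES = [
    Outage("2014-09-03T02:00", 120, scheduled=True, total=True),    # maintenance window
    Outage("2014-09-10T14:00", 10, scheduled=False, total=True),    # short blip
    Outage("2014-09-15T09:00", 480, scheduled=False, total=True),   # major outage
    Outage("2014-09-22T11:00", 300, scheduled=False, total=False),  # severe degradation
    Outage("2014-09-25T16:30", 12, scheduled=False, total=True),    # short blip
]

# Credit table from the slide: (availability floor, credit as % of the month's user fees).
CREDIT_TABLE = [(97.0, 5), (96.0, 10), (95.0, 15), (0.0, 20)]
NO_CREDIT_AT_OR_ABOVE = 98.0  # assumption: the table's top band ends at 97.99%


def counted_downtime_minutes(outages, *, exclude_scheduled=False,
                             exclude_degradation=False, min_minutes=0):
    """Minutes an SLA actually counts as downtime once its carve-outs are applied."""
    tmu = 0
    for outage in outages:
        if exclude_scheduled and outage.scheduled:
            continue  # Trap No. 1: scheduled maintenance carved out
        if exclude_degradation and not outage.total:
            continue  # Trap No. 2: degradation is not "downtime"
        if outage.minutes < min_minutes:
            continue  # Trap No. 2: short outages ignored
        tmu += outage.minutes
    return tmu


def availability_pct(tmm, tmu):
    """The slide's formula: ((TMM - TMU) x 100) / TMM."""
    return (tmm - tmu) * 100 / tmm


def credit_pct(availability):
    """Credit band for a month's availability; the 20% band is the cap below 95%."""
    if availability >= NO_CREDIT_AT_OR_ABOVE:
        return 0
    for floor, pct in CREDIT_TABLE:
        if availability >= floor:
            return pct
    return CREDIT_TABLE[-1][1]


def monthly_credit(outages, monthly_fee, tmm=MINUTES_IN_30_DAY_MONTH, **carve_outs):
    """Run the whole calculation and return the figures a customer would check on an invoice."""
    tmu = counted_downtime_minutes(outages, **carve_outs)
    availability = availability_pct(tmm, tmu)
    pct = credit_pct(availability)
    return {
        "counted_downtime_minutes": tmu,
        "availability_pct": round(availability, 2),
        "credit_pct": pct,
        "credit_amount": round(monthly_fee * pct / 100, 2),
    }


if __name__ == "__main__":
    fee = 10_000.0  # constructed monthly user fee
    # The same month read two ways: every incident counts, or the provider's carve-outs apply.
    print("all incidents count:", monthly_credit(SAMPLE_OUTAGES, fee))
    print("with carve-outs:    ", monthly_credit(SAMPLE_OUTAGES, fee, exclude_scheduled=True,
                                                 exclude_degradation=True, min_minutes=15))
```

With every incident counted the constructed month comes out at 97.87% availability and a 5% credit; once scheduled maintenance, degradation and sub-15-minute outages are excluded, the same month reads 98.89% and earns nothing, which is the point of the "carve-outs may swallow the commitments" warning. The credit function also shows the cap: a month at 50% availability is treated exactly like one at 94.99%.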