Negotiating Software as a Service Contractsmedia.straffordpub.com/products/negotiating-software-as-a-service...Negotiating Software as a Service Contracts ... Agreement Term Specified

Negotiating Software as a Service Contracts Guidance for Corporate and Technology Counsel for Structuring Effective SaaS Agreements

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's

speakers. Please refer to the instructions emailed to registrants for additional information. If you

have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

TUESDAY, SEPTEMBER 9, 2014

Presenting a live 90-minute webinar with interactive Q&A

Rosemary Kuperberg, Senior Corporate Counsel, Deltek, Washington, D.C.

Paul Vince, Principal, Paul Vince Legal, Barnstead, N.H.

Michael L. Whitener, Partner, VLP Law Group, Washington, D.C.

Sound Quality

If you are listening via your computer speakers, please note that the quality

of your sound will vary depending on the speed and quality of your internet

connection.

If the sound quality is not satisfactory, you may listen via the phone: dial

1-866-961-8499 and enter your PIN when prompted. Otherwise, please

send us a chat or e-mail [email protected] immediately so we can

address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen,

press the F11 key again.

FOR LIVE EVENT ONLY

For CLE purposes, please let us know how many people are listening at your

location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of

attendees at your location

• Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your

participation by completing and submitting an Official Record of Attendance (CLE

Form).

You may obtain your CLE form by going to the program page and selecting the

appropriate form in the PROGRAM MATERIALS box at the top right corner.

If you'd like to purchase CLE credit processing, it is available for a fee. For

additional information about CLE credit processing, go to our website or call us at

1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

If you have not printed the conference materials for this program, please

complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-

hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a

PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Negotiating Software as a Service (“SaaS”) Contracts Part I

Paul W. Vince

Paul Vince Legal, PLLC

[email protected]

What is Software as a Service (“SaaS”)

(c) 2014 Paul Vince Legal PLLC 6

Software as a Service (“SaaS”), also called “cloud computing” generally describes software that is:

remotely installed and maintained (“hosted”) by the SaaS provider or by a third party

operated by a user on a laptop or desktop computer via the Internet (with authentication credentials such as a user name and password)

requires minimal software management by the user

requires no additional user hardware

Major Differences between SaaS and “on-premise” software


Issue SaaS “On-premise” Software

Software and User

Data location

Remote Server (SaaS

provider or third party

host)

Licensee’s computers or

servers

Use rights Subscription (usually

name/password access;

occasionally retroactive

by number of accesses

in a specified period)

License (maximum total

or concurrent users, or

individual

name/password;

occasionally retroactive

“enterprise” license)

Agreement Term Specified period (annual

or multi-year)

“Perpetual” or specified

term

Software Maintenance

(Updates)

Included in SaaS fee;

timing and scope entirely

at provider’s discretion

Generally optional at an

additional fee for

“perpetual” licenses, may

be included in a term fee

Unique SaaS Issues


Access/Service Level Agreements

SaaS Providers should specify software and data availability “Uptime” as a minimum % availability

software maintenance/update scheduling should minimally interfere with usual/peak use times

Connection method

Generally worldwide access via Internet URL, VPN, etc., but there may be lack of access beyond SaaS provider’s reasonable control and should be protected by warranty exclusions.

SaaS contract Issues


Limited Warranty

Should warrant that the SaaS service will meet the Provider’s documentation.

Should provide for no-charge corrections for failures to meet the warranty specifications

Should exclude warranty liability for circumstances caused by the customer or beyond the provider’s reasonable control.

limit the provider’s liability and warranty exclusions

Sample SaaS Limited Warranty


Warranty. Provider warrants that the Services will substantially conform to the Documentation under normal use and circumstances in compliance with this Agreement. During the Subscription Period, at no additional cost to Customer and as Customer's sole and exclusive remedy for failure to meet this limited warranty, Provider will use reasonable efforts to provide a Correction to any material fault in the Provider software used to provide the Services ("Defect") in accordance with the Support guidelines, provided that Customer promptly notifies Provider in writing upon discovery of any such Defect and Provider's investigation discloses that such Defect exists. Customer shall provide a listing of output and other such data as may be required to reproduce the Defect. This limited warranty will be void if the Defect is caused by (i) the use or operation of the Services with an application or in an environment other than that described in the Documentation or recommended in writing by Provider, (ii) modifications to the Services that were not made by Provider, or (iii) disregard of any known or reasonably anticipated adverse consequences, warning messages, or other written instructions.

Sample SaaS Limited Warranty - 2


Disclaimer. Except for the express warranties specified in this section, Provider makes no warranties, either express, implied or statutory, including without limitation any implied warranties of merchantability, non-infringement, satisfactory quality or fitness for a particular purpose. Provider does not warrant or represent that the services or consulting services will be timely, complete, reliable, adequate, accurate, useful, secure or error-free. All mobile applications and software downloads are provided as-is with no warranty and Provider accepts no liability for any damages directly or indirectly caused by such applications or downloads.

Exclusion. Information transmitted and received through the internet cannot be expected to remain confidential, and Provider does not guarantee the privacy, security, authenticity and non-corruption of any information so transmitted, or stored in any system connected to the internet. Provider shall not be responsible for any consequences whatsoever of customer's connection to or use of the internet, and Provider shall not be responsible for any use by customer or its authorized users of any internet connection in violation of any rule, law or regulation.



Acceptable Use

SaaS providers will generally require a right to suspend or terminate services for abuse or actions that could put its network or other clients at risk

Limits potential provider liability for customer misuse of service

Prohibits customer from copying or sharing service

Sample “Acceptable Use” Provision


“Customer is responsible for use of the Services by those to whom Customer provides access. Provider reserves the right, at any time, to deactivate or suspend Customer's or any Customer’s User’s access if use of the Services is found or reasonably suspected, in Provider’s judgment, to :

Sell, assign or otherwise transfer its rights to access and use the Services,

copy, modify, sell, export, transfer, or prepare derivative works of, reverse engineer, decompile or otherwise attempt to extract the source code or source data from the Services except and only to the extent permitted or required by law,

grant access to any part of the Services except to an Authorized User, including, without limitation, any consultant or customer of Customer,

provide, post, or transmit any data that infringes or violates any Intellectual Property Rights or publicity/privacy rights, or that contains any viruses or programming routines that may damage, interrupt or appropriate the Subscription or Services,

use the Services or Documentation to create any service offering, computer software program, training materials or user documentation that is substantially similar to the Services or Documentation,

use or facilitate use of the Services in any way that is harassing, harmful, obscene, threatening, libelous, or otherwise tortious, or for illegal, abusive or unethical activities (including violations of law or privacy, hacking or computer viruses),

attempt to disable or circumvent any security mechanisms used by the Services or otherwise attempt to gain unauthorized access to any portion or feature of the Services,

use any device, software or routine to interrupt or interfere with, or attempt to interrupt or interfere with, the proper operation and working of the Services or any transaction being conducted on the Services,

forge headers or otherwise manipulate identifiers in order to disguise Customer’s or any Authorized User’s identity, or the origin of any message or other communication that Customer or any Authorized User sends to Provider in connection with the Services,

use the Services to process or store classified data. If Customer introduces classified data into the Services, Customer will be responsible for all sanitization costs incurred by Provider,

permit any Authorized User or other third party to do any of the foregoing.



Limitation of Liability Sounds “legalese” but is fundamentally a business “risk-

benefit” decision.

A reasonable risk-benefit match is to cap liability at the Customer’s fees paid for Services for the contract period (usually 1 year).

Should exclude indirect damages, which are generally speculative and difficult to prove

Should exclude Customer’s violation of Provider’s IP to avoid an “economic breach” incentive.

Fallbacks may add indirect damages for confidentiality breaches, and exclude gross negligence or willful misconduct from the cap.

Sample Limitation of Liability


Limitation of Liability. EXCEPT FOR CUSTOMER'S VIOLATION OF THE USE OF SERVICES TERMS, INFRINGEMENT OF PROVIDER'S INTELLECTUAL PROPERTY RIGHTS, OR THIRD PARTY CLAIMS ARISING OUT OF CUSTOMER’S BREACH OF THE THIRD PARTY TERMS, (A) IN NO EVENT SHALL EITHER PARTY OR PROVIDER'S LICENSORS BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, AND (B) THE TOTAL LIABILITY OF EITHER PARTY OR PROVIDER'S LICENSORS ON ANY CLAIM ARISING OUT OF ANY SERVICES OR CONSULTING SERVICES SHALL NOT EXCEED THE TOTAL AMOUNT OF ALL FEES PAID OR PAYABLE TO PROVIDER UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS PRIOR TO THE ACTION GIVING RISE TO THE LIABILITY. NOTWITHSTANDING THE FOREGOING OR ANY OTHER PROVISION OF THIS AGREEMENT, IN NO EVENT SHALL PROVIDER OR ITS LICENSORS BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY LOSS, DAMAGE OR INJURY TO PERSON OR PROPERTY ARISING OUT OF OR INCIDENT TO THE PERFORMANCE OF EVALUATION SERVICES UNDER THIS AGREEMENT. THIS SECTION APPLIES TO DAMAGES ARISING FROM ANY CAUSE OF ACTION WHATSOEVER, INCLUDING WITHOUT LIMITATION CONTRACT, WARRANTY, STRICT LIABILITY, TORT, OR NEGLIGENCE, EVEN IF SUCH LOSS OR DAMAGE WAS FORESEEABLE OR CONTEMPLATED BY THE PARTIES.

Unique SaaS contract Issues


Data Recovery after SaaS subscription ends

Timing (providers may require a maximum time period, after which they will destroy the data)

Format (if the software uses a proprietary format, you’ll need to specify an alternate format to be able to access your data after receipt)

Certification of permanent data deletion. Depending on the nature of your data, this is particularly important if your data incudes personal, sensitive, or restricted information subject to applicable laws and regulations (HIPPA, ITAR, state privacy laws, etc.).

Negotiating Software as a Service (“SaaS”) Contracts


Questions?

The preceding slides and sample clauses are intended solely as opinions and examples based on personal experience.

The information and samples may not be appropriate (or applicable) for particular providers or customers.

Part II Rosemary Kuperberg

[email protected]

® Deltek, Inc. - All Rights Reserved

Data Privacy and Security

19 © Deltek, Inc. - All Rights Reserved

Disclaimer: the examples and tips are not a substitute for legal advice, and do not

represent the position of the speaker’s employer

General Tips


Data security concerns should be addressed in every deal – not just SaaS

Be aware of all the types of data involved – don’t focus on only personal data

Data Checklist – SaaS customers


Before you start to negotiate, know the following:

What data will be provided?

o Do you know the laws/regulations that apply to that data? Whose data is it?

o SaaS customer, its affiliates, vendors, employees, customers, etc.

o If the data belongs to others, do you have the right to give it to a SaaS provider?

Does the SaaS provider use third-party(ies) to host or store the data at any point?

o If yes, who are those parties?

o Do you get notice if they change? Where are the data centers physically located?

o Who controls the physical location? The provider or the customer? What is the governing law of the agreement? What security measures are currently in place?

o Do you get notice if those measures change?

Data Checklist – SaaS providers


Before you start to negotiate, know the following:

Does your service restrict the types of data that customers can provide?

o If yes, are those restrictions in the product or by contract?

Do you use third-party(ies) to host or store the data at any point?

Where are the data centers physically located?

o Who controls the physical location? The provider or the customer?

What security measures are currently in place?

o Who can answer questions about security measures?

• Are these people available to talk to customers?

o Which, if any, of the security measures can be changed for individual

customers?

Start with the Basics


SaaS Agreement should cover confidentiality in general, typically protecting both parties’ information:

Any information disclosed by one party ("Disclosing Party") to the other party ("Recipient") in connection with this Agreement that is marked confidential or that due to its character and nature a reasonable person under like circumstances would treat as confidential (the "Confidential Information") will be protected and held in confidence by the Recipient. Confidential Information will be used only for the purposes of this Agreement. Recipient shall disclose Confidential Information only to the Recipient's employees, contractors, or business partners which are bound by confidentiality obligations no less stringent than these prior to any disclosure on a "need to know" basis. Confidential Information does not include information that: a) is already known to the other party at the time of disclosure; b) is or becomes publicly known through no wrongful act or failure of the Recipient; c) is independently developed without benefit of the other party's Confidential Information; or d) is received from a third party that is not under an obligation of confidentiality. Recipient agrees to protect the Confidential Information at all times and in the same manner as it protects the confidentiality of its own proprietary and confidential material of similar kind, but in no event with less than a reasonable standard of care. A Recipient may disclose Confidential Information to the extent required by law, provided that the Recipient provides the Disclosing Party with notice as soon as reasonably practicable to allow the Disclosing Party an opportunity to respond to such requirement, and provided further that such disclosure does not relieve Recipient of its confidentiality obligations with respect to any other party. Upon the request of Disclosing Party, the Recipient shall promptly destroy or return to the Disclosing Party all copies of the Confidential Information and any documents derived from it. This obligation to return or destroy materials or copies thereof does not extend to automatically generated computer back-up or archival copies generated in the ordinary course of Recipient's information systems procedures, provided that Recipient shall make no further use of Confidential Information contained in those copies. Except as to the confidentiality of trade secrets, these confidentiality restrictions and obligations will terminate two years after the expiration or termination of the Agreement. The Recipient may return any Confidential Information to the Disclosing Party at any time.

Add SaaS-Specific Terms


Who owns the data?

What can provider do with the data?

o Does that change if the data is anonymized and/or aggregated?

Who responds to requests from individuals to change/delete data?

Specific security standards

Unauthorized access/data breach

Backup/redundancy

Return of data at the end of the SaaS subscription

Add SaaS-Specific Terms (cont.)


Who owns the data?

o Typically, the SaaS customer continues to own data that it puts into the SaaS

product.

Customer owns all electronic data or information that Customer or any user loads or enters into the SaaS

Services and all results from processing such data, including compilations and derivative works of such

data or information (“Customer Data”). Customer is solely responsible for the accuracy, integrity, quality,

legality, reliability, appropriateness of and copyright permissions of any Customer Data and for adopting

procedures to identify and correct errors and omissions in Customer Data.

o That means that the Customer remains responsible for compliance obligations

with respect to the data.

o Sometimes, if the SaaS product combines customer’s data with provider’s

data, the provider will want to own the combination.



What can provider do with the data?

o As a customer, you want to know exactly what provider will do. o As a provider, you want flexibility to do what you need to provide the best product.

Provider will handle Customer Data only in accordance with this Agreement. Customer hereby agrees that Provider is reliant on Customer for direction as to the extent to which Provider is entitled to use and process the Customer Data. Provider reserves the right, at any time and without notice to Customer, to review, monitor, flag, filter, modify, refuse or remove any or all Customer Data from the SaaS Services which violate the terms of this Agreement, but Provider has no obligation to do so.

o Does that change if the data is anonymized and/or aggregated?

• Many SaaS providers will ask for the right to gather anonymized data or aggregated data to improve the SaaS services.

• Some providers want to do even more than that.

Without limiting Customer’s ownership rights in Customer Data, Customer acknowledges and agrees that Provider shall have the right to utilize data capture, syndication and analysis tools and other similar tools to extract, compile, synthesize and analyze any non-personally and non-Customer identifiable data or information resulting from Customer’s use of the SaaS Services ("Statistical Data"). Statistical Data may be collected by Provider for any lawful business purpose without a duty of accounting to Customer, provided that the Statistical Data is used only in an aggregated form without specifically identifying the source of the Statistical Data.

Provider may make use of analytics to understand Customer’s use of the SaaS Services. Provider may transfer Customer Data to third-parties on an anonymous basis and such providers aggregate the data to create benchmarks.



Who responds to requests from individuals to change/delete data?

o This will depend on the SaaS Services.

o Most SaaS providers will require customers to be responsible for changes to

data.

(from clause on a previous slide) Customer is solely responsible for the accuracy, integrity, quality, legality,

reliability, appropriateness of and copyright permissions of any Customer Data and for adopting

procedures to identify and correct errors and omissions in Customer Data.

Customer is responsible for responding to all access requests, inquiries, or requests to correct Customer

Data from any individuals or third parties.



Specific security standards

o Not always practical to include in the contract – standards change frequently

o If specific standards ARE included, Customer will want to include a provision

saying that standards cannot be reduced during the term

Provider may modify the security standards from time to time [with notice to Customer], but will continue to

provide at least the same level of security as is described herein as of the effective date.

o Customer should also confirm that the identified standards (whether in the

contract or not) meet what Customer needs to fulfill its compliance obligations

o Provider should

• reserve the right to change standards as appropriate,

• confirm internally that any security standards included will be followed for the

term of any current subscriptions, plus renewals, and

• confirm that the Customer has also implemented security standards



Unauthorized access/data breach

o Both parties will likely have obligations under applicable law

o Contract should be clear who is responsible for addressing breach, and who is

responsible for required notifications

o As a Customer, you normally remain liable for compliance with respect to

individual end users and your customers

o As a Provider, you are normally responsible to notify your Customer

Customer is responsible for addressing any privacy breach and providing required notifications as required

by law or regulation, provided, however, that Customer will not, without Provider's prior consent, make any

public statement which directly or indirectly refers to Provider in connection with any privacy breach, access

request or correction request.



Backup/redundancy

o Customer may be able to pull its own backups.

Customer is responsible for maintaining appropriate backup and routine archiving of Customer Data.

o If not, contract should address whether Provider will do them and whether

there is an additional fee.

[When ordered,] Provider will provide monitoring, back-up, disaster recovery, and application and

infrastructure upgrades [at no additional charge].



Return of data at the end of the SaaS subscription

o May not be required if Customer is able to download the data during the term

o As a Customer, find out if data will be in readable/usable format

• If not, contract should address how the Customer can get its data at the end

o As a Provider, contract should be clear whether there is a fee for return of data

o Contract should also specify whether Provider has an obligation to retain data

after the end of the term

Upon Customer's written request made within thirty (30) days of termination or expiration of a Subscription

or this Agreement, Provider will return to Customer a single copy of all Customer Data then in Provider’s

possession in Provider’s then-current industry standard data extract format. Additional Customer Data

copies shall be available for a fee. After such thirty (30) day period, Provider shall have no obligation to

maintain or provide any Customer Data and shall, unless legally prohibited, delete all Customer Data in its

possession or under its control. Notwithstanding the foregoing, Provider may retain Customer Data in

backup media for an additional period of up to twelve (12) months, or longer if required by law.

SERVICE LEVEL AGREEMENTS

Part III

Michael L. Whitener

[email protected]

What Is an SLA?

Usually not a separate agreement, but a schedule or exhibit to the SaaS agreement

Sets performance bar that services must achieve Insurance policy, not guarantee Serves dual purposes:

For customer: Describes level of services that can be expected

For service provider: Helps instill trust in the service provider by the customer

33

Do You Need an SLA?

Not necessarily! Factors:

Type of services being delivered Price tag attached to SLAs Additional negotiating time Monitoring commitment Remedies

Alternative to SLA: simple statement of available support

34

Sample Alternatives to SLA

May be acceptable:

Web and Hotline Support. Customer will designate two representatives who will have access to our technical support website and may contact our call-in technical support during our normal hours of operation (currently 9 am to 5 pm local time). On-site support is not included and is subject to our standard hourly rate.

Not so much:

Service Provider will use commercially reasonable efforts to implement and operate the Services for Customer.

35

Elements of an SLA

Description of services covered Service availability (uptime)

Aka “How often does this thing go down”? Often expressed in “nines”: e.g., 99.9% availability 100% uptime commitment is no longer unusual May be calculated by a formula: e.g., ((TMM-TMU) x

100)/TMM

Response and resolution time Support options Remedies

36

Contentious SLA Issues

How broad is the definition of “services” for SLA purposes?

How is service uptime calculated? What are the exceptions to the uptime

commitment? How are severity levels defined? What remedies does the customer have if service

level commitments aren’t met?

37

THREE SLA TRAPS FOR THE UNWARY

38

Trap No. 1

Overbroad Carve-outs from Commitments

Pay attention to uptime exceptions Typical exceptions:

Scheduled maintenance, including system upgrades Emergency maintenance Force majeure events Bugs in software or hardware of service provider’s

suppliers Customer acts/omissions that cause downtime Customer failure to provide timely notice

Carve-outs may swallow the commitments

39

Sample Sleight of Hand

Commitment: 100% uptime, 10,000% service credit

Limitations: Only failures “due to known [Service Provider] problems” Customer must open support case “during the Failure in

question” and follow case opening procedures Customer must request credit within 48 hours of start of

failure Credit limited to 100% of fees during billing month and

capped at two months’ fees per year

40

Trap No. 2

High “Failure” Threshold

SLA may impose onerous threshold for claiming SLA breach

Watch out for requirements that: Outage must be total to count as downtime –

degradation of service is not sufficient Short-term outages (e.g., less than 15 minutes) ignored

As you review an SLA, ask: Who is responsible for monitoring? How must service issues be reported? What time period is used for calculating service failure?

41

Trap No. 3

Inadequate or Non-Existent Remedies

Make sure SLA even provides a remedy So you get a credit – what’s a credit?

Rebate to customer Reduction in next payment customer owes Additional period of service

Credit tables and percentage caps Right to terminate? “Sole and exclusive” remedy for failure to meet SLA

commitments?

42

Typical SLA Credit Formula

Standard credit table:

System Availability Credit Amount 97.00 – 97.99% 5% of user fees in month 96.00 – 96.99% 10% of user fees in month 95.00 – 95.99% 15% of user fees in month < 95.00% 20% of user fees in month

Note that anything below 95% availability is limited to 20% credit, no matter how poor the service

43

Documents

Negotiating Software as a Service Contractsmedia.straffordpub.com/products/negotiating-software-as-a-service...Negotiating Software as a Service Contracts ... Agreement Term Specified