As we have discussed previously, drafting software as a service ("SaaS") contracts brings with it numerous contractual complexities that in many ways mirror the complexity of the underlying technology. Providers give customers access to software and cloud services, allowing remote access and off-site data storage and shifting the risk of downtime and data corruption or loss to the provider. Of course, the amount of risk the provider wishes to assume in the arrangement is entirely up to the parties to the contract -- but both parties must take care to avoid assuming risk through ambiguous drafting and ensure what is in the contract truly reflects the bargain struck.
Just as lines of code cannot be cut and pasted reflexively from one project to another, so too is the case with contract language. Boilerplate should be used a heuristic - a quick way to see a list of provisions and clauses that you may want to consider negotiating for your current transaction. This post can be considered a boilerplate of the heuristic variety: some common SaaS provisions that you may want to consider. It is neither complete nor exhaustive and the entire list will likely be neither necessary nor sufficient for any individual transaction. They are provided merely as a list of provisions to get you thinking.
Virtual Point of Demarcation
When goods are shipped internationally, parties to a sale agreement need to negotiate when title to the goods transfers from the seller to the purchaser. If Amazon sells you a box of crystal juggling pins and they are dropped on the warehouse floor, we have a pretty good understanding of who will bear the cost of replacement. Perhaps the answer remains clear if the pins are lost in transit. But what if Amazon sees them safely all the way to your doorstep where they are trampled and broken? Intuitively we have an understanding that the title and the risk of loss for those pins has now shifted to you - they were delivered safely to your door and were broken while in your possession.
In the digital world, as is so often the case, the situation becomes murkier. Take for instance a voice over internet protocol ("VOIP") provider that sells a telephone service to a mid-sized business that has its own existing telephony infrastructure. If the VOIP service goes down on the provider's end, we understand that the outage is their responsibility. What if, however, an outage occurs and it becomes clear that it was owing to a misconfigured piece of equipment owned by the business? Without a virtual point of demarcation, the answer may need to be provided through litigation.
Virtual points of demarcation make clear where a service provider's obligations end and the customer's begin. They are, conceptually, linked to the service level agreement -- they draw thick lines around the boundaries of the service level warranties. In essence, the service provider promises that X, Y and Z will not happen, but makes no additionally unenumerated assurances.
Most businesses' needs are in flux. When a customer first signs a service agreement they can only do so based on their requirements (users, devices, licenses, etc.) at the time of signing. While it seems obvious, care should be taken to ensure that there is a transactionally cost effective way for a customer to expand or contract the number of users, devices or licenses that they are licensing. Placing undue transactional costs here, such as requiring them to renegotiate a new license, may cost the provider a customer when it comes time to expand - the cost effectiveness of staying with an existing provider is wiped out if new terms will need to be renegotiated as though they were a new customer. Make the path to expansion or contraction clear and as painless as possible.
A number of years ago, cloud photo hosting service Flickr, now owned by Yahoo, ran in to some issues regarding the ownership of user photos uploaded to their service. Their Terms of Service, ambiguously worded, gave some users pause and caused them to wonder if Flickr was attempting to retain copyright ownership of all photos hosted on their service. Flickr responded, clarified their Terms of Service, reassured their users, and the furor died down. However, it really is impossible to say how much the debacle effected their growth, customer satisfaction, and even valuation.
Providers: don't be like Flickr, make it clear from the start. For many modern businesses, their most valuable asset is their data. While service uptime and data security and privacy provisions may go over the heads of everyone save for the nerds in the basement in IT, the concept of who "owns" the data that is stored with your service will be crystal clear to techies and Luddites alike. Make clear who owns the data, who can use the data, if the data can be used or sold in the aggregate by the provider. If you were leasing warehouse space and the leasing agreement left who would own the items kept in the warehouse ambiguous, wouldn't you want to make sure it was cleared up before pen met paper?
Indemnification and Insurance
Consideration should always be given on either side of a SaaS contract as to whether one or both parties should be compelled to carry insurance. Most obviously, a provider should carry insurance to cover data and privacy breaches, data loss, and service downtime. Less obviously, however, is the insurance carriage requirements of the customer. If the customer will be indemnifying the provider for any liability, the provider will want to ensure the customer carries sufficient insurance to cover the cost of liability.
Downtime Allotments for Updates and Maintenance
99.9%, 99.999%, the minimum acceptable level of uptime is getting more 9s after the period every year. Owing to virtual servers and data redundancy, the need for downtime for updates or maintenance is becoming less and less common. However, there remain some technologies that still may require data or services to be unavailable for a period of time - and there is always the dreaded DNS issue. If required downtime may be a factor that needs to be considered by a provider in a SaaS agreement, care should be taken to also consider whether that downtime needs to be provided for separate and apart from the service level provision. In other words, a provider may want to guarantee 99.999% uptime as pertains to nonscheduled maintenance outages, but provide for a certain amount of downtime for upgrades an maintenance.
A solid understanding of the underlying technology, if not a technical mastery, is really a prerequisite for properly negotiating a SaaS agreement. As is the case with any contract, the drafter needs to be able to imagine all the potential scenarios that might present in the course of performance and account for them. If you were drafting a service agreement for the provision of transportation services for nuclear waste, you would engage experts to help ensure you were considering all of the potential risks - you wouldn't rely on your own reckoning just because you have seen Atomic Train. The same should be true for SaaS contracts: engage technical personnel and be realistic about your own understanding of the technology. Posting a meme on Facebook may not be sufficient technical savvy to negotiate the terms alone!