At Lighthouse Law, we have watched Software-As-A-Service (“SaaS”) terms evolve in the marketplace over the last five years. We are still learning, but we’ve noticed a few things to look out for. Here are six of them:

  • Hyperlinks to online Terms and Conditions and policies (e.g. Acceptable Use Policy)
  • Suspension rights
  • No liability for loss of actual data
  • Uncapped liability for the customer coupled with wide indemnities for losses caused by the customer
  • Sole and exclusive remedies
  • No meaningful service level or service level remedies

SaaS continues to grow with ease of use and friendly subscription-based pricing models being obvious benefits. While this form of cloud-based software delivery may tick many boxes with the procurement and business functions, SaaS Agreements can be tricky when it comes to risk. 

SaaS is generally referred to as a “one to many” model which allows the SaaS provider to host and provide the same software for multiple users. SaaS providers are, therefore, generally reluctant to deviate from their standard terms, and your ability to negotiate these terms will depend on various factors including the size of the Customer, the potential spend, bargaining power and the size of the SaaS provider. 

The potential cost savings are a huge advantage, but the legal risks need to be carefully managed to ensure that the benefit justifies the risk. Our six key issues will help you navigate these:

1. Hyperlinks to Online Terms and Conditions and Policies (e.g. Acceptable Use Policy)

It’s common for SaaS providers to refer to additional terms and documents by inserting a reference or hyperlink to these terms. These terms, documents and/or policies are incorporated ‘by reference’, and in turn are binding on the parties. This means that they will apply automatically in addition to the terms set out in the SaaS agreement itself. For this reason, it’s important that each of these other documents is carefully reviewed individually. Although there are many variations of this type of clause, most SaaS providers tend to reserve the right to change and vary these terms unilaterally by simply publishing amended terms on their website and stating that the continued use of the SaaS will be deemed acceptance by the Customer.

Points to Consider: It’s important to review all the documents and terms that are incorporated by reference to ensure compliance with the SaaS agreement and to ensure that the SaaS agreement aligns to your business objectives and operational needs. You should not accept a right for the SaaS provider to unilaterally change the terms of the SaaS agreement. Any proposed changes should be discussed and agreed in writing. If the SaaS provider argues that it cannot renegotiate the proposed changes to their standard terms with all of their customers, then you should have the right to terminate the SaaS agreement if you don’t agree with the change, and importantly get your money back if you’ve paid any amounts upfront. 

2. Suspension Rights

SaaS providers will generally try to suspend the services they provide where there is non-compliance by the Customer with the provider’s standard terms or the Acceptable Use Policy. While it is unlikely that a Customer will succeed in removing such rights, there may be a significant operational risk to the Customer if the SaaS provider can unilaterally switch off the services. If the service is a business-critical service, then consider carefully the ways to limit the impact of a suspension right on your operations.

Points to Consider: Suspension rights may pose a material and adverse operational risk for the Customer, and if key services are being provided it is unlikely that the Customer will want the SaaS provider to be able to switch off the services unilaterally. Consider including a level of governance and a notice period where the Customer is provided an opportunity to rectify any purported breach. Consider also whether the rights to suspend can be limited to certain specified breaches only, and importantly, limit the suspension only to the specific user that is non-compliant rather than a wholesale suspension of all the services to the Customer. The suspension right has to be reasonable and proportionate.

3. No Liability for Loss of Actual Data

Most SaaS providers, to varying degrees, attempt to exclude their liability if they lose any Customer data. Loss of data could have a material and adverse impact on the Customer’s business. 

Points to Consider: As a Customer, consider to what extent the SaaS provider has access to and stores any of your data. If the SaaS provider does, then it’s necessary to consider the potential loss and impact to your business, and then ensure that the SaaS agreement deals specifically with such instances of loss and provides adequate protection for the Customer, e.g. by including such loss as part of the general liability provisions, corresponding indemnities, back-up and disaster recovery solutions. Consider also ‘data escrow’ products which are increasingly used in the marketplace (e.g. the NCC Group) as these products now hold data in escrow in a way that allows the Customer to access it if something goes wrong with the SaaS provider or system.

4. Uncapped liability for the customer coupled with wide indemnities for losses caused by the customer

Liability caps are designed to both limit and provide predictability around potential exposure for both parties under the SaaS agreement. But in a SaaS agreement drafted by the SaaS provider, it is common for the agreement to seek to limit and cap the liability of the SaaS provider but to have uncapped liability for the Customer, coupled with widely drafted uncapped indemnities for losses caused by the Customer. This is not a risk profile that a Customer should accept, and it’s very unlikely that you as the Customer would accept this risk in other commercial contracts.

Points to Consider: As a Customer, read these provisions carefully because they often cross-refer to other provisions in the SaaS agreement and can be confusing. Discuss and consider issues with the business such as:

- What is the worst that can happen?

- What are the potential ways in which the business can suffer loss if something goes wrong with the service?

- Is the general cap sufficient protection to manage this risk?

- What types of damages are unrecoverable in any case (e.g. indirect or consequential loss)?

- What categories of claims are excluded from the caps, and are there deductibles, thresholds, other types of sole remedies and so on?

It is also always preferable to clearly define any indemnities and understand how they fit in with the caps on liability. 

5. Sole and exclusive remedies

In general, the remedies available to a Customer are often weak and SaaS providers commonly include provisions stating that the remedies available to the Customer are the “sole and exclusive” remedies. This means the Customer has weak remedies for non-performance or breach of the SaaS agreement, and no rights to do anything about it because the Customer is limited to the remedies set out in the SaaS agreement only. This includes the Customer’s rights to claim for all of the damages it may incur. An example of this is where a SaaS provider confirms that the payment of service credits is the Customer’s sole and exclusive remedy for non-performance. 

Points to Consider: You as the Customer should not accept any “sole and exclusive” remedies. If you are unsuccessful in removing these provisions from the SaaS agreement, then consider the potential impact and loss that you as a Customer may incur beyond the provision which has been limited to a sole remedy. If you identify any such losses that may go beyond the sole remedy, then you should seek to ensure that these types of losses are not subject to a sole remedy.

6. No meaningful service level or service level remedies

The service levels and service credit mechanism typically proposed by SaaS providers, if proposed at all, are often not sufficient and do not incentivise the right type of performance by the SaaS provider. At a minimum, the SaaS agreement should contain service levels for availability, capacity, response and resolution times, capability, support and service reliability. It is important for the Customer to ensure that the service levels are clearly defined, and that there are clear consequences for the failure to achieve these service levels. Customers should also be wary of the performance standards that are incorporated in a hyperlink or URL as these are often unilaterally amended by the SaaS provider and therefore do not give the Customer scope and performance certainty.

Points to Consider: When determining whether a service level and service credit mechanism are sufficient or not, a Customer should run the actual numbers and prepare calculations. Insert actual numbers and charges into the formulas to determine whether the actual monetary amount, in the form of a service credit, is a sufficient number to (a) incentivise performance; and (b) be commensurate with the reduced charges you should be able to pay due to the reduction in service level achieved. A Customer should consider the impact on its business if the SaaS provider fails to provide the service in accordance with the proposed service level and determine what service levels meet its business needs and expectations.

Matthew McConkey

Lighthouse Law