SaaS Vendors: A Legal Checklist
Due to the differences between traditional “on premise” software licensing and the newer software as a service (“SaaS”) offering, there were bound to be required adjustments on how the software customer contracted for these services. We owe a debt of gratitude to Gene Landy with the law firm of Ruberto, Israel & Weiner, P.C. in Boston, MA. Landy has put together a list of 8 items in his article 8 Legal Tips for SaaS Vendors that should be considered by the SaaS Vendor while developing their SaaS offering. Including some or all of these tips in your contract may be a smart decision. Here is a brief summary of those legal tips:
1. Look for restrictions in your own software licenses: As you develop your offering, do your licenses prohibit use as a service bureau or are there restrictions on remote access or use as an Application Service Provider. You wouldn’t want your SaaS application to be in violation of any of these restrictions.
2. Has your contract model evolved: Initially the SaaS offering came in a 2 part form - first a software license and then a hosting agreement. Today the more common contract model is to view this as a subscription and not mention licensing in the agreement.
3. The Tax Man: Your customers may be interested to know that most states do not levy a tax on services as they do for the sale of a license.
4. Trials: The SaaS Vendor could include a trial period bundled into the subscription agreement.
5. Required upgrades limit the SaaS vendor’s maintenance costs: Require customers to upgrade and eliminate having to maintain prior releases.
6. Security: It is fine to tout your security measures, but never promise 100% guaranteed data protection. This is IT after all and you are using the internet.
7. Consider SAS 70 as a selling feature: You can provide your customers with an extra level of comfort and some of your customers may actually require a SAS 70 certification. This is a certification performed by an outside accounting firm which attests to the accuracy and security a vendor provides. The certification states that the controls are adequate.
8. Data Breach Notification: In the event of a data breach most states require a notification be sent out to the subjects of such a breach. Make sure that your customers do not attempt to place such obligation upon you. The costs could be prohibitive.
This is by no means an inclusive list, but Landy has hit some key issues. I found it very informative and helpful.
