This article supplements my post, “11 Key Benefits and Risks of SaaS Contracts.” This time, I’ll address some ways SaaS (“software as a service,” cloud-based) software application providers and their customers can reasonably expect to contractually allocate some of the fundamental business and legal risks associated with use of a SaaS application.
There are myriad issues involved in this complex topic, and where the parties end up in their written contract often depends on relative bargaining power, negotiation skill and willingness to devote money, guns and lawyers (well, hopefully not guns) to the negotiation process.
In my experience, the following topics frequently consume an inordinate amount of time in SaaS contract negotiations.
Many prospective SaaS customers view with trepidation the prospect of handing over “physical” control of their company’s data to an off-site SaaS provider.[1] It seems that every month we learn of a new large-scale data security breach, whether from cybercriminals, espionage, ineptitude or otherwise.[2]
There are many things a SaaS vendor can and should be expected to do to mitigate the risk of a data breach, e.g., appropriate personnel training, use of security technology such as encryption (of data in transit and at rest), multiple firewalls, intrusion detection systems, etc.,[3] and third-party review and certification of the adequacy of those measures.[4] In addition, one might argue (and some industry commentators have[5]) that because the marketplace has required SaaS providers to implement robust, state-of-the-art security infrastructure in order to remain competitive and mitigate the risk of catastrophic data breaches, they are better equipped to protect and safeguard their customers’ data than their customers are.
Nevertheless, in my experience, SaaS customers will frequently try to hold SaaS vendors fully (lawyers love this word when imposing an obligation on the other side, but not when it applies to their client, which is exactly how it should be) responsible and liable for any data loss, damage, intrusion, corruption, unintended disclosure or breach. From a contractual standpoint, this means having the SaaS vendor accept liability for potentially enormous consequential damages resulting from any of the above. Consequential damages are foreseeable financial damages arising from the breach, which may greatly exceed the amount the customer paid and the vendor received.[6] Examples in the SaaS context would be the customer’s lost business or profit and the significant cost of notifying those affected by the data breach.
SaaS vendors will generally not accept consequential damages liability if they wish to remain in business. Nor is it reasonable for a SaaS customer to expect them to (these same customers will typically not accept consequential damages liability in their contracts with their own customers). If a SaaS vendor accepted full consequential damages liability, a single data breach affecting a single SaaS customer could put them out of business.
The customer should attempt to persuade the SaaS vendor to accept liability for direct damages from a data breach up to an agreed-upon limit based on the overall value of the contract or a multiple thereof, e.g., 1.5x or 2x the amount the vendor is expected to be paid over an agreed-upon time period. In addition, it is not unreasonable to expect the SaaS vendor to accept some consequential damages liability when the data breach results from the vendor’s gross negligence or intentional misconduct. Both parties should bear in mind that cyber-liability insurance is available to protect against those risks which a party is unable to contractually allocate to the other side.
The customer has a reasonable expectation that the SaaS application will be available and usable to the same degree it would be if installed in the customer’s on-premises computing environment. Apart from the issue of whether the application is working properly (which should be addressed by appropriate performance warranties and remedies in the contract, as discussed below), if a critical SaaS application is unavailable, the customer’s operations can be significantly impaired. The SaaS vendor should agree to make the application available and accessible at least 99.5% of the time, 24x7x365. In concrete terms, 99.5% measured over a 30-day month allows about 3.6 hours of downtime in that month; measured over a year it allows about 44 hours, so the measurement period matters as much as the percentage. Most SaaS vendors will make this type of commitment, typically in what are called “service level agreements” (which are part of the overall SaaS contract), because the marketplace has demanded it.[7]
Customers should expect this commitment to be subject to routine maintenance outages (only during non-peak usage hours) and events outside the vendor’s control, such as general Internet outages and equipment failures not within the SaaS vendor’s environment. Because these exclusions determine how much of the 99.5% the customer actually gets, the contract should define how availability is measured: the measurement period, what counts as unavailability, and which outages are excluded. The contract should also obligate the vendor to provide fee credits when it fails to meet the availability commitment. Customers should attempt to include in the contract a “death by a thousand cuts” termination right, e.g., if the vendor fails to meet the availability commitment on three separate occasions during a two-month period, this should constitute a material breach and entitle the customer to terminate and receive at least a prorated refund of the unused fees paid in advance.
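To show what an availability commitment, its exclusions, fee credits and a “three occasions in two months” termination right look like once they are reduced to arithmetic, here is an added example in Python. It is not part of the article and not any vendor’s SLA: the weekly measurement period, the Sunday 02:00–06:00 maintenance window, the list of excluded causes, the credit tiers and the outage log are all assumptions made for illustration. It takes a log of outage intervals, drops the ones the contract would exclude, clips the rest to each measurement period, computes availability and credit per period, and checks whether three missed periods fall inside any two-month window.

```python
"""SLA compliance checker: downtime budget, exclusions, fee credits and the
"three misses in two months" termination trigger.

Added illustration for this article. The weekly measurement period, the
Sunday 02:00-06:00 maintenance window, the excluded causes, the credit tiers
and the outage log are assumptions, not any real vendor's terms.
"""
from datetime import datetime, timedelta

SLA_TARGET = 0.995                  # the article's 99.5% commitment
MISS_THRESHOLD = 3                  # "three separate occasions ..."
MISS_WINDOW = timedelta(days=61)    # "... during a two month period"
PERIOD = timedelta(weeks=1)         # assumed measurement period

# Assumed exclusions: causes outside the vendor's control, and a scheduled
# maintenance window on Sunday (weekday 6) from 02:00 to 06:00.
EXTERNAL_CAUSES = {"internet backbone", "customer network"}
MAINT_DAY, MAINT_START_HOUR, MAINT_END_HOUR = 6, 2, 6

# Assumed credit schedule: (availability floor, % of the period's fee credited).
CREDIT_TIERS = [(0.995, 0), (0.99, 10), (0.95, 25), (0.0, 50)]

# Constructed outage log (not real data): (start, end, cause).
OUTAGES = [
    (datetime(2024, 3, 6, 10, 0), datetime(2024, 3, 6, 11, 30), "database failover"),
    (datetime(2024, 3, 10, 3, 0), datetime(2024, 3, 10, 5, 0), "scheduled maintenance"),
    (datetime(2024, 3, 20, 14, 0), datetime(2024, 3, 20, 15, 0), "internet backbone"),
    (datetime(2024, 3, 21, 9, 0), datetime(2024, 3, 21, 9, 20), "deploy rollback"),
    (datetime(2024, 3, 27, 22, 0), datetime(2024, 3, 28, 0, 30), "storage outage"),
    (datetime(2024, 4, 14, 1, 0), datetime(2024, 4, 14, 3, 0), "emergency patch"),
    (datetime(2024, 4, 28, 23, 30), datetime(2024, 4, 29, 0, 40), "network switch"),
]
FIRST_PERIOD_START = datetime(2024, 3, 4)   # a Monday


def downtime_budget(period: timedelta, target: float = SLA_TARGET) -> timedelta:
    """Maximum countable downtime per period at the given availability target."""
    return period * (1 - target)


def within_maintenance(start: datetime, end: datetime) -> bool:
    """True only if the whole outage lies inside the agreed maintenance window."""
    if start.weekday() != MAINT_DAY or start.date() != end.date():
        return False
    window_open = start.replace(hour=MAINT_START_HOUR, minute=0, second=0, microsecond=0)
    window_close = start.replace(hour=MAINT_END_HOUR, minute=0, second=0, microsecond=0)
    return window_open <= start and end <= window_close


def countable_downtime(outages, start: datetime, end: datetime) -> timedelta:
    """Outage time overlapping [start, end) after applying the exclusions."""
    total = timedelta()
    for o_start, o_end, cause in outages:
        if cause in EXTERNAL_CAUSES or within_maintenance(o_start, o_end):
            continue
        lo, hi = max(o_start, start), min(o_end, end)   # clip to the period
        if hi > lo:
            total += hi - lo
    return total


def availability(outages, start: datetime, end: datetime) -> float:
    """Fraction of the period the service counted as available."""
    return 1.0 - countable_downtime(outages, start, end) / (end - start)


def fee_credit_pct(avail: float) -> int:
    """Credit owed for a period, per the assumed tier schedule."""
    for floor, pct in CREDIT_TIERS:
        if avail >= floor:
            return pct
    return CREDIT_TIERS[-1][1]


def sla_report(outages=OUTAGES, first=FIRST_PERIOD_START, periods=10):
    """One row per measurement period: availability, credit and miss flag."""
    rows = []
    for i in range(periods):
        start = first + i * PERIOD
        avail = availability(outages, start, start + PERIOD)
        rows.append({"start": start, "availability": avail,
                     "credit_pct": fee_credit_pct(avail), "miss": avail < SLA_TARGET})
    return rows


def termination_right(rows, threshold=MISS_THRESHOLD, window=MISS_WINDOW) -> bool:
    """True if `threshold` missed periods begin within any span shorter than `window`."""
    misses = [r["start"] for r in rows if r["miss"]]
    for i in range(len(misses)):
        count = sum(1 for m in misses[i:] if m - misses[i] < window)
        if count >= threshold:
            return True
    return False


if __name__ == "__main__":
    report = sla_report()
    print(f"weekly downtime budget at {SLA_TARGET:.1%}: {downtime_budget(PERIOD)}")
    for r in report:
        print(f"{r['start']:%Y-%m-%d}  availability={r['availability']:.4%}  "
              f"credit={r['credit_pct']}%  {'MISS' if r['miss'] else 'ok'}")
    print("termination right triggered:", termination_right(report))
```

Two things the numbers make visible: a 99.5% commitment measured weekly leaves a budget of only 50 minutes and 24 seconds per week, so a single 90-minute incident is a miss, and the same outage log looks very different depending on which causes the contract lets the vendor exclude (the Sunday 03:00 maintenance and the backbone outage count for nothing here, while the Sunday 01:00 “emergency patch” that started before the agreed window counts in full). The “three occasions” test only works if the measurement period is shorter than the two-month window, which is one more reason the contract should say what the period is.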
Apart from the availability commitment discussed above, SaaS vendors will typically warrant that the hosted SaaS application will perform “in all material respects” (or “substantially”) in accordance with its applicable specifications or documentation, sometimes without limitation as to time when the customer is paying on an annual subscription basis.[8] However, the remedy for breach can be quite limited, e.g., termination of the agreement if the application’s performance does not meet the warranty and the vendor cannot correct it.[9]
In my view, the customer should reasonably expect to be entitled to a prorated refund of the unused portion of the subscription license fee for the remainder of the (typically annual) term or service period[10] and, ideally, a refund of a portion of the fees paid prior to termination. Rather than warranting performance for the full subscription term, other vendors limit their warranty to some period of time after either the commencement of the agreement or the discovery of the defect. Ninety days is typical and reasonable.
Customers should consider attempting to obtain the right to a refund of at least the entire service period’s fees, if not more, given the hardship and expense associated with researching, selecting and switching to an alternate vendor. In addition, customers should seek to expand the vendor’s overall maximum liability to the total amount paid by the customer over the period of the contract, as is frequently the case in a traditional installed software license agreement.
This article is provided for information purposes only and is not intended as legal advice. If you’d like to discuss any of the issues mentioned, please feel free to contact the author.
Eric S. Freibrun runs a legal practice focused on I.T./software/cloud/Internet transactions and intellectual property protection – representing software and SaaS vendors and their corporate user customers. He has over 30 years software and I.T. transactional experience; former in-house I.P. and transactional counsel for Andersen Consulting (now Accenture). Eric has been in private practice since 1992.
Editor's Note: This post was originally published in July 2015. It has been updated for accuracy and comprehensiveness.
[1] See “Cloud Security: 6 Steps for Keeping Your Data Safe,” Paul Gillin, CIO, June 2, 2015, http://www.cio.com/article/2929830/cloud-security/cloud-security-6-steps-for-keeping-your-data-safe.html, citing “20 of the Greatest Myths of Cloud Security,” David Spark, CIO, May 13, 2015, http://www.cio.com/article/2922374/cloud-security/20-of-the-greatest-myths-of-cloud-security.html.
[2] See, e.g., “China Suspected in Massive Breach of Federal Personnel Data,” New York Times, June 4, 2015, http://www.nytimes.com/aponline/2015/06/04/us/politics/ap-us-government-hacked.html; “Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst,” New York Times, May 20, 2015, http://www.nytimes.com/2015/05/21/business/carefirst-discloses-data-breach-up-to-1-1-million-customers-affected.html?_r=0; “Adult Dating Site Investigating Breach of User Data,” New York Times, May 22, 2015, http://www.nytimes.com/aponline/2015/05/22/technology/ap-us-tec-dating-site-hack.html.
[3] See, e.g., Salesforce.com, inc., Security Overview, http://www.trust.salesforce.com/trust/learn?tab=learn&title=Salesforce%20Trust%20-%20Learn.
[4] See, e.g., Microsoft Security, Audits, and Certifications, https://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Security_Audit.htm.
[5] See note 1.
[7] SAP offers a bit less, i.e., 99%: see Article 3.3 of General Terms and Conditions for SAP Cloud Services (for Indirect Sales) (US, English) v.9-2014, http://global.sap.com/corporate-en/our-company/agreements/north-america/agreements.epx. Microsoft offers a bit more, i.e., 99.9%: see Sec. A-1 of Microsoft Dynamics CRM Online Service Level Agreement (“SLA”), https://port.crm.dynamics.com/portal/static/1033/sla.htm.
[8] See, e.g., Section 9.2, Master Subscription Agreement, Salesforce.com, and Article 7.1, General Terms and Conditions for SAP Cloud Services (for Indirect Sales) (US, English) v.9-2014, http://global.sap.com/corporate-en/our-company/agreements/north-america/agreements.epx.
[9] See Article 7.1, General Terms and Conditions for SAP Cloud Services (for Indirect Sales) (US, English) v.9-2014, http://global.sap.com/corporate-en/our-company/agreements/north-america/agreements.epx.
[10] See Section 12.3, Master Subscription Agreement, Salesforce.com.