This post is the first in a two-part series. It will briefly address some of the principal benefits to users of cloud-based, Software as a Service (SaaS) solutions, as well as some of the key business and legal risks to corporate users.
The second post discusses how these SaaS contracts risks are typically and fairly addressed during negotiations between cloud software providers and customers. The issues are frequently very complex, but understanding them and properly and reasonably allocating risk between the customer and the cloud provider are critical to arriving at a satisfactory and sustainable agreement.
There is little doubt that the enterprise software paradigm shift away from on-premise to remotely hosted cloud applications has been remarkably rapid. It’s clear to me that the benefits and risks to companies operating their key IT systems in the cloud are much better understood today by sophisticated buyers, their IT departments and their attorneys than they were just a few years ago.
First, in summary fashion, some of the benefits and risks of cloud-based applications (see Salesforce's Benefits of SaaS):
Instead, the customer “subscribes,” typically on an annual basis, to the right to use the provider’s cloud computing infrastructure and applications on a shared basis with the provider’s other customers.
There’s no need for the core software applications to be installed in the customer’s computing environment. Instead, they “reside” or are “hosted” in the vendor’s cloud environment. (Still, some configuration of the application may be necessary to optimize it for the customer’s business.)
The customer does not need to pay a large up-front license fee for a traditional “perpetual, non-exclusive” license to the software. SaaS applications are typically licensed on a subscription basis with an annual subscription/license fee. Over time, however, subscription costs may exceed the up-front license fee required in a traditional installed software model.
Updates, upgrades, enhancements, bug fixes, etc., are made across the entire code base hosted by the vendor and apply to all customers. Often the subscription license fee includes this “maintenance.” However, technical support services will frequently require an additional charge. In the traditional installed software model, combined maintenance and technical support services can cost between 15% and 20% of the aggregate software license fee annually.
There is no need to purchase additional hardware as the customer’s needs grow, but the customer may need to purchase additional computing capacity from the provider, e.g., bandwidth, data storage, etc.
Cloud vendors typically will commit to a “service level agreement” guaranteeing at least 99.5%, and frequently 99.9%, uptime/availability, subject to superior force (force majeure), including Internet outages and other exceptions.
Given the importance of customers’ concerns regarding the security of their data when it resides off-site (not to mention customers’ legal obligations with respect to confidential information, personally identifiable information and sometimes protected health information under HIPAA), reputable SaaS vendors will frequently provide more robust data security than the customer would itself. This is particularly the case where the customer is a smaller company without deep IT resources, staff, controls or expertise.
The customer’s critical proprietary and confidential data will reside and be processed in the provider’s cloud-based infrastructure. While not limited to commercial cloud vendors, data breaches or unauthorized or illegal system intrusions resulting from malicious or criminal activity, hacking, data theft, espionage (whether by competitors, criminals, insiders, cyber-terrorists, governments and other groups of misfits) or negligence (employee or contractor mistakes) occur with alarming frequency.
If a critical SaaS application is unavailable, the customer’s business operations can be significantly impaired. A SaaS vendor will typically agree to make the application available and accessible at least 99.5% of the time, 24x7x365, subject to certain exceptions, e.g., routine maintenance, Internet outages, etc.
If the customer can’t access or process its critical data because its cloud software provider has “gone dark” or is out of business, there had better be a backup or disaster recovery plan in place that restores access to the data and mitigates the harm.
As of April 2017, according to The National Conference of State Legislatures, all but two states in the U.S. (Alabama and South Dakota) have data breach notification laws. If personally identifiable information (PII) is provided by individuals, e.g., consumers, to a company which processes that data in the cloud, and a breach in the security of the cloud provider’s environment results in unauthorized or unintentional disclosure of the PII of those individuals, the company, i.e., the cloud provider’s customer, will be responsible for notifying those affected under applicable breach notification laws. In addition, U.S.-based multinational companies having facilities in the EU which process the PII (“personal data”) of EU citizens will need to conform their data security processes and standards to EU data security requirements, and ensure that their cloud software providers can meet those requirements. The legal and regulatory environment in the area of data privacy is very fluid, but cloud software customers (and providers) should expect more stringent and rigorous requirements.
Editor's Note: This post was originally published in May 2015. It has been updated for accuracy and comprehensiveness.