5 Important Clauses in a SaaS agreement
BY ABHIJIT MURTHY B.TECH(BIOTECH), M.SC(UK), LLB, PG DIPLOMA IN CYBER LAWS
The following discussion highlights certain key elements that every Software-as-a-Service (SaaS) company compulsorily should be included in its agreement with its end users. A significant point to be observed is that a SaaS agreement differs from a Licensing Agreement.
A SaaS agreement may be inclusive of heavy service elements, or it may simply be given access to users to products that can have an alternate form of licensing. A simple difference is that the involvement of physical hardware components to be installed by the user; required in a licensing agreement, not required in a SaaS agreement.
The list is not exhaustive, but for the purpose of lexical brevity, the following aspects are key elements in my considered view:
Privacy Policies pertaining to SaaS
One of the leading concerns today is that of the Privacy Policies being so inscrutable. According to a research poll conducted by www.pewresearch.org, 20% of Americans say that they always (9%) or often (13%) read these policies before agreeing to them, and nearly 36% say they never read them. Thus, the onus of liability rests solely on the company rendering the service in order to ensure a faux pas moment does not arise because of a legal leak in the Privacy Policy.
If a SaaS service is collecting personal data, then it is a legal necessity to have a Privacy Policy in place. There are many countries and regions that have laws ensuring these laws are strictly followed and that includes:
- The European Union: General Data Protection Act (GDPR)
- California: The California Online Privacy Protection Act (CCPA)
- Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA)
Since almost all SaaS agreements require the collection of at least personal identifying information, it mandates that a strict privacy policy is in place to provide specific relief to both the service provider and the user. The costs involved in lax policies and non-compliance is high wherein humungous fines are imposed on firms that fail to comply in collecting GDPR compliant data (Gal & Aviv, 2021).
Terms of Use Agreements for a SaaS (ToU)
A well-drafted type of this agreement acts as an agent that legally binds your company and your customers. A well-known Latin maxim ‘ignorantia juris non-excusat’ explicitly points out the fact that a consumer, on more than occasion, feigning ignorance about the ToU is more than just a convenient way to get out of liability arising out of their violation of the ToU. A few clauses to be included are:
- Copyright and intellectual property rights.
- Handling of the consumers’ data by the system.
- Laws governing the contract, restrictions, and limitations of use.
- Licensing information.
- Business contact information.
An important aspect that needs to be kept in mind while drafting the ToU is that the legal jargon is toned to the level of a layman.
Liability Clause
The most important aspect here is to frame the agreement in a manner that limits the liability of the service provider, and if possible completely absolves the service provider of any liability. Legally speaking, every SaaS transaction is covered under the ambit of a liability model that is only limited to the extent of damages caused by the service provider to the client itself. Therefore, all such agreements should have an embedded contractual risk model whose sole purpose is to mitigate the threat of actual risks.
Let us now carefully examine the case of limited liability of a popular SaaS provider Paytm. In the event of a fraud occurring to a consumer, there are certain limited liability clauses that work for both parties i.e. the consumer and Paytm (henceforth referred to as the ‘issuer’).
- In case the fraud happened due to the erroneous nature of the customer, for instance, clicking on potentially harmful links that compromise the credentials of the customer, then the issuer is not held liable.
- In case the fraud happened because of the involvement of a third party having malicious intentions, then certain remedies such as blocking and reversal of the transaction if reported within 24 hours are available.
Another company Upstox, a major trading platform, has now recently fallen victim to such a cyber attack wherein 25 lakh user credentials have been leaked and are now up for sale on the dark web. It is yet another example of how a perfectly drafted SaaS agreement can now bail the service provider out of legal hassles arising out of the situation. The above company now has to follow the SOP of the instructions and guidelines laid down by the RBI in the circular RBI/2018–2019/55 issued from FMRD.FMID.07/14.03.027/2018–19.
Now, however, according to the RBI circular RBI/2017–18/109 issued from DCBR.BPD. (PCB/RCB). Cir.№06/12.05.001/2017–18, the burden of proving the customer liability lies with the issuer. This calls for even more robust pointers in the Limitation of Liability provisions.
- The amount of direct damages is capped that either party may have to pay another.
- Totally severe any indirect types of damages.
- Indemnity obligations from the cap are exempted.
- If possible add a provision that ensures a higher cap for the service provider’s data breach liability.
Now it would be quite unethical on the customer’s part to think that the company is wholly and solely responsible in the event of a data breach that arises out of hacking attacks. In a recent event, about 550 million Facebook account details were hacked and the database was uploaded on a darknet website. In such cases, the onus of proving damages incurred lies on the customer to prove that these damages were a direct result of the data leak associated with Facebook. It would be quite surreal since one cannot exactly point out and attribute misuse of personal information solely to one company’s data breach event. Thus, there is absolutely no liability on the company in an event of a data breach as a result of hacking (Borders, 2021).
Intellectual property in user-generated content
In the event that an app or software allows the users to create their own content, a license needs to be obtained from the users enabling the service provider to use the content. This enables the provider to minimize the risk associated with the license by categorically and explicitly stating whether or not the customer is authorized to transfer any of the licensed rights (Bowen, 2021). A well-drafted agreement contains specific provisions under which the customer should be aware of
1. Specifically, enumerated limitations of the license and
2. Any deviations from the standard limitations shall tantamount to breach of agreement thereby preventing any ambiguity from arising (Bowen, 2021).
One such example of Dropbox’s policy can be observed. It has a very lucid and clear policy that states that the user shall grant Dropbox a license to use those photos i.e. put them into a folder, store and share them as per user-generated requests
To sum it up, two parts are essential to be included in such an agreement:
Jurisdictional and remedial clauses in a SaaS Agreement:
A major empirical problem in any such agreement is that of the jurisdictional scope of the operation of the agreement. In any service, a thorough legal mechanism to deal with the deficiency of service should be in place to solve any disputes arising out of it. Each SaaS Agreement is tailor-made with a majority of the portion based on the varying geographical preferences of the client. Thus, in case of a dispute, the language of the resolution of the dispute must be mentioned specified aforehand. The bare reading of the clause shall begin resembling something like this, “This Agreement shall be governed and construed under the laws of India. Any dispute arising out of or in relation to this Agreement shall be submitted to the sole jurisdiction of the court of law at_________”.
Any dispute is subjected to an Arbitration clause that states that an amicable solution shall be found via the mode of Arbitration first. Only after Arbitration, are both parties free to approach the appropriate court. The arbitration shall be governed under the provisions of the Arbitration and Conciliation Act, 1996. A mandatory Force Majeure clause also is included that absolves the service provider of any liabilities from deficiency of services in events such as acts of nature, electrical failure, disturbance, riots, equipment failures, and internet failures to name a few (Pandey, 2021).