Negotiating Software as a Service...
Transcript of Negotiating Software as a Service...
Presenting a live 90-minute webinar with interactive Q&A
Negotiating Software as a Service Contracts: Guidance for Corporate and Technology Counsel for Structuring Effective SaaS Agreements
Today’s faculty features:
TUESDAY, SEPTEMBER 8, 2015
Kristie D. Prinz, The Prinz Law Office, Silicon Valley, Calif.
Kelley C. Miller, Attorney, Reed Smith, Washington, D.C.
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Negotiating Software as a Service (SaaS) Contracts: Guidance for Corporate Technology Counsel for
Structuring Effective SaaS Agreements
Strafford Publications Webinar
September 8, 2015
Kelley C. Miller, Esq. – Reed Smith LLP
Agenda of Presentation Topics:
Kelley Miller
I. Drafting and Negotiating Key Provisions in SaaS Agreements
I. Introduction and Overview of Cloud/SaaS
II. Examples of Services Covered Under CSAs
III. Data – What is it?
IV. Data – Use of SaaS Data by Cloud Service Providers
V. Ownership of Data
VI. Access to Data
VII. Data Security
II. Recent Legal Developments and Business Trends
I. ‘Pennies from Heaven’: How Tax Authorities are Looking to Cloud Computing for Revenue
I. Case Study in Cloud Taxation (U.S.): City of Chicago
Drafting Key Provisions in SaaS Agreements
Drafting Key Provisions in SaaS Agreements:
Introduction
• Cloud computing is a ubiquitous term often used to describe many
different processes involving “Internet-based” transactions.
• Some of the conceptions of cloud are correct; others are very misleading.
• Similarly, cloud computing agreements have as many different iterations
(e.g., Click Wrap, etc.) as there are definitions of cloud computing.
• The purpose of this presentation is to provide an overview of these
agreements and the many legal and compliance issues that are
inherent therein.
• Key to this part of our discussion will be an understanding of contract
terms as related to cloud data; namely, how data is owned, accessed
and secured in the cloud.
Drafting Key Provisions in SaaS Agreements:
Overview of Cloud Computing
The key distinction between the three main iterations of ‘cloud computing’ services is whether the
function/attribute is managed by the customer or the vendor. As a general matter, the further along the
continuum of cloud products (e.g., Infrastructure), the more a function/attribute will be managed by the
customer. In the most ‘basic’ of cloud computing models—Software as a Service—all of the
functions/attributes are managed by the vendor—a fact magnified by the many issues with CSAs.
Drafting Key Provisions in SaaS Agreements:
Overview of Cloud Computing
• Cloud Computing, Defined
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST Definition)
• Essential Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
• Service Models
• SaaS – Software as a Service
• PaaS – Platform as a Service
• IaaS - Infrastructure as a Service
Drafting Key Provisions in SaaS Agreements:
Overview of Cloud Computing
• Software as a Service (SaaS), Defined
• The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. (NIST)
• Essential Hallmarks of SaaS
• Use of software that is hosted remotely by a vendor (“service provider”); software is accessible by the customer (“user”) using the Internet
• User’s data is remotely stored and processed using the service provider’s software – there is no software, storage or processing that occurs on the user’s system
Drafting Key Provisions in SaaS Agreements:
Examples of Services Covered Under CSAs
• E.g., Windows Azure (Runs apps; e.g., AccuWeather.com app)
• E.g., Rackspace (Public and private clouds; Servers)
• E.g., Office 365 (Allows users access to OneNote anywhere)
Drafting Key Provisions in SaaS Agreements:
What are you getting? What are your risks?
BENEFITS
• Flexibility
• Ability to forecast needs (scale) and plan for cost
• Not locked into current-generation paradigms
• Can change quickly—and get a quick response where change warrants the need for the same
RISKS
• Control – Data and Access to Data are Key!
• SECURITY
• Performance
• Reliability
• Vendor Lock-Ins
Drafting Key Provisions in SaaS Agreements:
What are the most important factors affecting CSAs? (IT)
Drafting Key Provisions in SaaS Agreements: Why is it important to distinguish the CSA from other services contracts?
• Cloud services are not the same as contracts for software
licensing only!
• Licensing, while a component of cloud services, is growing
vastly more complex. Software licensing experts are not
always on the same page as the business team executing the
CSA.
• Accountability is Key! – (1) “Protect My Data!”; (2) Be Reliable
(Uptimes and Contingency Planning) – Not elements of
licensing agreements, generally; and (3) Make It Right (When
Something Goes Wrong…)
• CSAs = Marriage (Time + Cost)
Drafting Key Provisions in SaaS Agreements:
Data – What is it?
• Two Levels – User/SaaS Customer + Customer
• Specific Considerations
• User/SaaS Service Customer Proprietary Data
• User/SaaS Service Customer PII
• Customer Data
• Customer PII
• Customer Locations and Preferences
Drafting Key Provisions in SaaS Agreements:
Data – CSPs Use of SaaS Data
• There are many ways in which a CSP may use SaaS data.
• Monitor and administer the service
• Respond to and resolve issues with the service
• Compiling data for analytical purposes on how efficiently the software is running; use of this data to design new services aimed at customer or customer’s market (anonymous as to customer/user-level identifiers; e.g., no production data should be released that may expose customer-sensitive data).
• Common among SaaS CSAs is a tool that uses application data to provide customers with statistical analyses for their own use and planning
• Key Take-Away: No customer IDs; no customer data or personal identifying information!
Drafting Key Provisions in SaaS Agreements:
Data – Who Owns It?
Who Owns What in a SaaS Transaction?
(Straightforward… but important to specify in the CSA!)
SaaS Service Provider
• SaaS Service Provider will own all aspects of the cloud service configuration including
User/SaaS Customer
• Any data provided by the User/Customer
Other Parties (Hosts) May Own Components!
Example
OWNERSHIP. Other than the rights and interests expressly set forth in this Agreement, and excluding Third Party and works derived from Third Party, you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content.
Think about what will happen to data upon termination of the CSA…
Drafting Key Provisions in SaaS Agreements:
Data Access
Service Level Agreement (SLA)
• SLAs will ideally contain specific parameters and minimum
levels for each element of the service provided.
• SLAs must be enforceable and state specific remedies that
apply when they are not met.
• Relevant SLA-SaaS Functions:
• Response Time
• Error Correction
• Time
• Infrastructure/Security/Privacy
Downtime
Downtime Period
Monthly Uptime Percentage
Scheduled Downtime
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
“It may be necessary to reconsider the premise that an individual
has no reasonable expectation of privacy in information
voluntarily disclosed to third parties.
This approach is ill-suited to the digital age.”
-U.S. Supreme Court Justice Sotomayor’s Concurrence in
U.S. v. Jones (2012).
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
Pre-Contract Due Diligence
• Jurisdictional Rules
• US and EU Provisions
• State laws
• Vendor’s Privacy Policy
• US Security Laws
• Is the Vendor using/advertising the use of a third-party Cloud Privacy Certification Service (e.g., TRUSTe)?
• Vendor’s Data Security Policy and Practices
• ISAE/SSAE Compliant?
• SOC Compliant?
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
[Diagram: User, SaaS Provider, Web Hosting Supplier]
User transmits data (PII) to SaaS Provider for processing.
1. Will the SaaS Provider use third-party hosting supplier?
• Who is the Web Hosting Supplier? Where is it/its servers located? Where will servers be located during the term of the CSA?
2. Where will the SaaS provider process User’s data?
3. When and how is User’s data encrypted?
4. What security protocols are in place?
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
Best CSA Data Security Practices
1. Be clear about where the data (PII) will reside.
• Clarity on restrictions; limit migration—counter-balance with uptime considerations.
2. Be clear (as possible) about where your data processing will occur.
3. Be clear about when and how data (PII) encryption will occur.
• Remember: At-rest is best.
4. Be clear about the frequency of encryption, data transmissions, data back-ups and how the record of the same is kept by the vendor and regularly provided (e.g., Will User require Vendor security performance audits?)
5. Be clear about scope of the SaaS Provider’s use of data.
• Contractual provisions that the data may NOT be used for SaaS Provider’s own purposes (analytics are likely to be a point for negotiation).
6. Be clear about what happens if disaster or breach occurs.
• Contractual provisions that the data may NOT be used for SaaS Provider’s own purposes (analytics are likely to be a point for negotiation). Notice of incidents paramount.
Drafting Key Provisions in SaaS Agreements:
Data – How to Protect It
Additional Security Considerations + Best Practices
• Requiring SaaS Provider Audits
• Server Location Audits
• SOW should address all controls used by the SaaS Service Provider
• Determine—be clear—about compensation in the case of data (PII) misuse or loss
• Specific terms as to use of subcontractors
• Think critically about term – watch for auto-renewal clauses
• SaaS Provider limitations on liability
• Watch for:
• Excluding indirect and consequential losses
• Low liability caps (e.g., 1 year CSA fee)
• IP infringement
• Data loss, misuse, uptime delays and interruptions
Negotiating Software as a
Service Contracts
Guidance for Corporate and Technology Counsel
for Structuring Effective SaaS Agreements
Presented by Kristie Prinz,
The Prinz Law Office, Silicon Valley, CA
I. Drafting and Negotiating Key Provisions
in the SaaS Agreement
D. Service Level Agreement
1. Uptime Guarantee
(a) What are the exclusions?
(b) Can the guarantee be implemented?
(c) Is the guarantee realistic?
©2015 The Prinz Law Office. All rights reserved.
The Prinz Law Office | Silicon Valley, CA | Los Angeles, CA | Orange County, CA | San Diego, CA
2. Service Credit
(a) Is the service credit calculation clear
and easy to apply?
(b) Is the payment of a service credit an
acknowledgement of a material breach?
(c) Effect of issuance of multiple
service credits
3. Technical Support Response Times
(a) Guarantee or target?
(b) Which party determines urgency
level?
(c) Resolution to support issue or
response only?
4. System Responsiveness Guarantees
(a) How do you measure responsiveness
of web-based system vs. Internet
connection speed?
(b) Realistic guarantee?
E. Warranties and Limitations
1. Warranties
(a) IP Warranty
(i) Parameters
(ii) Exclusions
(iii) Options in Material Breach
(b) Performance Warranties
(i) Parameters
(ii) Exclusions
(iii) Options in Material Breach
2. Limitations of Liability
(a) Unlimited vs. Fixed/Capped
(b) Parameters of Liability Limits
(i) Type of Claim
(ii) Fixed Level vs. Multiple of
Specified Fees
F. Indemnification
1. Negotiated Indemnifications
(a) Intellectual Property & Trade Secrets
(b) Acts of Employees
(c) Data Breach
(d) Other
2. Negotiation Points
G. Other Critical Provisions
1. Implementation Services
(a) Defining Scope of Work
(b) Establishing a Realistic Timetable
(c) Defining Customer Obligations
(d) Data Importation Issues
(e) Defining Customization Milestones
2. Training Services
(a) Defining Scope of Services Offered
(b) Structuring Training Service Fees
(c) Setting Parameters
(d) Defining Cancellation Policy
(e) Defining Travel Policy
3. Customization Services
(a) Defining Customizations Required
(b) Defining Scope of Work, Timetable
for Completion, and Milestones
(c) Structuring Customization Fees and
Payment Schedule
4. Subscription Fees
(a) Structuring Subscription Fees
(b) Selection of a Start Date
(c) Providing for Addition or Reduction
of Users during Subscription Term
(d) Defining Rate Increase Policy
(e) Defining Continuation of Services
Policy in Event of Non-Payment
(f) Defining Renewal Policy
5. Termination
(a) Defining Termination Policy
(b) Defining Policy for Expungement of
Data
(c) Defining Data Transitioning Service
Policy and Fees
6. Disaster Recovery Policy
(a) Defining disaster recovery plan
(b) Defining timetable for recovery in
the event of loss of services in disaster
7. Personal Health Information Security
(a) Data breach notification obligations
(b) Establishing parameters on
reimbursement costs
(c) Defining indemnification obligation
Recent Legal Developments and Business Trends
‘Pennies from Heaven’:
How Tax Authorities are Looking to Cloud Computing for Revenue
• Key Concepts – Revisited
• Remote Access
• Software is housed on a server (in/out-of-state) and accessed on a computer or web-enabled device via the internet or other network.
• SaaS
• Software-as-a-Service
• Software “on-demand”, if you will. With SaaS, software and the code running that software is hosted on a server or series of servers and is accessed on a computer or web-enabled device.
• ASP
• Application Service Provider.
• An ASP is a company that is providing what amounts to remote access, software on-demand, or SaaS.
• Cloud Equivalents – Why do the states care about the cloud?
• The Cloud… Conceptualized – How do the states fit the cloud into their concept of tangible property?
How Have States Developed Their Cloud Computing Guidance? Example: Washington State
The Cloud
• Remote Access Software: Software
• Digital Automated Service: Services that use software
• Digital Good: Books, music, video, data, facts, information
Overview:
Survey of State Guidance on
Sales Tax on Remote Access Software
[Map legend: No Specific Guidance; No Sales Tax; Statute or Regulation; DOR Ruling or Policy; Unofficial Position or Policy]
Income Tax - Sourcing the Cloud
• Is it a sale of TPP or of a service?
• Colorado – Sale of TPP, source to delivery location. PLR 13-008 (Oct. 2, 2013). But what is the delivery location? The server? The end user’s address?
• Illinois, Massachusetts, Pennsylvania – Sale of a service, sourced to customer location. But how do you determine customer location?
Cloud Seeding: SaaS as (Taxable) Service:
City of Chicago SaaS Tax
• July 2015: Department of Finance issues two Rulings.
1. Electronically delivered amusements
2. Nonpossessory computer leases
• Tax = 9 percent tax on certain types of online services.
• Second Ruling applies to remote database or computing platforms like Amazon Web Services or LexisNexis.
• Prognosis hazy… Effective date of lease tax delayed (until at least 1.1.2016)
FOR FURTHER QUESTIONS + UPDATES: WWW.TAXINGTECH.COM
II. Legal Developments and Business
Trends
B. Business Trends
1. Consequences of Increasing Data Breach
Incidents
(a) Indemnification and limitation of
liability negotiations
(b) New focus on requiring insurance
2. Insurance Negotiations
(a) Commercial General Liability
(b) Errors and Omissions
(c) Employee Liability
(d) Automobile Liability
(e) Cyberinsurance
Contact Information:
Kristie D. Prinz, Esq.
The Prinz Law Office
Silicon Valley Locations:
Los Gatos: 20 S. Santa Cruz Avenue, Suite 300
Los Gatos, CA 95030
Sunnyvale: 1250 Oakmead Parkway, Suite 210
Sunnyvale, CA 94085
Email: [email protected]
Telephone: 408.884.3577
Website: www.prinzlawoffice.com
Software Law Blog: www.siliconvalleysoftwarelaw.com