Negotiating Software as a Service...

The audio portion of the conference may be accessed via the telephone or by using your computer's

speakers. Please refer to the instructions emailed to registrants for additional information. If you

have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Negotiating Software as a Service Contracts Guidance for Corporate and Technology Counsel for Structuring Effective SaaS Agreements

Today’s faculty features:

TUESDAY, SEPTEMBER 8, 2015

Kristie D. Prinz, The Prinz Law Office, Silicon Valley, Calif.

Kelley C. Miller, Attorney, Reed Smith, Washington, D.C.

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality

of your sound will vary depending on the speed and quality of your internet

connection.

If the sound quality is not satisfactory, you may listen via the phone: dial

1-866-961-8499 and enter your PIN when prompted. Otherwise, please

send us a chat or e-mail [email protected] immediately so we can

address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen,

press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your

participation in this webinar by completing and submitting the Attendance

Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email

that you will receive immediately following the program.

For additional information about CLE credit processing call us at 1-800-926-7926

ext. 35.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please

complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-

hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a

PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Negotiating Software as a Service (SaaS) Contracts: Guidance for Corporate Technology Counsel for

Structuring Effective SaaS Agreements

Strafford Publications Webinar

September 8, 2015

Kelley C. Miller, Esq. – Reed Smith LLP

Agenda of Presentation Topics:

Kelley Miller

I. Drafting and Negotiating Key Provisions in SaaS Agreements

I. Introduction and Overview of Cloud/SaaS

II. Examples of Services Covered Under CSAs

III. Data – What is it?

IV. Data – Use of SaaS Data by Cloud Service Providers

V. Ownership of Data

VI. Access to Data

VII. Data Security

II. Recent Legal Developments and Business Trends

I. ‘Pennies from Heaven’: How Tax Authorities are Looking to Cloud Computing for Revenue

I. Case Study in Cloud Taxation (U.S.): City of Chicago

6

Drafting Key Provisions in SaaS Agreements

Drafting Key Provisions in SaaS Agreements:

Introduction

• Cloud computing is an often ubiquitous term used to describe many

different processes involving “Internet-based” transactions.

• Some of the conceptions of cloud are correct; others are very misleading

• Similarly, cloud computing agreements have as different iterations

(e.g., Click Wrap, etc.) as definitions of cloud computing.

• The purpose of this presentation is to provide an overview of these

agreements and the many legal and compliance issues that are

inherent therein.

• Key to this part of our discussion will be an understanding of contract

terms as related to cloud data; namely, how data is owned, accessed

and secured in the cloud.

8


Overview of Cloud Computing

The key distinction between the three main iterations of ‘cloud computing’ services is whether the

function/attribute is managed by the customer or the vendor. As a general matter, the further along the

continuum of cloud products (e.g., Infrastructure), the more a function/attribute will be managed by the

customer. In the most ‘basic’ of cloud computing models—Software as a Service—all of the

functions/attributes are managed by the vendor—a fact magnified by the many issues with CSAs. 9



• Cloud Computing, Defined

• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST Definition)

• Essential Characteristics

• On-demand self-service

• Broad network access

• Resource pooling

• Rapid elasticity

• Measured service

• Service Models

• SaaS – Software as a Service

• PaaS – Platform as a Service

• IaaS - Infrastructure as a Service

10



• Software as a Service (SaaS), Defined

• The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. (NIST)

• Essential Hallmarks of SaaS

• Use of software that is hosted remotely by a vendor (“service provider”); software is accessible by the customer (“user”) using the Internet

• User’s data is remotely stored and processed using the service provider’s software – there is no software, storage or processing that occurs on the user’s system

11


Examples of Services Covered Under CSAs

E.g., Windows Azure

(Runs apps; e.g.,

AccuWeather.com app)

E.g., Rackspace

(Public and private

clouds; Servers)

E.g., Office 365

(Allows users access to

One Note anywhere)

12


What are you getting? What are your risks?

Flexibility

Ability to forecast needs

(scale) and plan for cost

Not locked into current-

generation paradigms

Can change quickly—and

get a quick response where

change warrants the need for

the same

• Control – Data and Access to

Data are Key!

• SECURITY

• Performance

• Reliability

• Vendor Lock-Ins

BENEFITS RISKS

13


What are the most important factors effecting CSAs? (IT)

14

Drafting Key Provisions in SaaS Agreements: Why is it important to distinguish the CSA from other services contracts?

• Cloud services are not the same as contracts for software

licensing only!

• Licensing, while a component of cloud services, is growing

vastly more complex. Software licensing experts are not

always on the same page as the business team executing the

CSA.

• Accountability is Key! – (1) “Protect My Data!”; (2) Be Reliable

(Uptimes and Contingency Planning) – Not elements of

licensing agreements, generally; and (3) Make It Right (When

Something Goes Wrong…)

• CSAs = Marriage (Time + Cost)

15


Data – What is it?

• Two Levels – User/SaaS Customer + Customer

• Specific Considerations

• User/SaaS Service Customer Proprietary Data

• User/SaaS Service Customer PII

• Customer Data

• Customer PII

• Customer Locations and Preferences

16


Data – CSPs Use of SaaS Data

• There are many ways in which a CSP may use SaaS data.

• Monitor and administer the service

• Respond to and resolve issues with the service

• Complying data for analytical purposes of how efficiently the software is running; use of this data for design new services aimed at customer or customer’s market (anonymous as to customer/user-level identifiers; e.g., no production data should be released that may expose customer-sensitive data).

• Common among SaaS CSAs is a tool that uses application data to provide customers with statistical analyses for their own use and planning

• Key, Take-Away: No customer IDs; no customer data or personal identifying information!

17


Data – Who Owns It?

Who Owns What in a SaaS Transaction?

(Straightforward… but important to specify in the CSA!)

SaaS Service Provider

• SaaS Service Provider will own all aspects of the cloud service configuration including

User/SaaS Customer

• Any data provided by the User/Customer

Other Parties (Hosts) May Own Components!

Example

OWNERSHIP. Other than the rights and interests expressly set forth in this Agreement, and excluding Third Party and works derived from Third Party, you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content.

Think about what will happen to data upon termination of the CSA…

18


Data Access

Service Level Agreement (SLA)

• SLAs will ideally contain specific parameters and minimum

levels for each element of the service provided.

• SLAs must be enforceable and state specific remedies that

apply when they are not met.

• Relevant SLA-SaaS Functions:

• Response Time

• Error Correction

• Time

• Infrastructure/Security/Privacy

Downtime

Downtime Period

Monthly Uptime Percentage

Scheduled Downtime

19


Data – How to Protect It

“It may be necessary to reconsider the premise that an individual

has no reasonable expectation of privacy in information

voluntarily disclosed to third parties.

This approach is ill-suited to the digital age.”

-U.S. Supreme Court Justice Sotomayor’s Concurrence in

U.S. v. Jones (2012).

20



Pre-Contract Due Diligence

• Jurisdictional Rules

• US and EU Provisions

• State laws

• Vendor’s Privacy Policy

• US Security Laws

• Is the Vendor using/advertising the use of a third-party Cloud Privacy Certification Service (e.g., TRUSTe)?

• Vendor’s Date Security Policy and Practices

• ISAE/SSAE Compliant?

• SOC Complaint?

21



SaaS

Provider

User

Web

Hosting

Supplier

User transmits

data (PII) to SaaS

Provider for

processing

1. Will the SaaS

Provider use third-

party hosting

supplier?

Who is the Web Hosting

Supplier? Where is it/its

servers located? Where will

servers be located during

the term of the CSA?

2. Where will the

SaaS provider

process User’s

data? 3. When and how

is User’s data

encrypted 4. What security

protocols are in

place?

22



Best CSA Data Security Practices

1. Be clear about where the data (PII) will reside.

• Clarity on restrictions; limit migration—counter-balance with uptime considerations.

2. Be clear (as possible) about where your data processing will occur.

3. Be clear about when and how data (PII) encryption will occur.

• Remember: At-rest is best.

4. Be clear about the frequency of encryption, data transmissions, data back-ups and how the record of the same is kept by the vendor and regularly provided (e.g., Will User require Vendor security performance audits?)

5. Be clear about scope of the SaaS Provider’s use of data.

• Contractual provisions that the data may NOT be used by SaaS Provider’s own purposes (analytics are likely to be a point for negotiation).

6. Be clear about what happens if disaster or breach occurs

• Contractual provisions that the data may NOT be used by SaaS Provider’s own purposes (analytics are likely to be a point for negotiation). Notice of incidents paramount.

23



Additional Security Considerations + Best Practices

• Requiring SaaS Provider Audits

• Server Location Audits

• SOW should address all controls used by the SaaS Service Provider

• Determine—be clear—about compensation in the case of data (PII) misuse or loss

• Specific terms as to use of subcontractors

• Think critically about term – watch for auto-renewal clauses

• SaaS Provider limitations on liability

• Watch for:

• Excluding indirect and consequential losses

• Low liability caps (e.g., 1 year CSA fee)

• IP infringement

• Data loss, misuse, uptime delays and interruptions

24

Negotiating Software as a

Service Contracts

Guidance for Corporate and Technology Counsel

for Structuring Effective SaaS Agreements

Presented by Kristie Prinz,

The Prinz Law Office, Silicon Valley, CA

I. Drafting and Negotiating Key Provisions

in the SaaS Agreement

D. Service Level Agreement

1. Uptime Guarantee

(a) What are the exclusions?

(b) Can the guarantee be implemented?

(c) Is the guarantee realistic?

©2015 The Prinz Law Office. All rights reserved.

The Prinz Law Office | Silicon Valley, CA | Los Angeles, CA | Orange County, CA | San Diego, CA 26




2. Service Credit

(a) Is the service credit calculation clear

and easy to apply?

(b) Is the payment of a service credit an

acknowledgement of a material breach?

(c) Effect of issuance of multiple

service credits






3. Technical Support Response Times

(a) Guarantee or target?

(b) Which party determines urgency

level?

(c) Resolution to support issue or

response only?






4. System Responsiveness Guarantees

(a) How do you measure responsiveness

of web-based system vs. Internet

connection speed?

(b) Realistic guarantee?





E. Warranties and Limitations

1. Warranties

(a) IP Warranty

(i) Parameters

(ii) Exclusions

(iii) Options in Material Breach






1. Warranties

(b) Performance Warranties

(i) Parameters

(ii) Exclusions

(iii) Options in Material Breach






2. Limitations of Liability

(a) Unlimited vs. Fixed/Capped

(b) Parameters of Liability Limits

(i) Type of Claim

(ii) Fixed Level vs. Multiple of

Specified Fees





F. Indemnification

1. Negotiated Indemnifications

(a) Intellectual Property & Trade Secrets

(b) Acts of Employees

(c) Data Breach

(d) Other

2. Negotiation Points





G. Other Critical Provisions

1. Implementation Services

(a) Defining Scope of Work

(b) Establishing a Realistic Timetable

(c) Defining Customer Obligations

(d) Data Importation Issues

(e) Defining Customization Milestones






2. Training Services

(a) Defining Scope of Services Offered

(b) Structuring Training Service Fees

(c) Setting Parameters

(d) Defining Cancellation Policy

(e) Defining Travel Policy






3. Customization Services

(a) Defining Customizations Required

(b) Defining Scope of Work, Timetable

for Completion, and Milestones

(c) Structuring Customization Fees and

Payment Schedule






4. Subscription Fees

(a) Structuring Subscription Fees

(b) Selection of a Start Date

(c) Providing for Addition or Reduction

of Users during Subscription Term






4. Subscription Fees

(c) Defining Rate Increase Policy

(d) Defining Continuation of Services

Policy in Event of Non-Payment

(e) Defining Renewal Policy






5. Termination

(a) Defining Termination Policy

(b) Defining Policy for Expungement of

Data

(c) Defining Data Transitioning Service

Policy and Fees






6. Disaster Recovery Policy

(a) Defining disaster recovery plan

(b) Defining timetable for recovery in

the event of loss of services in disaster






7. Personal Health Information Security

(a) Data breach notification obligations

(b) Establishing parameters on

reimbursement costs

(c) Defining indemnification obligation



Recent Legal Developments and Business Trends

‘Pennies from Heaven’:

How Tax Authorities are Looking to Cloud Computing for Revenue

• Key Concepts – Revisited

• Remote Access

• Software is housed on a server (in/out-of-state) and accessed on a computer or web-enabled device via the internet or other network.

• SaaS

• Software-as-a-Service

• Software “on-demand”, if you will. With SaaS, software and the code running that software is hosted on a server or series of servers and is access on a computer or web-enabled device.

• ASP

• Application Service Provider.

• An ASP is a company that is providing what amounts to remote access, software on-demand, or SaaS.

• Cloud Equivalents – Why do the states care about the cloud?

• The Cloud… Conceptualized – How do the states fit the cloud into their concept of tangible property?

43

How Have States Developed Their

Cloud Computing Guidance? Example: Washington State

Remote Access

Software

Digital Automated

Service

Digital Good

The Cloud

Software Services that use

software

Books, music,

video, data,

facts,

information

44

Overview:

Survey of State Guidance on

Sales Tax on Remote Access Software

No Specific Guidance

No Sales Tax

Statute or Regulation

DOR Ruling or Policy

Unofficial Position or Policy

45

Income Tax - Sourcing the Cloud

• Is it a sale of TPP or of a service?

• Colorado – Sale of TPP, source to delivery location. PLR 13-

008 (Oct. 2, 2013). But what is the delivery location? The

server? The end user’s address?

• Illinois, Massachusetts, Pennsylvania – Sale of a service,

sourced to customer location. But how do you determine

customer location?

46

Cloud Seeding: SaaS as (Taxable) Service:

City of Chicago SaaS Tax

• July 2015: Department of Finance issues two Rulings.

1. Electronically delivered amusements

2. Nonpossessory computer leases

• Tax = 9 percent tax on certain types of online services.

• Second Ruling applies to remote database or computing platforms like Amazon Web Services or LexisNexis.

• Prognosis hazy… Effective date of lease tax delayed until (at least 1.1.2016)

FOR FURTHER QUESTIONS + UPDATES: WWW.TAXINGTECH.COM

47

II. Legal Developments and Business

Trends

B. Business Trends

1. Consequences of Increasing Data Breach

Incidents

(a) Indemnification and limitation of

liability negotiations

(b) New focus on requiring insurance



II. Legal Developments and Business

Trends

B. Business Trends

2. Insurance Negotiations

(a) Commercial General Liability

(b) Errors and Omissions

(c) Employee Liability

(d) Automobile Liability

(e) Cyberinsurance



Contact Information:

Kristie D. Prinz, Esq.

The Prinz Law Office

Silicon Valley Locations:

Los Gatos: 20 S. Santa Cruz Avenue, Suite 300

Los Gatos, CA 95030

Sunnyvale: 1250 Oakmead Parkway, Suite 210

Sunnyvale, CA 94085

Email: [email protected]

Telephone: 408.884.3577

Website: www.prinzlawoffice.com

Software Law Blog: www.siliconvalleysoftwarelaw.com



Negotiating Software as a Service...

Documents

Transcript of Negotiating Software as a Service...