5 Key Pointers required in a SaaS Agreement

10 March 2022


In the previous article on Software as a Service (“SaaS”) Products, we understood the meaning of SaaS Products and how SaaS Agreements are different from End User License Agreements. In this article let’s understand some key things that should definitely form part of any SaaS Agreement.

  1. Software Subscription Model and Rights of Users: 

As we read earlier, a SaaS agreement governs a software service provided over the internet. The agreement allows the user to access the software, by making the user subscribe to the software service, during the period of the SaaS agreement. After the term of the agreement, the user shall no longer have access to the SaaS product. Additionally, the agreement should broadly define the scope of services which shall be accessible to the user and shall lay down the manner in which the users are supposed to subscribe to the service platform.

Further, the agreement should set out how the users may access the software and should also define and limit the rights of such users. Such clauses should list all major restrictions that the users shall be subjected to and should also highlight the fact that the SaaS product shall be used only by the users and the authorized personnel appointed by such users. There should also be provisions for maintenance and support services that shall be provided by the service provider, and the agreement should also provide that the users shall be eligible to receive all software updates and upgrades.

  2. Intellectual Property Rights (“IPR”):

The SaaS service provider should retain ownership of all the IPR in the software, technology and services it provides. The SaaS customer should retain ownership of all IPR in the data transmitted by it to the service provider during provision of services. Additionally, the agreement should specifically mention that all the source code remains owned by the SaaS service provider. The SaaS customers should also grant the SaaS service provider the right to use their testimonials for the duration of the SaaS agreement, for which purpose, the service provider may display the customer’s logos and other copyrighted information on its platform.

Any and all rights to the service, its contents, and any other documentation provided therewith, including title, ownership rights and IPR therein, shall remain the sole and exclusive property of the service provider.

Any unauthorized use of the service provider’s IPR by the customer shall be construed as a material breach of the SaaS agreement.

  3. Subscription Plan, Model, and Pricing Clause

The agreement should set out exactly what the subscription plan includes and how the provider will provide the services. The agreement should clearly specify the pricing, including how and when the detailed costs would be charged. As SaaS agreements typically follow a subscription model, payment is usually made monthly, quarterly, or annually. Since it is a subscription-based pricing model, customers shall pay the provider on a regular basis for continued use of the service.

There are several pricing models, viz:

  • Flat-rate pricing, wherein the customers may avail a single product with a single set of features at a single price.
  • Usage-based pricing, which is a pay-as-you-go model.
  • Tiered pricing, wherein the customers may avail multiple "packages," with different combinations of the features provided at different price points.
  • Per-user pricing, wherein a single user pays a fixed monthly price; if another user is added, the price doubles, and so on.
  • Per-active-user pricing, wherein it does not matter how many users are registered; only those who actually use the platform will be charged.

  4. Data Security Provisions

The degree to which any particular data security provision laid down in a SaaS agreement is appropriate or realistic depends on the specific type of information to which it applies, the definition of “data security incident,” the specific obligations that arise in the event of a data security breach (including whether financial liability is capped or uncapped), the commercial value of the contract to the service provider, and, ultimately, the relative negotiating leverage between the business customer and the service provider.

SaaS agreements should include a privacy policy that details how the provider is using the customer’s data, including the information it collects and shares internally or with third parties. This section shall also include information on data encryption, how data is backed up, and the provider’s roles and responsibilities in the event of a data breach or a security issue.

Data security terms should also cover systems, procedures and consequences relating to data breaches, by way of a commitment to data protection by the service provider.

In India, Rule 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 requires every body corporate which collects, receives, possesses, stores, deals in or handles information of a provider of information to provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information, and to also ensure that the same is available for view by such users who have provided such information under lawful contract.

The policy shall be published on the website of the body corporate or any person on its behalf and shall provide for:

  • clear and easily accessible statements of its practices and policies;
  • type of personal or sensitive personal data or information collected under Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011;
  • purpose of collection and usage of such information;
  • disclosure of information including sensitive personal data or information as provided in Rule 6 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011;
  • reasonable security practices and procedures as provided under Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Other than the privacy policy, data security shall be governed by the Master Service Agreement entered into between the parties, along with the service order issued listing the services to be provided.

  5. Indemnity and Limitation of Liability

Indemnity provisions are a contractual promise by one party to compensate and/or defend the other party from the risk of harm, liability or loss. The indemnity clause is usually one of the most heavily negotiated clauses in SaaS agreements. In SaaS agreements, the Indemnity clause shall apply in case of claims, damages, liabilities, costs and expenses, including reasonable attorneys’ fees, arising out of:

  • any breach of representation and warranties by the other party;
  • an act of gross negligence, fraud or for infringement of IPR by the other party.

The indemnity clause is usually accompanied by provisions relating to limitation of liability, which usually state that neither party shall be liable under the agreement for any special, punitive, indirect, incidental, exemplary or consequential losses arising out of any breach of such agreements or otherwise relating to the subject matter of such agreements.

Disclaimer:
The content of this article is for information purposes only, does not constitute advice or a legal opinion, and reflects the personal views of the author. It is based upon relevant law and/or facts available at that point of time and prepared with due accuracy & reliability. Readers are requested to check and refer to relevant provisions of statute, latest judicial pronouncements, circulars, clarifications, etc. before acting on the basis of the above write-up. The possibility of other views on the subject matter cannot be ruled out. By the use of the said information, you agree that the Author / Treelife Consulting is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors or any kind of omissions in this piece of information for any action taken thereof.

Treelife Ventures Services Private Limited.
All Rights Reserved. © 2022.