Compliance with the Indian Digital Personal Data Protection Act, 2023

For: B2B SaaS businesses

The Digital Personal Data Protection Act, 2023 (“Act”) is intended to safeguard and protect digital personal data, and (inter alia) govern the manner in which it can be collected, stored, processed, transferred, and erased. The Act imposes requirements on data fiduciaries/collectors and data processors, as well as certain duties on the data subject/individual with respect to personal data.

“Personal Data” under the Act includes any digital or digitized data about an individual (including any data which can be used to identify an individual). This excludes any non-digital data, or any data which cannot be used to identify an individual in any manner (including in concert with any other data).

This document summarizes the obligations that the Act imposes on B2B SaaS businesses.

An Overview

The key obligations of businesses towards complying with the Act include:

  • Identify the extent of Personal Data collection, storage and processing which your business undertakes, and how much is necessary.
  • Prepare notices for procuring consents from individuals whose Personal Data you collect, store, and process (including those individuals whose Personal Data has already been collected and/or is being stored or processed), specifying:
    • Type/s of Personal Data you will use;
    • The specific purpose/s you will use it for;
    • The manner in which they can withdraw consent or raise grievances; and
    • The manner in which they can make a complaint to the Data Protection Board of India.
  • Maintain a record of consents procured and provide the following rights:
    • Right to request (i) a summary of their Personal Data being used; and (ii) the identities of parties to whom their Personal Data has been transferred;
    • Right to correct, update and/or delete Personal Data (unless required to be retained for compliance with law);
    • Right to redressal for grievances and complaints;
    • Right to nominate another individual to exercise their rights (in the event of death or incapacity).

Action Items

While B2B SaaS platforms have limited Personal Data collection, Personal Data can still be collected and processed in case of user accounts for individuals/employees/representatives of enterprise customers. Businesses can take the following actions towards compliance with the Act:

  • Data audit: Carry out an internal data audit, including identifying Personal Data collection, storage and processing requirements;
  • Limit Personal Data usage: Erase or anonymize Personal Data to the extent feasible to reduce the compliance and associated risks, or limit the Personal Data points which are collected;
  • Update your product to enable privacy rights: Businesses should make available on the SaaS tool / platform functionalities to:
    • Issue notices for procuring consent for Personal Data collection, storage and processing prior to any such collection, storage or processing. These notices can be worded in simple and clear terms so as to enable individuals to know their rights, and should: (i) clearly state that consent is provided for collection, storage, and processing (including processing by third parties); (ii) specify the purpose/s for each type of processing, with consent procured separately for each purpose (for example, if the processing will be done for purposes A, B and C, consent will have to be procured specifically for each of A, B and C); and (iii) mention that consent can be withdrawn.
    • Request modification, correction, updating, or erasure of Personal Data. Other than Personal Data which is necessary for providing the services (for example, corporate email IDs), all Personal Data should be subject to modification or erasure upon withdrawal of consent.
  • Appoint person/s who can handle complaints, grievances, or requests from individuals. This can be an individual assigned specifically for this task or a team responsible for ensuring speedy response.
  • Implement technical measures to protect against and mitigate data breaches and their consequences. The Act requires fiduciaries/collectors to “take reasonable security safeguards to prevent personal data breach”, which can include cloud monitoring, penetration testing, ISO certification, etc., depending on the sensitivity and extent of Personal Data.
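The consent and erasure functionality described in the action items above, together with the "right to summary" and "identities of transferees" rights listed in the Overview, can be modelled as a small per-user consent ledger. The following Python is an added illustration, not code from this document or from any particular product; the purposes, field names, notice versions and the vendor name are hypothetical, and the rule that corporate email is the only service-necessary field is an assumption taken from the page's own example.

```python
"""Per-purpose consent ledger for an individual user account on a B2B SaaS platform.

Added illustration; purposes, field names and vendor names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical processing purposes. Consent is captured per purpose, never as a
# single bundled "I agree" flag.
PURPOSES: Set[str] = {"account_provisioning", "usage_analytics", "marketing_email"}

# Assumption: data necessary to deliver the service is retained on erasure
# (the page's example is the corporate email ID used for the account).
SERVICE_NECESSARY_FIELDS: Set[str] = {"corporate_email"}


class ConsentError(Exception):
    """Raised when processing is attempted for a purpose without live consent."""


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool           # True = consent given, False = consent withdrawn
    notice_version: str     # identifies the notice text the individual saw
    at: datetime


@dataclass
class UserRecord:
    user_id: str
    personal_data: Dict[str, str]
    transferred_to: List[str] = field(default_factory=list)        # third parties that received data
    consent_log: List[ConsentEvent] = field(default_factory=list)  # append-only audit trail

    def record_consent(self, purpose: str, granted: bool, notice_version: str,
                       at: Optional[datetime] = None) -> None:
        """Append a grant or a withdrawal; earlier events are never edited."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.consent_log.append(
            ConsentEvent(purpose, granted, notice_version, at or datetime.now(timezone.utc)))

    def has_consent(self, purpose: str) -> bool:
        """Consent is live only if the most recent event for that purpose is a grant."""
        for event in reversed(self.consent_log):
            if event.purpose == purpose:
                return event.granted
        return False  # never asked, or never answered: no consent

    def consented_purposes(self) -> Set[str]:
        return {p for p in PURPOSES if self.has_consent(p)}

    def process_for(self, purpose: str) -> Dict[str, str]:
        """Gate every processing path on live consent for that specific purpose."""
        if not self.has_consent(purpose):
            raise ConsentError(f"no live consent for purpose {purpose!r}")
        return dict(self.personal_data)

    def summary(self) -> dict:
        """Answer a 'right to summary' request: fields in use, purposes, transferees."""
        return {
            "fields": sorted(self.personal_data),
            "consented_purposes": sorted(self.consented_purposes()),
            "transferred_to": list(self.transferred_to),
        }

    def erase(self, fields: Optional[Set[str]] = None) -> Tuple[Set[str], Dict[str, str]]:
        """Erase the requested fields (default: all), keeping only service-necessary data.

        Returns the erased field names and a map of retained field -> reason, so the
        reply to the individual can state exactly what was kept and why.
        """
        requested = set(self.personal_data) if fields is None else fields & set(self.personal_data)
        erased: Set[str] = set()
        retained: Dict[str, str] = {}
        for name in requested:
            if name in SERVICE_NECESSARY_FIELDS:
                retained[name] = "necessary to provide the service"
            else:
                del self.personal_data[name]
                erased.add(name)
        return erased, retained


if __name__ == "__main__":
    # Constructed sample: an employee account at an enterprise customer.
    user = UserRecord(
        "emp-0001",
        {"corporate_email": "asha@customer.example", "name": "Asha", "mobile": "+91-00000-00000"},
        transferred_to=["hypothetical-analytics-vendor"],
    )
    user.record_consent("account_provisioning", True, "notice-v1")
    user.record_consent("usage_analytics", True, "notice-v1")
    user.record_consent("usage_analytics", False, "notice-v1")  # withdrawal
    print(user.summary())
    print(user.erase())
```

The log is append-only so that the record of consents the Act asks you to maintain survives withdrawals; `process_for` is the single choke point that every processing path should call, which makes "is there consent for this purpose?" a question the code answers rather than one the team has to remember.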

SaaS Contract Negotiation Checklist: Top Ten Considerations

While SaaS has simplified enterprise software in multiple ways, subscribing to an “enterprise-class” system still requires a fairly complex contract negotiation process. Here is a SaaS contract negotiation checklist covering the top ten crucial factors to consider when negotiating your SaaS Agreement:

1. Commercials

Commercials such as pricing, payment terms, taxes, and billing methods are usually discussed by the sales and/or business teams and should be negotiated with them before the legal negotiation process commences.

2. Liability Cap

The liability cap is the most important clause for protecting parties against claims, as it sets a limit on the liability that can be brought. It is usually incorporated in an agreement to safeguard a party from potential liability that may arise and, in particular, from unlimited liability.

3. Intellectual Property (IP) Rights

While negotiating a SaaS agreement, IP rights are of integral importance. The IP clause determines who owns the IP rights and ensures that the agreement covers areas such as indemnity if a third party claims IP infringement.

4. Effect of Termination

It is important to stipulate what happens to data after termination of the agreement, for how long the customer retains access to the platform, and the data backup frequency and procedures.

5. Term

Where a vendor offers pricing discounts, subscription metrics and additional fees, extended contract terms may be required. Vendors prefer longer terms because they provide more predictability in revenue forecasting. Terms can range from 30 days to five years.

6. Indemnities

Clarify when indemnification is required and if limitations of liability apply to an indemnification claim. Ensure the contract provides indemnification for data as well as for security breaches and IP infringement.

7. Service Level Agreements (SLAs)

The SLA is the vendor’s commitment to keeping the system up and running and is typically expressed as a percentage of “uptime”. You will almost always see the SLA represented as 95 to 99.9% or thereabouts. However, there is wide variation in how vendors calculate system uptime. A breach of the uptime commitment can result in the grant of service credits, or a proportionate extension of the subscription period.

8. Data Protection Provisions

Include a differentiation between processor and controller and respective obligations in the agreement and ensure that it is GDPR-compliant.

9. Data Export

Two key things for consideration:

(a) you must ensure that data ownership is retained; and

(b) that you know how to export your data in case you migrate to another system or the vendor goes out of business; you need access to your data even before you select a new system.

10. Warranties

Generally, cloud service contracts contain many of the following warranties:

(1) that the service will materially conform to the documentation;

(2) that the services will be performed in a workmanlike and professional manner;

(3) that the provider will provide the necessary training for the customer to use the services; and

(4) that the provider has sufficient authority to enter into the agreement.

Other important considerations include disclaimers of warranties, force majeure, survival clause, and confidentiality provisions. Always ensure the customer fully understands that the services provided always carry inherent risks.

By prioritizing these ten factors in your SaaS contract negotiation checklist, you can create a solid SaaS agreement that aligns with your business’ needs, protects your interests, and ensures a successful and stress-free implementation.

FAQs on Points of Negotiation for SaaS Agreements

Q: How to negotiate the price for SaaS?

A: When negotiating the price for SaaS, it’s important to understand the service you’ll be receiving and what it’s worth to your business. You can request a detailed breakdown of the pricing structure and compare it with other vendors on the market. Be prepared to discuss payment terms and negotiate for discounts or bundling options when possible.

Q: How do you politely negotiate a contract? 

A: When negotiating a contract, it’s important to approach the process with an open and collaborative mindset. Be clear about your needs and priorities, but also take the time to understand the vendor’s perspective. Listen carefully and ask questions when necessary, and seek common ground where possible. Ultimately, aim for a mutually beneficial agreement that meets both parties’ needs.

Q: What are the key points in a SaaS agreement? 

A: The key points in a SaaS agreement include commercial terms, liability cap, intellectual property rights, effect of termination, terms, indemnities, service level agreements, data protection provisions, data export provisions and warranties. These areas cover crucial aspects such as pricing, data protection, and vendor responsibilities, and should be negotiated and agreed upon before signing the contract.

Q: What are the payment terms for SaaS contracts?

A: Payment terms for SaaS contracts can vary depending on the vendor and specific agreement. Some vendors may require payment upfront or on a monthly or annual basis. Others may offer more flexible payment schedules or subscription models. It’s important to review and negotiate payment terms to ensure they align with your business’ budget and cash flow needs.

Understanding SaaS or Software-as-a-Service

SaaS or Software-as-a-Service is a software distribution model in which a third-party provider hosts applications centrally and licenses them to customers over the internet on a subscription basis. It is one of the three main categories of cloud computing-based services, alongside Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).

Pros and Cons of SaaS

SaaS has turned out to be quite helpful to organizations in terms of flexibility and cost-effectiveness, enabling businesses to provide efficient software-based services to large customer bases, using the widespread and ubiquitous availability of the cloud. However, recent stories around hacking and data leaks have shed light on the vulnerability of centrally and cloud-hosted software systems. In this regard, it is essential for SaaS-based startups and businesses to have well-drafted agreements, like a SaaS contract or software-as-a-service agreement, as well as strong technical and procedural security safeguards, to manage legal responsibility and safeguard the distribution and subscription licensing of the offering.

B2B vs B2C

B2B SaaS companies offer cloud business management solutions (products and services) to other companies and businesses, while B2C SaaS businesses sell products and services to consumers directly. Both B2B and B2C are subscription-based and track customer acquisition cost, churn rate, and user lifetime value metrics. However, their marketing strategies and approaches are different.

The Importance of a SaaS Agreement

A SaaS agreement, also known as a software-as-a-service agreement, sets out the provision and delivery of software services to customers through the internet. SaaS agreements are serious undertakings that require careful consideration. Once properly drafted, a SaaS agreement eliminates the hassle around conventional software licensing models. The terms in a SaaS agreement can be renewed when the subscription period expires. A properly drafted SaaS agreement is crucial to prevent disputes from arising.

Essentials of Every SaaS Agreement

Here are the essential elements that every SaaS agreement should include:

  • Subscription and grant of rights, services, and functionality: Specify the type of service that you render to the client under the agreement, as well as ensure access to the software provided to users, subject to conditions, on a case-to-case basis.
  • Data Protection: Include a clause that highlights the protection of data that will be transmitted to the providers and how they will further process that data.
  • Intellectual Property (IP) Rights: Outline the intellectual properties of all parties involved in the SaaS agreement.
  • Confidentiality Clause: Safeguard confidential and proprietary information that will be shared between the parties.
  • Indemnities: Parties involved in an agreement may suffer certain losses and/or damages for which they shall stand liable and indemnify the other party for all losses, including costs that will be incurred during the course of legal suits.
  • Disclaimer: Include a disclaimer specifying the matters for which the provider will not be held liable.
  • Limitation of Liabilities: Limit liabilities of the provider under the SaaS agreement.
  • Representations and Warranties: Include the representations and warranties of both parties in the SaaS agreement. Since the provider will usually be the data processor and the user the data controller, both parties should have certain warranties set out in the agreement.
  • Terms of Service: Set out the term based on the subscription that the user has subscribed for.
  • Force Majeure: This clause will include the course of action at the time of extreme events that can be termed as ‘act of god’ – including hurricanes, tornadoes, floods, etc.
  • Service Level Agreements (SLA): A SaaS agreement should always include an SLA that covers the provisions of technical and support services, including availability and penalties.

SaaS vs EULA

While a SaaS agreement provides for the provision and delivery of software services to customers through the internet, an End User License Agreement (EULA) licenses the end user to use the software in a limited manner. Under SaaS applications, users do not get a copy of the software. SaaS is usually hosted and accessed through the internet, similar to other commonly-used subscriptions availed by consumers for media, gaming, and more. A well-drafted SaaS agreement example can provide more clarity and help in avoiding legal disputes.

| | SaaS | EULA |
|---|---|---|
| Full Form | Software-as-a-Service | End User License Agreement |
| Ownership | Vendor offers the software and users access it on the internet on a subscription basis. Ownership of the software is not transferred to the user. | Software is purchased by the end user. Users have all rights, including copyrights. The user can make copies of the software for personal use. |
| Termination of Usage | User’s right to the software ends upon termination of the SaaS agreement. | User owns the software and may copy, download and install it, but is not allowed to resell it. |
| Licensing/Access | The customer is usually granted access to use the software. | The customer is provided with a license for the product/software. |

FAQs about SaaS Agreements

Q: What is included in a SaaS agreement?

A: A SaaS (Software as a Service) agreement typically includes terms and conditions related to the usage, access, and hosting of software applications provided via the internet. Key provisions that may be included are payment terms, data privacy and security, intellectual property rights, warranty, indemnification, termination, and liability limitations.

Q: Why use a SaaS agreement?

A: A SaaS agreement is used to establish a legal relationship between the provider and the customer for the use of software programs provided as a service. It sets out the terms and conditions of use to protect the rights of both parties.

Q: What is the difference between a license agreement and a SaaS agreement?

A: A license agreement typically refers to an agreement for the use of software installed on a specific computer or server, while a SaaS agreement governs access to software that is hosted on the internet and accessed via a web browser.

Q: What is the IP clause in the SaaS agreement?

A: The IP (intellectual property) clause in a SaaS agreement addresses ownership and licensing rights related to the software and its components. It defines what proprietary material is considered to be part of the software, how the provider can utilize the software, and how the user can transfer or sublicense the software.

Q: What is the difference between a SaaS agreement and EULA?

A: A EULA (End User License Agreement) is a legal agreement between the software provider and the end-user that governs the use of software, while a SaaS agreement is a legal document that sets out the terms and conditions for the use of software hosted on the internet and accessed via a web browser.

Q: What is a SaaS agreement?

A: A SaaS agreement is a legal contract between a software provider and a customer that outlines the terms and conditions of usage and support of the provider’s software as a service.

Q: What is a SaaS reseller agreement?

A: A SaaS reseller agreement is a legal contract between the software provider and a reseller that outlines the terms and conditions of reselling the provider’s software as a service. It sets out the relationship between the provider, the reseller, and the end-user customers.

Q: How are SaaS contracts structured?

A: SaaS contracts are typically structured to include different levels of service, pricing, payment terms, constraints on usage, data privacy, warranties, and disclaimers. They may also include provisions for technical support, customization, upgrades, and the termination of the agreement. To ensure compliance with applicable legal requirements and best practices, it is important that SaaS contracts are drafted and reviewed by experienced legal professionals.