Software as a Service (SaaS): What Are the Benefits and Risks? | Practical Law

A discussion of the unique characteristics that distinguish Software as a Service (SaaS) from on-site software licensing arrangements and the key technical and legal issues that organizations should consider when entering into a SaaS agreement.

Practical Law Legal Update 4-526-6870 (Approx. 4 pages)

by PLC Intellectual Property & Technology
Published on 07 May 2013
USA (National/Federal)
SaaS providers can offer their customers greatly expanded data processing, memory and storage capacity. Whether these benefits outweigh the risks of replacing on-site software with SaaS services depends on considerations such as:
  • The feasibility, cost, quality, consistency and reliability of:
    • the SaaS provider's levels of service availability, maintenance and support;
    • integrating the SaaS application with the customer's other software solutions; and
    • migrating the customer's data to and, if necessary, from the SaaS provider's database and servers.
  • Data confidentiality, privacy and security.
  • SaaS service legal and regulatory compliance.
Before entering into SaaS agreements, prospective customers must weigh these factors against the anticipated benefits of the provider's services and ensure that they are adequately addressed in the SaaS agreement. To make this assessment, the customer must conduct some due diligence.

Due Diligence

A proper assessment of the benefits and risks that are likely to accompany a particular SaaS arrangement requires the customer to make due diligence inquiries into the provider's:
  • Financial condition.
  • Data processing and storage capacity.
  • Service availability and support levels.
  • Data backup, disaster recovery, security and privacy capabilities and practices.
Some of the key benefits and risks of SaaS that the prospective customer may uncover in its due diligence, and contractual provisions for minimizing these SaaS risks, are as follows.

Benefits of SaaS Services

The multiuser distribution of SaaS services makes them particularly well-suited for standardized applications such as e-mail and calendar management, web conferencing, document, records and other enterprise content management (ECM), and customer service and relationship management (CRM). The benefits of using SaaS services for these and other standardized uses, rather than installing and operating software on the customer's system, include:
  • Convenient, on-demand service with little or no installation of customer software required.
  • Lower costs from:
    • the pass-along to the customer of cost savings from the networked distribution and implementation of SaaS services at a lower cost than that of on-site software distribution;
    • use-based or subscription services geared to the level of customer use; and
    • the avoidance of large upfront software license fees and capital expenditures on computing infrastructure needed to run additional on-site software.
  • Better collection, storage and processing of large quantities and varieties of customer data.
  • Greater elasticity, allowing the customer to rapidly expand and contract its use of the service without incurring unnecessary hardware upgrade or expansion costs.
  • Multi-location and multi-device access to the SaaS service, allowing for more productive and flexible use of the service software.
  • Availability of professional data management services, including security scanning, regulatory and technical compliance checking, data backup and disaster recovery, as an integral part of its SaaS services.
  • Availability of redundant SaaS processing and backup facilities that minimize the risk of catastrophic failure or destruction of data.

Risks of SaaS Services

The special risks associated with SaaS services that are not experienced in the use of on-site software and customer data include:
  • Network dependency and the service disruptions, data bottlenecks, browser security vulnerabilities and other limitations of the internet or other networks (for example, extranets) over which SaaS services are provided.
  • The customer's lack of control over:
    • security for customer data received, processed and output by the SaaS provider's software system, database and network, including control over the preservation of data confidentiality, privacy, integrity and availability (see, for example, NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (April 2013));
    • the location of the SaaS provider's or its subcontractors' service infrastructure and the customer's data within that infrastructure;
    • the inadvertent exchange or commingling of multiple customers' data, which SaaS providers may combine in a shared database and process concurrently with a single copy of the SaaS software; and
    • actions of other customers that may degrade service performance.
  • The SaaS provider's disclaimer of responsibility for:
    • service interruptions;
    • breaches of data security and loss of data; and
    • failures to back up customer data.
  • Terms making the customer primarily responsible for data backup and limiting the customer's remedies for service downtime and support level failures to service credits.
  • The provider's reserving the right to change or delete SaaS application programming interfaces without assurances that these changes will not adversely affect service performance.
  • The SaaS provider's fixed and non-negotiable pricing structure and service levels.
  • The SaaS provider's monitoring of the customer's use of the SaaS service and collection of customer and personal data for commercial use.
  • The effect of the provider's bankruptcy or insolvency on the continued availability of the SaaS services.

Minimizing SaaS Risks

The customer may avoid or mitigate many of these risks through skillful negotiation and drafting of the SaaS agreement if it has sufficient bargaining power to negotiate the contract terms. If the SaaS provider's standard contract terms are non-negotiable, or the provider remains inflexible on terms that present unacceptable risks to the customer, the customer must consider whether to walk away from the proposed agreement.
For comprehensive contract terms, explanatory notes and drafting tips designed to assist the SaaS customer in minimizing the risks associated with SaaS arrangements, see Standard Document, Software as a Service (SaaS) Agreement (Pro-customer).
For a concise chart of key SaaS agreement terms and customer and provider negotiating points, see Software as a Service (SaaS) Agreement Chart.
For SaaS service support level terms and explanatory notes, see Standard Document, Software/SaaS Support Service Level Agreement (Pro-customer).
For information and practice tips on maintaining the customer's right and ability to obtain continued SaaS services if the SaaS provider is bankrupt or insolvent, see Legal Update, Protecting Licensees and SaaS Customers Against Software Licensor or Provider Bankruptcy and Standard Clauses, IP License Clauses: Effect of Licensor Bankruptcy.