Conducting Software as a Service (SaaS) Agreement Due Diligence | Practical Law


Software as a Service (SaaS) arrangements are increasingly replacing on-site software licensing for many IT applications. Migrating software applications to the cloud can have significant cost and operational advantages. However, before entering into a SaaS agreement, potential SaaS customers must weigh the special issues and risks that differentiate SaaS services from traditional software licensing. Only after conducting this due diligence analysis can a potential SaaS customer adequately determine whether to enter into a SaaS agreement and, if so, on what terms.


Practical Law Legal Update 6-550-5879 (Approx. 4 pages)


by Practical Law Intellectual Property & Technology
Published on 03 Dec 2013, USA (National/Federal)
Software as a Service (SaaS) customers' priorities differ significantly from those of traditional software licensees. For example, while on-site software licensees typically focus on software configuration, implementation and acceptance as key issues, the top priorities for cloud-based contracts are:
  • Service availability and performance.
  • Service levels.
  • Data security.
  • Control.
These priorities follow from the fact that the SaaS software is not installed, stored or operated on the customer's own systems. The SaaS provider (or its subcontractor) hosts the software, and the customer accesses it remotely over the internet or over a private or hybrid cloud network, at most with a limited client-side component to aid connectivity. Because the customer has no direct control over how the provider processes its data, it depends on the provider's compliance with suitably detailed service level, confidentiality and security obligations set out in the SaaS agreement.

Considering the Benefits and Risks

Before entering into a SaaS agreement, a prospective customer must understand the benefits and risks associated with SaaS and evaluate the level of risk it assumes in the SaaS arrangement based on:
  • The nature of the particular application, for example, whether it is a mission critical application for the customer.
  • The sensitivity of the customer's data, including whether this data is subject to confidentiality or privacy obligations to third parties under contract or applicable law.
  • The customer's operational requirements.
Risk can generally be classified into three broad categories:
  • High risk posed by mission critical SaaS solutions using highly sensitive customer data.
  • Medium risk posed by solutions that need high service levels but process generally available customer data.
  • Low risk posed by non-mission-critical solutions processing generally available data.

Due Diligence

While both the SaaS provider and customer can benefit from conducting preliminary SaaS due diligence, pre-contract due diligence is typically more essential to the customer because of the customer's:
  • Reliance on the provider's services.
  • Need to fully assess the risks presented by SaaS in general and the prospective SaaS provider's services in particular (see Considering the Benefits and Risks).
The customer's due diligence inquiry generally should include an analysis of:
  • Its current and anticipated software capabilities, needs and expectations, including:
    • how successfully the SaaS provider can deploy the relevant software applications; and
    • how well the provider's services can be integrated into the customer's existing or planned operations, including the portability of the provider's data formats and their compatibility with formats used by the customer and other SaaS providers.
  • The level of risk the SaaS service poses based on the sensitivity of the customer's data and the importance of the SaaS service to the customer's business or operations.
  • The prospective SaaS provider's:
    • financial condition;
    • service specifications and limitations, especially as these affect data processing and storage capacity and service reliability, expandability, interoperability and performance;
    • terms of service, including its service availability and support service level obligations and ability to meet the customer's current and anticipated service level requirements;
    • record of capacity or service level issues;
    • capabilities, policies, plans and practices concerning data privacy and security, including data redundancy, backup, disaster recovery and business continuity, together with the evidence that supports them (for example, independent audit reports and test results rather than the provider's self-description alone); and
    • record of and ability to maintain legal compliance.
  • The SaaS provider's deployment of its services, including:
    • where the customer's data and the provider's system will be located and, specifically, whether offshore data storage or processing will be allowed and which law will govern;
    • who will operate the SaaS data center (whether the provider or a third party) and who will have access to the customer's data;
    • if a subcontractor or other third party will operate all or part of the SaaS data center, whether the provider assumes responsibility and liability for the third party's actions, whether the third party enters into a confidentiality agreement with or for the benefit of the customer, and whether the customer receives advance written notice of any change in service providers;
    • whether the SaaS services will be deployed publicly (for example, through the internet) or privately (for example, through an extranet);
    • whether the SaaS services will be delivered on a small or large scale, with what software, hardware and other resources, and with sufficient scalability and elasticity to absorb surges in the customer's own load and increased demand from the provider's other customers on the shared platform; and
    • whether provider and third-party tools will be made available to measure service availability and other performance metrics.
A due diligence action list can help the customer get this information. The action list may include one or more of the following measures:
  • Requiring the provider to complete a due diligence questionnaire.
  • Conducting on-site visits to the provider's data center.
  • Consulting the provider's online service status pages or service health dashboard.
  • Requiring product demonstrations.
  • Having discussions with the provider's personnel, competitors, and user and industry groups.
  • Conducting internet searches of customer, industry, and government comments and actions.
  • Vetting the SaaS service's performance by trial use under an evaluation agreement.
These measures, as part of a thorough and systematic due diligence inquiry into the SaaS provider's ability to meet the customer's operational needs, can be an invaluable aid in determining whether, and on what terms, the customer should enter into a SaaS agreement.
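The status-page and availability-measurement items above are where a customer can test the provider's service level claims against data rather than take them on trust. The following Python script is an added example for this note (it is not part of the Practical Law text and not any provider's tool): it takes periodic up/down probe results, collapses failed probes into outage windows, computes the availability percentage with and without a scheduled-maintenance exclusion, and compares the result with a contractual target. The probe data, the five-minute interval, the outage times and the 99.0% target are constructed for illustration; how the agreement defines "available", the measurement period and the exclusions determine which of the two figures actually counts.

```python
"""Check measured SaaS availability against a service level target.

Added example for this note; not a provider tool. Assumes the customer
(or a third-party monitor) records one up/down probe result every
PROBE_INTERVAL and that the agreement states a target percentage and,
optionally, scheduled-maintenance windows excluded from measurement.
All timestamps, outages and the target below are constructed.
"""
from datetime import datetime, timedelta

PROBE_INTERVAL = timedelta(minutes=5)


def build_samples(start, count, outages):
    """Construct probe results: (timestamp, up) for `count` probes from
    `start`, failing inside any of the (start, end) outage windows."""
    samples = []
    for i in range(count):
        t = start + i * PROBE_INTERVAL
        down = any(s <= t < e for s, e in outages)
        samples.append((t, not down))
    return samples


def outage_windows(samples):
    """Collapse consecutive failed probes into (start, end) windows.
    `end` is the first successful probe after the run, or one interval
    past the last probe if the log ends while still down."""
    windows = []
    run_start = None
    for t, up in samples:
        if not up and run_start is None:
            run_start = t
        elif up and run_start is not None:
            windows.append((run_start, t))
            run_start = None
    if run_start is not None:
        windows.append((run_start, samples[-1][0] + PROBE_INTERVAL))
    return windows


def availability_percent(samples, excluded=()):
    """Share of counted probes that succeeded. Probes inside an excluded
    window (scheduled maintenance, if the agreement excludes it) leave
    both numerator and denominator, so they neither help nor hurt."""
    counted = [up for t, up in samples
               if not any(s <= t < e for s, e in excluded)]
    if not counted:
        return 100.0
    return 100.0 * sum(counted) / len(counted)


def allowed_downtime_minutes(target_percent, period_minutes):
    """Downtime budget implied by a target over a measurement period."""
    return period_minutes * (100.0 - target_percent) / 100.0


def check_sla(samples, target_percent, excluded=()):
    """Summarise measured availability against the contractual target.
    downtime_minutes counts every failed probe, excluded or not, so the
    customer sees the operational impact as well as the contractual figure."""
    windows = outage_windows(samples)
    pct = availability_percent(samples, excluded)
    return {
        "availability_percent": round(pct, 3),
        "target_percent": target_percent,
        "meets_target": pct >= target_percent,
        "outage_windows": windows,
        "downtime_minutes": sum((e - s) / timedelta(minutes=1) for s, e in windows),
    }


# Constructed scenario: one day of five-minute probes (288 samples), a
# 10-minute incident at 00:10 and a 30-minute outage that falls inside a
# scheduled maintenance window of 02:00-03:00.
DAY_START = datetime(2013, 11, 1)
OUTAGES = [
    (DAY_START + timedelta(minutes=10), DAY_START + timedelta(minutes=20)),
    (DAY_START + timedelta(hours=2), DAY_START + timedelta(hours=2, minutes=30)),
]
MAINTENANCE = [(DAY_START + timedelta(hours=2), DAY_START + timedelta(hours=3))]
SAMPLES = build_samples(DAY_START, 288, OUTAGES)

if __name__ == "__main__":
    print("all downtime counted:", check_sla(SAMPLES, 99.0))
    print("maintenance excluded:", check_sla(SAMPLES, 99.0, MAINTENANCE))
    print("99.9% over a 30-day month allows",
          allowed_downtime_minutes(99.9, 30 * 24 * 60), "minutes of downtime")
```

On this constructed input the same 40 minutes of downtime fails a 99.0% target when every probe counts and passes it once the maintenance window is excluded, which is why the definition of "available" and its exclusions in the SaaS agreement deserve as much scrutiny as the headline percentage. The downtime budget helper makes the target concrete: 99.9% over a 30-day month is roughly 43 minutes.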
For more information on SaaS due diligence, benefit and risk assessment and an analysis of the major legal, technical and commercial issues to consider when negotiating and drafting SaaS agreements, see Practice Note, Software as a Service (SaaS) Agreements.