SaaS agreements: what to look out for in the UK and EU
Published on 29th Aug 2023
SaaS vendor and customer contractual expectations will differ but what are the key provisions and current market practice?
As businesses look for new revenue streams, many who would typically be software as a service (SaaS) consumers are commercialising their software assets and becoming vendors. However, this switch is not always straightforward and the ideal contracting positions for customers and vendors do not often align. What are the key issues that vendors and customers will want to consider when entering into SaaS agreements in a business-to-business context?
Third party 'pass through'
A major issue that can be overlooked by vendors is that the solution on offer often comprises multiple components, including proprietary third-party material and open-source elements. Any vendor must ensure it has all the necessary licence rights to offer the overall solution to customers – the licence chain must be "unbroken".
This will involve an understanding of the components included in the SaaS solution and an appreciation of the aspects that can (and cannot) be passed through under the relevant upstream licence terms. If the terms do not allow onward licensing to customers, the licence to the vendor will need to be expanded to cater for that, usually at additional expense.
Likewise, vendors must understand what guarantees are available from upstream vendors. They may be willing to pass these on to customers and any reluctance to do so should be seen as a red flag. It is critical to clear any licensing chain issues well in advance.
Scope, specification and service levels
The nature of the rights being granted to the customer should be clarified, so it is clear how the service may (and may not) be used. Customers must ensure those rights meet their commercial requirements. It would be typical for the SaaS agreement to define whether any exclusivity or geographical restrictions apply, limitations on the number of authorised users, the duration of the licence, and whether the service can be used for internal purposes only or in customer-facing environments too.
SaaS agreements are often accompanied by a separate specification, setting out the technical features of the service, its functionality and any applicable service levels. This should be sufficiently clear to give customers an understanding of the features of the service and recourse against the vendor in the event of defective performance. Depending on the wording of the agreement, separating the specification potentially gives vendors more flexibility to make changes to the underlying product; for example, to reflect additional functionality or changes in applicable laws. Customers will want to ensure any changes are undertaken in a controlled manner and do not materially degrade the service.
Service levels (if any are offered) are generally not negotiable, as they will be standardised across the customer base and subject to certain exceptions to allow for situations such as unplanned maintenance or downtime caused by the customer. Typically, vendors commit to service levels in respect of availability, support, hosting and (occasionally) responding to defects, but tend to avoid committing to service levels in respect of defect resolution or any aspects of the underlying service that are dependent on a third party. Remedies for service-level breaches tend to incentivise improved performance rather than compensate fully for any associated loss (despite often being offered as the only remedy), although serious service-level breaches may also give rise to termination rights for the customer.
Subscription/payment models and audit
While there is a wide range of common pricing models for SaaS services, customers typically pay on a recurring basis, usually linked to actual or projected consumption levels (as opposed to a one-time licence fee). The payment structure will need to align with the parties' commercial objectives and should allow for scalability; for example, to accommodate additional users. It must also be clear, as customers can be driven away by complex models, and should cater for any periodic pricing reviews (which are usually annual).
Vendors often insist on contractual audit rights to ensure that customers are not exceeding the scope of their licence (although, in practice, this can generally be done remotely) and, if they are, to recover payment for excess use. The provisions in the agreement will need to be backed up by technical and practical measures that allow the vendor to measure usage and conduct the audit. While customers are not typically permitted to audit vendor systems or premises, it may be possible to require any overpayments that are discovered during an audit to be repaid.
Warranties, indemnities and remedies
Customers will typically expect minimum warranties about the performance of the service (for example, that it will meet any specification) and that the vendor has the relevant consents and permissions needed to perform the agreement. However, other warranties, such as that the service will be uninterrupted, virus-free or fit for a particular purpose, tend to be much more limited or excluded entirely.
Market practice generally dictates that vendors will indemnify customers against third-party intellectual property (IP) infringement claims arising from the customer's use of the service. Any such indemnity is typically uncapped, although some vendors seek to limit the scope so as to apply only in respect of particular categories of intellectual property and territories. Customers generally consider an indemnity to be a stronger remedy than a warranty, so it is common for SaaS agreements to include an IP indemnity instead of IP warranties. It is generally appropriate for vendors to control the defence of any IP infringement claim, as they have a better understanding of the underlying IP and will, therefore, be better placed to deal with infringement allegations.
While liability under any IP indemnity is usually uncapped, vendors generally exclude or limit any further liability. Customers should expect to struggle to change that unless they have strong bargaining power, but the appropriateness of caps should still be considered, including ensuring that they are "reasonable" and enforceable under the applicable governing law.
EU or UK data privacy law, or both, will need to be considered if the service involves processing data about identifiable individuals. Under SaaS agreements, data will be processed by a system hosted in the vendor's (or a third party's) IT environment, which can bring complexities depending on where that processing occurs. Any cross-border transfer of personal data will need to be subject to appropriate safeguards; for example, an international data transfer agreement or a relevant adequacy decision.
Cloud providers typically position themselves as processors of personal data (rather than controllers) in order to limit their obligations under applicable privacy law. However, the characterisation of the parties as controller or processor needs to be considered on a case-by-case basis.
While the requirements of the General Data Protection Regulation are prescriptive, cloud vendors tend to take an approach that is – strictly speaking – not entirely compliant but reflects a now-established market practice. In particular:
- While data processing agreements ought to be bespoke, this presents a practical challenge for vendors operating in a "one to many" scenario, so they tend to offer a standardised or template data processing addendum (where required) to supplement the overarching SaaS agreement.
- Controllers should be able to audit their processors but most SaaS providers are reluctant to agree to that. Instead, large vendors will conduct their own audit and allow customers to view the audit report.
Term, renewal and termination
SaaS agreements tend to run for a defined subscription period (often 12 months) and automatically renew unless expressly terminated within any defined notice period. There is usually an initial lock-in period (during which the customer may not terminate without cause) and a narrowly defined window or notice period during which the customer may terminate (typically at the next renewal date). However, any termination outside that window will not be effective. On termination, customers should have the opportunity to recover any data held on the platform, although vendors often time-bound this right, after which they reserve the right to delete that data.
For customers operating in some sectors, particularly financial services and healthcare, specific regulations may apply. In the EU, this could involve the Digital Operational Resilience Act or Markets in Crypto-Assets Regulation. Vendors' standard terms may need to be amended or supplemented to meet or cater for these specific requirements. This, in turn, often means that SaaS vendors must accept more stringent obligations, in particular, in terms of security, resilience, customer audit rights and the scope of the services being provided.
In addition, the EU's Data Act, which is currently expected to come into force in mid-2025, will impose cross-sector obligations regarding data access that may impact on SaaS vendors that collect customer data.
Osborne Clarke comment
Any business thinking about "switching" from being a SaaS consumer to vendor will need to undertake critical due diligence on the terms of its upstream licences before offering solutions to paying customers. The preparation will play an important role in determining the contractual terms that vendors put in place. Each situation will likely require a slightly different approach and, although very tempting, it may prove difficult to offer a one-size-fits-all set of standard terms to customers.
Customer and vendor expectations in SaaS agreements can be misaligned, with market practice and negotiating power influencing a number of provisions. All of the issues outlined in this Insight will need to be carefully considered to prevent unfairly balanced, unreasonable or inappropriate contract terms.
The parallel trends of moving software off premise and into the cloud and of digitalisation across all sectors mean that these considerations will be in play for a widening range of businesses. While the first phase of digital transformation may be digitalisation of a business's own operations, valuable in-house technology can be "flipped" into a potential profit centre by making it available to third parties. Understanding market practice, key areas for negotiation and the potential pitfalls in SaaS agreements will be a crucial element in the success of these initiatives.
If you would like to discuss any of these issues, please contact the authors or your usual Osborne Clarke contact.
Melissa Woodfield, Trainee Solicitor at Osborne Clarke, contributed to this Insight.