A SaaS contract is a contract for software as a service. Software as a service is a model of software delivery in which applications are hosted and managed from a central location rather than installed at each company's own site. Under a SaaS contract, customers access the applications remotely over the web.

The Chief Information Officer (CIO) of a company is generally well-versed in information technology. The CIO must know exactly which terms and agreements should be included when negotiating a SaaS contract. The use of SaaS contracts is becoming much more prevalent in IT infrastructures. In fact, the IDC (International Data Corporation) forecast that spending on SaaS would rise to $11 billion by the year 2009.

What Level of Financial Liability is Appropriate for a SaaS Vendor When It Comes to Data Breaches?

Many business customers who are considering SaaS have concerns about handing over control of the company's data to a SaaS provider located off-site. However, there are several things a SaaS vendor can do to mitigate the risk of data breaches. These security measures include:

  • Using secure technology (such as encryption)
  • Using multiple firewalls
  • Adequate personnel training
  • Certification of security measures
  • Third-party review of security measures

Additionally, SaaS providers are commonly thought to be better equipped to safeguard their customers' data than the customers themselves are. Because of their role in the marketplace, SaaS providers must implement the latest security measures to stay competitive and to ensure they are mitigating the risk of any major data breach.

However, SaaS customers often attempt to hold SaaS vendors legally liable for any ensuing loss of data, corruption, intrusion, damages, or unintentional breach or disclosure. Viewed through the lens of contract law, this would require the SaaS vendor to accept full liability for the potentially severe consequential damages arising from any of these events.

Consequential Damages

Consequential damages in this sense are the foreseeable financial damages that arise from a breach, which can vastly exceed the amount the customer paid under the terms of the contract. For a SaaS contract, these damages may include the business's lost profit, lost business contacts, and even the cost of notifying the customers affected by the data breach.

Liability for Consequential Damages

It is common for SaaS vendors to decline to accept liability for consequential damages, because otherwise they may have a hard time staying in business. It is not really reasonable for a SaaS customer to expect a vendor to take on this liability, since the customer would not typically agree to it in its own contracts with its own customers. However, it is not unreasonable to expect the SaaS vendor to accept some liability for consequential damages if the data breach results from the vendor's own intentional conduct or from actions that rise to the level of gross negligence.

If a SaaS vendor did agree to take on full liability for consequential damages, a single data breach affecting just one SaaS customer could force the vendor out of business.

One approach considered somewhat fairer in these situations is for the customer to request that the SaaS vendor accept liability for direct damages resulting from a data breach only up to a previously specified amount. This limit would be based on the overall assessed value of the contract. Both parties should also keep in mind that cyber liability insurance may be purchased to protect each party against risks that it cannot contractually allocate to the other.

The SaaS Application: Availability

The customer will reasonably expect the SaaS application to be readily usable and available, just as if it had been installed on the customer's own on-premises equipment. Most SaaS vendors will agree to make the application available at least 99.5% of the time. The specific terms of this commitment are set out in the service level agreement.

If you need help with a SaaS contract, you can post your legal need on UpCounsel's marketplace. UpCounsel accepts only the top 5 percent of lawyers to its site. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale Law and average 14 years of legal experience, including work with or on behalf of companies like Google, Stripe, and Twilio.