SaaS contracts are legal agreements between two or more parties, including a software as a service provider and a customer.

Financial Liability for a Data Breach

A prospective SaaS customer might be worried by the idea of giving total control of important company data to a SaaS provider located off-site. Nowadays we constantly hear about new and massive data security breaches, often resulting from mistakes, espionage, cybercriminals, and other causes.

A vendor of a SaaS platform should be expected to handle certain tasks to reduce the data breach risk. Some of these tasks include:

  • Third-party reviews
  • Appropriate training of personnel
  • Use of adequate security technology
  • Firewalls

A vendor should also take steps to ensure that all security measures are certified.

Some industry experts have argued that since a SaaS provider is required to implement fully functional and robust security infrastructure to reduce the risk of data breaches and remain competitive, these types of vendors are actually more equipped to handle the protection and safeguarding of customer data. With this knowledge and experience in the area of security, the vendor is probably more equipped to handle secure data than the customer is equipped to handle their own data.

However, customers will typically still hold SaaS vendors liable and responsible for any breach, intrusion, unintended disclosure, damage, and data loss. In SaaS contracts, the vendor must accept liability for potentially massive consequences resulting from data breaches, intrusion, and loss. In a contract, consequential damages include any financial damages that could be foreseen and arise as the result of a breach. Those damages could exceed the cost of the SaaS substantially. Some of these examples might include the cost associated with notifying anyone affected by the breach and the cost of any business lost by the customer.

Consequential Damage Liability

Most SaaS vendors are not liable for consequential damages. Doing so could result in a vendor having to go out of business after a single breach or loss of data. It isn't reasonable for a SaaS customer to expect a vendor to accept consequential damages, especially since these same customers often don't accept consequential damages in their own contracts with their customers. By choosing to accept the liability for full consequential damages, a SaaS vendor could be bankrupted after one breach.

Instead of trying to get a vendor to accept full consequential damages, it is better for a customer to look at options for liability related to direct damages from a loss of data. In a SaaS contract, this will typically be up to a limit agreed upon by both parties, such as the overall contract value or its multiple. The amount the SaaS vendor is expected to be paid over the life of the contract could also be a factor in the limit.

Additionally, a SaaS vendor should be responsible for at least some consequential damages when a data breach happens because of intentional misconduct or gross negligence on the part of the vendor. Cyber-liability insurance may be a good option for both the vendor and the customer. This type of insurance protects against data loss risks when one or both parties aren't able to offer the extent of the protection needed.

Availability of the SaaS Application (Uptime Commitment)

Any SaaS customer should have a reasonable expectation that the software is functional and available to the degree that it would be if it were installed in their on-site computing environment. If a mission-critical SaaS application is not available, the customer's business and operations can be hit hard. Vendors should include in the SaaS contract sufficient warranties concerning performance and also remedies for any issues.

Any good vendor will agree that the application will be accessible and available at least 99.5 percent of the time, out of the 24 hours in a day, seven days in a week, and 365 days in a year. In a service-level agreement, a SaaS vendor might outline this part of the contract. Today's marketplace demands that a SaaS platform is available and accessible. Exceptions to this uptime commitment include routine maintenance upgrades and outages, which should be performed during non-peak times, as well as general outages and equipment failures that are outside the vendor's control.

If you need help with SaaS contracts, you can post your legal need on UpCounsel's marketplace. UpCounsel accepts only the top 5 percent of lawyers to its site. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale Law and average 14 years of legal experience, including work with or on behalf of companies like Google, Stripe, and Twilio.