Aspects to take into account in software as a service contract

Aspects to take into account in software as a service contract

The SaaS contract comes from the English term “Software as a Service” (SaaS), this concept is born from the new way of distributing software or programs to end customers.

Before the advent of the Internet, the mechanism by which the software industry delivered its product to customers was through the creation of executable applications, which were delivered by physical means, such as diskettes, USB, CD, DVD, among others.

What is a Software as a Service contract?

The SaaS contract model is based on recurring payment business. Software as a Service subscriptions are the language of digital transformation. This change of perspective offers many advantages for different types of businesses, optimizing results. 

The SaaS industry has applications for everything from movies to contract signing platforms. Some of the most well-known SaaS applications include Microsoft Office 365, Netflix, DocuSign or Zendesk.

Also, the SaaS license serves as an agreement between the software developer and the customer. SaaS license agreements aim to maintain customer compliance with guidelines and payments and the software developer’s commitment to deliver updates, technical support and customer privacy as promised.

On the other hand, in a Cloud computing environment the management of the information is virtually in the hands of the customer who contracts the cloud services, who treats it through the Internet by accessing database solutions, email, or any type of applications according to their needs. Depending on the model used, the data may not actually be in the hands of the contractor, since the ownership, maintenance and management of the information hardware, processes and communications may be in the hands of third parties. The service provider may be located almost anywhere in the world and its ultimate goal will be to provide the above services by optimizing its own resources through, for example, offshoring, resource sharing and mobility practices or by performing additional subcontracting.

Essential elements of the SaaS contract

With SaaS solutions, the software company has control over the entire service, including the data infrastructure and information systems.

In this regard, the contract is of paramount importance based on:

1. Subscription: The customer does not pay for a license, but makes a subscription. The contract, therefore, determines the terms and conditions of the subscription.

2. Quality of service.

3. Service availability and upgrades: Service availability and maintenance periods should also be included in the contract. A clause to this effect will commit the service provider to ensure 24/7 availability of the SaaS software to its customer.

4. Data security: In order to ensure the security of the service and data, the parties undertake to dedicate technical resources.

5. Data processing: Data processing. This clause of the contract must specify, among other aspects, the guarantee of compliance with the regulations in force regarding the collection and processing of personal data, the guarantee to inform the client in the event of a security breach that may affect the processing of data, etc. 

Other legal aspects to take into account

The contracting of SaaS services will be carried out through a service provision contract. It is essential that this contract includes among its clauses the guarantees required by the RGPD (article 28).

It should be noted, first of all, that the customer contracting a SaaS has a legal duty of care to, according to Article 28.1 of the GDPR, choose “only a processor providing sufficient guarantees to implement appropriate technical and organizational measures, so that the processing is in compliance with the requirements of this Regulation and ensures the protection of the rights of the data subject”. 

This duty of care will be translated, given the specific characteristics of these services, into a range of information requests to the service provider aimed at knowing the guarantees it offers for the protection of the personal data for which it remains responsible. This information will be essential for you to decide on the type of cloud and the type of services you hire and, specifically, to discriminate which one or ones offer adequate guarantees and choose between them. 

Compliance with this duty of diligence must have as a counterpart on the part of the cloud computing service provider a correlative diligence in providing information, in particular on the mechanisms that ensure compliance with the obligations arising from the data protection regulations, in order to be considered as a transparent provider, as established in art. 28. 3 letter h): “shall make available to the controller all information necessary to demonstrate compliance with the obligations set out in this Article, as well as to allow and assist audits, including inspections, by the controller or by another auditor authorized by the controller”, as well as in the final paragraph of the same article “the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.