There has been a growing trend over the past few years for software suppliers to make their software applications available as a service. This is where the software remains installed on the software suppliers’ own servers (or servers under its control) and users access the software via a portal over the internet. Data entered by the users is stored on the software suppliers’ servers.
The model generally provides a low-cost, flexible solution, which lends itself to proactive development and maintenance for the benefit of the whole user community.
Businesses should consider a number of key legal and practical issues when purchasing software as a service, and should ensure these are properly addressed in the contract.
Suppliers are usually inclined to contract on their standard terms and conditions and offer little room for these to be amended, but where you are purchasing software as a service and you feel the standard terms and conditions challenge the boundaries of reasonableness you should not be afraid to negotiate with the supplier in an attempt to balance the risk.
- As with any procurement of software, there should be clarity over what you are buying. You should expect to be provided with a specification or description of the software, together with certain guarantees regarding availability and performance. The software should be available for you to access at the times when you require it to be available (subject to downtime for routine or emergency maintenance) and response times should be acceptable.
- The scope of services should also be specified and you may find this set out in a separate service level agreement (SLA). The SLA must be properly incorporated into the contract. We sometimes find that the specification or SLA is perfectly adequate yet entirely separate from the main contract which makes enforcement difficult in the event the software is found to be unacceptable in terms of functionality, availability or response.
- Since the software is within the control of the supplier, support should be ongoing and preventative rather than the usual reactive model. However, there must be the ability to alert the supplier to faults and have these fixed. Response and fix times must be reasonable in order to minimise any impact on your business.
- You should check whether the supplier is in fact a reseller authorised by the software owner to grant sub-licences of the software and deliver this as a service to end users. If this is the case, the supplier may in practice provide only first line or helpdesk support. You should confirm that the software can be fixed by the software owner within your required response times.
3. Data security
- When using software as a service, you are absolutely reliant on the supplier to keep your data secure. Data is not just personal data about your employees or customers, but may also include your routine and often confidential business data. Security measures applied by the supplied must be adequate and appropriate to the sensitivity of your data. Check whether the supplier holds any data security accreditations such as ISO 27001, which will give you comfort that the supplier’s working practices regarding security are adequate.
- The supplier will act as data processor in respect of any personal data which you enter into the software. However your business will be responsible to the Information Commissioner and any data subject for a security breach caused by the supplier. You should therefore make sure that your contract includes adequate data processing clauses, backed by an indemnity if the possibility and consequences of a data security breach are significant.
- Where the software is critical to the operation of your business, you should ensure that access to the software and your data can be resumed quickly following a disaster so as to minimise impact on your business.
4. Limitation or exclusion of liability
- Suppliers of software as a service sometimes take a very firm line on limitation and exclusion of liability on the basis that the software is delivered as a low cost solution and businesses which purchase the software as a service should take some of the risk. However you should beware of any limitation of liability clause which seeks to exclude the supplier’s liability for loss or corruption of data. This is fundamentally unreasonable and the supplier should as a minimum seek to remedy the situation by restoring the dta to the last available backup.
- You should also check any remedies for poor quality or unavailability of the service which are usually in the form of service credits. Such remedies are often limited and exclusive, meaning that in the event the quality of the software is poor during any particular month you would not be able to claim any other damages as a result of the poor service impacting on your business.
- It is important to consider what will happen at the end of the contract. Many service providers will attempt to lock their customers in by making it very difficult to access or retrieve data at the end of the contract. Others may charge a significant fee (exceeding the suppliers’ costs) for returning your data, or promise to do so only within 30 days or more.
- It is reasonable for you to expect that your important business data will be returned to you promptly at the end of the contract so that you can continue with your business. You should also make sure that your data can be returned quickly if the supplier becomes insolvent, or terminates the contract for your alleged breach.
- Your data should be returned in an appropriate format so that it is transferable to another software application or software as a service provider. You might be charged a reasonable fee for return of the data but this should not exceed the costs associated with download and transmission of the data.
6. Governing Law
When buying software as a service, you should make sure that you are aware which law governs the contract. If the supplier is located overseas then they will often seek to apply their own local laws which might leave you bound to resolve the dispute overseas, subject to significant costs.This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.