ACCAM17 Panel – Key Issues in Negotiating and Drafting Subscription Services Agreements
Technology was a common theme at the Association of Corporate Counsel (ACC) annual meeting, from the opening plenary on blockchain to sessions on payment fintech and cybersecurity. Technology-related contracting continues to attract significant interest among lawyers, whether it’s utilizing automation or machine learning in the drafting and review processes, or substantive issues that typically arise in negotiating software as a service (SaaS) agreements. Below are a few highlights from the “Key Issues in Negotiating and Drafting Subscription Services Agreements” session, which was led by a panel of four in-house counsel representing multinational companies (from either a buyer or a seller perspective).
Service Level Agreements (SLAs)
The SaaS supplier is responsible for hosting its software, and for the performance and availability of the software. Many suppliers offer “availability SLAs” where customers can receive credits, typically a percentage of the monthly fees, for service level failures. Customers should assess whether an availability SLA is sufficient or if they require additional SLAs (such as for latency, data recovery, security breach notification, incident management, processing accuracy, or other measurable metrics). In a multi-tenant environment, SLA requests specific to one customer’s business may be difficult for a supplier to agree to (or to offer without additional costs).
Customers also should evaluate to what extent SaaS providers may use their data. Sometimes it may be appropriate to grant broad data rights to suppliers, but in other instances, suppliers’ data rights should be limited. For example, suppliers offering virus checking services or other security-type services, where the value is based on leveraging the supplier’s ability to identify threats across customers, may require use of customer data in order to improve services for the good of the whole. Likewise, anonymized health data within a SaaS may have a public health purpose that researchers should be able to use. On the other hand, customer data may be so sensitive that customers may want to restrict suppliers from any kind of data use except to provide the services. A supplier’s ability to mine customer information for big data trends or for other non-essential purposes might not be OK for many customers.
Supplier Risk Management
Customers also should focus on supplier risk management, which includes assessing suppliers’ information security programs and processes, screening/vetting third parties and having governance frameworks in place. Security of customer data within a SaaS is paramount, particularly if it contains personally identifiable information (PII), sensitive data, confidential information, or other regulated data. Customers should verify that a supplier’s information security measures are adequate for the particular services and the data processed, and contractually require suppliers to regularly provide evidence of compliance through auditor reports, third-party certifications, or other executive summaries (followed by customer review). Contracts should include remedies for failure to meet the agreed-to standards.
SaaS contracting will continue to have unique issues as the complexity of systems grows, customer reliance increases, and machine learning within delivered solutions puts new twists on intellectual property frameworks.
The following people hosted this ACC session: Jennifer Arbuckle, assistant general counsel, Thomson Reuters; William Eipert, senior managing counsel, Xerox Corporation; Daniel Greenberg, general counsel, SAP Canada Inc.; and Elizabeth Staples, corporate counsel, Symantec Corporation.
This post was written by Jennifer Arbuckle, assistant general counsel at Thomson Reuters.