SaaS products revolutionized business practices. But, as with any business operation, risks exist. Make sure you can spot them. “Software as a service” (“SaaS”) is a method of delivering software that allows you to access your data from any device with an Internet connection and web browser.
Think . . . Gmail, Salesforce, or Microsoft Office.
Instead of installing software on the hard drive of your computer or laptop, it’s now customary to pay a monthly or yearly licensing fee and access the service/ product through the internet. Five years ago, SaaS was still relatively rare but today it is a routine way to deliver software. As you evaluate different SaaS vendors to meet your business needs, you’ve likely thought about cost and functionality. But there are other important considerations that might not have occurred to you. Be sure to review the terms of service (“TOS”) or license agreement and be on the lookout for these issues:
Who owns the data?
Small business owners often rely on SaaS to operate their companies. Over time, substantial amounts of mission critical and sensitive data becomes stored in the SaaS products they’re using. The TOS should address who owns your data (hint: it should be you). Also, the TOS should set forth when you can export or locally back up data and address your access to your data if the vendor fails.
Who owns the server?
SaaS providers may not own the servers they use to provide their product and that’s not necessarily bad news. The question is, who does? If the TOS merely reference “hosting partners” or “third party systems” with no transparency as to who those partners are, then you should be aware that your data may be held in off-shore jurisdictions where U.S. laws and customary practices do not apply. Also, TOS with vague descriptions of hosting partners allow the SaaS vendor significant latitude in when, how, and whether to change their hosting partners. The vendor may host your data with partner A today, partner B next month, and partner C next quarter. You will have no control over this and, potentially, no notice either.
Does the vendor encrypt your data?
I recently reviewed TOS for a client who has invested significant time, energy, and money in moving all business operations into one SaaS platform. It was a significant accomplishment that allowed greater business efficiency and streamlined operations. However, the vendor she chose created significant risks for her business. Tucked into the TOS was notice that the SaaS vendor uses “hosting partners” and may transfer her data from one server to another at any time. But what really raised the hair on the back of my neck was this:
“your content may be transferred unencrypted. . . .”
That means the SaaS vendor is likely using off-shore servers that it can swap out at will and that it moves my client’s data from server to server without encrypting it. Encryption is easy and inexpensive — failing to encrypt data is a shockingly cavalier practice. Pause for a moment and consider the sensitive information your company’s databases likely contain: client names, addresses, phone numbers. Maybe birthdates. Credit card numbers? That’s enough to keep me awake at night. If she had asked me to review the TOS before she committed to using this vendor, I would have told her to look elsewhere because the risks are too high. And that brings me to my next point . . .
Who is liable?
It’s perfectly normal for a vendor to disclaim liability for any damages resulting from a breach. If the vendor was my client, that’s how I’d draft it. However, you should prepare and carefully consider the scope of the disclaimer. In the example above, the scope of the vendor’s TOS disclaimer was so broad that even if the vendor knew of damage it would not be liable. Essentially, the vendor has no responsibility if the service failed, hackers stole or altered my client’s data, or my client had to purchase back-up software. Whether to accept a scope this broad is a business decision. Just recognize that you have to protect your business from the risks this creates by creating a robust plan for responding to a data breach and purchasing cybersecurity insurance.
We all rely on SaaS products to run our businesses. There is no avoiding it. Like any business decision, you simply must understand the risks that lurk in the different products you’re considering. TOS can be difficult to read and understand – they’re drafted by lawyers, after all. If you’re struggling to figure out what the terms in the TOS really mean, reach out and get help. It’s what we do every day.