2019 Edition - LawPracticeCLE · 2019-03-22 · 11161 E State Road 70 #110-213 Lakewood Ranch,...

SaaS Agreements: Drafting and Negotiating

2019 Edition

11161 E State Road 70 #110-213Lakewood Ranch, Florida 34202

www.lawpracticecle.com941-584-9833

LawPracticeCLE is a national continuing legal education company designed to provide education on current, trending issues in the legal world to judges, attorneys, paralegals and other interested business professionals. New to the playing field, LawPracticeCLE is a major contender with its offerings of Live Webinars, On-Demand Videos, and In-person Seminars. LawPracticeCLE believes in quali-ty education, exceptional customer service, long-lasting relationships and networking beyond the classroom. We cater to the needs

of three divisions within the legal realm: Pre-Law and Law Students, Paralegals and other support staff, and Attorneys.

At LawPracticeCLE, we partner with experienced attorneys and legal professionals from all over the country to bring hot topics and current content that are relevant in legal practice. We are always looking to welcome dynamic and accomplished lawyers to share their knowledge!

As a LawPracticeCLE Speaker, you receive a variety of benefits. In addition to CLE teaching credit attorneys earn for presenting, our presenters also receive complimentary tuition on LawPracticeCLE’s entire library of webinars and self-study courses.

LawPracticeCLE also affords expert professors unparalleled exposure on a national stage in addition to being featured in our Speakers catalog with your name, headshot, biography and link back to your personal website. Many of our courses accrue thousands of views, giving our speakers the chance to network with attorneys across the country. We also offer a host of ways for our team of speakers to promote their programs, including highlight clips, emails, and much more!

1. A Course Description2. 3-4 Learning Objectives or Key Topics3. A Detailed Agenda4. A Comprehensive PowerPoint Presentation

LawPracticeCLE The Law in Review

LAWPRACTICECLE UNLIMITED

LawPracticeCLE Unlimited is an elite program allowing Attorneys and Legal Professionals unlimited access to all LawPracticeCLE live and on-demand courses for an entire year.

LawPracticeCLE provides 20 new continuing legal education courses each month that will not only appeal to your liking, but also meet your State Bar Requirements.

Top Attorneys and Judges from all over the country partner with us to provide a wide variety of course topics from basic to advanced. Whether you are a paralegal or an experienced attorney, you can expect to grow from the wealth of knowledge our speakers provide.

A View From The BenchAnimal LawBankruptcy Law Business Law Cannabis Law Construction Law Criminal Law Cybersecurity LawEducation LawEmployment Law Entertainment Law

COURSE CATEGORIES

Estate Planning Ethics, Bias, and Professionalism Family Law Federal Law Food and Beverage Law Gun Law Health Law Immigration LawIntellectual Property LawInsurance Law Nonprofit Law

ACCREDITATION

Paralegal Studies Personal Injury Law Practice Management & Trial Prep Real Estate Law Religious LawSocial Security Law Specialized Topics Tax Law Technology LawTransportation LawTribal Law

More Coming Soon ...

LawPracticeCLE will seek approval of any CLE program where the registering attorney is primarily licensed and a single alternate state. The application is submitted at the time an attorney registers for a course, therefore approval may not be received at the time of broadcasting. In the event a course is denied credit, a full refund or credit for another LawPracticeCLE course will be provided.

LawPracticeCLE does not seek approval in Illinois or Virginia, however the necessary documentation to seek CLE credit in such states will be provided to the registrant upon request.

ADVERTISING WITH LAWPRACTICECLE

At LawPracticeCLE, we not only believe in quality education, but providing as many tools as possible to increase success. LawPracticeCLE has several advertising options to meet your needs. For advertising and co-sponsorship information, please contact the Director of Operations, Jennifer L. Hamm, [email protected].

CHECK US OUT ON SOCIAL MEDIA

� Facebook: https://www.facebook.com/LawPracticeCLE

fin Linkedln: https://www.linkedin.com/company/lawpracticecle

@ lnstagram: https://www.instagram.com/lawpracticecle

0 Twitter: https://twitter.com/LawPracticeCLE

1

SAVANNAH 912.236.0261

BRUNSWICK 912.262.5996

H U N T E R M A C L E A N . C O M

Negotiating

SaaS

Agreements

22

Some Recent & Continuing Trends

Cloud computing is becoming a utility• Expectation of continuous, secure, affordable access

Mobile and wireless devices• User access from anywhere, through any device

The Internet of Things• Ever-increasing numbers of “smart” devices

Interconnectivity and integration• Connectivity between systems (APIs, apps, etc.)

Importance and value of data

2

33

3

Key Concept: Miles’ Law

Where you stand

depends on where you sit

• Role in negotiations (customer vs. vendor)

• Organizational culture / risk tolerance

• Leverage

▪ At least understand

the risks, even if

little or no leverage

44

Overview

Due diligence

Contractual provisions

• Basic drafting issues

• Issues/risks in SaaS contracts

Service level agreements

Data-related issues

• Increasingly important

Legal and regulatory concerns

• Ever-changing and increasingly complex

4

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRw&url=http://www.polyvore.com/sun_clipart_free_graphics_images/thing?id%3D1089657&ei=X49bVfcbkYc2mrWAiAg&bvm=bv.93564037,d.eXY&psig=AFQjCNH3ejmvsyWz1eoyq5vwXwm9P26OiA&ust=1432150143535006

55

Due Diligence

Identify prospective SaaS vendors• Review and compare

▪ Product offerings/functionality

▪ Potential leverage

▪ Pricing and costs➢ Including implementation, set-up & configuration

▪ Reputation/customer experiences & feedback➢Online searches (including litigation searches)

➢User groups/conferences

▪ Historical performance information

▪ Form agreements/standard terms

5

66

Contractual Provisions

Basic drafting issues

• Each party needs firm commitments

from the other – but often different ones

• Absolute commitments (shall, will, must, etc.)

▪ Vs. something less (goals, targets, objectives, will strive

or endeavor to, etc.)

• Defined levels of efforts

▪ Best efforts, commercially reasonable efforts, etc.

• Can a stranger understand/interpret the contract?

6

77

Contractual Provisions (cont’d)

Description of SaaS services

• Products/services purchased

▪ Identification, functionalities, capabilities, etc.

➢For each applicable user type

• Basis of pricing/fees

▪ Usage parameters, limitations, restrictions

➢Numbers and types of permitted users

➢Any other parameters

» Storage space, API calls, data transmitted, etc.

7

88


Scope of permitted use• Employees

• Corporate affiliates▪ Majority interest

▪ Minority interest with right to manage/control

• Other third parties▪ Business partners (customers, vendors, etc.)

➢Counted as users / subject to additional fees?

▪ Contractors and consultants in performing services

• Geographic locations

• Other applicable parameters

8

99


Scope of implementation, set-up,and configuration work

• Separate professional services engagement?▪ Statement of Work

➢Each party’s responsibilities

➢Timeline/schedule for performance

➢Loading of historical data from legacy systems?

➢ Interfaces

▪ Additional fees?➢Method of calculation

» Time-and-materials, not-to-exceed, fixed fee, etc.

» Applicable rates

9

1010


Invoicing and payment terms

• Frequency

▪ Monthly, quarterly, annually, etc.

• Timing

▪ In advance vs. in arrears

• Payment terms / due date

• Notice/cure period for non-payment

▪ Vendor right to suspend?

• Taxes

10

1111


Price protection• Initial term pricing

▪ Additional users

▪ Any other additional charge parameters➢ Storage space, API calls, data transmitted, etc.

• Periodic increases▪ Frequency - at will, annually, renewal terms, etc.

▪ Caps on price increases➢Fixed percentage

➢CPI, ECI, or other index

➢Duration of price protection

11

1212


Term

• Initial term

▪ Pricing tied to duration?

• Renewal terms

▪ Duration

▪ Auto-renewals?

▪ Notice periods for:

➢Price increases

➢Non-renewal - customer vs. vendor

12

1313


Termination rights

• For convenience

▪ After initial term or specified period?

➢With decreasing exit/termination fee?

• For cause

• Force majeure

• Change of control

• Chronic/recurring service level failures

13

1414


Post-termination obligations

• Limited extension of term by customer?

▪ Specific percentage increase in fees?

• Return of customer data/content

▪ Format

▪ Process and timing

▪ Additional charges?

• Deletion of data/confidential information

▪ Exceptions for backups/archival copies, legal and regulatory obligations, etc.?

14

1515


Warranties• SaaS products/services

▪ Exclusions/exceptions?

▪ Sole and exclusive remedies?

• No viruses/disabling or malicious code

• Intellectual property (IP)/third-party rights

• Sunsetting

▪ Duration/advance notice

▪ Moving functionality to new/alternative product?

15

1616


Indemnities

• IP and other third-party rights

▪ By vendor

➢SaaS products/services, deliverables, etc.

▪ By customer

➢Customer data/content

• Violations of law and regulations

• Data security breaches

16

1717


Limitations of liability• Mutual vs. unilateral

• Exclusion of indirect damages

▪ Specific exclusions/examples?

• Cap/limit on recoverable damages

▪ Total fees (or multiple of total fees) paid during:

➢Most recent 12 months vs. entire term

▪ Fixed dollar amount

▪ Specified minimum/floor?

17

1818


Exceptions to limitations of liability

• Applicable to both exclusion of indirect

damages and cap on damages?

▪ Indemnities

▪ Willful repudiation or abandonment by vendor

▪ Gross negligence and willful misconduct

▪ Violations of law/regulations

▪ Breaches of confidentiality and security breaches

18

1919


Alternative caps on liability• Breaches of confidentiality

and security breaches▪ Specified dollar amount

▪ Specified multiple of fees paid (or of standard cap)

▪ Limit of insurance (cyber-liability) coverage

➢Vs. extent to which insurance actually pays out on customer’s claims as insurable events

▪ List of typically resulting items/damagesthat are not capped

19

2020


Required insurance coverage

• Workers’ comp./employers’ liability

• Commercial general liability

• Professional liability/errors & omissions

• Umbrella/excess liability

• Cyber-liability/technical errors & omissions

▪ Many SaaS vendors now carry

▪ Scope of coverage may vary

20

2121


Cyber-liability insurance coverage examples:• Liabilities, claims, regulatory fines, penalties, punitive damages, costs

of forensic investigations, and expenses arising from data breach

• Loss, disclosure, alteration, extortion, and theft of data

• Defamation and identity theft

• Internet advertising, media and content rights infringement/liability

• Network and system security failures, denial of service attacks, DNS spoofing, transmission of malicious code, unauthorized access/use

• Costs of notifying individuals and authorities of security/data breach

• Cost of credit monitoring services

• Other causally-related crisis management expenses

21

2222


Confidentiality• Definition

• Meaningful obligations

▪ Downstream obligations

➢Employees, subcontractors, etc.

• Permitted uses/disclosures

• Compelled/required disclosures

▪ Notification and cooperation

• Return or destruction

22

2323


Other general provisions• Assignment

• Governing law

• Choice of forum/venue▪ Waiver of jury trial?

• Dispute resolution▪ Informal process

▪ Mediation?

▪ Arbitration?

• Time limitations on actions

• Audit rights

23

2424

Service Level Agreements

In general

• Most SaaS vendors have form

service level agreements

▪ Customer may need to request

• Most SaaS vendors will resist

substantive changes to their form

service level agreements

• Consider relative value of remedies

24

2525

Service Level Agreements (cont’d)

Common SaaS service levels

• Problem response and resolution (support)

▪ Severity levels

▪ Hours of coverage (and time zones)

➢By severity level

➢Staffed vs. on-call

▪ Absolute commitments vs. something less

▪ Escalation process

25

2626


Common SaaS service levels

• Availability/uptime

▪ Hours of coverage

▪ Metrics and calculation

▪ Frequency of assessment

➢Monthly, quarterly, ad hoc, etc.

▪ Required uptime percentage

▪ Exceptions

26

2727


Service level process/remedies• Automated reporting/credit issuance

▪ Or only upon request?

• Service credits

▪ Percentage of fees

▪ Fixed amounts

▪ Added days of service

▪ Sole and exclusive remedies

➢Termination right for chronic/recurring failures

27

2828

Data-Related Issues

Privacy and security

• Some of the primary risks of SaaS

• Customer gives up control of data

▪ But still responsible/liable to third parties

• Vendor processing/storing/transferring data

▪ But possibly more expertise, personnel, resources

▪ May be directly liable to third parties in some

cases

28

2929

Data-Related Issues (cont’d)

Assess data risks• What data will be processed/stored?

▪ Any personal data?➢ Individuals from what countries/states?

▪ Will data be encrypted?➢ At rest/in transit

• Where will data be processed/stored/transferred?▪ Can locations be specified/limited?

• Who may access data?▪ Encrypted/unencrypted

• Who will have what rights to data?

• When/how will data be returned or destroyed?

29

3030


Other issues

• Data retention

• Data backups

▪ Near real-time or less frequently?

▪ Backup storage location(s)

• Disaster recovery

▪ RPO – extent of data loss (in terms of time)

▪ RTO – recovery time

30

3131


Standards/audits

• Service Organization Control (SOC) reports

▪ SOC 1 – SSAE 18 – financial controls

▪ SOC 2 and SOC 3 – trust services principles

➢Security, availability, processing integrity,

confidentiality, privacy

▪ Report types

➢Type I – design of controls

➢Type II – design + effectiveness

31

3232


Other industry standards/certifications

• ISO 9000➢Quality management systems

• ISO 27001➢ Information security management

• ISO 3402➢ International version of SSAE 16 / SSAE 18

• Cloud Security Alliance (CSA) STAR

• HITRUST

32

3333


Basic data rights• Customer must obtain third-party authorizations

and consents necessary to provide data and content to vendor

• Customer retains all rights to data/content▪ Data provided, received, or created

▪ All derivative data➢ Summaries, extracts, metadata, etc.

• Vendor may only access/process customer data and content as necessary to fulfill contractual obligations during contract term

33

3434


Expanded data rights

• Vendors increasingly provide right to create and freely use and distribute aggregated or summarized data and statistics

▪ De-identification – data should not identify or provide reasonable basis for identification of individuals

▪ Limitations on uses/purposes?

▪ Consider whether legally permissible, whether have necessary consents/authorizations, and potential exposure

34

3535


Data analytics/big data• Increasing awareness of value of data

• More data being collected, processed, generated

+ More points of data generation and collection(e.g., mobile devices, Internet-enabled “things,” etc.)

+ More integration and interoperation of systems

+ More combining/aggregation of data

+ More data analytical capabilities

+ More pressure (and potential opportunities)tomonetize data

= More potential risk and exposure?

35

3636


Data and security breaches

• More frequent and more publicized

▪ Lasting reputational damage?

• Risks to consumers include:

▪ Identity theft/identity fraud

▪ Financial damage – theft, fraudulent charges

▪ Reputational damage – credit history, medical history, etc.

• Increasingly complex legal/regulatory environment

36

3737

Legal and Regulatory Concerns

Different regulatory approaches/regimes

• United States

▪ Patchwork of federal and state laws/regulations

▪ Often focus on specific industries

• European Union and other jurisdictions

▪ Broader, more comprehensive approach

▪ Focus on rights/freedoms of individuals

37

3838


U.S. federal regulatory regimes/concerns

• Gramm-Leach-Bliley

▪ Financial institutions and service providers

• HIPAA/HITECH

▪ Covered entities and business associates

➢Business associate addendums

• Sarbanes Oxley

▪ U.S. public companies

38

3939


U.S. federal regulatory regimes/concerns

• FTC enforcement actions

▪ Unfair or deceptive trade practices

➢Website privacy policies/terms of use

• Telecommunications CPNI rules

• Export control regulations

• Government contracting regulations

▪ FedRAMP certification

39

4040


U.S. state regulatory regimes/concerns

• Data privacy/breach notification laws

▪ Nearly every state

▪ Continuously evolving

➢Often becoming more comprehensive, strict

• Confidentiality and other laws relating to

specific professions/industries/activities

➢Healthcare

40

4141


European Union (EU)• General Data Protection Regulation (GDPR)

▪ Became effective May 25, 2018

▪ Comprehensive scope/broadly defined terms➢Applies to “processing” of “personal data”

» regardless of whether processing takes place in the EU

» includes processing related to the offering of goods or services to data subjects in the EU (regardless of whether payment by data subject is required), by a controller or processor not established in the EU

41

4242


GDPR Definitions• ‘Personal data’ means any information relating to an identified or

identifiable natural person (i.e., one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person)

• ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

42

4343


GDPR Definitions

• ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

▪ Typically, the SaaS customer

• ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

▪ Typically, the SaaS vendor

43

4444


GDPR

• EU Privacy Shield

▪ Self-certification program for U.S. companies

▪ Replaces Safe Harborunder EU Data Protection Directive

• Data Processing Addendum (DPA)

▪ Typically includes Standard Contractual Clauses

▪ Addresses SaaS vendor’s processing of personal data

➢ Including use of subprocessors, security controls, incident management/notification, etc.

44

4545


Legally required/compelled disclosures

• SaaS vendor should be obligated to:

▪ Provide prompt notice, unless prohibited by law

▪ Cooperate and assist in efforts to prevent or protect disclosure

➢Additional costs?

▪ Provide data, or access to data, to SaaS customer upon request

▪ Retain and preserve data

45

4646


eDiscovery/Litigation holds

• Legally required provision of copies of data,

or retention and preservation of data

▪ Required regardless of industry

▪ Failures to comply may be severe

▪ Especially applicable to emails, document

collaboration, etc.

• Best if addressed in SaaS contracts

46

4747

Questions

Milton L. PetersenPartner – Information Technology Practice Group

Hunter, Maclean, Exley & Dunn, P.C.

200 East Saint Julian Street

Savannah, Georgia 31401

Direct (912) 238-2629

Cell (912) 414-1263

[email protected]

www.huntermaclean.com

47

2019 Edition - LawPracticeCLE · 2019-03-22 · 11161 E State Road 70 #110-213 Lakewood Ranch,...

Documents

Transcript of 2019 Edition - LawPracticeCLE · 2019-03-22 · 11161 E State Road 70 #110-213 Lakewood Ranch,...