Can You Review this SaaS Agreement for Major Red Flags?
In an ideal world, an attorney would review every commercial agreement line-by-line for each and every possible risk and issue that may arise from the business relationship contemplated under the agreement. However, companies do not always want, or have the ability, to spend the time and money required for this level of review and the lengthy negotiation that often follows. Rather, certain agreements are deemed low-risk by the company and require a “major red flags only” level of review.
The “major red flags only” review is a common request by clients that are buying a low-cost software-as-a-service (SaaS) solution that is not mission critical and requires a short and simple implementation. Below is a list of terms that companies should consider when reviewing a SaaS agreement from the customer’s perspective, even in the context of a limited legal review.
- Basic Commercial Terms: The basic commercial terms of the business arrangement, including the length of the agreement term, term renewals, termination rights (described in more detail below), price, payment terms and description of the SaaS solution, should be accurate and precise. Customers are often surprised when the provider’s first draft of the agreement does not reflect the basic business deal negotiated between the parties. Some common issues with the basic deal terms are: (i) the provider’s ability to increase pricing over time; (ii) clarity on the distinction between implementation fees and SaaS solution fees; (iii) clarity on the commencement date of each category of fees; (iv) the structure of fees for implementation services (flat fee, time and materials fee, time and materials fee with a not-to-exceed amount, etc.); and (v) little to no specificity on the SaaS solution or its features and functionalities.
- Termination Rights: The agreement should contain all of the “standard” termination rights (uncured material breach, bankruptcy, etc.). Customers may also consider inserting a termination for convenience right and a termination right triggered upon the customer’s rejection of the nonconforming SaaS solution after post-implementation acceptance testing. Providers almost always object to a customer’s request for a termination for convenience right, but a customer may be able to obtain such a termination right that commences later in the term after the provider has recouped its implementation costs (e.g., after the second anniversary of the effective date). Termination rights tied to acceptance testing can be critical for a customer if problems arise during the implementation phase of the project. Further, providers often include for themselves a termination for convenience right in their form agreements. Customers should consider whether or not that is acceptable in the context of the business arrangement. Finally, customers should consider whether or not they need to insert some basic transition assistance requirements that obligate the provider to assist the customer in its efforts to transition the services in-house or to another third party.
- Data: There are very few issues that can create existential risk to the customer’s business as a whole in non-mission critical SaaS arrangements, but data privacy and security matters are one of them. Customers may be subject to significant liability and business interruption if the provider experiences a data breach or uses customer data in violation of law. Every SaaS agreement should obligate the provider to comply with all data privacy and security laws and adhere to some basic level of data privacy and security practices. The agreement should also set forth the provider’s obligations and the customer’s remedies that are triggered upon a data breach.
- Service Level Agreements (SLAs): Form agreements from the provider may not include any service level commitments. The agreement should contain basic performance standards for the SaaS solution’s availability and the provider’s maintenance and support obligations. With respect to maintenance and support SLAs, the customer should consider problem response time and problem resolution time commitments of the provider. Without these basic performance standards, the customer may have limited ability to claim breach of contract and terminate the agreement if the SaaS solution or the provider’s performance of maintenance and support falls below expectations. Finally, customers should be mindful of “sole and exclusive” remedy language that may limit their remedies to invoice credits in the event of SLA violations.
- Intellectual Property: A standard SaaS agreement typically does not include any assignment of intellectual property rights from one party to the other, so such provisions should be removed or reviewed in detail. However, if the business arrangement includes development of any code or other materials by the provider to be owned by the customer, the customer should ensure proper work for hire, assignment and back-up license provisions are included in the agreement. All intellectual property licenses granted by the customer to the provider (e.g., licenses to use customer data or customer’s logo for marketing purposes) should be narrow in scope. Customer data licenses granted from the customer to the provider should be limited to internal use during the agreement term for the sole purpose of providing the SaaS solution and related services to the customer. Provider form agreements often contain licenses from the customer to the provider that are much broader in scope, and such licenses should be removed or narrowed.
- Restrictive Covenants: At a high level, restrictive covenants are contractual provisions that prohibit a party from soliciting the other party’s customers, soliciting the other party’s employees, competing with the other party or using any goods or services that compete with the goods or services provided by the other party. These provisions are not appropriate for the typical SaaS arrangement, with the possible exception of employee non-solicit provisions. Most provider form agreements will not contain egregious restrictive covenants. Of course, there are exceptions, and customers should remove all restrictive covenants from a standard SaaS agreement, with few exceptions.
- Compliance Obligations: Courts and regulators won’t care whether or not the provider or its SaaS solution is “mission critical” if such provider or SaaS solution causes the customer to be in violation of laws or regulations that apply to the customer. So, customers should ensure that the agreement requires the provider to comply with all applicable laws and regulations generally. In addition, if the customer is in or serves a heavily regulated industry, more robust provider compliance obligations may be appropriate or required under the applicable regulations.
- Limitation of Liability: Form agreements are very aggressive in limiting the provider’s liability under the agreement, typically limiting the provider’s liability to an amount equal to 12 months’ fees and leaving the customer’s liability unlimited. Every customer should ensure it has the potential for meaningful recovery under the agreement. Accordingly, certain critical breaches or liabilities (e.g., breach of confidentiality, data security breaches, indemnity obligations, intentional suspension of services, etc.) should be exceptions to the liability cap and subject to unlimited liability or a “supercap” that is higher than the typical 12 months’ fees general cap. Also, every customer should ensure that the limitation of liability provisions are mutual and limit the customer’s liability as well.
- Indemnification: All providers should provide indemnity protection for third-party claims against the customer that allege the customer’s use of the SaaS solution infringes a third party’s intellectual property rights. A provider should also have indemnity and cost reimbursement obligations that arise from data breaches. As mentioned above, customers should ensure that these provider obligations are not subject to an unreasonably low liability cap. Form agreements can also be very aggressive by imposing broad indemnity obligations on the customer. In most arrangements, it’s not necessary or appropriate for the customer to provide broad indemnity protections to the provider, especially if such obligations are subject to unlimited liability.
- Insurance: The customer should be comfortable with its ability to recover against the provider in the event that it needs to make a claim against the provider. As the saying goes, “You can’t get blood from a turnip.” In other words, a judgment against a provider may be close to worthless if the provider is judgment-proof. One mechanism to help mitigate this risk is to contractually require the provider to obtain and maintain certain insurance coverages that add the customer and its affiliates as additional insureds. Customers should consider requiring the provider to obtain and maintain commercial general liability coverage, network/cyber liability coverage, professional liability coverage, and errors and omissions coverage. Customers should require the provider to deliver certificates of insurance throughout the term of the agreement to confirm such insurance is in place.
- Amendments: Many provider forms permit the provider to amend terms of the agreement without the customer’s prior written consent. Customers should require that changes to the agreement be set forth in a written amendment signed by both the customer and the provider.
This list is non-exhaustive and may change depending on the specific facts and circumstances of the business arrangement. However, these issues are always worth legal review, even in the context of a limited review. Finally, whether or not a particular agreement is an appropriate candidate for the “major red flags only” review is an agreement-by-agreement analysis and is dependent on much more than the fees owed under the agreement. Of course, the limited legal review approach can make a lot of business sense when appropriate, but it does provide for a greater chance of unfavorable outcomes if any problems with the business deal arise.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.