SaaS and Trade Secrets: Protecting Your IP

by John DiGiacomo

Partner

Internet Law

Software-as-a-Service (“SaaS”) companies are generally acutely aware of the need to protect their intellectual properties (“IP”), like patents, copyrights, and trademarks, when preparing their service contracts.

SaaS companies must be just as acutely aware of protecting IP that is covered by trade secret law. A good example of the dangers is the recent lawsuit filed by SaaS company Replenium against Albertsons — a grocery store chain with more than 2,000 stores in 30 States. Replenium worked with Albertsons for three years, developing an online subscription purchasing platform that would allow Albertsons’ customers to have their frequently purchased items automatically repurchased at chosen intervals for delivery or pick-up. Replenium’s platform design is alleged to be unique in that its automation can be used for large “baskets” of goods — instead of small-batch replacements — and that it can be used with products having varying profiles such as fresh, frozen, needs refrigeration, must-be-kept-cool, etc.

Replenium alleges that, despite extensively negotiated non-disclosure and confidentiality agreements, Albertsons misappropriated its trade secrets, launched its own version of the Replenium platform, and then canceled its SaaS contract with Replenium. During the three years of development, Replenium shared various details of its platform structure and operation to ensure integration and compatibility with Albertsons’ systems. Replenium then filed a lawsuit in federal court alleging misappropriation of trade secrets, breach of contract, and other claims.

What is a Trade Secret?

Most States and the federal government have enacted statutes to protect trade secrets. The general definition of a trade secret involves four elements:

  • Information, data, device, method, or anything similar
  • That is secret, meaning that it is “not generally known”
  • That the owner takes “reasonable efforts” to keep from becoming generally known and
  • That provides “commercial value” from the fact that the information is secret

“Commercial value” is generally defined to mean that there is some “competitive advantage” gained from the fact that the information is secret.

Almost anything can be deemed a “trade secret,” including things as simple as customer or vendor lists, recipes, formulas, methods, plans, practices, etc. The federal Defend Trade Secrets Act explicitly lists technical information, programs, processes, and codes as items that can be protected as trade secrets.

“Misappropriation” is also broadly defined under U.S. trade secret laws. Misappropriation can mean an outright theft of secrets through something like espionage. But it can also mean unauthorized USE of trade secrets. This is the legal theory being used by Replenium. It willingly shared its trade secrets with Albertsons, but under non-disclosure and confidentiality agreements that required Albertsons to keep the data/information secret and to not use the secrets for their own purposes.

Some Lessons

SaaS companies must protect their trade secrets with the same intensity that they protect their other forms of IP. Even with high levels of protection, SaaS companies may STILL face misappropriation and/or IP infringement. When that happens, SaaS companies must be prepared to litigate. Replenium’s experience also suggests the need for practical steps to prevent complete loss of relevant trade secrets. It may not be possible in a given circumstance, but it may be wise to hold back key information, methods, devices, codes, etc. entirely, or to hold them back until the very last possible moment.

Contact the SaaS Attorneys at Revision Legal

For more information, contact the experienced SaaS Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Why SaaS Trade Secret Exposure Is Different from Other IP Risks

Patent, copyright, and trademark protection for SaaS companies all involve public registration or disclosure — the trade-off for legal protection is making the intellectual property visible to competitors and the public. Trade secret protection works in the opposite direction: protection is conditioned entirely on keeping the information secret. The moment a trade secret becomes generally known, the protection evaporates. This creates a structural tension for SaaS businesses that must share technical details with enterprise customers for integration, customization, and compatibility purposes.

The Replenium case illustrates the specific risk: a SaaS company shared platform architecture details, integration specifications, and operational methodology with a major enterprise customer over three years of collaborative development. That sharing was necessary — without it, the integration could not have worked. But the same information that enabled the integration also enabled Albertsons to reverse-engineer and replicate the platform after terminating the contract. The lesson is not that SaaS companies should refuse to share technical details with customers; it is that they must structure that sharing within carefully designed legal and operational protections.

The Federal Defend Trade Secrets Act and State Equivalents

The federal Defend Trade Secrets Act (DTSA), 18 U.S.C. § 1836 et seq., provides a federal cause of action for trade secret misappropriation that is available alongside state law claims. The DTSA defines trade secrets broadly to include “all forms and types of financial, business, scientific, technical, economic, or engineering information” if the owner has taken reasonable measures to keep the information secret and the information derives independent economic value from its secrecy. That definition encompasses source code, algorithms, database schemas, system architectures, training data, model weights, and the design specifications of any novel SaaS feature or process.

Most states have enacted versions of the Uniform Trade Secrets Act (UTSA) that parallel the DTSA, allowing SaaS plaintiffs to bring both federal and state claims in federal court. The advantage of federal jurisdiction includes the availability of ex parte seizure orders — an emergency remedy available only under the DTSA that allows a court to order the immediate seizure of property containing misappropriated trade secrets before the defendant can destroy or transfer the information. For a SaaS company that discovers a customer has copied its platform, an ex parte seizure order can be the difference between preserving and losing the evidentiary record needed to prove misappropriation.

Drafting Enforceable NDAs and Confidentiality Agreements

A non-disclosure agreement is only as useful as its enforceability. Courts have declined to enforce NDAs that are overbroad, lack specificity about what information is confidential, have no time limitation, or are entered into without adequate consideration. For SaaS companies sharing technical information with enterprise customers, well-drafted NDAs should include:

  • A specific definition of confidential information that identifies, with as much particularity as practical, the categories of information being protected — broad definitions like “all information shared between the parties” are less enforceable than targeted definitions describing platform architecture, integration specifications, algorithms, and design methodology
  • A prohibition on using confidential information for purposes beyond the scope of the contracted services — the “no unauthorized use” provision is what Replenium relied on when Albertsons allegedly replicated its platform for internal use
  • An explicit prohibition on reverse engineering any software, API, or platform component
  • A requirement that the receiving party limit disclosure within its organization to personnel with a need to know, and maintain records of who had access
  • A provision requiring the return or destruction of confidential information upon termination of the relationship
  • Injunctive relief provisions acknowledging that breach would cause irreparable harm — courts will issue a preliminary injunction to stop ongoing use of misappropriated trade secrets, but the agreement should make that remedy explicitly available

Operational Protections Beyond the Contract

Contract protections alone are insufficient for SaaS trade secret protection. The “reasonable efforts to maintain secrecy” requirement under the DTSA and UTSA means that a SaaS company must take operational steps — not just legal steps — to protect confidential information. Courts have denied trade secret protection to companies that signed NDAs but then left sensitive information unprotected in ways that suggested the company itself did not treat it as genuinely confidential. Operational protection measures relevant to SaaS contexts include:

  • Access controls limiting API documentation, integration specifications, and platform architecture documents to credentialed users with a documented business need
  • Watermarking sensitive technical documents so that any leak can be traced to a specific recipient
  • Information compartmentalization — sharing only the specific technical details needed for each phase of integration, rather than providing comprehensive platform documentation upfront
  • Logging and auditing third-party access to development and integration environments
  • Exit procedures that include confirmation of deletion or return of all confidential materials upon contract termination

The combination of strong contractual protections and documented operational security measures creates the factual record a SaaS company needs to succeed on a trade secret misappropriation claim. Without both, even a clear case of copying may fail if the court finds that the plaintiff did not take reasonable steps to maintain secrecy. Contact the SaaS and trade secret attorneys at Revision Legal through the form on this page or call (855) 473-8474.
