Worrying About SaaS Agreements and Cross-Border Data Transfers

by John DiGiacomo

Partner

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service in which a software package is centrally hosted and accessed by the SaaS company’s customers. Issues to be aware of include:

  • The monthly subscription price — flat fee or based on the number of users
  • How much access to the software — a limited or unlimited number of users?
  • Methods of access — desktop vs. apps vs. dedicated machines, etc.
  • Availability — limited or 24/7/365?
  • Maintenance — how often are the updates, and when are they scheduled?
  • Support — do you get live persons to help; will they be available on the phone and in person?

As important as the foregoing issues are, one often overlooked aspect of SaaS contracts is the collection of personal data and the potential that the data will be sent across national borders. This might happen based on where the SaaS programming is hosted and where data is “parked” for various processing purposes. Cross-border data transfers of personal information are now a highly regulated legal issue, particularly under the rules and regulations of the European Union (“EU”). The EU is a vast geographical space, and numerous firms host software and offer data storage services. Thus, data transfer restrictions are potentially implicated with any use of European firms. If you or your business is thinking of entering into an SaaS subscription agreement, data collection, storage, and transfers should be a major focus of negotiations and contractual provisions.

If you need legal assistance, the Internet Lawyers here at Revision Legal can help. Our lawyers have years of experience with internet laws, data protection statutes, and SaaS agreements. Here are some thoughts on possible steps to take to avoid running afoul of cross-border data transfer regulations, both with respect to employees and third-party personal data.

Is personal data collected?

The first step is to ask whether personal data will be collected as part of the SaaS offering. If the answer is “no,” then somewhere in the negotiated SaaS agreement, the provider should “rep and warrant” that no personal data is collected.

However, in many cases, the answer is “yes” — if only because employee data may be collected. There is often a great deal of personal information collected as part of setting up usernames, passwords, and the like. This is routinely done by SaaS providers.

On the other hand, there are alternatives in which an SaaS provider agrees to a different set of procedures to identify the relevant employees allowed to have access. As an example, the business using the SaaS could provide unique and anonymous identifiers for its employees that are then used to create usernames and passwords. That is, the SaaS provider is not provided with the personal data of the individual employees.

Is third-party consumer data collected for processing or other purposes?

A more difficult problem exists where the SaaS relates, in some manner, to the data that is being processed, collected, or stored by the SaaS programming. Here, the solution is a set of contractual provisions under which the SaaS provider is responsible for compliance with the cross-border data transfer regulations. For example, there should be “reps and warranties” that the SaaS provider is in compliance with the data transfer regulations and that the SaaS provider will indemnify the customer from any damages related to alleged non-compliance.

Contact the SaaS Attorneys at Revision Legal

For more information, contact the experienced SaaS Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
