The legal specifics and challenges involved in drafting SaaS contracts are as diverse as the areas of application of SaaS and other cloud services.
Are you looking for support? Feel free to contact our team of experts.
We have summarized a brief overview of the most frequently asked questions from our clients in practice on the subject of drafting SaaS/cloud contracts as well as some basic knowledge in our FAQ.
There is a wide range of SaaS solutions on the market. As varied as the selection and the respective range of functions of SaaS solutions are, so too are the aspects that need to be taken into account when drafting the contract. In order to be legally protected as comprehensively as possible as a provider of a SaaS solution, the SaaS contract should reflect the specifics of the respective SaaS solution and the planned business model. In a worst-case scenario, the unchecked adoption of standard formulations can leave potential liability risks unconsidered. It is therefore recommended to seek professional advice when drafting a standard customer contract.
We offer our clients the practical advice they need when drafting SaaS contracts. Thanks to our legal tech solution for SaaS contract drafting, we can quickly and purposefully create customized SaaS contracts for use with clients - at predictable costs with maximum efficiency and quality.
What is SaaS?
Software as a Service ("SaaS") and other cloud services are becoming increasingly popular with companies and public bodies. Applications such as HR and recruiting software and customer relationship management are offered as SaaS. Other cloud services include the provision of storage, server or other IT resources as Infrastructure as a Service ("IaaS") or cloud-based environments in which in-house applications are developed and provided as Platform as a Service ("PaaS").
Which provisions in the contract should I pay particular attention to in general?
What is a Service Level Agreement ("SLA") and why is the SLA so important?
The SLA contains information on minimum quality standards ("service level") that must be met by the respective SaaS or other cloud services.
The uninterrupted availability of the SaaS or other cloud services promised in the SLA is particularly relevant. This refers to the extent to which it is guaranteed that the corresponding services can be accessed and used as agreed.
As part of an SLA, particular attention should therefore be paid to the following:
It makes a considerable difference whether the availability is 98% monthly or 98% annually, for example. At 98% per year, the maximum permissible downtime is approx. 7 days and 7 hours in a row per year. With 98% per month, on the other hand, it is approx. 14 hours at a time per month.
Many SLAs list a large number of cases that do not count as a failure of the SaaS or other cloud services. These exceptional cases are not taken into account when checking whether the promised availability has been met.
Classic exceptions are:
The more exceptions there are to the SLA, the more this affects the promised performance parameters, such as availability.
Umso mehr Ausnahmen vom SLA vorgesehen sind, desto mehr wirkt sich dies auf die versprochenen Leistungsparameter wie bspw. die Verfügbarkeit aus.
In addition, some SLAs shorten the statutory rights of the user organization under German law in the event of a breach of the SLA (e.g. claims for damages, defect rights). This can be accompanied by extensive exclusions of liability. If these are effective, this is good for the service provider and bad for the customer.
In addition, some SLAs shorten the statutory rights of the user organization under German law in the event of a breach of the SLA (e.g. claims for damages, defect rights). This can be accompanied by extensive exclusions of liability. If these are effective, this is good for the service provider and bad for the customer.
What do I need to look out for in the license terms?
The license terms regulate the scope of content, time and space in which the organization can use the SaaS and other cloud services.
For example, it makes a considerable difference whether only certain named persons (so-called "named users") or a certain number of random persons (so-called "concurrent users") may use the SaaS or cloud services at the same time.
In addition, the authorized intensity of use and, where applicable, the specific technical integration of the SaaS and other cloud services into the existing IT systems are particularly relevant.
What should be considered when setting prices?
Remuneration models for SaaS and cloud services can take a variety of forms.
Possible remuneration models could be, for example:
When setting prices, particular attention should be paid to the following aspects:
Price adjustment clauses
SaaS/cloud contracts often have a long contract term. Price adjustment clauses are common in longer business relationships. However, regulations on price adjustments are generally only possible within narrow limits under German law.
As an alternative to price adjustments, other measures, like fixed graduate prices can be agreed in favour of calculation security.
Maturity of the remuneration
In the context of comprehensive IT projects, the due date for payment often falls on the date of acceptance of the SaaS or other cloud services. Particularly in the case of longer-term projects, payments can be agreed for the achievement of certain milestones in order to set the payments in an appropriate relationship to the performance results.
To what extent may the provider limit their liability?
Many limitations of liability in contracts - even those of prominent providers - are ineffective when applying the standard of the German legal system.
Pre-formulated contract terms are often subject to German law on general terms and conditions (§§ 305 ff. BGB), provided that German law applies. In this case, the contract is subject to GTC control. Many liability clauses do not stand up to a GTC review and are invalid. Liability for intent, for example, cannot be excluded under German law. However, if another legal system is applicable to the contract, comprehensive limitations of liability may be effective.
If the provisions on liability in the GTC are ineffective and there is no negotiation, the statutory provisions, which are generally more favorable for customers, apply.
Why is comprehensive exit management essential?
When the contract ends, the provider's obligation to continue to make the SaaS or cloud services available for use also ends. However, in some cases (e.g. for SaaS/cloud products that are particularly business-critical for the user), it may be necessary to continue to provide support services after the end of the contract, at least on a transitional basis. It may therefore make sense to contractually regulate exit management from the outset.
Why is the choice of law important for SaaS/cloud contracts?
Especially with SaaS and other cloud services, services are often provided across borders. Due to the possible multitude of legal systems that can be affected in this way, the applicable law should be determined in the contract. In principle, the parties to a contract are free to choose the applicable law. The following example shows why the choice of law is so important.
Clauses that would be invalid under German GTC law are permissible under US law, as they are not subject to GTC control. In the USA, a different liability regime applies than in the German legal system with, for example, much more extensive options for limiting liability.
Who owns the data for SaaS/cloud services?
As a rule, the data also belongs to the organization when using a cloud-based service. Details or deviating regulations can be agreed in the contract.
How can data protection and data security be contractually secured?
With SaaS and cloud services, the organization's data is usually stored and processed on the provider's servers in the cloud. As the data must be protected against unauthorized access by third parties, the right contract design is crucial for ensuring data protection and data security in the cloud. Depending on the purpose of the SaaS or cloud services, the sensitivity of the data and the environment, different security requirements must be met.
If personal data (e.g. customer or employee data) is processed in the cloud, various legal requirements, in particular those of the General Data Protection Regulation ("GDPR"), must be complied with.
What should be considered in particular with regard to data protection aspects?
Data protection should not be treated lightly in the context of cloud/SaaS services. The following aspects in particular should be checked: