Archive for July, 2010

Using a sub-contractor to process your SaaS customer data is a problem under data protection law where the sub-processor is based outside of the European Economic Area (EEA). Incorporating EU model clauses into your SaaS agreement is NOT the solution to this common problem.

EU Model Clauses

Under data protection law, personal data may only be transferred to countries outside of the EEA where there is adequate protection. To deal with the problem of transfers of personal data from a customer (data controller) in the EEA, e.g. in the UK, to a SaaS supplier (data processor) outside of the EEA, e.g. a SaaS supplier in Asia, the EU drafted model clauses. When such model clauses are included in a SaaS agreement, the requirement to provide adequate protection for the data being transferred will be met.

New EU Model Clauses

In July 2010 the EU model clauses were amended to cover the position where personal data is transferred from a data controller in the EEA (customer) to a data processor outside of the EEA (supplier) and then onward to a sub-processor also located outside of the EEA.

This is a common scenario in a SaaS agreement where a customer based in the UK is accessing SaaS software provided by a supplier outside of the EEA and the supplier is using a hosting centre or outsourced IT development centre located in India or Asia to process the customer data.

Sub-Processor located outside of the EEA

Despite the above changes to the EU model clauses, where a data processor (supplier) based inside the EEA instructs a sub-processor based outside of the EEA to process a customer’s data, the transfer of data is not covered by the new or old model clauses. This is a common scenario in SaaS agreements where the customer and supplier are both based in the EEA but the SaaS supplier uses a data centre or IT personnel outside the EEA, e.g. in Asia, to process the customer data.

The transfer of customer data to the sub-processor will not comply with data protection law merely because the new or old model clauses have been used, so an alternative solution will need to be found. This will usually take the form of an additional data protection agreement between the relevant parties.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter, click here

______________________________________________________

Other related articles:

SaaS, ASP Agreement – SLA – Maintenance and Support Requirements

The maintenance and support section of a SaaS agreement should contain the following essential elements.

Duty to Acknowledge, Respond and Fix Errors

Clearly identify these three actions in the SLA and state when your duty to act starts. Does the time for you to acknowledge, respond to or fix a problem start to run upon receipt of a customer message, from your acknowledgement of the error, or from some other trigger event?

Support and Maintenance Times

Clearly define times for all of your actions. Business hours and days need to be carefully defined in the SaaS agreement. If you have customers outside of the UK, or maintenance and support staff located across the globe, make sure that your business hours and business days are reflected in the SLA.

Supporting Global Customers

In a SaaS agreement which includes non-English speaking customer users, is support only offered in English? Does the service level agreement permit the customer to notify problems in any language other than English?

Response and Fix Times

These should depend upon the nature and severity of the problem. The differing severity levels for problems reported by the customer should be defined in the SLA by the supplier, not the customer. When deciding upon severity levels, response times and fix times, it is vital that the SaaS agreement differentiates between errors (problems that can be reproduced) and bugs.

Exclusions

Finally, do not forget to exclude errors or problems which have been caused by something beyond your control, e.g. the customer’s inability to connect to the Internet. Also exclude in the SaaS agreement errors or problems which are caused by the customer, e.g. the customer’s failure to use the specified browser, hardware etc.


______________________________________________________

Other related articles:

SaaS – Data Protection and Safe Harbor issues with German Customers

If you have German SaaS customers, do not be surprised if in future they refuse to have their data hosted in the USA, or start asking for onerous new provisions to be added to their existing SaaS agreements.

Safe Harbor is no longer adequate on its own

Due to a recent resolution issued by the German data protection authorities, additional due diligence is now required if German customer data is being exported to a US data centre.

Assessment of Safe Harbor Compliance

Prior to any data being exported, German customers may ask you to verify that the US data centre complies with the following minimum Safe Harbor requirements:

  • confirmation that the Safe Harbor registration was made less than 7 years ago (if it is older, the certification will be invalid),
  • evidence that the US data centre complies with its Safe Harbor obligation to provide notice of the data processing to the relevant individuals,
  • documentation of the above assessment, and copies of such documentation.

Extra Contractual Requirements

As this is a recent new requirement (only applicable to transfers from Germany to the US), it remains to be seen how German customers will try to pass these obligations on to their SaaS providers.

Customers may ask for the EU standard contractual clauses to be used in the SaaS agreement or for you to provide binding corporate rules to ensure that there is adequate protection in place.

It is likely that customers will want to carry out some form of due diligence and, if you carry this out on their behalf, they will want you to inform them of any breaches discovered during the assessment. As an extra safeguard, customers may require additional warranties and liabilities in the SaaS agreement to cover breaches of the above.
