Archive for October, 2011

SaaS Agreements – SLA – Security Issues

As a SaaS supplier you will have noticed the increasing concerns about security voiced by SaaS customers. Your SaaS agreement should therefore provide comfort to your customer by including security provisions in the service level agreement (SLA). The specific matters you should consider including are set out below.

Access

The persons able to access the hosting centre should be very limited and the individuals should be defined. Access should only be allowed for hardware and software maintenance. A record of all visits should be logged, which can be easily achieved if swipe cards are used. Remember that when using a third party hosting centre, access will be controlled by, and should reflect, the terms of your hosting agreement with the hosting centre.

Physical Security

Physical security measures should prevent unauthorised access to the hosting centre, and with it damage to, loss of or theft of hardware and software. Surveillance of the hosting centre is essential, and details of whether or not this is 24 x 7, and whether it is provided by video camera, watchmen or electronic alarm systems, should be included in the SLA. Within the hosting centre, the racks themselves should be separately secured.

Hosting Environment Security

In order to provide a continuous service to customers, the hosting centre must have:

  • an uninterrupted power supply;
  • a dual power source;
  • air conditioning; and
  • fire and flood detection systems.

Server Security

In order to protect your servers, you should use:

  • up to date virus protection;
  • up to date security patches; and
  • firewalls.

Data Security

In order to protect customer data you should set out:

  • how, where and when data will be backed up;
  • how often data will be backed up;
  • where backups will be stored; and
  • when discs/tapes will be rotated.

ISO 27001 Certification

ISO 27001 is an internationally recognised security certification which is often required by SaaS customers who are looking for assurance that adequate levels of data security are in place to protect their data. Having this certification demonstrates to customers your commitment to data security by confirming that you comply with “best practice” security management.

Disaster Recovery

Consider whether disaster recovery is offered at all and, if so, whether it is included in your standard subscription fee or charged at a premium. Also, remember that your disaster recovery centre should be physically remote from your hosting centre, and with a different provider.

Commercial Considerations

The level of security obligations offered to SaaS customers will depend upon:

  • how much a customer pays for the SaaS solution, maintenance and support;
  • whether the SaaS application is business critical, e.g. online banking; and
  • what is standard in that particular business area.

Exclusions

Ensure that your SaaS agreement contains appropriate security obligations applicable to your customer, for example keeping anti-virus software up to date. Exclude liability for any security breaches which are caused by something beyond your control, or by an act, omission or breach of your customer’s security obligations under the SaaS agreement.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com


______________________________________________________


As a result of changes to the EU Privacy and Electronic Communications Directive it is unlawful to use cookies to collect user data without first obtaining explicit consent. In a recent audit of over 600 public sector websites only 1% complied with the new cookie law.

Website Audit

The Society for Local Authority IT Managers (Socitm), an independent organisation funded through the membership of local government IT workers, recently carried out an audit of UK public sector websites. Using automated search technology it audited over 600 public sector websites and discovered that only 6 complied with the obligation to obtain informed consent to the use of cookies.

Prior to carrying out the audit each organisation was asked to estimate how many cookies they used on their website. Most organisations substantially underestimated the number of cookies they used.

Legal Implications

By May 2012, the UK Information Commissioner’s Office (ICO) expects businesses and organisations to:

  • provide clear information about the way in which cookies are operating on websites; and
  • have a method for obtaining consent to the use of cookies.

A failure to comply with the above runs the risk of a fine of up to 500,000 GBP.

In addition the European Commission has set a deadline for European companies to create a uniform way for web users to opt out of being tracked by cookies within a year of the previous deadline. The Commission has said it will take action if industry does not standardise opt outs in that time.

Compliance

The ICO has published guidelines on its website. Nevertheless, in each individual case the specific action required and the information to be given to users will depend upon the precise purpose of the cookie(s). For example, using browser settings to obtain consent may be acceptable, and the Government is currently working with Adobe, Apple, Google, Microsoft, Mozilla and Yahoo to create such a technological solution. However, it is not clear whether or not this will suffice to meet European data protection requirements.

It is also unclear whether companies based outside the UK, e.g. in the USA, have to comply with the new rules, particularly if they have a website aimed at UK users.

Help

Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years’ experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com
