Bodle Law

SaaS Agreements – Data Protection – Data Stored in the USA

admin — Wed, 01 Feb 2012 09:50:23 +0000

SaaS suppliers who use data centres physically located in the USA to store or process data should be aware of a recent US Court of Appeals ruling that the Electronic Communications Privacy Act (ECPA) – an American law – protects the data of non-USA citizens when their data is stored on servers in the USA.

Suzlon Energy Ltd

A Korean firm, Suzlon Energy Ltd, applied for a court order for Microsoft to disclose email documents belonging to an Indian citizen which were stored on a server used by Microsoft which was located in the USA. Suzlon argued that the emails should be disclosed as part of a litigation process because the privacy protections of the ECPA only applied to the data of US citizens.

The US court determined that the ECPA covered “any person” and not just a US citizen. Part of the reason for this was the impracticality of expecting Microsoft to assess whether or not its account holders were US citizens, when receiving a disclosure request. The court decided that the ECPA applied to any data stored in the USA, regardless of the citizenship of the owner of the data.

Increased Protection for EU Customer Data?

Following this decision any SaaS customer data stored in the USA will be protected by the provisions of the ECPA, regardless of the citizenship of the data owner and must not be disclosed as part of a US litigation process. This decision may help to alleviate some of the concerns being raised by SaaS customers in Europe about the inadequacy of data protection provisions in the USA. However, if the server on which the SaaS customer’s data is stored is physically located outside of the USA the data will not be protected by the ECPA.

On a practical level, SaaS suppliers will need to know exactly where each customer’s data is geographically stored in order to correctly respond to disclosure requests and to determine whether or not such a request can be rejected under the provisions of the ECPA.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Reseller/Distribution – Terms to Include

admin — Fri, 20 Jan 2012 09:00:32 +0000

When using a local partner to resell your SaaS software to customers outside of the countries in which you are based, you will need to have a distributor/reseller agreement in place between yourself and each distributor/reseller. This will in part mirror your standard SaaS terms and conditions but will also need to include additional clauses to cover the issues set out below.

Applicable Law and Language

Usually your reseller will be located in another country. The reseller will be selling your SaaS software to its customers using its own local terms and conditions. These will probably be subject to local law i.e. German law if the reseller is in Germany and in the local language, German. However, there is no reason why your reseller agreement should be in German and subject to German law, as you the supplier have no relationship with the customers. You should resist any attempt by the reseller to use its local law and language.

As a compromise, it is worth allowing the reseller to have the reseller agreement translated into their local language “for convenience”, in parallel to the English version. However if you have two language versions ensure that the English version of the agreement prevails if there are any discrepancies between the two different language versions.

Please note that in some countries it is mandatory under local law to have the agreement in the local language.

IPR

It is essential that you control the use of your name, trademarks and intellectual property rights by your resellers. You should set out clearly in the reseller agreement whether or not the reseller is permitted to register local domain names, company names and trademarks on your behalf for your SaaS application and products. You may require this, as in certain countries you need to be a resident national of that country or have a company located in the country to make such registrations.

If you do grant the reseller such rights, it is essential that you regulate what happens to ownership of the trademarks, domains and use of your name if the reseller agreement is terminated or expires.

Territories

You should identify the territories in which the reseller may resell your SaaS application and products. List country names and do not refer to unclear terms such as EMEA, the Middle East or North Africa – there is no agreed definition of which countries these include. You should also decide whether or not your reseller should have exclusive or non-exclusive rights in the territories. If you grant the reseller exclusive rights ensure that you retain the right to make passive sales to customers, or you will be in breach of EU competition law.

EU and Local Competition Law

Depending upon the country in which you are based and the country in which the SaaS distributor is based, you will need to comply with the various anti-competitive laws that will automatically apply to the reseller agreement. Failure to comply with relevant competition laws could make not just an individual clause in the reseller agreement, but the whole agreement invalid. Additionally you could be subject to very large fines based on a substantial percentage of your annual turnover for breaches of competition law.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

Website Legal Requirements – Online Sales – New Consumer Rights

admin — Wed, 04 Jan 2012 10:00:11 +0000

If you supply goods and services to consumers via the Internet you will need to change your terms and conditions of sale to incorporate the new EU Consumer Rights Directive before the end of 2013. The new directive harmonises consumer rights protection across the EU for all BTC (business to customer) online sales of goods and services. The directive must be implemented into UK law before the end of 2013 (probably in a Consumer Bill of Rights) which will result in the following compulsory rules applying to online sales.

Cooling-off Period

Customers will have 14 days (instead of the current 7 days) to cancel an online contract for no reason, free of charge. The 14 days will start on receipt of goods (where goods, or goods and services, are purchased) and on the date of the contract (where services are purchased). There is an exception for digital content – where the sale is deemed to be concluded from the moment that downloading begins, provided that:

you have obtained the customer’s prior express consent; and
the customer has acknowledged that there is no right to cancel.

Suppliers must inform customers of their right to withdraw from the contract within the cooling-off period, otherwise the customer’s right to withdraw will automatically extend to 12 months.

If a contract is cancelled during the cooling-off period, provided that the goods are returned within 14 days of the customer giving notice of cancellation, the supplier must refund:

the price within 14 days of the cancellation date; and
the postage costs for returning the goods, unless the supplier clearly informed the customer prior to the contract being concluded, that these costs would not be refunded.

Pre-Contract Information

The following minimum information must be provided to customers before online sales are concluded.

the name and full address of the supplier;
exactly what is being bought;
the price (including any additional charges or costs, such as taxes and delivery costs);

The above information must be provided in a way which allows the customer to store, access and reproduce the information for as long as may be necessary in connection with the online sale.

Also note that before the online sale is concluded the total price, including all charges should be made clear. The use of ‘pre-ticked boxes’ to conceal hidden charges will no longer be acceptable.

Delivery Date

Goods must be delivered without undue delay and in any case no later than 30 days from the conclusion of the contract.

Surcharges and ‘Hotlines’

Suppliers must not charge customers more for specific payment methods than they pay themselves i.e. fees for using a credit or charge card. In addition customer service telephone numbers must be charged at a basic NOT premium rate.

What to do Next

In preparation for the changes, you should review your current terms and conditions and customer policies now to adapt them to comply with the new rules. Customers are more aware of their online rights and increasingly make complaints. Also, national regulators will also be keen to enforce the new rules and make public examples of non-compliant companies.

Help

Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Need for an Escrow Agreement

admin — Tue, 20 Dec 2011 10:00:12 +0000

As a SaaS supplier you may want to consider offering escrow agreements to your customers, particularly if you run SaaS applications which are critical to your customer’s business.

What is Escrow

Escrow refers to a third party holding a copy of the SaaS software source code on behalf of the customer and the supplier.

What is an Escrow Agent

An escrow agent is a third party who stores a copy of the SaaS software source code. The escrow agent will release a copy of the source code to the customer if any of the events set out in the escrow agreement occur.

Why use Escrow

This is usually a customer driven requirement resulting from the fact that the source code for the SaaS software, the expertise to implement it and rights to the SaaS software are only licensed to, and not owned by, the customer for the term of the SaaS agreement.

Customers are concerned that the supplier may:

fail to maintain the software;
transfer ownership of intellectual property rights in the SaaS software;
become insolvent; or
become unable to carry on supporting and maintaining the software for some other reason.

By having an escrow agreement in place the customer has the right to continue to use the software, if the supplier is in default of its obligations under the SaaS agreement.

Advantages of an Escrow Agreement

Having an escrow agreement in place protects all parties involved in the development, supply and use of business critical SaaS applications. It provides customers with peace of mind for securing long-term availability of a critical SaaS application by enabling customers to update software and fix any bugs even if the supplier is no longer able to support them.

Disadvantages of an Escrow Agreement

Having the right to use the software under an escrow agreement is in reality of little use if the customer does not have the know-how and resources to actually use, maintain and support the source code itself.

Also, the costs of setting up an escrow agreement and maintaining it are relatively expensive. Escrow costs are usually paid for by the customer.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Reseller/Distribution – Need for a Reseller Agreement

admin — Tue, 06 Dec 2011 10:00:30 +0000

If you decide to use a local partner to resell your SaaS software to customers outside of the countries in which you are based, you will need to have a distribution/reseller agreement in place between yourself and each distributor/reseller.

What is a Reseller/Distributor?

A reseller is the same as a distributor. A reseller/distributor purchases the supplier’s SaaS software and services under the terms of a reseller/distribution agreement. The reseller/distributor then resells the SaaS software and services to its own local customers in the territory using its own terms and conditions (and SLA). The SaaS supplier has no legal relationship with the reseller/distributor’s customers. Customers enter into a SaaS agreement with the reseller/distributor directly.

Why use a Reseller/Distributor?

Most SaaS suppliers use distributors to enable them to sell their software and services to customers who would not otherwise purchase the SaaS software, due to the Supplier’s:

lack of physical presence in the customer’s country
lack of sales channels and contacts in the customer’s country
inability to speak the local language
inability to provide customer support in the local language
inability to provide customer support within the customer’s local business hours
terms and conditions not being written in the customer’s language, or subject to local laws and regulations

By using a distributor/reseller the above problems are resolved as the distributor sells the SaaS software directly to customers, in the local language, pursuant to local law, with local support as if the SaaS software was his own software.

Advantages

The main advantage of using a reseller/distributor is that the SaaS supplier will have no liability to customers – as there is no contract or legal relationship between the customer and the SaaS supplier. For example, any implementation issues or software errors that the customer encounters when using the SaaS software will be the distributor’s problem. The distributor will be liable to the customer and will be obliged to resolve such issues directly with the customer.

Disadvantages

The main disadvantage of using a reseller/distributor is that the SaaS supplier has no control over the sales process and in particular of the choice of customers. Also, the terms of the agreement itself will be subject to local anti-competitive laws and regulations.

Is an Agent the same as a Distributor?

Agents are often confused with distributors, but there are clear legal differences. An agent is a person or company who acts on behalf of the SaaS supplier to find leads and/or assist with sales of the supplier’s SaaS software to local customers in the agent’s territory.

The agent has no legal relationship with the customer – the agent has no contract with the customer. The supplier enters into a SaaS agreement, with the customer using the supplier’s terms and conditions and SLA and the supplier is liable to the customers for issues and errors that may arise during use of the software.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Data Protection – Google Analytics in Germany

admin — Tue, 22 Nov 2011 10:00:03 +0000

If your website uses Google analytics and you provide SaaS services to customers based in Germany you are now required to provide specific information to users in order to comply with recent changes to German data protection law.

Google Analytics and German Data Protection

Google analytics collects statistics about website users by „tracking” an individual’s use of a website. This information is then made available to website operators free of charge. Following an agreement between Google and the German data protection authorities it is now the responsibility of the operators of websites to implement certain measures when using Google analytics.

Making your Website Compliant

Under German data protection law website users must be able to stop user profiles being created and prevent their complete IP address from being saved, unless they have specifically consented to this. If you are a SaaS website operator you now need to include the following in your privacy policy:

inform users that you use Google analytics; and

advise users that they can turn off Google analytics tracking in their browser settings

In addition you should use a Google software solution that masks the IP address of the user.

Application to UK Websites

Although this is a German data protection issue, if your website is directed at German customers, or the majority of your customers are located in Germany, it is advisable to make these changes in order to avoid any potential breach of German data protection law.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – SLA – Data Backup

admin — Tue, 08 Nov 2011 10:00:43 +0000

When providing SaaS services you must specify in your SaaS agreement who is responsible for the backup/loss of customer data. The extent of your backup duties should be included in the service level agreement (SLA) and these will be dependent on a number of factors set out below.

Backup Process

You should set out details about the nature of the backups and the data media being used, for example:

will the backup be made to tape or disk or using some other media
how often will the backup media be changed/rotated/updated
how often will backups be made i.e. hourly/daily/monthly
will incremental backups be made

Security

In view of customer concerns over data security it is essential that you provide details of where and how the backup media will be stored, for example:

will this be at a physically separate location
will a provider other than the hosting centre be used
what security is in place at the storage location
who has access to the facility
is emergency power available

Disaster Recovery

This should be considered as an add on extra, to cover the eventuality that the hosting centre (where the SaaS software and data backups are created) becomes unusable. The disaster recovery centre should be physically remote from your hosting centre to avoid a double hit! Other points to consider are:

carefully define what a “disaster” is
set out expected data recovery times
test your disaster recovery procedure at least once a year

Commercial Considerations

The exact nature and extent of any data backup (and related disaster recovery) services that you offer to SaaS customers will depend on:

how much has the customer pays for the SaaS solution, maintenance and support
whether or not service credits are offered for breaches of error fix times
whether the SaaS application is business critical i.e. online banking
what is standard in that particular business area

Exclusions

Ensure that errors or problems caused by something beyond your control are excluded from your obligations i.e. loss of data caused by the customer’s failure to use the specified browser, hardware, virus checking programmes etc.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – SLA – Security Issues

admin — Tue, 25 Oct 2011 09:00:07 +0000

As a SaaS supplier you will have noticed the increasing concerns about security voiced by SaaS customers. Your SaaS agreement should therefore provide comfort to your customer by including security provisions in the service level agreement (SLA). The specific matters you should consider including are set out below.

Access

The persons able to access the hosting centre should be very limited and the individuals should be defined. Access should only be allowed for hardware and software maintenance. A record of all visits should be logged, which can be easily achieved if swipe cards are used. Remember that when using a third party hosting centre, access will be controlled by, and should reflect, the terms of your hosting agreement with the hosting centre.

Physical Security

This should prevent unauthorised access to the hosting centre to prevent damage, loss or theft to hardware and software. Surveillance of the hosting centre is essential and details of whether or not this is 24 x 7, via video camera, watchmen or electronic alarm systems should be included in the SLA. Within the hosting centre itself, racks themselves should be separately secured.

Hosting Environment Security

In order to provide a continuous service to customers, the hosting centre must have:

an uninterrupted power supply;
a dual power source;
air conditioning; and
fire and flood detection systems.

Server Security

In order to protect your servers, you should use:

up to date virus protection;
up to date security patches; and
firewalls.

Data Security

In order to protect customer data you should set out:

how, where and when data will be backed up;
how often data will be backed up;
where backups will be stored; and
when discs/tapes will be rotated.

ISO 27001 Certification

ISO 27001 is an internationally recognised security certification which is often required by SaaS customers who are looking for assurance that adequate levels of data security are in place to protect their data. Having this certification demonstrates to customers your commitment to data security by confirming that you comply with “best practice” security management.

Disaster Recovery

Is this offered at all, consider whether is it included in your standard subscription fee, or if a premium will be charged. Also, remember that your disaster recovery centre should be physically remote from your hosting centre, and with a different provider.

Commercial Considerations

The level of security obligations offered to SaaS customers will depend upon:

how much a customer pays for the SaaS solution, maintenance and support;
whether the SaaS application is business critical i.e. online banking;
what is standard in that particular business area.

Exclusions

Ensure that your SaaS agreement contains appropriate security obligations applicable to your customer, for example using up to date virus programmes. Exclude liability for any security breaches which are caused by something beyond your control or an act, omission or breach of your customer’s security obligations under the SaaS agreement.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

Website Legal Requirements – Cookies – Non-compliance of Public Authority Websites

admin — Tue, 11 Oct 2011 09:30:27 +0000

As a result of changes to the EU Privacy and Electronic Communications Directive it is unlawful to use cookies to collect user data without first obtaining explicit consent. In a recent audit of over 600 public sector websites only 1% complied with the new cookie law.

Website Audit

The Society for Local Authority IT Managers (Socitm), an independent organisation funded through the membership of local government IT workers, recently carried out an audit of UK public sector websites. Using automated search technology it audited over 600 public sector websites and discovered that only 6 complied with the obligation to obtain informed consent to the use of cookies.

Prior to carrying out the audit each organisation was asked to estimate how many cookies they used on their website. Most organisations substantially underestimated the number of cookies they used.

Legal Implications

By May 2012, the UK Information Commissioner’s Office (ICO) expects businesses and organisations to:

provide clear information about the way in which cookies are operating on websites; and
have a method for obtaining consent to the use of cookies.

A failure to comply with the above runs the risk of a fine of up to 500,000 GBP.

In addition the European Commission has set a deadline for European companies to create a uniform way for web users to opt out of being tracked by cookies within a year of the previous deadline. The Commission has said it will take action if industry does not standardise opt outs in that time.

Compliance

The ICO has published guidelines on its website. Nevertheless, in each individual case the specific action required and the information to be given to users will depend upon the precise purpose of the cookie(s). For example using browser settings to obtain consent may be acceptable and the Government is currently working with Adobe, Apple, Google, Microsoft, Mozilla and Yahoo to create such a technological solution. However, it is not clear whether or not this will suffice to meet European data protections requirements.

It is also unclear whether companies based outside of the UK i.e. in the USA have to comply with the new rules, particularly if they have a website aimed at UK users.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Entire Agreement Clauses

admin — Mon, 26 Sep 2011 09:00:31 +0000

In the recent Court of Appeal decision Axa Sun Life Services Plc v Campbell Martin Ltd an entire agreement clause did not exclude liability for pre-contractual misrepresentations although the clause was reasonable under the Unfair Contract Terms Act (UCTA).

What is an Entire Agreement Clause?

An entire agreement clause asserts that the SaaS agreement constitutes the whole agreement between the parties and seeks to prevent the parties from relying on any preceding agreements, negotiations or discussions in any subsequent claims.

Entire agreement clauses form part of the standard provisions of many SaaS agreements, and are frequently used by SaaS suppliers to argue that a customer cannot rely upon pre-contractual misrepresentations. (e.g. verbal promises, product claims, or previous agreements).

Unfair Contract Terms Act (UCTA)

The validity of an entire agreement clause in a SaaS agreement will be determined by a court by applying UCTA. In the AXA case as the agreement was based on AXA’s standard terms of business, UCTA states that a party contracting on its standard terms cannot exclude or restrict liability in respect of its breach unless the clause is reasonable.

Axa Sun Life Services Plc v Campbell Martin Ltd

AXA standard terms contained the following entire agreement clause:

“This Agreement…constitute[s] the entire agreement and understanding between you and us in relation to the subject matter thereof…[and] shall supersede any prior promises, agreements, representations, undertakings or implications where made orally or in writing”

The Court of Appeal held that this entire agreement clause did not exclude AXA’s liability for pre-contractual misrepresentations, even though it was reasonable under UCTA.

Excluding Liability for Pre-Contractual Misrepresentation

It is essential that clear wording is used to exclude liability for misrepresentation. It is not enough to simply state that the agreement “supersedes” any previous representations. The entire agreement clause of your SaaS agreement should state that you have no liability in respect of errors or misleading information that may have been communicated by one party to another and liability for misrepresentation must be specifically excluded.

However, note that under English law liability for fraudulent misrepresentation cannot be excluded or limited.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles: