Archive for May, 2010

Cloud based Software, Cloud based Technologies, Cloud based Services

What is Cloud based Software

Applications that live in the cloud are also known as SaaS (Software as a Service), on demand, hosted or online applications. Such cloud based services are proving to be useful tools for businesses looking to save money and ease the burden on IT. An increasing number of organisations are entering into SaaS agreements for their customer relationship, email, financial, recruitment and talent management.

Advantages of Cloud Based Software

In contrast to the traditional, installed software model, SaaS solutions can reduce the administrative burden on IT personnel and the strain on physical resources caused by supporting and maintaining traditional software. Upfront capital expenditure can also be reduced, as SaaS software is rented on a monthly basis, rather than being purchased outright for a large upfront fee.

The appeal of cloud based software is clear. Businesses are no longer responsible for purchasing, configuring, loading, and maintaining applications onto their own hardware. In very simple terms all that is needed is an Internet connection.

Avoiding Problems

However, due to the unique nature of SaaS applications, it is important to obtain specialist legal advice on the terms of the SaaS agreement to ensure that it covers the requirements of your organisation. For example: is disaster recovery included? What are the provisions for return of customer data? Have you seen a copy of the SLA (service level agreement)? Are the data protection and security provisions adequate? Will the source code be held in escrow by a third party?

If things go wrong, your data is lost and your customers start to move to your competitors, making a claim for breach of contract will not repair the damage already sustained to your finances and business reputation. These issues should be dealt with upfront, as part of the commercial negotiation process, with the assistance of an experienced specialist SaaS lawyer, so that your interests are adequately covered and the risk of the above scenario occurring is minimised.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Cloud Computing and the Legal Cloud

Everyone is talking about “cloud computing” but what is it?

What is Cloud Computing

Cloud computing is a new and rapidly expanding delivery model, often used to supply IT services to customers via the Internet. Cloud computing involves the sharing of resources, software and information on the Internet for users to use on their computers and other devices, on-demand.

Other Related Terms

Where software is supplied using the cloud you will hear people refer to SaaS, software as a service, ASP services and software on demand to describe the provision of the services.

Why refer to a “cloud”

The term “cloud” is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network, and later to depict the Internet. Typical cloud computing providers deliver business software applications online which are accessed from another web service or software, i.e. a web browser, while the software and customer data are stored on servers hosted by the service provider.

The Legal Cloud

Most cloud computing infrastructures consist of services delivered through hosting centres. The services provided to users are usually set out in a service level agreement (SLA) and the software licence for use of the services and software will be set out in a SaaS agreement.

Help

For assistance with cloud computing matters, SaaS, ASP, software on demand contracts or any other IT legal issues contact:

irene.bodle@bodlelaw.com
www.bodlelaw.com

______________________________________________________

Trademark – Portfolio Management

What issues need to be considered in choosing and managing a company’s trademarks?

Registration

  • Focus on the company name or products.
  • Marketing should decide which trademarks to register.
  • Consider registering product names in local markets.
  • If companies are acquired, consider registering trademarks for new products or company names if no trademarks are already registered.
  • Carry out a trademark search before trying to register new trademarks, to see if they are available and what other similar marks are already registered.

Ownership

  • All trademarks should be registered and owned centrally by one company (holding company if possible).
  • Where it is not possible to register ownership with the holding company, discuss with marketing which subsidiary should be owner.
  • If companies are acquired which already have registered trademarks, ownership should be transferred to the parent in the long term (check the share purchase agreement for restrictions).
  • All changes in company names, address etc of the owning company must be forwarded to the local trademark register.

Registration Process

  • Obtain a costs estimate for any proposed registrations. (Roughly speaking, each trademark costs 5,000 Euros to register and maintain over a 10-year period.)
  • For international or expensive multiple registrations also obtain prior authority from marketing.
  • Decide which classes the trademarks need to be registered in. Note in some jurisdictions classes may differ as not all countries follow the Nice Classifications.
  • Decide which countries the marks should be registered in. Don’t forget the EU.
  • Consider extending an EU mark or local mark once registered to an international trademark.
  • Consider whether any non-treaty countries need to be applied for in addition.
  • Consider whether logos or Chinese character registrations are required in addition.
  • Local trademark lawyers usually have to register trademarks due to local restrictions on who can communicate with the trade mark and patent office.
  • Keep all registrations and applications in a table to have an overview of the portfolio.
  • Update this table with all changes as the process moves forward to registration.

Watch Notices

  • Use a professional trademark watch service to monitor registrations of marks similar to your trademarks worldwide.
  • Watch “word” trademarks for all of your registered trademarks in the classes in which they are registered.
  • If new trademarks or classes are added to your portfolio the watch services should be changed to cover new classes and trademarks.
  • Watch “picture” trademarks for any logos that you have registered.
  • Watch notices usually arrive on a daily basis.
  • All notices must be checked promptly as deadlines for opposing the registration of trademarks are very short. If missed, no appeal can be made out of time.
  • Enter deadlines contained in watch notices into a critical dates reminder book.

Trademark Disputes

  • Obtain authorisation from relevant persons before initiating any dispute procedure.
  • All disputed trademark issues should be entered into your trade mark table.
  • All deadlines for taking actions in dispute matters should be entered into a critical dates reminder book.
  • Local trademark lawyers usually have to be used to dispute trademarks due to local restrictions on who can pursue an action with the trademark and patent office.

Renewals

  • Trademark protection in all jurisdictions is for 10 years usually from either the date of filing or the date of registration of the application.
  • Renewals are not automatic and if a trademark lapses someone else can obtain the trademark.
  • Check the critical dates reminder book monthly for all pending renewals.

Original Certificates

  • When a trademark is registered you will be sent the original certificate. This proves ownership of the trademark.
  • Check that the details on the certificate are correct i.e. trademark, class, address, owner etc.
  • Update your trademarks table with all renewal dates, registration number and other details.
  • Enter all deadlines, in particular, renewal dates in the critical dates reminder book, with reminders.
  • Inform marketing that the mark has been registered – as it must be used in order to protect it from lapsing for non-use!

Brand Awareness

  • Obtain regular information from local marketing departments on our use of trademarks.
  • Centralise storage of this information as this will help if you need to provide information quickly to oppose registration of a trademark.

Help

For assistance with trademarks or any other IT legal issues contact:

irene.bodle@bodlelaw.com
www.bodlelaw.com

______________________________________________________

Domain Name – Portfolio Management

What issues need to be considered in choosing and managing a company’s domain names?

Which Name to Register

  • Focus on the company name worldwide.
  • Marketing should decide on which domain names to register, bearing in mind which trade marks the company has registered.
  • If companies are acquired, consider registering domain names if none are already registered.
  • Carry out a domain name search at www.nic.com before trying to register new domain names.

Ownership

  • All domain names should be registered and owned centrally by one company (a holding company).
  • Where it is not possible to register ownership with the holding company (owner needs to be a locally registered company etc) consider which subsidiary should be the owner.
  • If companies are acquired which have already registered domain names – consolidate ownership to the holding company of the acquired company – if there is one. In the long term, after earn outs or tax implications have been investigated, ownership should be transferred to the ultimate holding company, if possible (check the share purchase agreement for restrictions).
  • No domain names should be owned by individuals. (exception in a few countries where the owner has to be an individual. e.g. Italy)
  • All changes in company names, address etc of the owning company must be forwarded to the domain registry so that they can update their records. It is an offence to have incorrect details at most registries.

Registration

  • Use an external DNS provider to register all domain names, if you have multiple domains.
  • Obtain a costs estimate before registrations are made, if there are multiple registrations.
  • Add all domain names that are to be registered into a domain name portfolio table.
  • Update these tables whenever the registration process has a change in status or any domain name actions are in progress.

External DNS Provider

  • Restrict the number of employees entitled to instruct the DNS provider – they will charge for everything they do.

Domain Name Disputes

  • All disputed matters should be entered into the domain name portfolio table.
  • As the dispute progresses the table should be updated.
  • All deadlines for taking actions in dispute matters should be entered into a critical dates book.
  • Local trade mark lawyers usually have to be used to deal with domain disputes due to local restrictions on who can pursue an action with the domain registry and such disputes are often in the local language and local courts.
  • Obtain authorisation from relevant persons before initiating any dispute procedure.

Renewals

  • A domain name registration is usually valid in most jurisdictions for 1 – 2 years.
  • Renewals are not automatic and if a domain name lapses someone else can register the domain name.
  • External DNS providers can monitor and renew all domains that they administer and have on their servers. Any names not on their servers must be monitored by you and the deadlines for renewals must be entered into your critical dates book.

Invoices

  • All invoices can be dealt with by the external DNS provider.

Help

For assistance with domain names or any other IT legal issues contact:

irene.bodle@bodlelaw.com
www.bodlelaw.com

______________________________________________________

SaaS, ASP Agreements – Transfer of Personal Data outside of the EEA

There are no restrictions on transferring personal data within the EEA. However, due to the global nature of SaaS or ASP agreements, personal data often needs to be transferred outside of the EEA, for example to an IT outsourcing provider in India, a subsidiary of your company in China or a data centre or software development centre in Vietnam.

Restrictions on Export of Data Outside of the EEA

Under the 8th principle of the Data Protection Act 1998, before any personal data may be exported to any country outside of the EEA, you must ensure that there are adequate levels of protection in place. The European Economic Area consists of the 27 EU member states plus Norway, Iceland and Liechtenstein. There are four ways in which adequate levels of protection can be achieved:

  • consent
  • equivalent protection / safe harbor
  • use of the EU model contract clauses
  • binding corporate rules

Consent

The easiest method of compliance is to obtain specific consent from the data subject before the transfer takes place. If the data subject consents to the transfer, you will comply with the Data Protection Act. Consent is usually obtained by having a data subject agree to the transfer of its personal data outside of the EEA and full details about the transfer itself should be set out in your privacy policy.

Equivalent Protection and Safe Harbor

Alternatively, the transfer is permitted if the non-EEA country to which the personal data is being transferred has equivalent data protection legislation. Currently only Switzerland, Canada and Argentina are recognised as having adequate protection. Certain companies in the USA are also recognised under the safe harbor process, provided that the company to which the personal data is being transferred has an up to date safe harbor registration.

EU Model Clauses

The European Commission has issued its own model clauses to cover transfers of personal data outside of the EEA. If these model clauses are used in the SaaS agreement with the data subject and the agreement with the third party IT outsourcer, data centre or software developer to whom the data is being transferred, there will be adequate protection. However, these clauses are not ideal, because the different legal responsibilities of the data processor and the data controller still remain unclear in the situation where there is a sub-processor.

Also, from the 15th of May, the new model clauses should be used – which replace the previous version.

Binding Corporate Rules

These are designed to cover transfers of personal data within multi-national companies where they have subsidiaries based in many countries. These rules only permit the inter-company transfer of personal data and do not cover transfers to third parties such as IT outsourcing providers or data centres. To date very few companies have adopted binding corporate rules due to the expense and time it takes for the rules to be recognised within the EU.

Help

For assistance with transfers of personal data within or outside the EEA, SaaS, ASP, software on demand contracts or any other IT legal issues contact:

irene.bodle@bodlelaw.com
www.bodlelaw.com

______________________________________________________

How to Register an EU Trademark

Where do I Apply?

In order to register a community trademark an application must be made to OHIM in Spain. The application can be made in English or any other EU language and OHIM will translate the application into a second EU language of your choice. One registration will cover the registration of the trademark in all 27 EU member states.

Costs

Currently, the cost of registering a trade mark in three classes is 900 Euros (if applying online) or 1,050 Euros if the application is made on paper. If you want to register a trademark in more than 3 classes, each additional class will cost an extra 150 Euros.

Trademark Search

Before applying for a trademark you must carry out a search to see if anyone has already registered the trademark, or applied to register the trademark. You also need to consider whether or not the trademark is capable of registration. For example it cannot be generic i.e. “business” or “dog” and there are certain words that you cannot use. A trademark can be registered as a word mark, or a picture mark i.e. with a logo. Trademarks can also be registered with, or without, colours.

The Application Process

You need to file an application with a description for each of the classes that you have chosen. There are more than 40 classes which cover the various goods or services which can be registered. Once OHIM receives the completed application and fee, it will examine the application. This involves amending the description or moving the description of the goods and services to different classes or rejecting the application in part or in whole.

Opposition and Registration

The trademark is then published to permit persons or entities to register their opposition to the registration of the trademark. Anyone who wishes to oppose registration of the trademark has 3 months to register such opposition. In the meantime, you will be sent a search report for similar trademarks by OHIM. If no-one opposes the trademark, protection is granted for 10 years. If any oppositions are raised these must be successfully disputed in order for the trademark to be registered.

Help

For assistance with registering an EU trademark or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

______________________________________________________

SaaS, ASP Agreements – HCM, ATS & Erecruitment

Human resources (HR) departments are increasingly turning to SaaS or ASP agreements for their recruitment and talent management needs. Many suppliers are now providing SaaS solutions (often referred to as software as a service or on demand services) specifically designed to assist employers with their HCM (human capital management), ATS (applicant tracking systems) and e-recruitment requirements. Here are some of the legal issues which HR professionals and suppliers need to consider when negotiating a SaaS agreement.

Third Party Access to the Software

Although the customer enters into the SaaS agreement with the supplier, quite often HCM functions will be outsourced to recruitment agencies or IT outsourcing providers. It is therefore essential that the software licence permits such third parties to access the software and services, on behalf of the customer. The supplier should specifically name such third parties in the SaaS agreement and only grant them a limited licence to access the software on behalf of the customer for the purposes of the SaaS agreement.

Liability

Third parties who are granted access to the software and services will not be bound by the terms of the SaaS agreement to the supplier, or the customer, as they are not a contractual party to the SaaS agreement.

The supplier should protect itself by requiring the customer to warrant that the customer will be liable for any acts or omissions or breaches of the SaaS agreement caused by such third parties, as if these had been caused by the customer itself.

The customer should protect itself by having a “back to back” agreement with the recruitment agency/IT outsourcing provider which mirrors the terms of the SaaS agreement and makes the third party liable to the customer for any breaches, acts or omissions.

Candidate Data & Employee Data

Names, email addresses, dates of birth, and national insurance numbers of candidates and employees will be stored and processed by the supplier on behalf of the customer. Such information is personal data under the Data Protection Act 1998. The customer must obtain consent from all employees and candidates before it processes their personal data. Consent can be obtained from candidates when they register in the customer’s database by having the candidate actively agree to the customer’s privacy policy. For employees, such consent can be obtained by employees agreeing to a data and security policy or by including suitable provisions in the employee’s employment contract.

The customer must provide information to candidates and employees about any third parties to whom their data will be passed. This should include the supplier, the supplier’s third parties (i.e. the hosting centre, remote backup provider and disaster recovery provider), the customer’s subsidiaries, recruitment agencies and IT outsourcing providers.

Data Protection – Warranties

Under UK data protection law the supplier will be the data processor and the customer will be the data controller. The supplier is obliged to process data in accordance with the customer’s instructions and should protect itself against claims from third parties that such processing was illegal. Likewise, the customer will also need to protect itself against claims from third parties caused by the supplier or its other third parties not processing data in accordance with its instructions or the SaaS agreement.

Help

For assistance with SaaS, ASP, software on demand contracts, SLAs or any other IT legal issues contact me at:

irene.bodle@bodlelaw.com
www.bodlelaw.com

______________________________________________________

SaaS, ASP Agreements – FAQs – Disaster Recovery

Do I need disaster recovery provisions in a SaaS agreement?

Disaster Recovery

Disaster recovery sets out the processes and procedures to be followed in the event of SaaS software, or customer data, no longer being accessible due to a problem with the technology infrastructure at the supplier’s data centre.

For example if there is a power cut, flood or fire at the data centre, the server on which the software is running will no longer function and the customer will no longer have full access to the software and its data. If the customer is using the software for a live website, the website will cease to function correctly, or possibly at all.

Supplier Obligations

The disaster recovery provisions of a SaaS agreement should be set out in the SLA and should, as a minimum, include the following supplier obligations in the event of a disaster:

  • customers must be notified of the disaster;
  • any third parties used for disaster recovery should be identified;
  • the estimated time for restoring the servers and access to the software and services should be specified; and
  • details should be given about the supplier’s testing procedures i.e. how often its disaster recovery processes are tested.

Costs

The extent and speed of the disaster recovery offered by the supplier will depend upon the fee charged for this service. Suppliers often include the costs of basic disaster recovery in their licence fees. In addition, or as an alternative, they may offer higher levels of disaster recovery for additional fees. The faster and more individual the disaster recovery process is, the higher the fees.

If the supplier does not provide any disaster recovery services, or the customer is not satisfied with the disaster recovery offered, it should consider setting up its own disaster recovery procedure with a third party, particularly if a disaster would be business critical i.e. for a customer providing online banking services.

Avoiding Disasters

The most common disaster recovery risks are power failure, physical damage to the data centre or data and insolvency.

Power Failure

To minimise the risk of a power failure causing the servers to fail, ensure that the data centre has an uninterruptible power supply (UPS) and power regulators to prevent fluctuations or interruptions in the power supply.

Backups

If the SaaS agreement includes backup of customer data, the regularity of backups, the media used and the storage arrangements should be set out in the SLA. Backups should not be stored at the same physical location as the servers on which the data is being processed.

Encryption

The media on which customer data is backed up should be encrypted, particularly if backups are to be physically sent to the customer, or moved to another data centre in the event of a disaster.

Access to Data

In the event that the data centre or a third party making backups of customer data becomes insolvent, the customer usually has no right to access its data and backups. Provisions should be included in the SLA to give the customer the right to access its data and backups in such circumstances.

Help

For assistance with any disaster recovery issues, SLA, SaaS, ASP, software on demand contracts or any other IT legal issues contact me at:

irene.bodle@bodlelaw.com
www.bodlelaw.com

______________________________________________________

SaaS, ASP Agreements – FAQs – Confidential Information

What confidentiality provisions need to be included in a SaaS agreement?

Define Confidential Information

Parties will obtain and have access to the business critical information of each other as a result of entering into a SaaS agreement. For example, they may have access to customer lists, banking information, IPR, source code and object code or business secrets and processes. Confidential information should be defined in the SaaS agreement to make clear what is, and what is not, confidential. Do not simply refer to documents which are “marked as confidential” or “which should be treated as confidential”. Not all confidential information exists in a physical format, particularly in a SaaS scenario – so do not restrict your definition to just documents.

Restrictions on Disclosure

Confidential information should not be passed on to third parties or used by either party for any purpose other than performing their duties under the SaaS agreement. However, under certain circumstances parties may be legally required to disclose confidential information to a third party and such disclosure must be permitted. Additionally, employees and agents of the parties (accountants, sub-contractors) may need access to the confidential information for the purposes of the SaaS agreement. Such disclosure should be permitted, but must be restricted to named or defined groups of sub-contractors i.e. the supplier’s hosting provider or the customer’s named IT outsourcing providers. Disclosure to competitors of either party should be specifically prohibited. If any third parties are to have access to a party’s confidential information they must be bound by the same confidentiality duties as the party disclosing the information to them.

Return or Destruction of Data

Once the SaaS agreement is terminated, or expires, all confidential information of each party should be returned or destroyed. Confirmation of destruction of data should be required in writing. This is particularly important in relation to any personal data, as under the Data Protection Act 1998 no personal data should be kept longer than necessary. The length for which such personal data may be stored will depend upon the type of data and the purposes for which it was collected and stored.

Freedom of Information Request – FOI

If the customer is a public authority or another body subject to FOIs, both the supplier and the customer will need to comply with any requests for releases of information within strict time limits. Provisions should be added to the SaaS agreement to give the supplier control over what is, and what is not, released to prevent third parties having access to its confidential information pursuant to such requests.

Subject Access Request – SAR

Similar provisions are contained in the Data Protection Act 1998 which allow data subjects to request a copy of the personal data held on them which the supplier is processing on behalf of the customer. The request is made to the customer, who will need to ensure that there are provisions in the SaaS agreement obliging the supplier to release appropriate data.

Audit Rights

Sometimes customers will have a regulatory duty (i.e. under the FSA) to check the supplier’s security structures and data storage systems. Any third parties used by the customer during the audit should be bound by the confidentiality provisions of the SaaS agreement before being permitted access to any confidential information. This can be easily achieved by having the third party sign a non-disclosure agreement.

Help

For assistance with any confidentiality issues, SaaS, ASP, software on demand contracts or any other IT legal issues contact me at:

irene.bodle@bodlelaw.com
www.bodlelaw.com
