Archive for May, 2012

SaaS Agreements – SLA – Terms to Include

The following issues should always be included in any SLA, regardless of the type of SaaS product and services being supplied.


Clearly define times for all of your actions. Business hours and days need to be carefully defined, particularly if you have customers outside of the UK, or your maintenance and support staff are located across the globe.


If your SaaS agreement includes non-English speaking customers, specify in which languages you provide support.


Customers expect to be given a guarantee of the availability of the SaaS product and services. This usually ranges from 95 – 99.9%, depending on the type of services being provided. It will also largely depend upon the availability guaranteed by any third party data centre you use to host your SaaS products and services.

When stating the level of availability of the SaaS products and services, specify how and when availability will be measured, remembering to exclude any down-times for maintenance from the calculation.

Customer Support

Provide a short description of the support that you will provide to customers. This should include details about how you can be contacted and the way in which you will respond to and fix software problems. Specify severity levels and state times for responding to and fixing software problems, remembering to differentiate between problems (errors that can be reproduced) and bugs.


Set out the times and days when you will carry out maintenance. Distinguish between regular maintenance and emergency maintenance, as you may need to install emergency patches and carry out emergency repairs at any time. State whether or not any prior notice will be given. Any downtime caused by you carrying out scheduled or emergency maintenance should be excluded from the calculation of availability.

Specify whether or not upgrades are included in the services. Will they be free of charge, or are they only provided upon payment of an additional fee? Are upgrades mandatory or voluntary? Also identify what is actually included in an “upgrade”.


Briefly describe the security provisions that you have in place at your data centre and internally within your organisation. These should include:

  • Details of data centre security structure and infrastructure;
  • Details of the firewalls and encryption you use;
  • Any obligation to notify the customer of security breaches;
  • Restrictions on access to passwords;
  • Information about virus protection mechanisms.

Other Issues

Other provisions that you could consider including in your SLA are:

Commercial Considerations

The above is a general guide to the terms to include in an SLA for a SaaS agreement. The degree of detail that you provide will largely depend upon the following:

  • The type of SaaS products and services you are supplying;
  • How much the customer pays for the SaaS product and services;
  • Whether the SaaS product is business critical, e.g. online banking;
  • What is standard in that particular business area.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:


Website Legal Requirements – Cookies – New Guidelines

From the 26th of May 2012 the UK Information Commissioner’s Office (ICO) will start prosecuting companies for breaches of the Privacy and Electronic Communications (Amendment) Regulations. These set out the obligations of website operators to provide users with information about cookies and obtain their consent when using cookies. Failure to comply with the rules can result in a fine of up to £500,000.

What is a Cookie?

Cookies are small text files placed on a user’s computer which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing.

The New Rules

The new rules apply to the use of all cookies or similar technologies for storing information, such as Flash cookies, web beacons or bugs. No distinction is made between different types of cookies in the rules. They apply to both session and persistent cookies and first party and third party cookies.


Consent must be freely given, specific and informed, unless the cookie is ‘necessary’ for the delivery of the service, for example, where the cookie takes the user from a product page to a payment page. This generally means that a user needs to “opt in” to the use of cookies.

The more specific the consent is, the less likely it is that you will be in breach of the rule. For example, if you obtain consent before the cookie is set you will have specific consent. If you rely on implied consent you will need to show that the user has taken some positive action to imply consent. The UK Chamber of Commerce has provided some suggested wording for use on websites.

Cookie Information

Clear and comprehensive information about the type of cookies being used and the purposes for which these are being set must be provided. The UK Chamber of Commerce suggests categorising cookies into 4 groups – strictly necessary, performance, functionality and targeting or advertising cookies.

Who do the Rules Apply to?

The Regulations do not define who is responsible for complying with the rules, so primarily it is the person/company setting the cookie. Where third party cookies are used, both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.

Organisations based in the UK will be subject to the rules even if their website is hosted outside of the UK. If organisations are based outside of the EU but their websites are designed for, or their products and/or services are directed at, EU customers, they should provide information and choices about cookies that comply with the rules.

Guidance on How to Comply with the New Rules

The ICO has issued non-binding guidance suggesting ways in which consent to the setting of cookies can be obtained and the International Chamber of Commerce (ICC) UK’s guidance also suggests various methods for complying with the notice requirements. A summary of these suggestions and some examples from the guides have been set out below.

  • Terms and Conditions: When users sign up to use a website, consent to the use of cookies should be obtained on registration, specifically or by reference to a privacy policy, cookie policy or terms and conditions. This does not, however, cover the problem of obtaining consent from existing users.
  • Banners/Footers: Where websites have cookies built into the landing page, the use of cookies should be highlighted in a prominent place on the landing page, i.e. via a banner – as on the ICO home page, or in a footer or information box – as on the website.
  • Pop-ups: Each time a cookie is to be set a pop-up will inform the user. By continuing to use the website, the user will be deemed to have consented to the cookie. However, in practice these are not a very practical solution, particularly where numerous cookies are used.
  • Settings/Features: Where users can choose preferences when using a website, for example via the use of videos that remember how users personalise their interaction, these settings/features could be used to obtain consent.

Additionally, the Internet Advertising Bureau Europe (IAB) has developed a voluntary code using the display of an icon on a website whenever an advert tracks a user’s behaviour. By clicking on the icon the user can switch off behavioural adverts. However, this only applies to the adverts of companies who are members of the scheme.

How to Avoid Fines

Despite the impending May deadline, many companies have not taken any action to amend their websites and are simply waiting to see what happens. In light of the guidance from the ICO this is not advisable.

You should be carrying out a cookie audit, if you have not already done so, to review the use of cookies on your website. You will need to assess what type of cookies you use, how long they are being used and remove any redundant or unnecessary cookies.

Thereafter you should update the information you provide about cookies in your privacy policy or create a separate cookie policy, ensuring that this information is easy to find on your website. You need to state the type of cookies you use, why you use them and how users can opt out of you using such cookies.

You also need to review the steps that you take to obtain consent to any cookies you use. How and when is the consent obtained? Is it implied or specific? Also, do not forget to provide information about any third party cookies that are placed and provide links to information about these that third parties may provide.

Enforcement by the ICO

From 26th May 2012 you must comply with the new rules and the ICO will start taking formal action. The ICO has stated that they will be selective. For example, they have clearly indicated that they are unlikely to prosecute companies who only use analytic cookies and will concentrate on websites where no steps have been taken towards collecting consent or where particularly intrusive cookies are used.


Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years’ experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
