Archive for December, 2013

SaaS Agreements – SLAs – Business Continuity and Escrow Agents

SaaS customers are increasingly asking for disaster recover provisions to be included within the terms of a SaaS agreement to ensure that they have access to their data and continuity of service if a problem arises at the SaaS supplier’s data centre. The costs of providing disaster recovery used to be prohibitive, due to the requirement of having mirrored servers and transferring data, however there is now a new market opening up with former escrow providers offering a variety of disaster recovery options at affordable prices.

Disaster Recovery

Disaster recovery sets out the processes and procedures to be followed in the event of a SaaS supplier’s software or customer data no longer being available. This is commonly due to a problem at the SaaS supplier’s third party data centre.

The most common problems are usually caused by:

  • physical damage to the data centre; or
  • insolvency of the party operating the data centre.

However, disaster recover does not cover the situation where the SaaS supplier itself becomes insolvent. In these circumstances a SaaS customer will have no right to access its data and backups at the data centre, as it is not a party to the hosting agreement between the data centre and the SaaS supplier.


In the past, SaaS customers used escrow agreements to enable a third party – an escrow agent – to hold a copy of a SaaS supplier’s software (the source code) on behalf of the SaaS customer and SaaS supplier. The source code would be released to the SaaS customer if the SaaS supplier became insolvent or unable to continue to provide the SaaS services. This did not however actually ensure business continuity as SaaS customers did not generally have the technical know-how to understand and use the source code. Accordingly escrow agreements are rarely used today.

Alternative to Escrow

Many escrow providers, such as the NCC and Iron Mountain have amended the services they offer to SaaS suppliers and SaaS customers. They have replaced traditional escrow services with service continuity options which on the most basic level permit the escrow agent to step in and take over the SaaS provider’s hosting obligations, if the SaaS provider becomes insolvent or unable to provide the SaaS services. The escrow agent provides the SaaS customer with continuity of the SaaS service by hosting the SaaS software and data either:

  • at an alternative data centre, if there are issues at third party data centre; or
  • at the existing data centre in the event of the insolvency of the SaaS supplier.

For example. A SaaS customer enters into a SaaS agreement with a SaaS supplier who is hosting the SaaS service via AWS (Amazon Web Services). The SaaS supplier becomes insolvent and AWS stops hosting the SaaS services. However, if the SaaS customer had included a service continuity option in the SaaS agreement with the SaaS supplier, the escrow agent would simply have replaced the SaaS supplier in relation to the AWS hosting and the SaaS services would have continued uninterrupted.

Advantages for the SaaS Customer

There is no immediate need for the SaaS customer to obtain copies of the source code, data and find a new hosting provider. The SaaS services will continue to run uninterrupted without any loss of service which is very important if the service is being used for a business critical function. The SaaS customer will have time to transition to a new SaaS supplier and service and will also have the peace of mind that the SaaS service will not be interrupted in the interim.

Advantages for the SaaS Supplier

Providing for this type of service in your SLA offers reassurance to your SaaS customers. By proactively approaching the issues of business continuity you will have a competitive advantage over other SaaS supplier sand it will help you build trust into your customer relationship.


This is just one of the services offered by such former escrow agents. SaaS suppliers should consider discussing this option with customers in order to deal with their concerns over continuity of service, when signing up new business and/or negotiating a SaaS agreement.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles:

SaaS Agreements – Data Protection – Update on the EU Draft Data Protection Regulation

SaaS suppliers should be aware of the recent changes made by the EU Parliament to the draft EU Data Protection Regulation (Regulation). If this amended version of the Regulation becomes law next year the obligations of SaaS suppliers who process personal data on behalf of customers will radically change. A summary of the current main proposed provisions is set out below.


The proposed fine for breaching data protection law will be increased to the higher of:

  • 5% of annual worldwide turnover; or
  • €100 million

Currently the maximum UK fine for a breach of data protection law is £500,000.

Data Protection Officer

A data protection officer must be appointed where:

  • a SaaS supplier processes the personal data of more than 5,000 individuals in any consecutive 12 month period; or
  • special categories of data, location data, data relating to children, or employee data in large scale filing systems is processed.

The data protection officer must be appointed for:

  • a minimum of 2 years; and
  • meet specific minimum requirements set out in the Regulation.

Notification of Data Protection Breaches

SaaS suppliers must notify breaches of data protection law without undue delay.

Data Processor Obligations

The obligations and duties of SaaS suppliers (data processors) have been more specifically defined. For example SaaS suppliers should:

  • only employ staff who have given confidentiality undertakings or commitments;
  • obtain permission from SaaS customers (data controllers) before employing a sub-processor i.e. using a third party hosting centre;
  • ensure that security measures are implemented; and
  • maintain documentation of all processing operations.

Data Transfers – Prism

The transfer of an individual’s personal data to third parties has been restricted in light of recent revelations about the NSA and Prism. No transfer of personal data will be permitted in relation to a third country court decision or administrative authority (i.e. under the Patriot Act or FISA) if this does not comply with a mutual legal assistance treaty or an international agreement.

Additionally, individuals will have the right to know if their personal data has been disclosed to a public authority.

Territorial Scope

The Regulation will apply to companies located outside of the EU whenever they process the personal data of individuals located in the EU. This means that if a UK SaaS supplier uses a data centre located outside of the EU to host EU SaaS customer data the provisions of the new Regulation will apply to both the SaaS provider and the data centre. For example if a SaaS supplier uses Microsoft to host EU customer data both will be directly subject to EU data protection law.

Right to be Forgotten

This has been changed to the right to be erased. This right will not apply to data which cannot be erased due to the type of storage technology used, provided that the technology was installed prior to the Regulation coming into force.


The above is a summary of the current status of the draft Regulation. The Regulation may be amended before it becomes law in 2014 and SaaS suppliers should continue to monitor the position to ensure they are ready to adapt their existing procedures and compliance regimes to comply with any change in their legal obligations.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To learn more about SaaS and cloud computing join me at the Berlin CloudConf 2013 on 5th of December.

To register for my newsletter click here



Other related articles:

Bodle Law
Assign a menu in the Left Menu options.
Assign a menu in the Right Menu options.

This website uses cookies. You may not use this website, unless you agree to our use of cookies. For further details about the cookies we use please visit our Cookie Policy

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.