SaaS Agreements – FAQs – Prism

In light of recent and ongoing “Prism” revelations, SaaS suppliers are having to deal with numerous queries about the safety of SaaS customer data. Many customers mistakenly believe that by using a non-US data centre their SaaS customer data is safe from disclosure to the US authorities. Below is a summary of the most common concerns being raised by SaaS customers.

SaaS Agreements – FAQs – Data Controller

It is important for a SaaS supplier to understand the legal obligations imposed upon a data controller when negotiating a SaaS agreement as the duties of a data controller are not the same as the duties of a data processor. In a SaaS relationship the supplier is always the data processor of the SaaS customer. The SaaS customer is always the data controller. Below is a summary of the obligations of a data controller.

SaaS Agreements – IPR – Software Patents

The issue of software patents has recently been highlighted by a proposal to change German patent and copyright law. The proposal recommends preventing computer software being registered as a patent, arguing that computer software should only be protected using copyright law, as this is sufficient to protect a software developer’s rights. In light of the current German proposal, below is a brief summary of patent and copyright law in relation to SaaS software in the UK, Germany and non-EU countries.

SaaS Agreements – Data Protection – Prism and US Laws

SaaS suppliers should be aware of relevant US laws when outsourcing SaaS services (data storage and hosting) to US companies or to companies located in the USA. SaaS customers are becoming increasingly concerned about outsourcing in the USA following media reports about “Prism”, namely that the National Security Agency (NSA) accesses personal data stored on the servers of Microsoft, Apple, Google, Yahoo, Facebook and a few other major US public companies. Below is a summary of the most relevant US laws that SaaS suppliers should be aware of.

SaaS Agreements – Data Protection – HIPAA

On January 25th 2013, the US Department of Health and Human Services modified the rules of the Health Insurance Portability and Accountability Act 1996 (“HIPAA”). HIPAA applies to any SaaS suppliers who process protected health information (“PHI”) on behalf of customers to whom the Act applies, regardless of whether or not the SaaS supplier is located in the USA.

SaaS Agreements – FAQs – Applicable Law and Jurisdiction

It is important to understand the difference between applicable law and applicable jurisdiction when negotiating a SaaS agreement. Applicable law specifies which country’s laws will apply to your SaaS agreement. Jurisdiction specifies which courts will have authority to deal with a dispute. Usually a UK SaaS agreement will specify the laws of England and Wales as the applicable law and the courts of England will have jurisdiction.

SaaS Agreements – FAQs – Source Code

When negotiating a SaaS agreement you will come across the terms source code, object code and open source. What is the difference, if any, between source code, object code and open source?

Source Code

Source code is the version of a computer programme (SaaS software) that exists before the software is compiled into a form that can run on a computer. The source code consists of a number of statements written in text form by a programmer. These statements are saved in a named file, and that file is called the source code.

SaaS Agreements – Data Protection – Safe Harbor Still Adequate

Recently, the Department of Commerce’s International Trade Administration (ITA) – a US government body – published a document confirming that any SaaS suppliers based in the US (and/or SaaS suppliers using a data centre located in the US) who are “safe harbor” registered must be recognised as having an “adequate” level of data protection. The ITA rejected the view that EU data protection authorities can unilaterally refuse to recognise safe harbor certification as a valid means of demonstrating that a SaaS supplier based in the US (and/or SaaS suppliers using a data centre located in the US) has an adequate level of data protection.