SaaS, ASP Agreements – FAQs – Confidential Information

What confidentiality provisions need to be included in a SaaS agreement?

Define Confidential Information

Parties will obtain and have access to each other's business-critical information as a result of entering into a SaaS Agreement. For example, they may have access to customer lists, banking information, IPR, source code and object code, or business secrets and processes. Confidential information should be defined in the SaaS agreement to make clear what is, and what is not, confidential. Do not simply refer to documents which are “marked as confidential” or “which should be treated as confidential”. Not all confidential information exists in a physical format, particularly in a SaaS scenario – so do not restrict your definition to just documents.

Restrictions on Disclosure

Confidential information should not be passed on to third parties or used by either party for any purpose other than performing its duties under the SaaS agreement. However, under certain circumstances a party may be legally required to disclose confidential information to a third party, and such disclosure must be permitted. Additionally, employees and agents of the parties (accountants, sub-contractors) may need access to the confidential information for the purposes of the SaaS agreement. Such disclosure should be permitted, but must be restricted to named or defined groups of sub-contractors, e.g. the supplier’s hosting provider or the customer’s named IT outsourcing providers. Disclosure to competitors of either party should be specifically prohibited. If any third parties are to have access to a party’s confidential information, they must be bound by the same confidentiality duties as the party disclosing the information to them.

Return or Destruction of Data

Once the SaaS agreement is terminated, or expires, all confidential information of each party should be returned or destroyed. Confirmation of destruction of data should be required in writing. This is particularly important in relation to any personal data, as under the Data Protection Act 1998 no personal data should be kept longer than necessary. How long such personal data may be stored will depend upon the type of data and the purposes for which it was collected and stored.

Freedom of Information Request – FOI

If the customer is a public authority or another body subject to freedom of information requests, both the supplier and the customer will need to comply with any request for release of information within strict time limits. Provisions should be added to the SaaS agreement to give the supplier control over what is, and what is not, released, to prevent third parties gaining access to its confidential information pursuant to such requests.

Subject Access Request – SAR

Similar provisions are contained in the Data Protection Act 1998, which allow data subjects to request a copy of the personal data held on them, including data which the supplier is processing on behalf of the customer. The request is made to the customer, who will need to ensure that there are provisions in the SaaS agreement obliging the supplier to release the appropriate data.

Audit Rights

Sometimes customers will have a regulatory duty (for example, under FSA rules) to check the supplier’s security structures and data storage systems. Any third parties used by the customer during the audit should be bound by the confidentiality provisions of the SaaS agreement before being permitted access to any confidential information. This can be easily achieved by having the third party sign a non-disclosure agreement.
