What confidentiality provisions need to be included in a SaaS agreement?
Define Confidential Information
Each party will obtain and have access to business-critical information of the other as a result of entering into a SaaS agreement. For example, they may have access to customer lists, banking information, IPR, source code and object code, or business secrets and processes. Confidential information should be defined in the SaaS agreement to make clear what is, and what is not, confidential. Do not simply refer to documents which are "marked as confidential" or "which should be treated as confidential". Not all confidential information exists in a physical format, particularly in a SaaS scenario, so do not restrict your definition to documents alone.
Restrictions on Disclosure
Confidential information should not be passed on to third parties, or used by either party for any purpose other than performing its duties under the SaaS agreement. However, under certain circumstances a party may be legally required to disclose confidential information to a third party, and such disclosure must be permitted. Additionally, employees and agents of the parties (accountants, sub-contractors) may need access to the confidential information for the purposes of the SaaS agreement. Such disclosure should be permitted, but must be restricted to named or defined groups of sub-contractors, e.g. the supplier's hosting provider or the customer's named IT outsourcing providers. Disclosure to competitors of either party should be specifically prohibited. If any third parties are to have access to a party's confidential information, they must be bound by the same confidentiality duties as the party disclosing the information to them.
Return or Destruction of Data
Once the SaaS agreement is terminated, or expires, all confidential information of each party should be returned or destroyed. Confirmation of destruction of data should be required in writing. This is particularly important in relation to any personal data, as under the Data Protection Act 1998 no personal data should be kept longer than necessary. How long such personal data may be stored will depend upon the type of data and the purposes for which it was collected and stored.
Freedom of Information Request – FOI
If the customer is a public authority or another body subject to freedom of information legislation, both the supplier and the customer will need to comply with any requests for the release of information within strict time limits. Provisions should be added to the SaaS agreement to give the supplier control over what is, and what is not, released, to prevent third parties from gaining access to its confidential information pursuant to such requests.
Subject Access Request – SAR
Similar provisions are contained in the Data Protection Act 1998, which allow data subjects to request a copy of the personal data held on them, including data which the supplier is processing on behalf of the customer. The request is made to the customer, who will need to ensure that there are provisions in the SaaS agreement obliging the supplier to release the appropriate data in time for the customer to meet its statutory deadline.
Regulatory Audits
Sometimes customers will have a regulatory duty (e.g. under the FSA) to check the supplier's security structures and data storage systems. Any third parties used by the customer during the audit should be bound by the confidentiality provisions of the SaaS agreement before being permitted access to any confidential information. This can be easily achieved by having the third party sign a non-disclosure agreement.