SaaS, ASP Agreements – HCM, ATS & Erecruitment

Human resources (HR) departments are increasingly turning to SaaS or ASP agreements for their recruitment and talent management needs. Many suppliers now provide solutions of this kind, often referred to as software as a service (SaaS) or on-demand services, that are specifically designed to assist employers with their HCM (human capital management), ATS (applicant tracking systems) and e-recruitment requirements. Here are some of the legal issues which HR professionals and suppliers need to consider when negotiating a SaaS agreement.

Third Party Access to the Software

Although the customer enters into the SaaS agreement with the supplier, quite often HCM functions will be outsourced to recruitment agencies or IT outsourcing providers. It is therefore essential that the software licence permits such third parties to access the software and services, on behalf of the customer. The supplier should specifically name such third parties in the SaaS agreement and only grant them a limited licence to access the software on behalf of the customer for the purposes of the SaaS agreement.


Third parties who are granted access to the software and services will not be bound to the supplier or the customer by the terms of the SaaS agreement, as they are not contractual parties to it.

The supplier should protect itself by requiring the customer to warrant that the customer will be liable for any acts or omissions or breaches of the SaaS agreement caused by such third parties, as if these had been caused by the customer itself.

The customer should protect itself by having a “back to back” agreement with the recruitment agency/IT outsourcing provider which mirrors the terms of the SaaS agreement and makes the third party liable to the customer for any breaches, acts or omissions.

Candidate Data & Employee Data

Names, email addresses, dates of birth, and national insurance numbers of candidates and employees will be stored and processed by the supplier on behalf of the customer. Such information is personal data under the Data Protection Act 1998. The customer must obtain consent from all employees and candidates before it processes their personal data. Consent can be obtained from candidates when they register in the customer’s database by having the candidate actively agree to the customer’s privacy policy. For employees, such consent can be obtained by employees agreeing to a data and security policy or by including suitable provisions in the employee’s employment contract.

The customer must provide information to candidates and employees about any third parties to whom their data will be passed. This should include the supplier, the supplier’s third parties (i.e. the hosting centre, remote backup provider and disaster recovery provider), the customer’s subsidiaries, recruitment agencies and IT outsourcing providers.

Data Protection – Warranties

Under UK data protection law the supplier will be the data processor and the customer will be the data controller. The supplier is obliged to process data in accordance with the customer’s instructions and should protect itself against claims from third parties that such processing was illegal. Likewise, the customer will also need to protect itself against claims from third parties caused by the supplier or its other third parties not processing data in accordance with its instructions or the SaaS agreement.

