SaaS Agreements – Data Protection – Cyber Security Issues

SaaS Customers are increasingly raising questions about the security provisions that SaaS suppliers include in their SaaS agreements and insisting on including onerous rights of audit to monitor and check compliance. Under the UK’s Data Protection Act (DPA) SaaS customers (data controllers) are required to take appropriate technical and organisational measures to prevent the:

  • unauthorised or unlawful processing of personal data; and
  • accidental loss, destruction or damage to personal data.

In order to comply with these duties and avoid substantial fines SaaS customers need to ensure that SaaS suppliers have adequate security measures in place to prevent data protection breaches from occurring.

Due Diligence and Auditing

SaaS customers, particularly government departments and/or customers processing sensitive or financial data of customers are commonly carrying out due diligence on a SaaS supplier’s security systems at the pre-contractual stage. This will include ensuring that the SaaS customer has the right to check the SaaS supplier’s security measures and its on-going compliance with the security provisions of the SaaS agreement during the term of the agreement.

Information Security Officer

Both SaaS suppliers and SaaS customers should consider appointing an information security officer to assess their cyber risks. Once appointed the information security officer will be able to deal with any security issues when they arise, at the pre or post contractual stage. Without an information security officer many organisations will lack sufficient knowledge or understanding of actual cyber security risks. SaaS customers will be unable to carry out a proper due diligence and SaaS suppliers will be unable to respond adequately to customer queries. This will result in the customer and supplier spending unnecessary time on the negotiation of the SaaS agreement.

Hackers are increasingly accessing online data (in particular online payment details) and using new methods to do so. An information security officer once appointed could monitor and detect such problems, keep up to date on the latest security countermeasures, deal with queries (not just in the SaaS contracting process but also from concerned data subjects – customers) and report to management on a regular basis.

Notification and Response to Cyber Breaches

Both SaaS suppliers and SaaS customers need to have obligations to inform each other of security breaches (such as hacking) in order for both parties to deal with the issue in a timely manner. If there is a slow rate of detection the potential for the scope of the data breach (and fines) increases. Also, once a party has been notified of the breach, the incident needs to be quickly contained to limit any further potential damage.


One of the most common causes of security breaches is the use of inappropriate passwords such as the use of “password”. Both the SaaS supplier and the SaaS customer should have adequate systems in place to monitor and prevent the use of such passwords. Systems and procedures should also be in place for the regular changing of passwords to minimise the risks of a security breach via misuse/use of unsuitable passwords.


These are just some of the general security issues that SaaS customers and suppliers should consider when entering into a SaaS agreement. There are many other issues which also need to be taken into account depending on the business sector in which the customer operates and the types of data that the SaaS supplier is processing.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: