SaaS Agreements – Terms and Conditions – Risk Assessment

SaaS customers often complain that the security provisions in SaaS agreements are inadequate and lack transparency. Following a risk assessment, frequently carried out with external auditors and regulators, SaaS customers then ask SaaS suppliers to add numerous additional terms and warranties to their SaaS terms. SaaS suppliers who include the security provisions set out below in their standard SaaS agreement can avoid having more rigorous provisions imposed upon them.

Right to Audit

SaaS customers increasingly want, or need, to check a SaaS supplier’s compliance with the security provisions contained in the service level agreement (SLA) for regulatory or data protection reasons. SaaS suppliers should allow SaaS customers (or their authorised third party) limited rights to carry out such security checks. These rights should be restricted to annual checks, carried out during business hours, for which reasonable written notice has been given.

Security Certification

Currently there is no harmonised security standard or certification available for SaaS suppliers. The STAR certification programme, backed by the British Standards Institution (BSI), was launched last year. Certification is based upon implementation of ISO 27001 and criteria set by the Cloud Security Alliance (CSA). The certification process provides an independent and technology-neutral assessment of a SaaS supplier’s security standards.

SaaS suppliers need to demonstrate that they meet ISO 27001 on security management generally, as well as the criteria contained in the CSA’s Cloud Controls Matrix (CCM), which include:

  • risk management;
  • resiliency and security architecture;
  • facility security;
  • information security; and
  • operations management.

Once certified, SaaS suppliers are listed on the CSA STAR Registry as ‘Star Certified’ and can use the CSA STAR Certification logo.

Incident Response Plan

Maintaining a good reputation for data security is essential to a SaaS supplier. If security breaches have taken place in the past and attracted negative publicity, it is unlikely that potential SaaS customers will place any trust in a SaaS supplier’s ability to keep their data secure. SaaS suppliers should have an incident response plan in place before a security breach occurs. This should set out the procedures to be followed in the event of a security breach, thus enabling the SaaS supplier to deal with the business impact of the breach and to mitigate any potential damage to its reputation.

Cyber Insurance

Increasingly, SaaS customers are requiring confirmation in the terms of the SaaS agreement that the SaaS supplier has appropriate cyber insurance in place. Such insurance covers the liability of the SaaS supplier to third parties and SaaS customers for claims arising out of the activities and conduct of the SaaS supplier in providing the SaaS services.

Such cyber insurance should cover the following risks:

  • damage to hardware and/or software;
  • loss or damage to data or computer records;
  • infringement of the intellectual property rights of third parties;
  • breaches of data protection law;
  • defects in computer programmes;
  • physical damage to customer property;
  • injury to visitors.


By obtaining security certification, SaaS suppliers gain a valuable marketing tool which can be used to differentiate them from competitors. Also, by having appropriate cyber insurance and an incident response plan in place, SaaS suppliers will be able to show SaaS customers the priority that they place on the security of data and that ongoing measures are really being taken to protect customer data.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me:

Speaker at the Berlin CloudConf 2013.

