SaaS Agreements – SLA – Security Issues

As a SaaS supplier you will have noticed the increasing concerns about security voiced by SaaS customers. Your SaaS agreement should therefore provide comfort to your customer by including security provisions in the service level agreement (SLA). The specific matters you should consider including are set out below.


The persons able to access the hosting centre should be very limited and the individuals should be defined. Access should only be allowed for hardware and software maintenance. A record of all visits should be logged, which can be easily achieved if swipe cards are used. Remember that when using a third party hosting centre, access will be controlled by, and should reflect, the terms of your hosting agreement with the hosting centre.

Physical Security

This should prevent unauthorised access to the hosting centre to prevent damage, loss or theft to hardware and software. Surveillance of the hosting centre is essential and details of whether or not this is 24 x 7, via video camera, watchmen or electronic alarm systems should be included in the SLA. Within the hosting centre itself, racks themselves should be separately secured.

Hosting Environment Security

In order to provide a continuous service to customers, the hosting centre must have:

  • an uninterrupted power supply;
  • a dual power source;
  • air conditioning; and
  • fire and flood detection systems.

Server Security

In order to protect your servers, you should use:

  • up to date virus protection;
  • up to date security patches; and
  • firewalls.

Data Security

In order to protect customer data you should set out:

  • how, where and when data will be backed up;
  • how often data will be backed up;
  • where backups will be stored; and
  • when discs/tapes will be rotated.

ISO 27001 Certification

ISO 27001 is an internationally recognised security certification which is often required by SaaS customers who are looking for assurance that adequate levels of data security are in place to protect their data. Having this certification demonstrates to customers your commitment to data security by confirming that you comply with “best practice” security management.

Disaster Recovery

Is this offered at all, consider whether is it included in your standard subscription fee, or if a premium will be charged. Also, remember that your disaster recovery centre should be physically remote from your hosting centre, and with a different provider.

Commercial Considerations

The level of security obligations offered to SaaS customers will depend upon:

  • how much a customer pays for the SaaS solution, maintenance and support;
  • whether the SaaS application is business critical i.e. online banking;
  • what is standard in that particular business area.


Ensure that your SaaS agreement contains appropriate security obligations applicable to your customer, for example using up to date virus programmes. Exclude liability for any security breaches which are caused by something beyond your control or an act, omission or breach of your customer’s security obligations under the SaaS agreement.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: