What data security provisions need to be included in a SaaS agreement?
Customer’s Security Obligations
These should be set out in the software licence. Access to the software and services should not be permitted to third parties without prior authorisation from the supplier. The customer should provide the following warranties:
- existence of adequate security measure to ensure access to the software and services does not breach the terms of the SaaS agreement
- relevant confidentiality provisions relating to the use and access to passwords required for accessing the software and services
- the obligation to notify the supplier of all security breaches, unauthorised access to the software and services and misuse of passwords
- provision of indemnities for breaches of the above warranties
Supplier’s Security Obligations
These should be set out in the software licence and in the service level agreement (SLA). The supplier’s obligations will be more extensive than the customer’s obligations due to the nature of a SaaS agreement and the inherent risks of operating over the Internet. The following provisions should be included:
- details of the firewalls and cryptology used
- obligation of the supplier to notify the customer of security breaches or data loss
- details of the data centre security structure
- restrictions on access to passwords
- information about virus protection mechanisms
Additionally the supplier should reserve the right to suspend access to the software and services if there is a security breach in order to ensure the integrity or security of the software and services.
Sometimes customer’s will have a regulatory duty (i.e. under the FSA) to check the supplier’s security structures and systems and that the supplier is complying with its contractual security obligations. If an audit right is granted the following issues should be covered in the SaaS agreement:
- frequency of the audits
- payment for the supplier’s time and assistance with audits
- the supplier’s right to be given copies of audit reports
- confidentiality provisions relating to access to the supplier’s IPRs, data and infrastructures and disclosure of such to third parties
- whether or not the supplier has any obligation to make changes to the software and services following an audit
For assistance with any security issues, SaaS, ASP, software on demand contracts or any other IT legal issues contact me at:
To register for my newsletter click here
Other related articles:
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreements – FAQs – What is SaaS?
- SaaS Agreements – FAQs – What is a SLA?
- SaaS Agreements – FAQs – Prism
- SaaS Agreements – FAQs – Software Licence
- SaaS Agreements – FAQs – Source Code
- SaaS Agreements – FAQs – Escrow
- SaaS Agreements – FAQs – IPR and Intellectual Property
- SaaS Agreements – FAQs – Confidential Information
- SaaS Agreements – FAQs – Data Protection
- SaaS Agreements – FAQs – Applicable Law and Jurisdiction
- SaaS Agreements – SaaS, Software on Demand, Confused?
- SaaS Agreements – Cloud Computing and the Legal Cloud
- SaaS Agreements – Cloud based Technology and Services