Software-as-a-Service (“SaaS”) is a delivery model in which software features, applications and services are made available to customers via the Internet, typically hosted on a cloud platform, with customers charged for consumption of the services on a subscription basis. This delivery model contrasts with the software licence model, in which software is delivered either in physical form or downloaded via the internet.
Over the past decade, very popular services have emerged as examples of the SaaS model's success, including Office 365, Dropbox, Slack, and Salesforce.
At risk of stating the obvious, the subject matter of the services or features being made available to a paying customer should be clear. It should also be clear to which parties (single or multiple) such services will be made available: to the subscriber only, its employees, or other third-party users.
Whether the SaaS is made available to business users or private consumers may determine if the local consumer protection laws, such as the Malaysian Consumer Protection Act 1999, will apply.
The agreement should address the payment obligations of the customers, i.e. when payment is due – whether time-based (monthly or upfront) or consumption-based (by units or usage), how payment should be made (credit card, bank transfer or through a payment portal), renewal and recurrence of the subscription, and the consequences of not making timely payment (temporary suspension, or automatic termination of the user's account and data).
In a traditional software license, the licensee purchases the software and is granted a right to download, copy and/or install and use the software on their own devices. With SaaS agreements, the services are typically accessed by users through a website or platform hosted on the internet.
As such, users will not possess a copy of the software providing the service and will typically only be granted a non-exclusive, non-transferable, and revocable license to access and use the service, rather than a license for the software or application itself.
In certain situations, the users should also grant the service provider a license to use any of their user-generated content necessary to provide the service. Ownership of the user-generated content should also be considered.
In a typical SaaS business, the service provider will be expected to make available the subscribed services for a minimum amount of time (e.g. 99.5% of the time for 365 days a year). This commitment should of course exclude:
- scheduled downtimes for maintenance, which should be done during off-peak hours and communicated to the users in advance; and
- general outages caused by events beyond one’s control, e.g. natural disasters and third-party failures.
Another common feature in SaaS business models will be to set out how quickly the service provider will respond to troubleshoot problems that arise, and the mandated response times depending on severity levels.
Data ownership and protection
Enforcement of the Personal Data Protection Act 2010 (“PDPA”) has commenced in Malaysia. From the other side of the globe, the General Data Protection Regulation (“GDPR”) has come into force in the European Union, which may even affect businesses outside of Europe.
As such, both service providers and users will need to put sufficient thought into the flow of personal data and data protection policies, particularly when the services might be hosted on third-party cloud platforms.
Service providers that will receive personal data from users will want to ensure that the users have obtained consent from the relevant data subjects. Further, the data subjects should be informed of what their personal data will be used for, including:
- if it will be shared with third parties, and if yes which third parties; and
- if the data subjects will be subjected to targeted advertising and marketing.
The treatment and use of the data upon termination of the business relationship will also need to be considered. It is vital that personal data is not kept for longer than necessary, and the GDPR will further grant to data subjects the “right to be forgotten”, i.e. the right to request that their personal data be deleted from the data user’s database.