SaaS agreements: key data protection elements for SaaS providers
A Software-as-a-Service agreement – or SaaS agreement for short – sets out the terms and conditions for the provision and delivery of software as a service, rather than under a licence, through the cloud. The SaaS provider – also known as the software provider – remotely hosts and manages the software application and all the related data. The customer or the customer’s end users access the software services over the internet.
This internet-based software delivery approach has many commercial advantages for all the parties involved. However, it can also give rise to significant financial loss for SaaS providers who may inadvertently violate data protection laws.
Applicable Data Protection Laws
SaaS providers often process, store, and transfer large amounts of data (including personal data) across multiple jurisdictions. SaaS providers who control or process the data of any EU citizen must comply with the EU GDPR. Similarly, SaaS providers who offer their services to individuals in the UK must comply with the UK GDPR.
To minimise the risk of non-compliance with the UK GDPR and/or EU GDPR, SaaS agreements should include or be accompanied by a written data processing agreement or data protection clause which outlines the rights and responsibilities of the SaaS providers and the customers. Additional data protection measures or provisions may be required to comply with data protection legislation in other jurisdictions. You should seek legal advice to ensure that your SaaS agreement complies with the applicable data protection regulatory regime(s).
SaaS Provider: A Data Controller or Data Processor?
Both the UK GDPR and EU GDPR impose certain obligations on data controllers and data processors. Failure to comply with such obligations may result in a heavy fine.
The role of the SaaS provider and the customer with respect to data should be clearly set out in the SaaS agreement to establish their respective data protection responsibilities at an early stage. This enables the parties to fill in any gaps before data processing commences. It also helps to ascertain the extent to which each party is liable in the event of a data breach.
SaaS providers can be data controllers, data processors, or both. A SaaS provider is a data controller if it decides how and why certain data is collected and processed through its website or user database. However, it is rare for SaaS providers to be data controllers because they do not usually seek to use the data for their own purposes. SaaS providers are often data processors, acting on the instructions of a customer when processing data of that customer or the customer’s clients. The distinction is not always clear cut, but the ICO provided the following helpful guidance in 2012:
“In cloud computing it will be the cloud customer who will determine the purposes for which and the manner in which any personal data are being processed. Therefore it is the cloud customer who will most likely be the data controller and therefore will have overall responsibility for complying with the DPA.”
SaaS agreements which specify that the SaaS provider is merely a data processor and the customer is the data controller shift the burden of complying with the legal obligations imposed on controllers to the customer. In return, the customer may seek to impose more onerous obligations on the SaaS provider than are required under the UK GDPR and/or EU GDPR.
Assisting Customers
SaaS providers’ minimum legal obligations towards their customers include (but are not limited to):
- assisting the customer in complying with subject rights requests;
- assisting the customer in ensuring compliance with certain controller obligations such as data security, data breach notification and data protection impact assessments (DPIAs);
- on termination of the SaaS agreement, deleting or returning all the personal data to the customer (at the customer’s election);
- providing evidence of compliance with data protection laws to the customer; and
- allowing the customer to undertake audits and inspections.
Customers may seek to impose more onerous obligations on SaaS providers which could take up a significant portion of the SaaS provider’s resources. The extent to which SaaS providers are willing to assist the customers is a commercial decision. It is worth noting that SaaS providers are not obliged to deal with subject rights requests or to undertake DPIAs, and terms can be drafted in the SaaS agreement entitling the SaaS providers to be paid for their assistance.
Engaging Sub-Processors
SaaS providers may engage sub-contractors – also known as sub-processors – to deliver the software services. Many SaaS providers use third-party cloud providers and data centres. SaaS providers acting only as processors are legally obliged to obtain prior specific or general written authorisation from the customer who is the data controller. It may be difficult or impossible in practice to obtain the approval of all customers to a sub-processor, particularly as the commercial success of the SaaS model is predicated upon massive economies of scale.
The SaaS agreement could facilitate the grant of the requisite authorisation to avoid any unnecessary delay or dispute in the future. Any provisions which exclude the use of sub-contractors or sub-processors should be removed and a pragmatic procedure for obtaining authorisation should be set out. For example, a specific authorisation accompanied by a list of approved sub-processors may be provided in the SaaS agreement.
Managing International Data Transfers
Both the UK GDPR and EU GDPR stipulate that appropriate safeguards must be in place when transferring data outside the European Economic Area (EEA). The SaaS agreement should explain why, when, and how the SaaS provider may transfer users’ personal data internationally. It is sensible to include details on the location of any backup data, mirrored sites, or support services which may involve international transfers.
Data Security
Both the SaaS provider and the customer are legally required to implement appropriate technical and organisational measures to protect the users’ rights against risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.
The level of security provided can be a contentious issue. Details of the requisite security provisions ought to be provided by the SaaS providers in the SaaS agreement as they are most likely to have the knowledge and skills to provide such information.
Limitation of Liability
Limitation of liability is a standard clause in a SaaS agreement. It limits the liability of the party in default of its contractual obligations. However, customers may seek to impose unlimited liabilities and indemnities on SaaS providers for breach of data protection obligations. This effectively renders the limitation of liability clause redundant in respect of the SaaS providers, as it allows the customers to circumvent the general limits imposed on the size of their claim and exposes the SaaS providers to a much greater financial risk than they would bear for breach of the other terms of the SaaS agreement. Depending on the bargaining powers of the parties, SaaS providers can limit their liabilities to the extent permissible under applicable laws.
Our insights, articles and guides do not, and are not intended to, constitute legal advice or be an exhaustive review of all legal developments. Although every effort is made to ensure that the information provided in this article is accurate as of the publication date, please be aware that this area of law may be subject to change. Please seek legal advice before applying the information provided to any specific circumstances, transactions or legal issues.
