AI is no longer just for big tech companies. Businesses of all sizes are now using AI tools to improve their operations and services. One popular way to access these tools is through providers of AI as a service (AIaaS). AIaaS providers, as with traditional SaaS providers, provide AI-backed products over the cloud just like you would use email or file storage online.
While AIaaS is convenient and flexible, it raises important legal questions: who owns the data? Who is responsible if something goes wrong? And how does a business protect intellectual property created by an AIaaS product?
In this blog, we will break down what AIaaS agreements are all about and what you should keep in mind when signing one.
What is an AI as a service agreement?
Simply put: an AIaaS agreement is a contract between a provider of AI tools and a business customer using them, normally through a cloud-based platform. This contract sets out the terms under which the AI services are offered, similar to a software as a service (SaaS) agreement but with some unique features due to the nature of AI.
The agreement will typically cover things like what the AI system does, how it will be accessed, pricing and payment, support, service levels and how data will be handled.
Because AI systems often rely on customer data to function, these contracts also need to address issues like data ownership, intellectual property rights, liability and how decisions made by the AI can be explained.
Benefits and challenges of AIaaS
| BENEFITS | CHALLENGES |
|---|---|
| Cost-effective access to AI capabilities | Data protection and privacy concerns |
| Scalable and flexible infrastructure | Intellectual property (IP) rights |
| Rapid deployment and time-to-market | Liability and risk allocation complexities |
| Reduced need for in-house expertise | Termination rights and vendor lock-in |
| Access to latest AI tools and updates | Compliance with evolving regulations and standards |
| Easy integration with existing systems | Potential bias and lack of transparency in AI models |
Legal considerations to keep in mind
Data protection and privacy
AI systems often rely on large amounts of data to function, some of which may be personal data which would trigger the obligation to comply with data protection laws like the UK GDPR. It is important to make sure that the AIaaS agreement clearly sets out how data will be collected, used, shared and protected.
Some of the questions to consider:
- Is the personal data being transferred outside of the UK or EU?
- Who is the data controller and data processor?
- Where will the personal data be stored?
AIaaS providers are usually data processors over certain types of personal data. For example, any personal data uploaded to an AIaaS product is most likely going to be processed by the AIaaS provider in its capacity as a data processor. In that circumstance, it would be a UK GDPR requirement for the AIaaS agreement to incorporate certain terms applicable to the processing by the AIaaS provider.
However, if the AIaaS provider wishes to use that personal data for its own purposes, that is likely to shift it to the role as a data controller. This has both contractual and UK GDPR implications.
If the parties have a say in the purpose for which that personal data is processed, they can be ‘joint controllers’. There are different contractual requirements that apply to the use of data processors and sharing between joint controllers. Moreover, if the customer and the AIaaS provider are independent data controllers, it may be wise to enter into a data sharing agreement. The UK’s data protection regulator, the ICO, has issued important guidance on agreements between data controllers – see the Data Sharing Code of Practice.
This is just a single example where data protection can quickly get complicated where AI tools are used. For any business, it is crucial to consider the data protection implications of AIaaS products from the outset.
Intellectual property (IP) rights
Intellectual property is one of the most important and often trickiest aspects of any AIaaS agreement. That is because AI tools do not just analyse data, they can also use existing data (which can be subject to intellectual property rights) to create new and valuable outputs such as reports, images or software codes which may carry significant commercial value. It is therefore essential to be clear from the start about who owns what.
In general, there are three key categories to think about:
1. The AI tool
This is the tool or platform provided by the AIaaS provider. It will almost always remain the provider’s IP and the customer is granted a license to use it under certain conditions. The agreement should set out what the customer is allowed to do with the tool, such as whether they can customise it, integrate it with their other systems or use beyond a specific project.
2. AI input data
This is the data that customer feeds into the AI system. It may include customer records, internal documents or other materials. It can also include the commands (or ‘prompts’) entered by users of an AIaaS product. These prompts may contain such materials or, more simply, consist of text that may (a) already be subject to an IP right, such as copyright or trade secrets or (b) become subject to IP rights once created.
Typically, the customer retains ownership of their own input data, but the agreement should clearly state that to avoid the risk of any confusion.
A key point to watch is whether the provider wants to use the customer’s input data to improve or “train” their AI system. Training refers in general terms to the processes by which AI models can learn about the world in order to produce more accurate or realistic outputs. For example, if an AI model has been provided with 1000s of images of cats, it can learn to produce a new image of a cat that is realistic.
In certain contexts, the training process could mean that the customer loses control over their IP.
That said, the use of input data can be very important to AI developers. There are technical and legal mechanisms that can be put in place by developers to ensure that it is used responsibly and in a way that benefits everyone.
If a customer wants to permit training, the customer should think carefully about:
- whether any personal or sensitive data is involved
- if the data will be anonymised
- whether such use aligns with the business’ policies or other legal obligations
For example, from an IP perspective, a business could have a specific licence to use a copyright-protected work, such as an image or a book. However, it may not have the right to upload the work to an AI tool (whether or not that work would be used for training purposes). Doing so could result in significant liability for the business, and, if the AIaaS agreement doesn’t cover this scenario, bad news for the AIaaS developer as well (through no fault of its own!).
3. AI output data
This is the data generated or produced by the AI tool. Customers will usually want full rights to use and reuse this output as they see fit.
While market is still developing in this area, many agreements give the customer ownership of the output.
However, some providers may want to retain certain rights over the output or seek to use it to improve their systems or services, as discussed above.
To avoid surprises, the agreement should clearly spell out:
- who owns the output
- what rights each party has in relation to it
- any restrictions on how it can be used
Liability and risk allocation
AI brings exciting opportunities, but it is not risk-free. Because AI system can make unpredictable or automated decisions, it is important to define who is responsible if something goes wrong.
For example, who is responsible if the AI produces an incorrect result that causes financial loss, if the AI misuses personal data or if AI decision leads to, for example, discrimination? An AIaaS agreement should set clear rules on liability, including limits on how much each party can be held responsible for and what types of losses are covered or excluded.
Termination rights
Termination clauses are an important part of any AIaaS agreement. Common reasons to include termination rights are: a party breaching the agreement and failing to remedy the problem within a specified time frame, the service not meeting agreed performance standards or the insolvency of either party. It is also important to cover what happens after termination.
Pricing
AIaaS tends to be priced either on a pay-per-use or subscription basis. Subscriptions normally have usage limits that reset each month or a set number of uses each month, with the customer paying for the excess.
For most AIaaS providers, this model reflects the cost that the provider incurs each time its customers use the underlying AI model made available by one of the leading AI companies. For example, the amount of computational resources that the AI model dedicates to a particular query is reducible to a “token” – each token will usually have a very low price (less than a penny), but longer queries such as a paragraph-length prompt will use hundreds if not thousands of tokens each time.
If it is pay-per-use model, the customer will be picking up the token cost in addition to the fee for the provider’s services in making the AIaaS product available. Subscriptions with caps can reflect a middle position depending on what the price is.
It is key that the AIaaS agreement clearly defines what constitutes “use” of the service to avoid ambiguity as to what the customer has to pay for or otherwise can’t go beyond. By setting this out, the customer can avoid additional costs.
However, given the rapidly decreasing costs of using AI models, it is becoming more common to see unlimited subscriptions or at least more expensive “tiers” with unlimited usage, typically charged on a per-account basis.
In short, there are many different commercial approaches taken by AIaaS providers. No matter what a customer signs up to pay, getting it right in the AIaaS agreement can limit the possibility of significant additional costs.
Advantages of having an AIaaS agreement
AIaaS providers give you access to powerful tools without the hassle of building or running AI yourself. But just as important as the technology is having an agreement between the parties.
A well-drafted AIaaS agreement helps both parties understand what they are signing up for, protects their interests if things do not go as planned and allow you to focus on using the technology to grow your business.
FAQ
Is AIaaS same as SaaS?
Both AIaaS and SaaS are cloud-based models that give users access to software over the internet. They main difference is that AIaaS specifically provides access to AI tools and capabilities (like machine learning or natural language processing), whereas SaaS can refer to any kind of software (such as email or accounting platform).
What are common AIaaS services?
AIaaS offers lots of different tools. Here are some popular types you might encounter:
Machine learning
Machine learning (ML) helps systems learn from data and make predictions or decisions.
Businesses use it to:
- predict customer behaviour
- detect fraud or unusual activity
- automate complex decisions (e.g. in insurance or recruitment)
Natural language processing
Natural learning processing (NLP) allows AI to understand and generate human language.
It is used to:
- power chatbots and virtual assistants
- analyse customer feedback or social media
- extract key information from documents
Computer vision and image recognition
Computer vision allows systems to “see” and analyse images or video.
It is used for:
interpreting medical scans
facial recognition and ID verification
quality control in manufacturing
Generative AI
Generative AI creates new content such as images, text or audio, based on the data it has been trained on.
Business use it to:
- write content or reports
- generate designs or advertising materials
- produce software code
What are the alternatives to AIaaS?
AIaaS, fundamentally, is just another type of software. That means that it can work in many different settings. An alternative to AIaaS can be to purchase the AI product and install it on systems or servers controlled by you.
Most businesses will not have access to the necessary computational power required, however. So a further alternative to AIaaS can be an AI product deployed on an internal cloud environment that is hosted by a third party but fully controlled by the customer. In certain settings, a local cloud environment can reduce some of the risks around responsibility, data protection, IP and confidentiality. It depends on the customer’s needs and resources; in many cases fully remote AIaaS is a fully secure and lower cost solution to the needs of most SMEs.
Conclusion
AIaaS agreements are becoming crucial part of doing business. They allow companies to use AI tools without needing to build or manage the technology themselves. However, AI brings unique challenges and therefore having a clear and well-drafted contract is essential.
At EM Law, we are experts in drafting and negotiating AIaaS agreements, including where AI tools are integrated with third-party software using APIs. Whether you are a provider or a user of AI services, we have got you covered.
If you have any questions about AIaaS agreements or AI more generally, please reach out to Neil Williamson or Colin Lambertus. We would be happy to help you navigate this exciting space.
