Data Protection Law
Software as a Service (SaaS) has for many years been a buzzword for startups. Individuals and companies are spending hundreds of billions on it every year, with the market size estimated to go past the trillion-dollar mark in early 2030.
In this blog, we explore what a SaaS product is, how it works legally between the provider and the customer, and how it can benefit your startup.
What is SaaS?
The older among us may remember when the new version of Microsoft Word or the latest computer game was bought in-store, on a CD or other physical storage medium and manually dropped into your desktop computer or laptop. Your computer reads the disk, the files are downloaded, and the computer runs the program. No internet was necessary, and you could view (and in some cases edit) the files locally.
That type of software still exists and represents the majority of the current market. The difference now is that, given the improvements in internet download speeds, it is no longer necessary to go to the local computer store and buy a disk loaded with the software’s data. It can now be downloaded straight to your computer and installed by you. The software is self-contained on your system, and although it might require the internet to function properly (like a music streaming service or multiplayer game), it is your computer that is using its resources to perform the tasks necessary for the software to function.
SaaS, in contrast, is software that is not installed or stored on a local computer. The SaaS provider (or its subcontractor, in some cases) hosts the core software applications which are accessed by the customer remotely – no installation necessary. While in some circumstances the customer may receive a file with limited and light touch software to ensure that there is a connection between the provider’s and the customer’s networks (or to provide an interface between the local computer and the provider’s host), quite often the customer needs to do little but access a specific webpage using its internet browser.
Commercially, the model works because the SaaS provider can host one instance of the software and sell access to as many customers (or customer’s users) as its network infrastructure can support. The SaaS provider doesn’t have to account for local variations in hardware quality, or ensure compatibility with every possible device. This is because SaaS providers try to leverage the presence of the most common type of installed software: an internet browser or email application to access their software. This makes quality testing, security, enhancement and roll out easy. Moreover, the SaaS product can be run remotely using third party servers, and the data can be stored in a cloud environment. Amazon Web Services or Microsoft’s Azure are commonly known examples of robust cloud computing providers.
This means that the SaaS provider doesn’t necessarily have to scale up dramatically as its customer base increases. No more buying computers and servers and storing them in the basement of your office building – the SaaS provider can pay for as much computing power and storage space as it needs.
It follows that SaaS providers can save on their operating costs, because ideally the infrastructure needed for one client can be the same for 100 clients. These savings on operating costs can in turn be passed on in part to customers, who benefit from a more competitive price.
In relation to the software itself, the provider retains all the control. So for example, it only has to update one version, and those updates are automatically pushed out to the customer, because the customer has to use the internet to access the SaaS product.
From the customer’s perspective, SaaS for startups is not just about money. SaaS products integrate well with other tools and systems you or your business are already using (a significant number of SaaS products are add-ons to major products). SaaS products, given their easy-to-access delivery mechanism, are generally marketed around making things simple. This can enhance your or your staff’s productivity without the typical investment needed to train on complex or custom software solutions used by a single company.
Due to the nature of SaaS, in return for the advantages, SaaS customers have a distinct lack of control over the software itself.
Some consequences of this lack of control are obvious. As a customer you are tied to the provider’s vision for and direction of the software. If a provider pushes out an update that does not work for you or your business, you’re stuck (especially if you have a long-term subscription). Relatedly, because there is only the one ‘version’ of the SaaS product, there is very little scope for customisation to fit individual needs or circumstances. This is not just limited to customisation of how the software functions, but also extends to how the hosting arrangements can be determined between the SaaS provider and its customers.
Because the data provided by the customer is hosted by the provider (or the provider’s subcontractor), there are greater risks (from the customer’s perspective) to data security. Moreover, if the SaaS product goes offline, or the provider itself is just not that great or responsive, you are paying for a solution that might not be solving anything because the SaaS product is down all the time.
SaaS for lawyers (or the legally inclined)
Anyone that wants to purchase or sell a SaaS product should have the basic legal points in mind.
In the traditional software distribution model, you purchase some software and install it on your device. Your right to use that software is subject to a licence. Intellectual property rights attach to (amongst other things) the underlying code and accordingly your right to utilise that code for your own purposes must be granted to you by the software provider. But in most circumstances, nothing else is needed from a legal perspective because you are operating the software on your device.
With SaaS, you are not utilising the code and other elements of the product in the exact same manner. Put simply, it is not your computer that is utilising the code and relying on its own resources to produce a result; rather, it is the SaaS provider’s infrastructure. Accordingly, there must be an agreement in place for the provider to make available the software operating services to you (hence, software as a ‘service’) in addition to an intellectual property licence to use it.
Like in any contract for services, the customer will be committing to pay a certain amount for access to the SaaS product for a set amount of time – usually termed a ‘subscription’. Different SaaS payment models can apply to both individual users and businesses. Typically, the customer pays a subscription for each login, and can access the SaaS product (or in some cases, certain features of it) for the term of the subscription (e.g. monthly or annually). When a SaaS provider is dealing with a business, the contract can be with the business and any employee/subcontractor can use the SaaS product as much as they’d like. Alternatively, a business could pay per employee. In some cases, SaaS providers allot a set number of uses of the SaaS product, which any employee can draw on up to the number of uses provided under the subscription.
If you do not pay for the subscription in accordance with the SaaS contract, you can be exposed to significant legal liabilities. A SaaS provider could recover monies owed to it even if the customer’s access is switched off. If there is no contract in place, this is far more difficult.
A further key legal point that is often not considered is data protection. SaaS providers are processors of their customers’ (or their customers’ staff’s) personal data pursuant to Article 4(8) UK GDPR. Article 28(3) UK GDPR obliges both controllers and processors to ensure that there is a contract in place that determines how personal data is to be protected and processed only on the instructions of the controller. Customers will expect to sign up to the SaaS providers’ own contractual terms (commonly known as a Data Processor Agreement or DPA). Customers should not engage with SaaS providers that do not offer or agree to have contractual mechanisms in place to ensure that their customers are in charge of their personal data.
SaaS for startups
So where does all this leave startups? For businesses interested in pushing out a new software solution – it is a good option. It is easier and in many cases cheaper to set up, scale, and manage to the point where a business is turning a healthy profit. NordVPN, a leading VPN provider using a SaaS model, was founded in 2012 – a decade later it was valued at $1.6 billion USD.
For businesses or individuals that want to utilise the benefits of large-scale software solutions at a small(er)-scale price, again, it feels like a no-brainer. In 2023, it is doubtful that a startup would prefer to obtain and install an internal HR solution, when it can pay certain SaaS companies £1-3 per employee to manage their pay, holiday, sick leave, and so on. But as your startup grows into a more substantial business, SaaS may be a looser fit than internal software that can be delivered by your own IT team, and tweaked to fit your business’ needs.
At EM Law, we have been advising on SaaS contracts for many years – for every business size and product. From straightforward ‘one size fits all’ contracts to contracts with multi-tier subscriptions, service level commitments, and complex usage restrictions – we can help. Please do not hesitate to get in touch via our contact us page.