Software as a Service (SaaS), instead of on-premises software licensing, continues to grow as a model. It is sometimes referred to as ‘on-demand software’, and was formerly referred to as “software plus services” by Microsoft. In a nutshell, SaaS is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted by the provider. It exists on the cloud as opposed to being installed on the customer’s on-premises computing system. Read more about cloud computing in our blog.

Software as a Service is a growth area

SaaS has grown its share of the global enterprise software market from less than 2% in 2009 to 23% in 2019. By 2022, the global SaaS market is expected to be worth $140.63 billion. For customers, the service can offer greater access, convenience, and flexibility at a lower cost. And for vendors, it is easier, faster, and less expensive to roll out and sell to customers compared with traditional on-premises software development.

Common characteristics of SaaS arrangements

  • The service software is not installed or stored on the customer’s computer systems. The SaaS provider (or its subcontractor) hosts core SaaS software applications. While the customer may receive limited client-side software to aid connectivity to the provider’s network, the customer accesses the provider’s software remotely on the internet or another public, private, or hybrid public and private cloud network.
  • The SaaS services and infrastructure are managed by or for the SaaS provider and shared by multiple customers. Each SaaS customer accesses the service applications remotely from various client devices, but does not configure, manage, or control the underlying cloud infrastructure.
  • Service customization is limited. The software configuration is largely or entirely uniform throughout the provider’s customer base.
  • The supplier maintains the service software and provides service support subject to service levels. SaaS agreement maintenance and support provisions typically specify service levels and standards for the provision of support. Service levels define how well the provider needs to perform and are often accompanied by service credits if the provider fails to maintain certain service level standards.
  • Service fees accrue and are payable on a recurring, periodic basis. Fees may be based on provider subscription rates, the volume of customer use, or both.

Is Software as a Service More Cost Effective?

SaaS deployments are more cost effective (at least initially) than on-premises installations. SaaS customers generally pay a flat monthly fee per user for the software. SaaS implementations are also cheaper because companies don’t have to buy additional hardware or infrastructure to make the software work, so there are no capital expenditures with SaaS. You also generally don’t have to hire consultants to get the software installed as you often have to with traditional enterprise software. (There are exceptions to that generalization. For details, see Stephanie Overby’s article, “The Truth About On-Demand CRM.”) SaaS customers like the idea of a low up-front investment and a predictable expense stream, even though the cost advantages of the SaaS model may be counter-intuitive after three to five years of monthly fees.

Commercial risks in Software as a Service

Suppliers have quite understandably been marketing the potential benefits of usage-based payment models offered as part of cloud services. However, this carries an upside risk for customers if their usage of the services exceeds their expectations and budgeting. One of the key risks here is storage. If customers pay extra for more storage, they need to be certain they have policies in place to control increases in storage of information and data. Businesses need to think clearly about how long they really need to keep information (there is a clear link to legal obligations under data protection).

The most common approach now is a committed term of 1 to 3 years when signing up to an enterprise SaaS service. Suppliers want to be able to recognise revenue in their accounts and customers want to have a good degree of stability in their ICT delivery arrangements.

The commercial and contractual models for cloud service provision transfer risks back to customers, as compared to the outsourcing business model. Customers need to be able to manage a range of service delivery arrangements and to cope with the integration demands arising from using multiple cloud services. Customers need to be self-aware regarding their own capabilities to manage these risks. This may involve changes to business processes and cultures that ensure cloud services are used as efficiently as possible.

Cloud service provision, through its emphasis on standardised and commodity ICT, means that ICT delivery organisations must work within the constraints of a standardised service offering. Businesses need to design and adopt processes that make the best use of the cloud service as it stands. A number of the traditional outsourcing providers provide consultancy-type services to assist cloud services users in these activities.

Data escrow

Software as a service data escrow is the process of keeping a copy of critical software-as-a-service application data with an independent third party. Similar to source code escrow, where critical software source code is stored with an independent third party, SaaS data escrow applies the same logic to the data within a SaaS application. It allows companies to protect and insure all the data that resides within SaaS applications, protecting against data loss.

There are many and varied reasons for considering SaaS data escrow including concerns about vendor bankruptcy, unplanned service outages, and potential data loss or corruption. Many businesses either ensure that they are complying with their data governance standards or try to enhance their reporting and business analytics against their SaaS data.

SaaS in the financial services sector

Firms subject to regulation by the Financial Conduct Authority (FCA) also have to comply with FCA security requirements. The FCA has jurisdiction over data security breaches committed by financial services firms and continues the policy of its predecessor, the Financial Services Authority (FSA), in this area. The FCA actively pursues firms that fail to have adequate systems and controls in place to protect their customers’ confidential details from being lost or stolen. For example, in 2018 it fined Tesco Bank over £16 million for failures relating to a cyber-attack.

Under the regulatory regime applying to financial institutions, firms have a responsibility to assess the risks of data loss and take reasonable steps to minimise the risks of this loss occurring. In this context, reasonable steps are deemed to be those that are proportionate to the nature, skill and complexity of the operations taking place.

Although the obligations of a financial institution are no different whether data is stored in a cloud or not, the cloud presents certain challenges in managing third-party suppliers who are responsible for handling such data within a cloud environment. At the centre of this is who has access to the data. It is easier to establish in more traditional models of service provision where the data is and who has access to it at any given time. This is more of a challenge in cloud service provision models.

The FCA has issued guidance to clarify the requirements on firms when outsourcing to the cloud and other third-party IT services. It sees the cloud as encompassing a range of IT services provided in various formats over the internet. This includes, for example, private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Here to help

SaaS is ubiquitous and any business looking to use or deploy IT solutions today will encounter it. The COVID-19 pandemic has accelerated the already fast-paced adoption of cloud computing by everyone from start-ups to multinationals. A key issue for customer and supplier is ensuring that the correct contractual and commercial agreements are in place to safeguard value for money but also that the software meets the specific needs of the customer. Software development for companies used to be highly bespoke and, whilst SaaS creates opportunities for speed of access and off-premises maintenance, it also has the potential to leave a customer the victim of over-standardisation, i.e. one-size-fits-all software solutions that don’t meet the customer’s business needs.

EM law specialises in technology and contract law. Get in touch if you need advice on a SaaS agreement or have any questions on the above.