Much has been said about due diligence when investing in or acquiring a software-as-a-service (SaaS) business. However, the increased reliance on cloud-based technology in today's remote world makes it critically important for a SaaS customer to be able to quickly identify the important contract provisions that will lead to receiving value from the customer's technology spend. This post provides key areas of focus when you are contemplating acquiring access to technology provided as SaaS.

Before clicking "accept," your business and IT teams should consider the following questions about the proposed SaaS terms, in addition to any others unique to your situation:

1. Scope of services

  • Does the SaaS product provide all of the technical features and functionality you need?
  • Are ancillary services related to training, support, and maintenance covered?
  • Does the order form or subscription agreement clearly and precisely reflect the business deal? Does it identify the scope of services you are expecting to receive, the fees, the installation timetable, renewal options, etc.?

2. Permitted use and users

  • Is the "permitted use" as defined in the contract broad enough to encompass your current and likely future uses?
  • Can the SaaS services be accessed by the seats or machines, or from the facilities, where they will be used?
  • Are the "authorized users" defined correctly – in addition to your employees, do your independent contractors and/or customers need access?
  • Are the number of authorized users limited? Any other limitations affecting uses or users?

3. Testing and acceptance

  • How mature is the SaaS platform – has it proven itself as being stable and functional in "real world" applications?
  • Is there a need for a testing and acceptance process to identify bugs and interoperability glitches? If so, are the testing and acceptance procedures adequate to result in a successful launch?
  • How many cycles of testing and acceptance will you allow before concluding that the platform will not work and you need to terminate the agreement?

4. Warranties and service level commitments

  • What warranties will the vendor provide?
    • That the SaaS platform will perform in accordance with its technical and functional specifications?
    • That the platform does not violate any third party's intellectual property or other rights?
    • That the vendor will comply with applicable law?
    • That the platform will not contain or transmit any viruses or similar harmful code?
  • What are the key metrics the vendor needs to attain for you to conclude that you've gotten your "money's worth"?
    • System availability?
    • Response time?
    • Customer or user satisfaction?
    • Others?
  • Is the help desk open during times of day when your users will likely have questions?
  • What are the hours during which the system can be taken off line for maintenance?
  • How is a "problem" and its severity defined? What exactly will constitute "resolution" of the problem?
  • What are the remedies for service level failures?
    • Reporting to you, along with a root cause analysis and plan for correction?
    • Fee credits depending on the severity of the failure?
    • Is there a dollar amount of accumulated fee credits where you will conclude that you have not gotten your money's worth and want to terminate?
    • Are any fee credits identified as a "penalty" or "liquidated damages"?
  • For more on service level agreements, see our coverage here.

5. Data usage and security

  • Are the vendor's data security obligations consistent with the type of information to which it may have access? Are special provisions required for GDPR compliance or under HIPAA, for example?
  • Are the vendor's obligations to protect and restrict use of your confidential information in line with your general security requirements?
  • Is the information you provide to the vendor subject to any contractual restriction on disclosure?
  • Does the vendor obligate itself to perform in accordance with the data security and confidentiality requirements (for example, stating that it "will" meet the applicable requirements as opposed to stating the it will use "reasonable efforts" or that its "policy" is to comply)?
  • Are the procedures for notice, cooperation and remediation of any security breach adequate?
  • What is the vendor's disaster recovery and business continuity plan?

6. Other important vendor obligations

  • Is there a dedicated technical and customer service team at the vendor to support you?
  • Can the vendor subcontract its responsibilities? Are there any critical functions that you require the vendor to retain? Is it clear that the vendor remains ultimately responsible for its subcontractors' performance (including confidentiality and data security)?
  • How are change orders handled?
  • What is the scope of the events of force majeure that could delay or prevent the vendor's performance?
    • Are the listed events truly outside of the vendor's control, or should the vendor retain the responsibility (such as malfunctions of its equipment or internet services - other than because of a widespread problem - or breach by the vendor of a contract with one of its own service providers)?
    • Is the vendor required to notify you of a force majeure event, and use reasonable efforts to mitigate the problem?
    • Is there a point of time after which you would want to terminate the relationship even if the vendor did not technically breach?
  • Does the vendor have any responsibility for data backup? To maintain backup equipment or data centers?
  • What is the vendor's roadmap for development and improvement of the platform? Will those improvements be available to you and will there be a charge?

7. Liability caps and exclusions

  • Is the vendor's liability for breach capped at an appropriate level in view of the risks and potential damages?
  • Are the exclusions of consequential and punitive damages overly broad (for example, do they also cover "direct" damages)?
  • Are there appropriate exclusions from the liability cap, including for:
    • Liabilities resulting from the vendor's breach of its obligations related to data security and confidential information (and any other vendor obligations that you think would result in significant damages to you if breached by the vendor)?
    • Obligations to defend and indemnify you for claims and losses asserted by third parties?
    • Liabilities caused by the vendor's gross negligence or violation of law?
  • Are the caps and exclusions reciprocal to protect you as well as the vendor?
  • Is the vendor's and your insurance coverage appropriate to cover major problems (including, for the vendor, professional errors and omissions, and cyber coverage)?
  • What is the vendor's indemnification obligation? Is it adequate to protect you from likely risks?

8. Intellectual property

  • Is it clear that you retain ownership of all of your existing intellectual property and data?
  • Will the vendor be creating any interface or integration tools, or other custom software or materials? Who owns them? If the vendor retains ownership, will you have a robust license to use them - at no additional charge - even after termination?
  • Will ownership of your data change? What uses can the vendor make of your data? Is the vendor prohibited from disclosing your data to a third party without your prior written consent?
  • If you get caught up in an intellectual property dispute between the vendor and a third party, will the vendor defend and indemnify you? Is the vendor obligated to obtain rights for you to continue using the SaaS platform, or to provide a substitute or workaround at no additional charge?

9. Termination

  • Are the grounds for termination reasonable?
    • Do you receive adequate notice of any breach with an opportunity to cure if you breach?
  • Does the vendor have an unreasonably long time to cure its default?
  • Is the vendor required to return and/or destroy your data and confidential information after termination? Is the format of returned information acceptable and usable for you?
  • If termination is the result of the vendor's bankruptcy, does the contract give you the protections of §365(n) of the Bankruptcy Code?
  • Do you need any post-termination assistance to transition services to another provider?
  • Is the vendor required to return unearned fees?

10. Escrow

  • What would happen if the vendor went out of business?
  • If the platform is mission critical for you, are there alternative providers? Or do you want your vendor to put the source code and object code for the SaaS platform into escrow so you can access the code and operate the platform if the vendor is unable or unwilling to perform?
  • If you require an escrow, do the terms under which the source code is released to you cover appropriate contingencies (which might include the vendor's bankruptcy, failure to perform after notice and opportunity to cure, or the vendor being acquired by your competitor)?
  • Does your right to use the code after being released from escrow cover your anticipated needs to fully deploy the software, modify and adapt it to your requirements?

This outline is intended as a general overview of some of the issues that often arise when considering a SaaS arrangement. We hope these "thought starters" will help you formulate your own diligence plan that is tailored to your unique circumstances.

Matt Hafter is a partner in Thompson Coburn's Corporate and Securities practice group, and represents both vendors and customers in SaaS agreements and other complex technology transactions.

Originally published May 12, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.