Reviewing terms and conditions when acquiring software or a SaaS application is not a pleasant experience. In fact, the entrepreneur often tends to think that IT is a supporting function, and that the review of those terms and conditions is an unnecessary waste of time. However, these conditions are likely to have many pitfalls which, in the absence of specific skills, are admittedly very difficult to detect. Let us take a few examples:
a) Software licensing
So-called “software licensing” relates to the general terms and conditions applicable to software installed on premise, whether in the form of a download or an installation by an integrator. As such, the risks are more limited than those that may exist in the context of a SaaS application, since the contractor retains control of the software and the data to be processed. However, the pitfalls do exist. Among these, one should for instance consider the following ten points:
- Will the license be broad enough to cover my needs?
- Am I entitled to test the software for a certain number of days for free or for a modest price, to make sure it meets my expectations?
- Does the software come with a warranty that allows me to ask for the supplier’s support in case of problems and, if so, for how many months do I benefit from this warranty?
- Does the supplier represent and warrant that it holds all rights, title and interest to the software and that it will indemnify me in the event of a breach of this warranty?
- Are updates included in the license fee? Am I entitled to benefit from them automatically?
- What is the term of the contract? Assuming it is concluded for several years, is the supplier entitled to increase the license fee on a yearly basis and, if so, to what extent? Can I terminate the contract in the event of a price increase?
- Are support and maintenance included in the license agreement? If not, is it possible to benefit from them and for what price (bearing in mind that the price of the annual maintenance generally equals 18-22% of the license fee)? What is the extent of this support (8/5, 24/5, 24/24)?
- Are there relevant provisions on the effects of termination of the contract to ensure business continuity without the risk of dependence on the supplier (the so-called lock-in effect)?
- Am I entitled to benefit from the supplier’s support upon termination to migrate to another vendor? Will such support be provided for free and, if not, under what conditions?
- Assuming that the software is operationally critical, is the conclusion of an escrow agreement enabling the source code to be used in the event of the supplier’s insolvency or cessation of activities, for example, conceivable? If it is, do I have the necessary skills internally to exploit this source code or can I easily obtain them?
b) SaaS agreements
While it has many advantages over a software licensing agreement, the use of a SaaS application involves greater risks for the entrepreneur, since it requires data to be outsourced to a third party that will have control over it (except in the special cases of the private cloud, generally reserved for large companies). This outsourcing comes with numerous pitfalls to avoid. In addition to the elements mentioned above in relation to software licensing, which are applicable in the context of SaaS agreements to a large extent, the entrepreneur will be well advised to consider, for example, the following ten points:
- Do the general terms and conditions include a service level agreement (SLA)?
- What is the availability rate of the application? The more operationally important the application is, the higher this rate should be; in any case, a rate below 99.5% should no longer be accepted today.
- What is the periodicity of this availability rate? Is it calculated per month or per quarter? Assuming that the availability rate amounts to 99.9% over a month, this means that the duration of unavailability can only be thirty minutes over a month; however, if this rate is calculated on a quarterly basis, this means that the duration of unavailability can exceed two hours in a row, without entitling the customer to complain about it in any way.
- Assuming that the expected availability rate is not achieved, what are the consequences for the supplier? Providing for a rate without attaching any penalty in the event of a breach is ultimately tantamount to guaranteeing nothing. The agreement should therefore provide for consequences if this rate is not complied with, generally in the form of service credits.
- What are the hours during which I can benefit from my supplier’s technical support? While support provided Monday through Friday from 8am to 5pm will be sufficient in many cases, 24/7 support may be necessary when the application in question is of critical operational importance to ensure business continuity.
- What is the language in which the support will be provided? It is indeed fundamental that the people providing technical support speak the language of the teams likely to use it.
- What are the channels through which I can inform my provider of a technical problem? While issuing a ticket by sending an email is standard, this channel can be unsatisfactory when the incident is at a critical level (traditionally referred to as P1), a case in which having the possibility to call a specific person directly is considered important.
- When I raise an incident, how soon can I expect a response, or even how long will it take to be resolved? Although suppliers are generally reluctant to make any commitment in terms of resolution before having carried out a root cause analysis, it is important to ensure that the incident is not left unresolved and that, for incidents with a possible operational impact, a temporary workaround is quickly put in place within a pre-agreed timeframe.
- As my data will be outsourced, it is important to ensure that sufficient security controls are in place given the level of sensitivity of the data entrusted to the supplier. Certain certifications, such as the ISO 27001 standard, may be expected.
- Finally, for the same reasons, it is important to ensure that a data processing agreement is in place with the supplier. In most cases, you as an entrepreneur will in fact be considered as the data controller; as a result, you will be accountable for ensuring that the supplier, acting as a data processor, complies with the applicable data protection provisions, potentially including the GDPR if applicable.
This is just a collection of a few clauses worthy of attention. The examples could be multiplied. In the era of Big Data and the advent of related technologies such as the Internet of Things (IoT) or Artificial Intelligence (AI), many issues are emerging, such as those relating to data ownership, guarantees and liabilities to name a few. From supporting functions, these technologies are increasingly taking an operational turn, which is why their contractualization and the related issues are becoming increasingly important. It is easy to understand that in view of the complexity of the subject, reading these clauses without the required expertise is indeed often a waste of time for the entrepreneur.
WILHELM Avocats SA has extensive experience in the drafting and negotiation of IT agreements, from the simplest to the most complex. If you wish to avoid the many pitfalls involved with IT agreements that might be detrimental to your business, please do not hesitate to contact us. We will be happy to help you make sure that what you sign for is what you want, without any unpleasant surprises.