Illustration by Cory Thacker
Software is king. Today’s business environment relies on global platforms that are available to every user instantly, and nowhere is this more obvious than in the growth of “Software as a Service,” or SaaS. SaaS offerings range from tools used every day, such as email and word processing, to task-specific collaboration and project management portals. The ability to communicate ideas, needs and resources immediately over the web is everywhere, expected, and often demanded by project contract.
The most direct risk of these platforms is that, to work at all, SaaS requires handing business-critical data to a third party: the SaaS provider. Control of and protections for that data are usually governed by complex license agreements. But, like almost any contract, those terms can often be negotiated.
No list is complete, but the following points offer a few tools for assessing the risks surrounding access, security and privacy of SaaS data. Each is becoming a key risk management consideration for manufacturers, suppliers and glazing trades as more contracts require collaboration through SaaS systems.
Loading data into a SaaS provider’s system puts it outside the company’s control. The risk that the data is corrupted or destroyed, whether by accident or by mischief, is real. The provider must commit to ongoing backups and to an immediate recovery process if data is compromised; the agreement should say how far back backups reach and how quickly a restore must be completed, not merely that backups exist.
The open, collaborative use of data on a SaaS platform is only realized while the system is operational. Uptime commitments, and remedies for loss of system access, are key components when negotiating a SaaS implementation and use license.
Using these systems discloses sensitive business data to the SaaS provider. Ownership of the data, and each party’s responsibilities when a data loss is suspected, must be clearly established up front. In addition, SaaS systems have become valuable sources of documents and information in litigation discovery, which makes clear contract terms on data ownership and control essential.
Security and audits
Users rely on the SaaS provider to protect both the information and the system infrastructure. Timely security updates and maintenance of security certifications are important contractual considerations. Depending on the size of the company and the sensitivity of the data, it may also want the right to audit the provider’s security and protections, or at least to receive the reports behind the provider’s certifications. Ask for this right at the start of the SaaS relationship, and specify how often audits may occur.
Many SaaS providers are located abroad and may not agree to the jurisdiction of a company’s domestic courts or the application of its laws. Use agreements should provide that legal rights are interpreted and applied under the laws of your jurisdiction, with disputes resolved there. Watch, too, for clauses that incorporate international treaties on data privacy and governing law; it is hard to know every term these national commitments carry.
A good relationship does not always last forever. When a project ends, needs change, or an employee is terminated, the SaaS data becomes a potential problem if it is not controlled. How data is preserved or destroyed at each of these milestones should be addressed in the initial license or user agreement.
Confidentiality of the data uploaded to a SaaS provider must be expressly spelled out, and disclosure to other parties should be prohibited. Where the user agreement leaves protections or privacy uncertain, a separate non-disclosure agreement may be needed to close the gap.
Some SaaS systems integrate with a company’s own IT infrastructure. Limit and control these access points so that the company’s network is not exposed through the SaaS connection; each integration should have only the access it needs, and no more.
Because employees use and interact through SaaS platforms, a platform should give the company a way to administer, view and access individual user accounts within the SaaS environment. This oversight proves crucial when questions arise about permissible use, compliance with digital or personnel policies, and possible inadvertent disclosure of data.
As noted above, litigation and subpoenas increasingly target SaaS data. The user and license agreement should specify policies for the protection and preservation of data and the authority to disclose it. Spell out a sequence for notice of a production demand or subpoena, the company’s right to provide input, and the possibility of cooperating to contest the demand. Authority to disclose data should never be left solely to the discretion of the SaaS provider.
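The account oversight described above, and the offboarding concern raised earlier, become concrete when the SaaS user list is periodically reconciled against the HR roster. The following Python script is an added example and not code from the article; it assumes the provider can export a user list with email, status and last-login fields (most administrative consoles can), and that HR supplies a roster keyed by email. The sample records, the domain name and the 90-day dormancy threshold are constructed for illustration.

```python
"""Reconcile a SaaS platform's user export against the HR roster.

Added example, not from the original article. Assumed input formats:
the SaaS export is a list of dicts with 'email', 'status' and 'last_login'
(ISO date) fields; the HR roster maps employee email to 'employed' or
'terminated'. Flags four conditions a reviewer would want to see:
terminated staff still active, accounts outside the company domain,
accounts HR has no record of, and active accounts nobody has used.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

COMPANY_DOMAIN = "example.com"  # assumed; substitute the real corporate domain

# Constructed sample data for illustration only.
SAAS_USERS = [
    {"email": "alice@example.com", "status": "active", "last_login": "2024-05-01"},
    {"email": "Bob@Example.com", "status": "active", "last_login": "2023-11-20"},
    {"email": "carol@example.com", "status": "suspended", "last_login": "2024-01-15"},
    {"email": "dan@gmail.com", "status": "active", "last_login": "2024-04-30"},
    {"email": "erin@example.com", "status": "active", "last_login": "2024-04-28"},
]
HR_ROSTER = {
    "alice@example.com": "employed",
    "bob@example.com": "terminated",
    "carol@example.com": "terminated",
}


@dataclass
class ReconciliationReport:
    terminated_still_active: list = field(default_factory=list)
    external_accounts: list = field(default_factory=list)
    unknown_accounts: list = field(default_factory=list)
    dormant_accounts: list = field(default_factory=list)


def reconcile(saas_users, hr_roster, company_domain, today, dormant_days=90):
    """Compare the SaaS export with HR data and return the findings."""
    report = ReconciliationReport()
    cutoff = today - timedelta(days=dormant_days)
    for user in saas_users:
        # Normalise case so 'Bob@Example.com' matches the HR key.
        email = user["email"].strip().lower()
        active = user["status"].strip().lower() == "active"
        domain = email.rsplit("@", 1)[-1]
        if domain != company_domain:
            # Guest or personal-address accounts: review separately.
            report.external_accounts.append(email)
            continue
        hr_status = hr_roster.get(email)
        if hr_status is None:
            report.unknown_accounts.append(email)
        elif hr_status == "terminated" and active:
            report.terminated_still_active.append(email)
        if active and date.fromisoformat(user["last_login"]) < cutoff:
            report.dormant_accounts.append(email)
    return report


def run_example():
    """Run the reconciliation over the constructed sample on a fixed date."""
    return reconcile(SAAS_USERS, HR_ROSTER, COMPANY_DOMAIN, date(2024, 5, 2))


if __name__ == "__main__":
    result = run_example()
    for label, accounts in vars(result).items():
        print(f"{label}: {accounts}")
```

Run it on a schedule against each provider’s export; every account in `terminated_still_active` is an offboarding step the agreement should have obliged the provider to support, and every entry in `external_accounts` is a potential disclosure path worth a second look.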