
Page 1: Negotiating SaaS Agreements: Key Contract …media.straffordpub.com/products/negotiating-saas...2018/11/06  · effect during the term of this Agreement, policies of insurance, of

Negotiating SaaS Agreements: Key Contract Provisions and Protections

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

TUESDAY, NOVEMBER 6, 2018

Presenting a live 90-minute webinar with interactive Q&A

Beth A. Fulkerson, Partner, Culhane Meadows Haughian & Walsh, Chicago

Nathan Leong, Lead Counsel, U.S. Health & Life Sciences Legal, Microsoft, Chicago

David W. Tollen, Founder, Tech Contracts Academy, San Francisco

Page 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Page 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

FOR LIVE EVENT ONLY

Page 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Page 5

David W. Tollen

Training on drafting and negotiating IT agreements – for lawyers and businesspeople

[email protected]

www.TechContracts.com

415-278-0950 x1

San Francisco

IT contracts and privacy; expert witness services

[email protected]

www.SycamoreLegal.com

415-278-0950 x1

San Francisco

Page 6

Additional Resources

▪ Tech Contracts Academy™: training on drafting & negotiating IT contracts, TechContracts.com

▪ The Tech Contracts Handbook: easy, simple, comprehensive

▪ TechContracts.com: free resources – sample language, articles, etc.

▪ Sycamore Legal, P.C.: legal services re IT contracts, expert witness services, SycamoreLegal.com

Page 7

Outline: Data Terms in IT Contracts

1. Data “Ownership” and its Limits

2. Data Control

3. Data Security

4. A Few Customer Concerns re Data Breach Indemnities

Page 8

Data “Ownership”

The problem: you can’t really own data

What to do about ownership?

• Ownership Acknowledgement – or assignment if applicable

• IP-Related “Confirmations”

❑ Valuable property

❑ Trade secrets

❑ Original compilation under copyright

❑ Substantial resources collecting, managing, compiling – under copyright

Plus ownership of derived data & derivative works …


Page 9

Data Control Issue #1: Restrictions on Use

▪ Solely to serve customer

▪ For vendor purposes too

❑ Analysis & reporting

❑ Improving products/services

❑ Publication and sale

• Restrictions on marketing w/ data

• Aggregate data

❑ De-Identified: all PII removed

❑ Truly Anonymized: PII removed and no key/code available to recreate it

Page 10

Data Control Issue #2: Restrictions on Use

• Subcontractor & employee access

• Customer access

• Moving data

• Termination and deletion of data

• Compliance w/ applicable law

❑ GDPR

❑ Other privacy laws: GLBA, HIPAA, FCRA, etc.

Page 11

Data Control Issue #3: E-Discovery

• E-Discovery

❑ Making sure the vendor doesn’t get you in trouble by deleting relevant data

❑ Making sure your opponent in litigation can’t subpoena the vendor

This is you, in trouble with the court over e-discovery. (Not really, but it isn’t pretty.)

Page 12

Data Security

• Technical Security: big kahuna

• Audits & Testing: SOC-1/SSAE-16, SOC-2, SOC-3, ISO 27001 – outside CPA professionals

• Background Checks: for employees and contractors

• Data Breach Response

Page 13

Data Breach Indemnity and the Fault Problem

When the breach happens, and possibly through much of the litigation, no one knows who’s at fault. Is the vendor indemnifying the customer’s negligence?

• Clunky fault-based indemnity?

• Clunky indemnity based on whose computers held data?

• Indemnity w/ limit of liability?

• Customer as indemnitor?

• No indemnity?

Page 14

© 2018 Tech Contracts Academy™ LLC

Graphics courtesy of Pixabay: www.Pixabay.com

Page 15

Cloud Contracts, Industry Trends

linkedin.com/in/nathanleong

Page 16

Cloud Contract Topics

Page 17

Customers expect

• Control over who has access to their data.

• Provider’s access to data to require customer’s authorization.

• Their data to be permanently deleted or taken with them at the end of the subscription.

What Cloud Providers should offer

• Choice and transparency on where customer data is stored.

• Understandable and strict policies of what we will – and will NOT – use customer data for.

• To defend customer’s rights and privacy – ensuring due process is followed – when responding to law enforcement requests.

• A variety of tools to extract customer data and for litigation hold / eDiscovery needs.

• To delete customer data after the service is terminated or expired.

Privacy & Control

Page 18

Use of Customer Data

“Customer Data will be used only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer.”

http://www.microsoftvolumelicensing.com

Page 19

Disclosure of Customer Data

Microsoft will not disclose Customer Data outside of Microsoft or its controlled subsidiaries and affiliates except (1) as Customer directs, (2) as described in the OST, or (3) as required by law.

Microsoft will not provide any third party: (a) direct, indirect, blanket or unfettered access to Customer Data; (b) platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to Customer Data if Microsoft is aware that the data is to be used for purposes other than those stated in the third party’s request.

http://www.microsoftvolumelicensing.com

Page 20

What Cloud Providers should offer

• State-of-the-art physical security measures.

• Data encryption across all communications stages.

• Incident response team to mitigate threats and attacks available 24/7.

• Built-in data protection tools and encryption capabilities e.g. bring/manage your own keys.

• Third party security certifications and attestations e.g. SOC, ISO, HITRUST.

Customers expect

• Customer data to be safeguarded using state-of-the-art security technology and processes.

• Customer data to be encrypted in transit and at rest.

Security

Page 21

What Cloud Providers should offer

• Comply with laws applicable to the cloud service provider; shared responsibility mapping.

• Industry leadership in pursuing compliance with the latest data privacy and security standards.

• Global infrastructure that enables customers to meet their compliance requirements.

• Independent audits to certify compliance with international, local, and industry standards e.g. SOC, ISO, HITRUST, PCI.

Customers expect

• Compliance with applicable laws.

• Cloud services that comply with international standards and applicable regulatory requirements.

• Access to certifications for each of their provider’s cloud services.

Compliance

Page 22

Compliance Certifications and Attestations (slide graphic: a grid of certification and attestation logos grouped under Global, US Gov, Industry and Regional; the names legible in it include HIPAA / HITECH Act, FERPA, FedRAMP Moderate, ITAR, GxP, 21 CFR Part 11, Section 508 VPAT, SOC 1 Type 2, SOC 2 Type 2, CSA STAR Self-Assessment, CSA CCM, ISO 20000-1, ISO 27001, ISO 27017, ISO 27018, HITRUST CSF, FIPS 140-2, SP 800-171, NIST CSF, CIS Benchmark, CJIS, DoD DISA SRG Levels 2, 4 and 5, DFARS, IRS 1075, GLBA, FFIEC, WCAG 2.0 AA, EU GDPR, EU Model Clauses, EU-US Privacy Shield, ENISA IAF, EU EN 301 549, Spain ENS, Netherlands NEN 7510 and BIR 2012, Germany IDW PS 951, UK G-Cloud, Canada Privacy Laws, Argentina PDPA, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO, Japan FISC, CS Mark Gold and My Number Act, and China DJCP, GB 18030 and TRUCS)

Page 23

Software-as-a-Service Agreements: Warranties, Indemnities, Limitations of Liability and SLAs

Beth Fulkerson, Partner

[email protected]

Page 24

Outline

Warranties – Hybrid IP plus service provider

Indemnities and LoL – Be prepared to argue about caps and understand data breach insurance

Service Level Agreements – Support, uptime, penalties

Other important provisions – Transition services, escrow

Page 25

Warranties

Mutual: standard good standing and authority clauses

Mutual: compliance with applicable laws

Provider: all necessary rights

Provider: will disclose any necessary third party licenses

Provider: all necessary expertise to perform services

Provider: *Services will conform to specs in Documentation*

Provider: Services will not introduce viruses

Provider: no disabling mechanisms

Page 26

Warranties

Provider: compliance with specific statutes, if applicable, e.g., HIPAA

Provider: data security

Subscriber: has all necessary rights to data

Page 27

Covenants / Responsibilities

Subscriber: is the data controller

Subscriber: oversees the project which is facilitated by the Services

Subscriber: authorized users and passwords

Subscriber: will not create derivative works of Services

Subscriber: grants limited license to process data

Page 28

Indemnities and Limitation of Liability

INDEMNITIES:

Provider: breach of warranty, breach of agreement, with carveout for claims resulting from acts or omissions of Subscriber

Provider: infringement

Subscriber: breach of warranty, breach of agreement – focus on data and misrepresentations to data subjects

LIMITATION OF LIABILITY:

Mutual: No consequential damages except for indemnification or gross negligence or willful misconduct. Direct damages capped at fees (multiple and time period TBD) except for indemnification, gross negligence, willful misconduct or breach of confidentiality

Some providers try to cap indemnity exposure

Page 29

Insurance

Each Party agrees to maintain, at its sole cost and expense, policies of insurance providing coverage for its general and professional liability (and any other coverage as may be applicable) throughout the Term of this Agreement.

Page 30

Insurance

Service Provider shall, at its own expense, procure and maintain in full force and effect during the term of this Agreement, policies of insurance, of the types and in the minimum amounts as follows, with responsible insurance carriers duly qualified in those states (locations) where the Services are to be performed, covering the operations of Service Provider, pursuant to this Agreement: commercial general liability (CHF 1’000’000 per occurrence, CHF 2’000’000 aggregate); workers’ compensation (statutory limits) and employers’ liability (CHF 500’000 per accident); and, professional liability (CHF 1’000’000 per occurrence, CHF 1’000’000 aggregate). Subscriber shall be named as an additional insured in such policies. The liability policy shall be primary without right of contribution from any insurance by Subscriber. Such policies shall require that Subscriber be given no less than thirty (30) calendar days prior written notice of any cancellation thereof or material change therein. Subscriber shall have the right to request an adjustment of the limits of liability for commercial general liability and professional liability insurance as Service Provider’s exposure to Subscriber increases. Service Provider shall provide Subscriber with certificates of insurance evidencing all of the above coverage, including all special requirements specifically noted above, and shall provide Subscriber with certificates of insurance evidencing renewal or substitution of such insurance thirty (30) calendar days prior to the effective date of such renewal or substitution.

Page 31

Service Level Agreement (SLA)

Storage / bandwidth / transactions units

Fees per unit, usually tiered

Availability / uptime / maintenance

Server response time

Technical support

Severity levels and response time

Training

Credits / penalties / liquidated damages

Page 32

Transition

Transition services, if provided, are provided on a time and materials basis.

Escrow – software and related material placed into escrow for Subscriber in the event Service Provider is unable to fulfill obligations

Step-in Rights – Subscriber has right to perform Services itself (or have Services performed by a third party) if Provider is at least temporarily unable to

Page 34

What Cloud Providers should offer

• Enterprise-grade, financially-backed uptime commitment.

• Adherence to industry standards, best practices and certifications.

• Robust disaster recovery, backup and archiving, and monitoring and management tools.

• Service health information, including planned maintenance.

Customers expect

• Data and services to be available when they need them.

• Tools to build and manage their critical business applications and data.

Reliability, SLAs, Warranties

Page 35

What Cloud Providers should offer

• Uncapped IP defend and protection obligation for third party claims, inclusive of CSP’s IP and IP used to deliver the cloud service.

• Similar customer obligation for customer data and third-party IP hosted on the cloud.

• Reasonable mutual liability cap, rationally related to subscription spend.

• Transparency about insurance and risk management program, financial stability.

Customers expect

• Financial responsibility for customer data.

• Often heightened concern about post-breach liability apportionment between parties.

• Insurance commitments by cloud provider.

Liability

Page 36

Resources

http://www.microsoftvolumelicensing.com

http://www.microsoft.com/trustcenter/

http://www.microsoftcloudassurance.com/

http://aka.ms/transparencyhub

http://enterprise.microsoft.com/en-us/customer-stories/
