The Common Clause I Won't Accept in SaaS Contracts

Software as a Service (SaaS) contracts are incredibly popular. The subscription model makes cutting-edge software more available to businesses than ever before. However, few organizations know what to look for in these lengthy contracts - let alone how to negotiate them.


One clause that I don't accept in SaaS contracts is a Limitation of Liability clause that caps any and all liability to the value of the contract (or some multiple thereof). I don't accept this because there is one glaring and hot-button theory of liability which, if it manifests, will far-and-away exceed the value of the contract, and leave you holding the bag: Data Privacy.


Data Privacy. What About It?


Most SaaS platforms use, process, transmit, and store vast amounts of data. Often, the class of data handled is 'personally identifiable information' ("PII") - information which, on its own or in conjunction with any other information, can be used to identify a particular person.


PII is the subject of many emerging data privacy laws, like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and the penalties for violating the rights of 'Data Subjects' are severe.


What Does This Have to Do with SaaS Agreements?


Because the penalties for violating data privacy laws like the GDPR and CCPA can be so severe, SaaS providers typically include a cap on their liability in their contracts, Terms of Use, and End User License Agreements (EULAs). Consider how a breach plays out without that cap: if the SaaS provider suffered a data breach, your customers would come after you for violating their data privacy rights, and you would look to the SaaS provider for restitution.


With the Limitation of Liability clause, however, their liability to you would be capped, and your business would be responsible for the balance of liability to your customers.


Accordingly, I don't accept blanket limits on liability on SaaS contracts. I also won't accept anything less than express carveouts for:

  • Breach of confidentiality obligations

  • Breach of expressly-defined data security obligations

  • Negligence (ordinary negligence, not merely "gross negligence")

  • Third party claims arising from data breaches and data privacy laws; and

  • Third party intellectual property claims.

Bottom Line


GDPR fines can reach 4% of global annual revenue (or €20 million, whichever is higher), and the average cost of meeting the mere reporting requirements of a data breach is $750,000. If your SaaS provider is responsible for you incurring this kind of liability, it's not fair for them to say that you can't collect more than the value of the SaaS contract.


Need reviewing and negotiating your SaaS contracts? Out-House Attorneys has a dedicated Contract Overflow Support service that helps you review, negotiate, and manage your contracts company-wide. Contact us today.


The information provided on this website does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser.

