Q&A With SaaS Lawyer Chip Cooper: How to handle data security in my enterprise SaaS agreement?

As a SaaS lawyer, I’ve been asked a lot of questions about SaaS agreements and SaaS reseller agreements. This Q&A is based on actual conversations as a SaaS lawyer with clients.

Q: How to handle data security in my enterprise SaaS agreement?

The issue of data security in an enterprise (or corporate) SaaS agreement is usually a highly negotiated issue.

This is because the enterprise customer for SaaS services wants maximum protection for data security. The enterprise customer wants its data processed and archived in the SaaS vendor’s servers (in the cloud) to be secure.

Maximum protection usually means shifting all of the risk to the SaaS vendor. And if the risk shifting is successful, it means that the SaaS vendor will be responsible for any and all security breaches, and perhaps even to the extent of indemnifying the customer.

The effect of this risk shifting is to make the SaaS vendor an insurer against all losses attributable to a security breach. Being an insurer is OK, IF the vendor’s pricing model takes this risk into account. So far in my practice, I’ve not seen a single SaaS vendor price its services to include an insurance “premium” so to speak.

One way for SaaS vendors to deal with the issue is to agree to a standard for data security. The standard could be general in nature, such as compliance with reasonable data security measures that are generally followed in the industry. Or the standard may be more specific, such as the standard set by the EU Safe Harbor. Or the parties could agree to a very specific negotiated standard. The key to this approach is that once the standard is agreed upon, the SaaS vendor should agree to be responsible for a security breach only if it's enabled by the vendor's failure to comply with the standard.

A related issue is who bears the data breach responsibilities when there is a security breach. Breach notification may be prohibitively expensive, so this is an important part of the overall issue of data security.


Copyright © 2011 Chip Cooper

This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.
