Andrew S. Bosin is a Software as a Service SaaS lawyer who provides legal advice to SaaS companies, SaaS vendors, SaaS application service providers, cloud computing companies, end-users, re-sellers and SaaS customers.
In addition, Andrew also negotiates and drafts SaaS contracts, SaaS agreements, software licenses, SaaS re-seller agreements, website terms & conditions, business deals and transactions. Andrew also represents clients helping them to understand and navigate legal issues related to SaaS Platforms, SaaS-based supply chain solutions, SaaS Analytics Applications, Indemnification Agreements, SaaS Security Applications, HeSaaS Hardware Enabled Solutions, Infrastructure as a Service (IaaS) agreements, Platform as a Service (PaaS) Application Agreements and Contracts and data security and privacy legal issues and concerns such as data breaches and cyber-attacks.
Andrew works with and provides legal advice to SaaS startups, entrepreneurs, Internet of Things (IoT) connected devices companies and manufacturers & software and technology companies doing business and located both in the United States, Europe and worldwide and in New Jersey, New York, Connecticut, Pennsylvania, Virginia, Ohio, Florida, Georgia, Texas, Alaska, California, Illinois, Idaho, North Carolina, Colorado, Utah and Seattle, Washington.
SaaS cloud computing services applications attorney Andrew S. Bosin specializes in assisting and helping clients navigate and understand SaaS Law and the various complex legal issues surrounding web based internet solutions and applications and the language and contract terms contained in SaaS Agreements, SaaS Contracts, SaaS Licensing Agreements, End User Licensing Agreements (EULA), SaaS Subscription Agreements and Master Service Agreements and the Internet of Things (IoT) wireless internet connected devices. Andrew specializes in drafting SaaS cloud agreements in plain English so the terms, conditions and language found in such contracts are easy to understand.
Andrew’s clients include companies in the areas of software, technology, internet of things (IoT), web 2.0, big data, connected devices, healthcare, SaaS, digital media and video, software application development, mobile application development, video game development, and internet, website and e-commerce companies and startups.
It is more than likely that some of the software you are using in your business is SaaS. So, you should be familiar with some key terms, provisions and language that are typically contained in a SaaS Agreement.
Here are some key legal issues and points to negotiate in SaaS Agreements:
The difference between SaaS based Software and Traditional Software
The two main differences are accessibility and price. With traditional software you go to the store, make a one-time purchase, install the software on your computer and, as long as you abide by the terms and conditions, you can use the software conceivably forever. On the flipside, SaaS software is cloud based, and as soon as you sign the contract and pay your fee the software is available to be accessed by an internet connection.
The other difference between SaaS and traditional software is price. While traditional software typically charges a one-time fee, the user of SaaS software will most likely pay a monthly fee to access the software. And, unlike traditional software, the user of SaaS Software does not own the software.
Access to the SaaS service is usually made available on a subscription basis, with monthly or annual plans as the most popular choices. In examining a SaaS agreement it should state in plain English what plans are being offered and what they include.
The User’s Rights To Access The Software
Prior to making a SaaS purchase, your company should sit down and discuss how many users will be accessing the software. This is because pricing is usually linked to certain key benchmarks, such as the number of users, or storage limits. So, “your” SaaS agreement should very clearly set forth the applicable benchmark. Specifically, if you want 100 users to access the software, the SaaS provider could require your company to define or delineate those 100 employees, as opposed to how you want to use the software, which is any 100 employees at any time.
Service Level Agreements (SLA)
An important part of the SaaS Agreement is holding a SaaS provider to a minimum performance standard in connection with a SaaS agreement. An example is that the service will have an uptime percentage of 99.9%, meaning the service is guaranteed to be up, available and running live 99.9% of the time. This performance standard is known as a Service Level Agreement (SLA). You also need to have the Agreement spell out how the performance standard will be calculated.
What if the SaaS Vendor files for bankruptcy or goes out of business?
It is important to make sure that the SLA contains language that clearly states that you can export your data from your SaaS provider. This clause should also include how often and in what type of format you may access your data. The clause should also state that the vendor will assist in migrating your data, for an appropriate fee.
Who owns the Data?
If your SaaS Agreement is a Licensing Agreement rather than a Master Service Agreement, it is likely that the SaaS provider will strictly limit what your company can do with all the data that will be derived from the users. This is typically the case where the SaaS Software allows the entity accessing it to modify the software and use it online publicly, where users outside the company could leave their personal data, such as name, address, etc., in using the software. In negotiating a SaaS Agreement you want to make sure the ownership of the data is clearly spelled out, along with what your company can or cannot do with it. You also want to make sure that the SaaS provider is maintaining the data safely on its servers and that it is dealing with all security issues.
What is the duration of the Agreement and how do you terminate?
Before you sign a SaaS Agreement, you want to make sure that you understand the duration of the term, how the Agreement gets renewed and how you can terminate early if need be.
Maintenance of the Software
The Agreement must clearly state which party is responsible for implementing and maintaining the service including fixing bugs and pushing updates.
What should SaaS Software Cloud Services Vendors do to take security seriously and put controls, processes and procedures in place to protect sensitive customer data? Are you a SaaS Application Provider entering into contracts and agreements with customers and end-users but have failed to put in place an effective data security privacy protection policy, plan, procedures or guidelines? Are you a customer doing your due diligence and making sure that your company's confidential information and data will be adequately protected by a certain SaaS vendor? What are your capabilities as a SaaS vendor for protecting confidential highly sensitive customer data and information?
Failing to ensure that the appropriate security protection is in place when using cloud services could ultimately cause higher business and insurance costs and the potential loss of business. When using a SaaS cloud computing service, customers must understand clearly what the possible security benefits and risks are that come with using a certain cloud computing application, and have a firm grasp of what security protections or plans, if any, their cloud provider has put in place to protect their confidential data and/or information. For each different type of service, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), there might be different security requirements and responsibilities.
SaaS service providers [whether they serve and host the application or outsource it to a third party managed cloud provider] should do a host of things to make sure that whatever data or sensitive information is being gathered and stored in the cloud for their clients is secure.
How can you properly evaluate the security capabilities and vulnerabilities of Software as a Service SaaS Cloud Based Vendors and Service Providers? Here are a few things you should consider:
- If you are outsourcing the hosting and serving of your company's SaaS Cloud Application to a third party managed cloud provider you need to carefully read and analyze the agreement you will execute with the cloud provider to see what type of liability the managed cloud provider will accept and how much it will pay in damages in the event the cloud provider causes a breach which results in a loss or compromise of client data and in turn the client sues your company for negligence.
- Internally, your company should limit access to your cloud application to authorized personnel only. I would classify employees that have access to the provider's application as "authorized employees." These are employees who have a need to know or otherwise can access customer data or personally identifiable information (PII) to allow the SaaS Service Provider Vendor to perform its obligations under this Agreement. These individuals should also sign non-disclosure agreements prohibiting the unauthorized transfer and sale of customer user data and PII. PII could have a broad meaning to both vendor and customer, so it's a good idea to list or define the types of PII that should be protected from disclosure to unauthorized employees and third parties.
- You should perform criminal background checks if legal in your state before employees are exposed to sensitive customer data or financial information.
- You should provide Corporate Security Awareness Training to employees so everyone has a heightened sense of purpose regarding customer data protection and security.
- I would put together a Security and Risk Management Team of highly qualified individuals to manage security risk.
- Incident Response Plan - What if there is a data breach or a cyber-attack? Your company should have a plan in place which details what actions you are going to take in the event disaster strikes. To this effect, how are you going to notify customers of a data breach or disaster?
- Data Recovery and/or Disaster Plan - Do you or your managed cloud provider have a disaster plan in place? Do you or your SaaS managed cloud provider utilize redundant and fault tolerant systems to ensure maximum uptime and recover quickly from disasters? Customers are going to want to know how long it will take to retrieve their data and if it has been lost or compromised.
- Your company should have an effective Information Security Policy in place which needs to be assessed and updated if need be annually.
- Does your company perform web application testing to determine if there are any security issues or vulnerabilities that need to be fixed?
- Employees should be required to sign a document acknowledging they have received a copy of the company’s Security Policy.
- You should think about putting in place a Change Control Process to make sure that changes to the software and hardware IT infrastructure don’t severely impact production systems.
- Are the vendors that will be managing your cloud services certified? Certification means that the vendor takes security seriously.
- Are your customers' users required to enter a password that is authenticated before permitting a user to gain access to the SaaS application and/or services?
- Does your managed cloud provider offer or use encryption for the data that is being stored?
- Who has access to sensitive customer data and how is it being stored? This sensitive information should be stored in a secure, redundant, highly available database system with access restricted to employees and personnel that are members of a contained group.
- If you are the SaaS vendor, who in your company has access to sensitive client/customer information? You want to make sure your company can access the files but not view them. Make sure that only a select few employees can have access to and view sensitive customer data.
- You should become familiar with how hard drives which are old and no longer functional are destroyed. You should ask your managed cloud provider if old disk drives are destroyed on premises by a third party vendor.
- Are you offering customers any type of encryption for data transfers?
- Are customer files or data being backed up to a second storage system in the event disaster strikes?
The above list is not dispositive and does not cover everything a SaaS vendor should do to take security seriously and put controls, processes and procedures in place to protect sensitive customer data. With that said, do yourself a favor and hire an outside vendor, a company that is an expert in determining your company's capabilities or vulnerabilities in managing data security and what needs to be done.
Please call SaaS Attorney Andrew S. Bosin, Esq. for a free legal consultation at 201-446-9643.
Experienced SaaS Lawyer Andrew S. Bosin represents clients on SaaS Software business and legal issues, challenges, liabilities and implications and questions concerning data security contract language and clauses for SaaS service vendors, specifically issues concerning breach of contract, vendor provider liability and indemnification, contractual terms and language, contract damages, data security storage concerns, drafting and negotiating data security clauses, security breach standards protocols procedures, remediation for a security breach, audit of the service provider’s facilities and practices, data ownership and privacy protection, data security management, processing of personal information by the service provider, standard of care, highly sensitive information, encryption, cloud storage, data hack, data breach, return or destruction of personal property, safeguards put in place by the SaaS Vendor, issues with HIPAA and HITECH, the manner in which Personal Information is used, stored, processed, collected, accessed, disposed of and disclosed.
SaaS Cloud Lawyer Andrew S. Bosin, Esq. is located in New Jersey just outside of New York City and has a nationwide SaaS Software Licensing Law Firm serving clients in New Jersey, New York, Buffalo, Queens, Manhattan, New York City, Westchester County, Islip, Oyster Bay, Rochester, Utica, New Rochelle, Tonawanda, White Plains, Binghamton, Saratoga Springs, Rockland County, Brooklyn, Long Island, Albany, Syracuse, Suffolk County, Nassau County, Bronx, Staten Island, Allentown, Scranton, Lancaster, Harrisburg, State College, College Station, Boston, Hartford, Providence, Connecticut, Atlanta, Chicago, Washington D.C., Dallas, Florida, Ohio, California, Austin, Texas, Maryland, North Carolina, Massachusetts, Colorado, Utah, Oregon, San Antonio, Austin, San Diego, Los Angeles, Silicon Valley, San Francisco, Houston, Salt Lake City, Toledo, Akron, Dayton, Provo, Portland, San Jose, Miami, Tampa, St. Petersburg, Ft. Lauderdale, West Palm Beach, Broward County, Dade County, Newark, Delaware, College Park, MD, Cook County, Phoenix, Denver, Boulder, Ft. Collins, Nashville, Memphis, Kansas City, Raleigh, Charlotte, Indianapolis, Boise, Eugene, Manchester, Burlington, Philadelphia, Pittsburgh, Pennsylvania, Vermont, Rhode Island, Boca Raton, Arlington, Virginia, Alexandria, Virginia, Reston, McLean, Cambridge, Quincy, Riverside, San Bernardino, Minneapolis, St. Louis, Cleveland, Columbus, Baltimore, Sacramento, Cincinnati, Orlando, Las Vegas, Round Rock, San Marcos, Louisville, Richmond, Tempe, South Bend, Bloomington, Knoxville, Oxford, Tucson, Long Beach, Ames, Ft. Collins, Lawrence, Blacksburg, Charlottesville, Champaign, Oklahoma City, Birmingham, Salt Lake City, Baltimore, Mobile, Alabama, Utah, Washington, Seattle, Oregon, Portland, Eugene, Sacramento, Pittsburgh, Wake County, King County, Redmond, Kirkland, Bellevue, San Mateo County, Contra Costa County, Cupertino, Los Gatos, Sunnyvale, Mecklenburg County, Jacksonville, Gainesville, Boynton Beach, Orange County, Palo Alto, Harris County, Waco, Columbia, Missouri, Tarrant County, Bucks County, Lehigh County, Bethlehem, Pennsylvania, Burlington, Portland, Maine, Manchester, Concord, Nashua, Cambridge, London, Paris, UK, England, Dublin, Scotland, Edinburgh, Amsterdam, Germany, Munich, Berlin, Madrid, EU, European Union, Spain, Austria, Vienna, Geneva.