A SaaS contract defines the obligations of the service provider and the customer. But how far does the responsibility of the software company really extend? In the event of a failure, data loss or cyber attack, who bears the consequences? Poor contractual risk distribution can be costly.

Here's what you need to know to secure your contract.

What does the SaaS contract provide for in the event of a service failure?

The SaaS provider generally guarantees a level of availability through an SLA (Service Level Agreement). This document sets out the availability rate of the service (e.g. 99.9%), the period over which it is measured, response times and the compensation due in case of non-compliance. The SaaS provider is responsible for the proper hosting of its service; it must therefore secure solid contractual guarantees from its own hosting provider in order to limit its own exposure.

The following points should be checked in the contract between the SaaS provider and the customer.

On the client side:

  • Check the SLA commitments expressed in figures (availability rate, measurement period, response times).
  • Check whether financial penalties are provided for, and what applies in the event of repeated SLA breaches.
  • Anticipate the impacts of a prolonged interruption on your business.

On the supplier side:

  • Define realistic and achievable KPIs.
  • Cap your liability to avoid excessive compensation: strike a balance between the SLA penalties and the limitation of liability clause.
  • Provide exclusions in case of force majeure or customer fault.
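
The figures in an SLA only mean something once they are converted into minutes of tolerated downtime over the agreed measurement period, which is why the period deserves as much attention as the percentage. The script below is an added example, not code from the original post or from any provider: it turns an availability percentage into permitted downtime per window, measures delivered availability from a constructed outage log (honouring contractual exclusions such as scheduled maintenance), and maps the result onto a hypothetical service-credit schedule. The targets, dates, outages and credit tiers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Added example: converts an SLA percentage into permitted downtime, measures
# delivered availability from a constructed outage log, and maps the result
# onto a hypothetical service-credit schedule. Nothing here is a real
# provider's SLA; targets, dates and credit tiers are all constructed.

MINUTES_PER_DAY = 24 * 60


def permitted_downtime_minutes(availability_pct: float, window_days: float) -> float:
    """Minutes of downtime an availability commitment tolerates per window.

    The same 99.9% allows ~43 min in a 30-day month but ~526 min (8.8 h) over a
    365-day year, so the measurement window matters as much as the figure.
    """
    if not 0 < availability_pct <= 100:
        raise ValueError("availability must be in (0, 100]")
    return (1 - availability_pct / 100) * window_days * MINUTES_PER_DAY


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    # True when the contract excludes the period (scheduled maintenance,
    # force majeure, customer fault); excluded time is not counted as downtime.
    excluded: bool = False


def measured_availability(outages, window_start, window_end) -> float:
    """Availability actually delivered in [window_start, window_end), in percent.

    Outages are clipped to the window and excluded periods are ignored.
    """
    window_min = (window_end - window_start).total_seconds() / 60
    down_min = 0.0
    for o in outages:
        if o.excluded:
            continue
        start, end = max(o.start, window_start), min(o.end, window_end)
        if end > start:
            down_min += (end - start).total_seconds() / 60
    return 100 * (1 - down_min / window_min)


# Hypothetical tiered credit schedule: (availability floor %, credit as % of
# the period's fee), evaluated from the best tier downwards.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]


def service_credit_pct(availability_pct: float, tiers=CREDIT_TIERS) -> int:
    for floor, credit in tiers:
        if availability_pct >= floor:
            return credit
    return tiers[-1][1]


def sla_check(outages, window_start, window_end, target_pct):
    """Return (delivered %, target met?, credit %) for one measurement window."""
    delivered = measured_availability(outages, window_start, window_end)
    return delivered, delivered >= target_pct, service_credit_pct(delivered)


# Constructed outage log: one 6-hour incident and one contractually excluded
# 2-hour maintenance window in the same month.
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 3, 10, 2, 0), datetime(2024, 3, 10, 8, 0)),
    Outage(datetime(2024, 3, 17, 0, 0), datetime(2024, 3, 17, 2, 0), excluded=True),
]
MARCH_2024 = (datetime(2024, 3, 1), datetime(2024, 3, 31))  # 30-day window
YEAR_2024 = (datetime(2024, 1, 1), datetime(2025, 1, 1))    # 366-day window


def compare_windows(outages=SAMPLE_OUTAGES, target_pct=99.9):
    """Same incident, two measurement windows: monthly breaches, annual does not."""
    return {
        "month": sla_check(outages, *MARCH_2024, target_pct),
        "year": sla_check(outages, *YEAR_2024, target_pct),
    }


if __name__ == "__main__":
    for pct in (99.0, 99.9, 99.99):
        print(f"{pct}%: {permitted_downtime_minutes(pct, 30):.1f} min/month, "
              f"{permitted_downtime_minutes(pct, 365):.1f} min/year")
    for window, (delivered, met, credit) in compare_windows().items():
        print(f"{window}: delivered {delivered:.3f}%, target met: {met}, credit {credit}%")
```

The point the example makes is the one to raise in negotiation: a single six-hour incident breaches a 99.9% target measured monthly and triggers a credit, but the same incident measured over a year stays within target and costs the provider nothing. Which of the two the contract adopts, and which periods it excludes from the count, is worth as much as the headline percentage.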

Who pays for data loss?

Data backup is a sensitive issue. By the nature of its service, a SaaS provider is required to back up data. The SaaS contract should specify who is responsible for keeping and restoring data in the event of an incident.

On the client side:

  • Check whether the provider commits to regular backups.
  • Make sure the contract provides for data reversibility, i.e. the return of your data in a usable form.
  • Keep independent copies if the data is critical; the contract should entitle you to export your data at any time.

On the supplier side:

  • State clearly how often backups are taken and how long they are retained.
  • Limit your liability in case of accidental deletion by the customer.
  • Plan a procedure for returning data at the end of the contract.

Who is responsible in the event of a cyber attack?

A cyber attack can lead to data theft or service interruption. The SaaS provider always has a security obligation, but its scope varies from one contract to another: it must guarantee a level of protection that meets the industry standard and must monitor its infrastructure, manage access and protect customer data. Beyond that baseline, the provider's liability depends on the commitments precisely defined in the contract.

On the client side:

  • Check the security measures in place (encryption, access control, etc.) and make sure they match your own standards.
  • Check whether the provider is required to notify you promptly of a security incident.
  • Check the scope of your audit rights, especially in an emergency.

On the supplier side:

  • If you hold a security certification, make sure you keep meeting its requirements.
  • Establish an incident response plan to minimize the impact of an attack; this document can be provided to the customer on request.

I can help you negotiate or draft a SaaS contract integrating security clauses adapted to regulatory requirements and the specific risks of your business.
