This checklist identifies common negotiating points to consider when entering into a Software as a Service (SaaS) agreement.

Pre-Agreement Due Diligence

Prior to entering into an agreement, the customer may choose to vet its prospective providers.

• During this stage, customer could use a self-created internal questionnaire to help identify and negotiate the elimination of gaps in a prospective provider’s services. If requested by customer, provider should be conservative with supplying security-related materials and information on past security incidents.

Service Availability

It’s common for provider to make a commitment that its service will be available for a percentage of time (e.g., 99.9%) during a certain time measurement period (e.g., week, month, or quarter). 

• The time measurement period impacts the overall service availability calculation. As such, a longer time measurement period is beneficial to the provider, whereas a shorter time period benefits the customer.
• ‍Provider may seek to include various outages in the availability calculation, such as planned maintenance or event’s outside provider’s control. Conversely, customer may request to obtain a written schedule of provider’s planned downtime and require the provider to constantly monitor its servers to detect downtime.‍
• Customer may want to consider the software "unavailable" if there is severe performance degradation, whereas provider may seek to define "unavailable" only as the inability to access or use the software.

Service Response Times

This provision refers to how quickly the provider will respond to a service issue raised by the customer.

• A common negotiation point under this provision is the definition of "response." Generally, customer will want to consider a “response” occurring when provider corrects the issue, whereas provider will seek to establish its response time the moment it responds to customer’s complaint.

Remedies for Service Level Failures

When service availability levels are not met, customers may seek remedies through this provision. Common remedies include fee reductions or service credits.

• Under this provision, customer may seek to include past outages that already received service credits in availability calculations, whereas provider will seek to remove these outages.

Force Majeure

Parties look to this commitment when one party cannot perform a contractual obligation due to the occurrence of an event beyond that party’s control.

• ‍Provider may seek to broaden this clause to include events that could disrupt operations. Conversely, customer may seek to limit excuses for provider to perform, as well as make clear that a force majeure event does not relieve the provider of its obligations.

Data Security

This provision tends to specify minimum security measures which the service provider must promise to deploy. 

• ‍Customer may seek provider to match its own data security policies, whereas provider will likely resist security obligations that require burdensome steps or separate maintenance of the customer's service.

Notification of Security Issues

In the event of a data security incident, this commitment details the breach notification process.

• Common points for negotiation are (i) which party provides notice to the customer's employees and customers and, (ii) which party bears the cost of this notification. Generally, the customer will want to have sole control over its notice and require provider to reimburse for customer's expenses incurred in giving notice of any security breach for which the provider is partially or fully responsible. Whereas the provider, may seek to retain the right to provide notice of security breaches as necessary to comply with applicable laws and maintain that the customer is responsible for all costs of notification.

Disaster Recovery and Business Continuity

In the event a provider’s software or customer data is no longer available, this provision sets out the processes to be followed. 

• ‍Customer may seek to ensure provider’s back-up practices are consistent with customer’s practices and require the provider to make the software available even during a disaster.
• ‍Provider may specify that its policy is governed by an internal document that the may be amended at any time.

Use of Customer Information

• It is common for customer to limit provider's use of its data, except as necessary to provide the software services or perform contractual obligations. Provider may, however, demonstrate that analysis of customer's data is necessary to provide increasingly better software product and service. It's possible that provider also demonstrates that effective use of the software depend's on the ancillary use of customer data. For example, provider may need to aggregate the data to provide data trending and analysis to customer.

Data Conversion and Transition

This provision provides details regarding customer’s data that is imported into provider's software.

• Generally, the customer will seek to have the provider convert the data at no cost, whereas the provider may seek the customer to incur the costs.
• Once the agreement has terminated, customer may require provider to return its data in a specified format and destroy all remaining customer information.

Insurance

Details on the party’s insurance policy coverage.

• Customer may require provider to carry insurance that covers damages arising from the negligence or intentional acts, where as provider may refrain to purchase additional insurance coverage for a single customer and maintain that its coverage for general liability is adequate.

Indemnification

An obligation of one party to compensate the loss incurred to the other party due to the acts of the indemnitor.

• Customer may require provider to indemnify against claims arising from security obligations, whereas provider may seek to reject obligations or cap its liability for unintentional security breaches.

Limitation of Liability

Limits the amount of exposure a company faces in the event a lawsuit is filed or another claim is made.

• Generally, customer will seek to remove exclusions from this provision. For example, customer may want to remove exclusions for breach of confidentiality or data security obligations, claims for which the provider is insured, and costs payable under the parties' respective indemnification obligations.
• Whereas provider may focus on limiting its liability to either the total amount of customer fees paid under the agreement and seek to exclude customer's lost revenues, lost profits, and certain other damages.

License / Access Grant and Fees

Defines the limits of what customer may do with provider’s software and at what cost.

• Customer may seek to broaden the definition of "permitted users," whereas provider may seek to limit software use to customer's internal purposes only. It's common to include a right to add or remove a user with a corresponding adjustment of the license fees.
• Customer may seek to lock in recurring license fees for a fixed period of time or adopt a price escalation clause to determine future price increases.
• Provider may require additional fees for data storage in excess of a specified base amount.

Term

• Generally, subscription terms are more favorable to the provider, as they lock in a customer for a set period of time. In this event, customer may seek to limit its commitment up to a few months or a year.

Warranties

• Provider may seek to limit its warranty commitments to the software service's material compliance with its documentation. On the other hand, customer may require additional warranties, such as warranties of non-infringement of third-party intellectual property rights and require the provider to not suspend or disrupt service, even if provider alleges that customer has breached the agreement.