IACCM Contract Management Forum

2015-01-15 16:11:27

Limitations of Liability (LoL) in subscription software (SaaS) agreements

Does anyone have experience of negotiating cap tolerances and carve-outs on the LoL within subscription software (SaaS) agreements? Also, in general, do people experience a different approach to the limitation on breaches of security in contrast with the general limitations? I'm interested in those agreements governed by the laws of the UK and France.
 •   2015-01-28 18:04:55
Speaking at a high level only, some clients will demand higher liability caps for breaches of information security, whereas we on the vendor side resist what we see as unreasonable levels. My view is that some clients are overreaching with their information protection contract terms. Calling for unlimited liability for breaches, for example, seems to ignore the reality that it's virtually impossible for any provider to thwart all threats. Some of the terms I see have clauses requiring the vendor to notify the client of all "potential" or "suspected" breaches. How could we even begin to put a box around what that means? Why ask the vendor to comply with HIPAA-related rules when the contract is being performed wholly in Europe and is therefore subject to European rules?
 •  Deutsche Bank  •   2015-02-02 05:14:48
I've generally found vendors to be highly resistant to negotiating ANY terms in SaaS agreements unless there are truly significant amounts of spend and the promise of increasing volumes. In particular, with one very large SaaS vendor last year we were told that they would never now sign up to the LoLs that they agreed five years ago in relation to security. In general I think that the industry is moving more and more towards a one-size-fits-all model, which will make any carve-outs more difficult to obtain.
 •   2015-02-02 10:07:54
Greg raises a fair point. When purchasing prepackaged services, it is reasonable to expect a different risk tolerance from the provider than when purchasing the software as a product. It may not be feasible to price the risk of a dozen different sets of terms and/or delivery models.

On a corollary point, I have attended at least one presentation on the subject of SaaS (and other XaaS offerings) where the speaker recommended to a mostly buy side audience that a provider's software license incorporated into the SaaS document be rejected. To the extent that an XaaS offering involves a limited right to use software, even if it's not a local copy on a desktop, I still would advocate for inclusion of some license terms. A license might be necessary to comply with any third party license requirements.
 •   2015-02-03 21:28:33
I have found that for the liability portion of SaaS contracts one truly has to first determine the confidentiality/security level of the data being distributed in the cloud.

I've been able to include in T&Cs, as well as SLA agreements, notification of breach within 24 hours and the provision of mitigation strategies.

Limitation of liability, in most cases I've experienced, is the total sum of the contracted value, or at least 5 million; this also depends on the type of data and the impact to the organization, e.g. privacy.
 •  Binadox  •   2017-01-21 06:52:58
Software as a service is an agreement model in which software is licensed on a subscription basis. If you want to know about negotiation of SaaS, follow this link: www.binadox.com/