Are Your SaaS Agreements Bullet-proof, or Leaky Buckets? 6 Key Questions from Tech Attorney Chip Cooper
Chip Cooper, one of the expert moderators for SoftwareCEO's forums, is a knowledgeable and candid source of legal guidance for software companies. He's been focused on software law since 1982, and works with software, SaaS, and IT companies regarding intellectual property, licensing, SaaS and reseller agreements, marketing and distribution transactions, privacy, and website legal compliance.
His website, Digital Contracts, is a wonderful source. Cooper is also Of Counsel to the Atlanta corporate law firm of Jones & Haley P.C., and he has written two books in the field: "Law And The Software Marketer: How To Develop A Legal Protection Game Plan," and "Software Distribution: How To Develop a Successful Marketing Plan."
We always enjoy our conversations with Cooper, because he's refreshingly free of legal mumbo-jumbo, and he has a knack for getting to the point quickly. Here are six key questions you should ask yourself about your software company's SaaS agreements:
Question #1: What’s the difference between an affiliate agreement and a reseller agreement?
"This is almost always where I begin a conversation," Cooper says. "The typical client doesn't have a terrific appreciation of the difference of SaaS models, and these are really the only two.
"Under an affiliate or agent arrangement, the affiliate agent drives traffic to the software vendor, or principal, and the principal makes the sale and pays a commission back to the agent. The seller is in complete control.
"With the reseller model, the seller grants reseller rights, and then the reseller enters into the transaction with the customer. The reseller collects the money and pays back to the seller. The reseller can determine the end-user price.
"Nowadays, what we're seeing is typically a hybrid of these two models. Often the reseller is an agent for the box, but not for the license, which remains with the seller -- much like cell phones."
Question #2: Where does your software reside?
"With a SaaS reseller agreement, the software could be on the developer's server or it could be on the reseller's server via linking," says Cooper. "This is an important distinction. If it's on the reseller’s server, the service provider (SP) -- in other words, the developer -- relinquishes control.
"Obviously, this is a fundamental question that needs to be answered. In my experience, at least 95 percent of the time the software resides on the SP's server -- the ISV that developed the application. Why? Control. If the software resides on your server, you're in control of maintenance, error fixing, and so on.
"But in some cases, where the control is shifting, we can set up an exclusive relationship for a well-defined market, where the reseller handles the translation, version control, localization and so on. Usually, the ISV then sends them source code.
"In these arrangements, because the service is licensing rather than selling, they can apply restrictions in terms of geography, or platform, or business type, or some other defined market; this is called 'Field of Use.'"
Question #3: How do users access the service?
"Do users access the service -- that is, the software that is being sold as a service -- through the reseller's site via linking, or directly from your site?" asks Cooper. "How do users access the service, physically?
"Do they go to your website and link to the server, or does the reseller provide the login? Once I as the provider have been paid, I issue the keys. So there's no question on the part of the customer who he purchased the software from.
"But if it's indirect, it means there's some kind of linking, from the reseller's server to the ISV's; the old-fashioned way to do it is through framing technology, but that's not the method of choice. Nowadays there seems to be a preference for virtual servers, and if you're thinking seriously about private labeling, this is pretty much the way you have to do it.
"While the indirect method doesn't provide any legal protection, it can give you access to a much more powerful reseller, someone who already has a vast stable of existing customers. If both parties are beginners, then private labeling usually doesn't come up. But if you've got a well-established reseller, it becomes more important."
Question #4: How does the SaaS provider protect itself?
"In any SaaS deal, data security is a key issue," says Cooper. "The sensitivity of that issue depends on how the end-user ultimately contracts for the service. If it's a click-wrap agreement, there can be conditions in there that make it very clear that the user is taking some risks in terms of hacking, and so on.
"In any case, the reseller is going to want the SP to be responsible, legally, for any unauthorized access or hack. The effect of that is to impose an insurer obligation on the SP. But regardless of the level of security implemented, it can still be hacked. Any network can be hacked.
"If the SP is led to agree that it will be responsible for breach notification -- and there's additional liability for any failure to send them -- then the SP becomes an insurer. That's about as scary as it can get."
If you find yourself in this situation, where you are in effect being asked to provide insurance for your software, Cooper says there are two possible protections:
"The first option is to say you'll agree to a certain standard, and the standard is put into the agreement. Thus, the SP is liable only if there is failure to comply with the standard. There's a big difference between agreeing to be responsible for maintaining a standard, versus being responsible for any hack that may happen.
"The second option is to buy a new type of insurance, called cyber security insurance. For any service provider entering into reseller channels, you need to consider this as an ultimate backstop."
Question #5: How does the SaaS Provider protect its relationship with the end-users?
"If you've got a SaaS reseller, the reseller contracts with the end-user for the purchase of the service," Cooper says. "This raises the question, how does the SaaS provider protect its relationship with the end-users?
"There are four reasons to be in privity of contract with end-users, rather than issuing a sublicense: Server security; acceptable use; intellectual property protection; and expiration or termination of the reseller agreement.
"Service providers ought to be wondering how they're going to maintain control of customers that were originated by the reseller. At some point the reseller relationship is going to expire, or it's going to terminate; it isn't going to last forever. What happens to the customers? Does the SP have some opportunity to keep them?
"Every time I deal with a new client, one of the first questions is, 'How in the world do I protect the relationship with the end-user customers, since the reseller is interfacing with them directly? If that agreement ever terminates, I'd at least like to have a shot at saving those customers.'
"The vast majority of my clients are ISVs who have had some success selling directly, and are now ready to expand through resellers. I tell them, we need to be very careful about managing control of end-user security.
"You need contractual obligations to be able to shut off any malicious behavior on the part of end-users. You need to be able to control acceptable use, to stop activities such as spamming and pornography. Plus, you've got your own intellectual property that could be at risk.
"Let's say someone is stealing your IP; you can sue the hell out of them for copyright infringement, but it's also helpful to have a contract, so that you can sue them for breach of contract -- and you clearly have the right to shut them out of the system. If you don't have that right, you could conceivably have an issue protecting your intellectual property.
"The way we have seen this work out is with a three-party agreement, generally referred to as a back-end service provider agreement. These have been used fairly universally over the past few years by hosting farms. This concept has basically ported over to the SaaS world.
"The reseller presents the click-wrap agreement, and it's a three-party agreement that binds the end-user and the SP and the reseller -- and it distinguishes between all three. Obviously, at the same time, you want to establish that both the SP and reseller have some rights of access to the customer. The argument may be hot and heavy, but at least that sets up the negotiation."
Question #6: What type of SaaS agreement should you use?
"In terms of technology, as far as the legal piece is concerned, we are in SaaS 2.0," says Cooper. "A few years back, 1.0 was all about setting up the SaaS model -- the basic relationship between providers and customers.
"Now we're seeing a lot of questions from SPs that say, 'I'd like to set up reseller channels, but what in the heck do I do?' It's a little more tricky in that we're delivering a service rather than a product.
"Resellers were a staple in the software industry back in the '80s: Everyone wanted to sign up VARs and do national distribution agreements; that was how you got your software into the market. In those days, ISVs became familiar with those agreements.
"However, with the new generation of software, where everyone seems to be moving to the web-based model, people really don't have that experience of knowing how to do reseller deals. They're casting around, asking, 'Where do I start?' A lot of people don't have a clue.
"The basic starting point for an SP who is dealing directly with customers is an agreement presented in a scroll box; this is the 'click-wrap' agreement. Contract administration is easy; click, and it's done.
"By the way, your click-wrap must default to 'No,' so that the end-user must click 'Yes.' Without that, it's probably going to render the agreement unenforceable.
"The other party -- the end-user, in this case -- must take some kind of step to acknowledge the agreement; the legal term is 'unambiguous manifestation of assent.' If the check box is already done, the affirmative step hasn't been taken, and there's no evidence. The most conservative way is to force the end-user to scroll through the agreement before he can click.
"However, there are certain customers who just won't click. You need some agreements in place if you're going to reel these customers in. One option is a written form, or perhaps your same contract, with a little different lead-in language and a signature box at the end. It's potentially open for negotiation, but the basis is there.
"If you're dealing with the corporate or enterprise market, they often will not sign, and typically won't even go for the click-wrap in written form. They are extremely concerned about data security, service level agreements, plus more. You need a more comprehensive document; it needs to have the things they want to see."
Special Bonus for SoftwareCEO subscribers:
On his Digital Contracts website, Chip Cooper sells a product called SaaS Marketer Pro, an impressive library of downloadable and customizable legal documents for the software industry, many of them specific to SaaS. (Plus, you get direct email access to Chip Cooper.) When you buy SaaS Marketer Pro, Chip provides a bonus video, but he's allowed us to offer that to our paid subscribers with no further obligation; here's the link.
