SaaS Agreements. The proliferation of Software as a Service (SaaS) products, services, platforms and applications has grown by leaps and bounds over the past decade. SaaS is a delivery and subscription model in which software is accessed via cloud, web based software. The SaaS vendor hosts maintains the software, rather than the traditional way where the software provider installs the software on the client’s local network or servers. SaaS applications can be found in every industry from healthcare, employment, oil and gas, food and beverage and marketing.

SaaS service providers [whether they serve and host the application or outsource it to a third party managed cloud provider] should do a host of things to make sure that whatever data or sensitive information is being gathered and stored in the cloud for their clients is secure.

  1. If you are outsourcing the hosting and serving of your company’s SaaS Cloud Application to a third party managed cloud provider you need to carefully read and analyze the agreement you will execute with the cloud provider to see what type of liability the managed cloud provider will accept and how much it will pay in damages in the event the cloud provider causes a breach which results in a loss or compromise of client data and in turn the client sues your company for negligence.
  2. Internally, your company should limit access to your cloud application to authorized personnel only. I would classify employees that have access to the provider’s application as “authorized employees.” These are employees who have a need to know or otherwise can access customer data or personally identifiable information (PII) to allow the SaaS Service Provider Vendor to perform its obligations under this Agreement. These individuals should also sign non-disclosure agreements prohibiting the unauthorized transfer and sale of customer user data and (PII). PII could have a broad meaning to both vendor and customer so its a good idea to list or define the types of PII that should be protected from disclosure to unauthorized employees and third parties.
  3. You should perform criminal background checks if legal in your state before employees are exposed to sensitive customer data or financial information.
  4. You should provide Corporate Security Awareness Training to employees so everyone has a heightened sense of purpose regarding customer data protection and security.
  5. I would put together a Security and Risk Management Team of highly qualified individuals to manage security risk.
  6. Incident Response Plan – What if there is a data breach or a cyber-attack? Your company should have a plan in place which details what actions you are going to take in the event disaster strikes. To this effect, how are you going to notify customers of a data breach or disaster?
  7. Data Recovery and/or Disaster Plan – Do you or your managed cloud provider have a disaster plan in place? Do you or your SaaS managed cloud provider utilize redundant and fault tolerant systems to ensure maximum up time and recover quickly from disasters. Customers are going to want to know how long it will take to retrieve their data and if it has been lost or compromised.
  8. Your company should have an effective Information Security Policy in place which needs to be assessed and updated if need be annually.
  9. Your company needs to have an effective Privacy Policy [most are found on the bottom of the home page of company websites visible to the public] so customers understand how your company collects, uses and shares customer information.
  10. Does your company perform web application testing to determine if there are any security issues or vulnerabilities that need to be fixed?
  11. Employees should be required to sign a document acknowledging they have received a copy of the company’s Security Policy.
  12. You should think about putting in place a Change Control Process to make sure that changes to the software and hardware IT infrastructure don’t severely impact production systems.
  13. Are the vendors certified that will be managing your cloud services? Certification means that the vendor takes security seriously.
  14. Are your customers’ users required to enter a password that is authenticated before permitting a user to gain access to the SaaS application and/or services.
  15. Does your managed cloud provider offer or use encryption for the data that is being stored?
  16. Who has access to sensitive customer data and how is it being stored? This sensitive information should be stored in a secure, redundant, highly available database system with access restricted to employees and personnel that are members of a contained group.
  17. If you are the SaaS vendor who in your company has access to sensitive client/customer information? You want to make sure your company can access the files but not view them. Make sure that only a select few number of employees can have access to and view sensitive customer data.
  18. You should become familiar with how hard drives which are old and no longer functional are destroyed. You should ask your managed cloud provider if old disk drives are destroyed on premises by a third party vendor.
  19. Are you offering customers any type of encryption for data transfers?
  20. Are customer files or data being backed up to a second storage system in the event disaster strikes?

This above list is not dispositive or everything a SaaS vendor should do to take security seriously and put controls, processes and procedures in place to protect sensitive customer data. With that said, do yourself a favor and hire an outside vendor, a company that is an expert in determining your company’s capabilities or vulnerabilities in managing data security and what needs to be done.

Please reach out to Andrew for a free consultation at 201-446-9643 or email him at: andrewbosin@gmail.com. www.njbusiness-attorney.com.

Leave a Comment