Drafting Software Hosting Agreements: Service Availability...

Drafting Software Hosting Agreements: Service Availability, Performance, Data Security, and Other Key Provisions From U.S. and European Perspectives

Presenting a live 90-minute webinar with interactive Q&A

THURSDAY, JULY 25, 2019

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Laura Berton, Partner, Fieldfisher, Palo Alto, Calif.

Kristie D. Prinz, Principal, The Prinz Law Office, Palo Alto, Calif.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.


© 2018-9 The Prinz Law Office and Fieldfisher LLP.

A US/European perspective on

DRAFTING SOFTWARE HOSTING AGREEMENTS

(Service Availability, Performance, Data Security, Other Key Provisions)

Laura Berton, Fieldfisher, Silicon Valley, CA

Kristie D. Prinz, The Prinz Law Office, Silicon Valley, CA

The Prinz Law Office Silicon Valley

T: +1 (408) 884-3577

Kristie Prinz is a California-licensed software, digital health, technology transactions, and IP attorney in Silicon Valley. For more than 20 years, her practice has focused on providing technical & IP focused business transactions advice to early stage start-ups and mid-market companies in the software, SaaS, technology, and digital health industries. She regularly advises both U.S. based and international companies.

Kristie is the author of the Silicon Valley Software Law Blog and a frequent speaker on software, SaaS, technology & IP transactions issues. She graduated from Vanderbilt Law School and is also licensed to practice law in the state of Georgia.

Fieldfisher Silicon Valley

Laura Berton is a European IP & Tech transactions lawyer based full-time in Silicon Valley. Over the past 15 years she has represented a wide array of companies in complex business transactions, innovative technology licensing and other technology-related contracts such as outsourcing, Cloud, SaaS, software development, digital, e-commerce and data protection.

She also often works with GCs helping them navigate their move into new jurisdictions, smoothing the expansion process and adaptation to local legal practices. She has extensive experience of coordinating and managing foreign counsel and advising on multi-jurisdiction IP and technology projects. Laura is also the transatlantic "Brexit" lead for Fieldfisher in Silicon Valley advising US clients on the commercial and legal consequences of the exit of the United Kingdom from the European Union. Laura has also been named a “rising star” in IP in Super Lawyers.

T: +1 (650) 276 6039

US vs EU – Quick compare and contrast

• United States of America

– Federal Republic

– 50 states

– 1 common language (for the most part)

– Federal (US-wide) and state laws

• European Union

– Economic and political union

– 28 member states

– 24 official languages

– Regulations (EU-wide), Directives (EU-wide + national implementation) and national laws

French Law Tips

French contract law reform 2016

Negotiate in good faith

Duty of confidentiality

Behave ethically

Duty to inform

Software Hosting Models

1. Software licensor offers optional in-house hosting as a separate service to software licensees

2. Software licensor resells or outsources hosting to software licensees

3. Software licensee outsources hosting to third party host

4. SaaS provider includes hosting as part of bundled SaaS service package

Comparing & Contrasting Hosting Models

1. Hosting in case of Software License

a) Customer has procured intellectual property rights in the software, typically to download, install, and use the software on local hardware in accordance with the terms of a defined license.

b) Customer has options:

• can self-host the software

• can outsource the hosting of the software

• can procure hosting through the provider and make hosting changes at any time.

Comparing & Contrasting Hosting Models

2. Hosting in case of SaaS contract:

a) Customer has procured no intellectual property rights in the software itself but only has procured rights to access and use the software through the platform.

b) Customer is captive to the platform. If customer is unhappy with hosting, customer will require an entirely new solution.

c) In Silicon Valley, not unusual to see SaaS providers relying on hosting relationships where there is either no hosting agreement or a very inadequate hosting agreement.

Focus of Presentation

1. For the purposes of this presentation, we will assume the scenario of an outsourced or third party host providing services to a software licensee.

2. However, many of the same issues will exist in the case of:

a) Software licensor offering optional in-house hosting as a separate service to software licensees.

b) SaaS provider including hosting as part of a bundled service package.

Contract structure

Difference between IT contracts and other contracts: Length and importance of schedules

Main body of the contract:

• Scope of services

• Warranties/obligations

• Project Management

• IPR

• Charges

• Liability

• Indemnities

• Rights and Remedies

• Term and termination

• Usual boiler plates

Contract structure

Schedules:

Service Levels

Project plan

Software and specifications

Charges (depending on complexity level)

Change control procedure

Acceptance tests and process

Data Privacy: processing, personal data and data subjects

Host’s network and information systems security

Exit

Contract structure

[Diagram labels: Service Description; Service Level; Service Guarantees; Legal rights/Enforcements; Governance; Monitoring & Control; Practical Remedies; Budgeting]

How to negotiate?

What happens when you enter into a contract?

Negotiating Key Terms - Scope of services

In addition to hosting, what services are provided?

Security

What does the supplier offer?

Legal requirements re the content of the data?

Maintenance

Helpdesk

Disaster Recovery

Statistics

Service Levels:

Defined response time and remedy time (in the correct time zone)

Uptime requirements

o Availability

o Scheduled maintenance v Unscheduled maintenance

Negotiating Key Terms - Implementation

1. Discuss and set expectations about the implementation process in order to avoid future disputes

a) Host and customer responsibilities and deadlines for completion;

b) Interdependencies with other suppliers (and how they should work together) and any consequences (impact on costs, timetable etc.) for failure to meet the defined responsibilities.

c) Implementation schedule with specific dates for each milestone, and consequences for failure to comply (e.g. Liquidated damages, termination rights etc.)

Penalties v Liquidated damages

Negotiating Key Terms - Implementation

d) Define successful completion (or acceptance) of each milestone, including

any testing required and testing process;

customer approval process or deemed acceptance after time-lapse;

how acceptance is to be communicated and recorded.

e) Fees due throughout implementation process and during the term of the agreement.

Some payments may be linked to milestones completion;

Consider early payment and termination

Consider investment costs and when these are recouped (i.e. set up fees may be waived if customer commits for a minimum term).

Consider additional costs caused by delay, change of laws etc. and which party should bear those.

Negotiating Key Terms/Implementation

2. Ensuring customer provides:

a) Verification of specific license rights granted to licensee

b) Verification of software licensor’s recommended hardware and operating specifications

c) Verification of technical support service and maintenance services to be provided contractually by licensor to licensee

Access Rights

Require compliance by customer and users with access to the platform with host’s Acceptable Use Policy (“AUP”)

1. AUP will define a code of conduct and any parameters for use of its host platform

2. Host will want to carefully define

a) any consequences to the customer or users for violations of the AUP such as suspension of individual users from platform

b) when a particular violation rises to level of a material breach and if termination is possible for repeated but non material breaches.

c) Consider that different countries will have different unlawful practices (e.g. unlawful activities, free speech v incitement to hatred, data privacy etc.)

Ownership

1. Discuss and set out who owns rights in the software and the data inputted.

2. Discuss and agree IP ownership of any new copyright materials (if applicable)

3. Define and procure customer consent to any potential use of the data if necessary (i.e. data mining)

4. Ensure that the above is reflected appropriately in warranties, assignment, licences and indemnities.

European copyright laws are not exactly the same as US copyright laws so spell out what you want and agree rather than relying on implied terms.

Fees and Payment Terms

No “one size fits all” structure:

1. Ensure flexible fee structure that permits billing on:

a bandwidth basis for hosting (and possibility to increase or decrease usage); and

an hourly rate basis for services like implementation and technical support (include rate card and expense policy)

2. Discuss and agree what the fees are based on:

time commitment (i.e. length of contract),

minimum spend or growth etc.

if so consider impact of early termination or renewal on price

3. Define clear fee and payment terms (in order to minimize risk of future disputes) and use worked examples and NOT just a formula if the calculation is complex (and test the formula yourself).

Fees and Payment Terms

4. Anticipate and define process for implementing future fee increases or discounts when using new technologies.

5. Define when and how fees will be invoiced and due. For set-up, link fees to milestone completion.

6. Define consequences of late payments for each type of fee (e.g. interest charges, suspension of access or termination).

In the UK consider Late Payment Act.

7. Consider if set off (vs service credits or liquidated damages) or withholding rights are appropriate.

Warranties

Contract terms can be a condition, a warranty or a so-called intermediate term. Each may have a different impact on remedies available to the non-defaulting party for their breach.

Breach of condition: non defaulting party can terminate the contract and claim damages (or affirm the contract) - irrespective of the nature or consequences of the breach, i.e. even with little loss or damage by reason of the breach

Breach of warranty: non defaulting party can only claim damages (cannot terminate the contract)

Breach of intermediate term: remedy will depend on consequences of the breach.

Warranties

1. Agree performance expectations, e.g.

“Host warrants that the services will be performed in a professional, workmanlike manner in accordance with generally accepted industry standards.”

OR

“Best Industry Practice” defined as “the exercise of that degree of professionalism, skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a highly skilled and experienced person or an internationally recognized supplier engaged in the same type of activity under the same or similar circumstances”

2. Ensure that you frame your warranties correctly, i.e. for the Services provided and refrain from agreeing to warranties outside the scope of hosting services that go to performance of software

Warranties

3. Consider IPR warranties on each side: “[x] warrants that the IPRs in [the services/software] infringe any third party's IPRs” – and appropriate remedy for breach of such warranties.

4. Consider whether obligations in relation to servers/hosting are necessary and what these should be, e.g. Operate according to documentation (to be reviewed in detail and validated by the IT team) and any other specifications

5. Require customer warranty regarding the performance of obligations under contract such as the obligation of customer and users to comply with the Acceptable Use Policy

6. Carefully define remedy in event of any breach of warranty:

Would such remedy be the customer’s sole remedy? E.g. claim for damages or termination

Would the remedy be to re-perform the service, replace a product (if applicable) or pay a refund?

How does it interact with Service Levels?

Limits on Liability

There is no standard limit of liability, consider:

a) Actual risk and potential loss on both sides

b) Who controls and can effectively manage or reduce these risks.

c) The fees paid/payable for the services but also how essential the software is for your business.

d) Insurance available.

Consider the actual consequences of a breach and your plan B in the various scenarios (i.e. software unavailable for 1 h, 24h or longer, or if data is lost, whether it is customer facing, or key software etc.)

Limits on Liability

Often, the host’s liability will be capped at a multiple of fees paid or payable

months’ fees paid x [x]

Seek unlimited liability (or super caps) for some violations such as IP infringement, AUP, Confidentiality and Data Privacy/Data Security.

Consider which losses should be excluded

Specifically set out recoverable losses (to avoid the direct and indirect loss debate), e.g. replacement provider, management time, procurement costs etc.

List all damages that you would expect and agree to recover.

French Law Tips

Under French contract law, only damages that are direct and foreseeable at the time of the conclusion of the contract can be recovered

French Direct damages exclude indirect, special, incidental and punitive damages

However, it is necessary to expressly exclude loss of profits, income, revenue etc.

Therefore, in a French contract, there is no need to specifically exclude or limit these damages.

Similarly, they cannot be included in a contract.

German Law Tips

Forget US limitation of liability language

Liability for gross negligence cannot be excluded or limited, and liability for slight negligence can only be limited to typical and foreseeable damages in the case of a violation of material contractual duties

Liability for intent (“Vorsatz”) can never be excluded in a German contract

A US clause that is void is less than a valid EU clause

Indemnification Obligations

1. Ensure that any indemnifications are specific to what you are able to control, i.e. IP, Data Privacy, Confidentiality, violations of the AUP, misappropriation of trade secrets but not for all breaches of contract.

2. Consider whether to indemnify only in relation to third party claims or not and also for claims arising from employee acts and omissions.

“Host agrees to indemnify, defend, and hold harmless customer for any loss, liability, damage, award, judgement, or expense arising from any [third party] claim arising from [an employee act or omission] including reasonable legal costs”

3. Define conditions of the indemnification, whether parties have a duty to mitigate their losses and whether the indemnification is capped.

“[x] shall promptly notify [x] in writing of the existence of the potential claim for indemnification, grant [x] the right to control the defense of all such claims, and shall fully cooperate in the defense.”

4. Limit indemnifications to scope of available insurance coverage

Insurance

1. Anticipate insurance requirements and procure insurance in advance of commencing negotiations

a) Buy what is affordable and if a customer demands more than is maintained, require customer to absorb costs of additional insurance.

b) Consider which risks are worth insuring through the host or the customer.

c) Refrain from agreeing to maintain insurance that is not already in place.

2. Ensure insurance is flowed down to any contractor or outsourced service provider.

3. If a customer insists on additional insurance outside of these parameters that is agreed to, contemplate in contract the fact that contractors or outsourced services providers will not already have the additional insurance and seek exclusion from requirements

Service Level Agreement (“SLA”)

Overview

Parties to agree service levels necessary to meet customer’s needs, since service level delivery is critical to use of hosted software

Sets expectations regarding the level of service host can provide as a normal service and possibly what is possible as a “platinum service”

Preserves customer relationship by providing process for compensating services failures without the necessity of treating them as material breach

Host will usually prefer to refrain from including responsiveness or performance guaranties about service and will want the focus to be only on uptime and technical support, whereas customer will want more thorough service levels.

Service Level Agreement (“SLA”)

1. Distinguish responsiveness from resolution.

2. Agree categorization of problem levels (e.g., critical, important, minor).

3. Performance (speed, bandwidth)

4. Uptime Guaranty

a) Host shall maintain an uptime service level of X% measured monthly

b) Consider what exclusions to uptime guaranty should be negotiated (i.e. scheduled maintenance, notice periods for maintenance, business hours in which countries)

Service Level Agreement (“SLA”)

5. Consider if the host can provide this service level on its own or depends on a third party?

Is the service outsourced to third party host?

If so what does the SLA with the third party host look like? And who is responsible for failures?

Is the guaranty realistic (i.e. if outsourced host, does due diligence and contract with the host ensure that the host can actually meet the terms proposed?)

Service Level Agreement (“SLA”)

6. Technical Support Responses

a) Consider whether response times should be treated as a goal or a requirement, or a commitment v an endeavor

b) Set manageable technical support expectations

c) Control the assignment of urgency level

d) Carefully define any First Tier Support/ Second Tier Support Issues to limit support responsibility only to hosting and not to support issues outside the scope of hosting services

Service Level Credits

Sample Clause: In the event that Host fails to meet the service level guaranty in any term or applicable renewal period, Customer will be entitled to a credit in the amount of $X applied to the applicable renewal period.

a) Consider whether any service credit provided is clearly defined and easy to apply

b) Address whether the payment of a service credit is an acknowledgement that a material breach occurred or the sole remedy if a service failure arises

c) Are there consequences for multiple service credits during a term?

d) In addition to the formula for calculating service credits add an example of the calculation to make sure that it works

e) Should there be a limit to the amount of service credits payable?

f) Can the service credit be deducted from fees? If so, when can it be deducted?

Confidentiality

1. Agree to the commencement and end of confidentiality obligations and what constitutes confidential information.

2. Consider exceptions to such confidentiality obligation (i.e. use of any outside contractors for any service such as hosting, disaster recovery, etc.) and define how exceptions will be handled.

3. Consider remedies as specific performance (injunction) in case of breach as damages do not always constitute adequate remedy.

4. If any possibility of personal health information (PHI) being uploaded to host platform, ensure that it has met obligation under HIPAA to enter into a business associate agreement with customer.

5. Overlap with Trade Secrets and Data Privacy

Data Privacy

US v EU

US Data Protection

• Tech Industry has lobbied in the past year for data privacy legislation to be passed in Congress, but no action has yet been taken. Proponents of a federal bill seek pre-emption of state privacy laws, specifically the California Consumer Privacy Act, which was passed by California in 2018.

• The absence of federal data privacy legislation has not prevented federal regulation on data privacy. The Federal Trade Commission (“FTC”) has been aggressively regulating software and technology companies on data protection issues. The FTC has deemed that failure to protect data is an:

  • Unfair or deceptive act or practice in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.

  • Violation of Safeguards Rule of Section 509(3)(A) of Gramm-Leach-Bliley Act, 15 U.S.C. Section 6809(3)(A), where company is in the business of providing software or software services that include any financial or accounting functionality.

California Privacy Protection

• California is first state to pass its own comprehensive data privacy legislation. At least 15 other states are currently considering data privacy bills.

• California Consumer Privacy Act (“CCPA”) is set to go into effect on January 1, 2020

• The law applies to for-profit entities “doing business” in California that either:

a) Have a gross annual revenue in excess of $25 million

b) Annually buy, receive for commercial purposes, sell or share for commercial purposes, personal information of 50,000 or more California consumers, households or devices; or

c) Derive 50% or more of annual revenues from selling California consumers’ personal information.

• It also applies to any businesses that

a) Control, or are controlled by a for-profit entity meeting the above definition, or

b) Share common branding with a for-profit entity meeting the above definition.

California Privacy Principles

Principles Recognized by the CCPA:

• The right of Californians to know what personal information is being collected about them.

• The right of Californians to know whether their personal information is sold or disclosed and to whom.

• The right of Californians to say no to the sale of personal information.

• The right of Californians to access their personal information.

• The right of Californians to equal service and price, even if they exercise their privacy rights.

European Data Protection Principles

Principles from previous law:

Lawful, fair and transparent (tell people how you will use their data)

Purpose limitation (only use data for specified purposes)

Data minimisation (only collect the data you need for specific purposes)

Accuracy (keep data accurate and up to date)

Storage limitation (only keep data for as long as you need it for the specified purpose)

Integrity and confidentiality (keep it secure)

New principles of accountability, privacy by design & privacy by default

What is data processing?

Processing of personal data means:

Any operation or set of operations which is performed upon personal data

Whether or not by automatic means

Including: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

Any use of personal data is potentially considered a processing operation.

What is personal data?

• Any information relating to a directly or indirectly identifiable individual (the “data subject”)

• Includes obviously personal data – e.g. name, contact details, identification number, etc.

• Also less obviously personal data – e.g. IP addresses, cookies etc. and generally any information specific to a person’s physical, physiological, mental, economic, cultural or social identity.

• It is a subjective test and therefore the definition of personal data is very broad

• Differs from Personally Identifiable Information (PII) in the US which only deals with data that actually identifies a person as compared with data that is identifiable, e.g. in Europe location data or online identifiers like web tracking tools would be classified as Personal Data, whereas in the US such information is not considered personal information.

Security

Implement “appropriate” technical and organizational security measures and set expectations about:

Physical security of the hardware and storage of data

Level and type of encryption

State of the art security measures

Costs of implementation

Risk (vulnerabilities, to data subjects etc.)

Include obligations to report breaches immediately, comply with applicable state data breach laws

Consider whether customer audit rights are appropriate and necessary (depending on platform and infrastructure)

Consider asking (beyond the contractual warranties) for the host’s CEO to each year warrant the security of the system.

Security

Set customer expectations about the purging of data after relationship ends

Agree a plan in case of security breach or attempted security breach

Back up and Disaster Recovery

Set customer expectations about standard backup and storage practices and procedures

Reassure customer that host has a well-defined and sufficient disaster recovery plan in place that will allow fast recovery in a disaster

Establish timetable for the recovery implementation

US Data Security

• In U.S., SOC 2 compliance has become minimum industry requirement for a service provider

• SOC 2 certification was developed by the American Institute of CPAs (AICPA) and established criteria for managing customer data based on five “trust service principles”

1. Security: Network/application firewalls, Two-factor Authentication, Intrusion detection

2. Availability: Performance monitoring, Disaster recovery, Security incident handling

3. Processing Integrity: Quality assurance, Processing monitoring

4. Confidentiality: Encryption, Access Controls, Network application firewalls

5. Privacy: Access control, Two-factor authentication, Encryption

• SOC 2 certification issued by outside auditors. Assessment of service provider’s degree of compliance with trust service principles

US Data Security

• At the federal level, the FTC has articulated through a series of enforcement actions a set of minimum data security requirements to comply with Section 5(a) of the Federal Trade Commission Act; also published guide for businesses: Start with Security: Lessons Learned from FTC Cases

• Protection of Electronic Personal Health Information (“PHI”) is subject to the national data security standards established by the HIPAA Security Rule located at 45 CFR Part 160 and Subparts A and C of Part 164

  • HIPAA Security Risk Assessment Tool has been developed jointly by the Office of the National Coordinator for Health Information Technology (“ONC”) and the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”)

  • National Institute of Standards and Technology (“NIST”) HIPAA Security Rule Toolkit

• Protection of customer information by business deemed to be “financial institution” is subject to the national data security standards established by Safeguards Rule located at 16 CFR Part 314

European Data Security

The NIS Directive has potential impact on:

any operator of essential services (“OES”) in businesses that rely on IT systems in the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure; and

on certain providers of online marketplaces, online search engines and cloud computing services (Digital Service Providers (“DSPs”)).

EU customers who are OESs or DSPs must ensure that their host complies with security and incident-reporting obligations under national legislation.

Term and Termination

1. Term and Termination

Consider set up length v. commitment for the BAU services

Longer term v automatic renewal (impact on pricing)

Suspension

Define reasons why customer would be suspended and the process for suspension

Define process for resuming services

If customer decides to transition off platform during a suspension, define how that will work

Set customer expectations for how long after suspension data will be purged from host platform

Term and Termination

Termination: Who can terminate and why?

Termination for which breaches

Is the host allowed to terminate for convenience

When would the customer be allowed to terminate for convenience and will early termination payment be necessary

Length of notice required

Event of Business Closure or Bankruptcy of Host

Set customer expectations about notification of any change with business and the continued availability of transitioning services

Define process for cessation of hosting services and timetable for purging of data

Consequences of Termination

2. Consequences of Termination

Deletion of data or transfer of data? In what format will the transitioned data be provided?

Are transitioning services made available, and if so, for how long after termination.

Scope and fees of transitioning services available to customer.

Will a new provider need to be involved in the process and what requirements will be made on new provider? and on the exiting provider?

Thank you and questions