The Devil Is In The Details - Who Is The Owner Of Your Data When Using SaaS?
A mass of corporate data is moving into the cloud. Much of it is there under Software-as-a-Service solution contracts. This data being essential for daily business, SaaS contracts handsomely cover service outages and access to service. Yet data ownership under these contracts is another matter. What can companies do to avoid losing it amid the convoluted interplay of SaaS vendors, software originators and owners, cloud operators, third parties, and even jurisdictions?
The continuing debate over who exactly owns data created and stored in the cloud has both legal and technical aspects. Some experts distinguish between data created by users before uploading to the cloud and data created within a cloud platform. The former case would fall under copyright law, provided the cloud vendor is reputable. The latter case contains a number of factors that render the data ownership issue rather more complicated.
Jurisdiction also plays a role in data ownership. The Stored Communications Act (SCA) allows the US authorities to seize data stored by American companies even if they are hosted outside the USA. Many other countries have similar laws. It pays to check contracts as to applicable law and the precise domicile of stored data.
SaaS Escrow Services
A SaaS escrow service is perhaps the first solution that presents itself to preserving data ownership. But many older software source escrow services no longer provide the required level of protection. The danger arises from the escrow service storing only the software codes used in the service and from third party data hosting providers.
To cover outages, escrow services used to store only the SaaS software source codes. Data was usually stored by the SaaS provider – on its own servers or, most often, on third-party servers. If the SaaS service went insolvent, even the best data ownership protection contract could see clients lose access to data stored on these third party servers.
This puts the onus on clients to seek escrow solutions which explicitly protect their ownership of data after it has been stored and processed using software in the cloud.
Data hosting providers are not parties to contracts with SaaS vendors. This means that companies may lose data, albeit temporarily. The point to remember is that a SaaS contract provides a service: not a software licence. Without a software licence, users do not automatically retain ownership of data processed by the software in question.
That said, SaaS escrow providers are now shifting to more advanced disaster recovery methods. Most reputable ones offer data storage and backups to protect business critical data against service outages or SaaS vendor insolvency.
Where companies opt for escrow contracts, they should negotiate data backups at suitably close intervals and scrutinise agreements to ensure their data remains theirs whatever might happen.
The Nondisclosure Loophole
Many SaaS and escrow vendors offer nondisclosure agreements. These address data protection, but can offer a false sense of security. What an NDA’s data protection terms cover is not the ownership of data, but rather aspects like commercial confidentiality and personal particulars. Data security, recoverability, and ownership are not part of the average NDA. It thus makes sense for companies to seek specific data ownership guarantees or turn to alternative vendors.
Now, there are SaaS escrow services out there, which focus on protecting client companies’ data together with SaaS vendors’ software and hold both the source code and client's data so that they can be brought back up to speed if the SaaS vendor disappears. Another thing to note is that SaaS escrows also legally transfer ownership of the client's data to the client. So, if they don't originally own it, they can if the transfer is facilitated through a SaaS Escrow.
They are ideal for companies needing to protect their data and guarantee access to it whatever happens. Your company does not need to tamper with the software source code, which is copied on the escrow provider’s servers. Any source code needs installation and tweaking to be utilised. You only need it to be imported in compatible software. Hence, the best advice is to contract for frequent backups and for data to be stored in exportable formats. This allows easy switching to other SaaS services.
It also makes sense to include insurance and vendor financial reporting provisions in contracts. These would give companies early warning of any financial issues emerging at SaaS providers and hence give them due notice of the need to act in protection of their data. Clauses allowing companies to transfer their data at any time and at their sole discretion cover such eventualities.
Source: Statista (https://www.statista.com/statistics/500572/worldwide-cloud-computing-services-usage/)
Software Functionality: Good and Bad
Many SaaS vendors obscure their software’s core technology. Instead, they highlight only the software’s basic functions at the expense of detail on what it can really do. All usable IT technology can perform multiple tasks. What guarantees that among them is not the leaking of data to third parties, allowing them to claim ownership over those data?
A paradox can serve as an example of just this. The fairly widely offered class of services known as online content checking promise to examine data for originality. What the data’s owners scarcely realise, however, is that they can lose ownership to it to the very checkers! Some online content checking contracts state this plainly enough. Yet unwillingness to wade through the small print in the Terms & Conditions can often force the data’s owners into ceding their property.
Contracts that do not state explicitly that SaaS clients own all data entered and withdrawn into and from the service expose these data to potential future ownership claims. This also applies to data migration from one SaaS vendor to another: it pays to cover data ownership from end to end in perpetuity.
What should come across from the above is that careful scrutiny of any SaaS service (not licence) agreement is a necessary chore. If provisions do not match a company’s requirements, it can seek reasonable amendments or look elsewhere. This elsewhere could mean an escrow service that runs a complete parallel copy of the SaaS and data subject to the same precautions. Contracts ought to protect as much against service outages and vendor bankruptcy, as against users losing ownership over data they entrust to SaaS in good faith.
Jorge Sagastume is a Vice President at EscrowTech International, Inc. with 12 years of experience protecting IP and earning the trust of the greatest companies in the world. Jorge has been invited to speak on IP issues by foreign governments and international agencies. You can connect with Jorge on LinkedIn at https://www.linkedin.com/in/jorgesagastume