On the last weekend of May, partners and representatives of the ALFA International European member firms gathered in Helsinki. For the first time, Estonia was represented, with the role being carried out by the partners of Lepmets & Nõges Law Firm, Ott Lepmets and Kristjan Nõges. Among other things, attorneys Ott Lepmets and Kristjan Nõges participated in an exciting panel discussion on the future of Software as a Service (SaaS) agreements. In addition to our firm's partners, the panel also included Dr. Georg Huber (GPK Pegger Kofler & Partner, Austria), and it was moderated by Pav Younis (Weinhold Legal, Czech Republic).

Our partner, Kristjan Nõges, commented on the event as follows: "It was an excellent opportunity to exchange ideas with true experts in the field. The choice of topics deserves praise as well since the market for Software as a Service (SaaS) agreements has quintupled in the last seven years, now surpassing the trillion-dollar mark. The panel discussed the principles of SaaS agreements, particularly in relation to the implementation of artificial intelligence and the use of large datasets, while exploring how it aligns with increasingly stringent data protection regulations. Additionally, we took a glimpse at the proposed European Union regulations in the field of taming artificial intelligence. It was a truly fascinating discussion."

What is software as a service (Saas)?

Software-as-a-Service (SaaS) is one of the three main cloud computing services. The other two are Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). SaaS essentially refers to a turnkey software solution that is accessed over the internet and paid for based on usage or duration. Unlike traditional software purchases, this approach provides customers with more flexibility and lower operating costs. By keeping the software up-to-date and providing competent customer support, the need for a separate IT department in companies can be significantly reduced. Well-known examples of such software services include Gmail, Slack, and Office 365. In addition to user-friendliness, storing data in the cloud often offers enhanced security compared to local data storage.


Main elements of SaaS contracts

Software-as-a-Service (SaaS) agreements do not constitute a separate type of contract in Estonian legal system. Therefore, the legislator has not provided a specific template for drafting such agreements. That's why it is advisable to collaborate with specialists who understand the nature of the service being regulated. When drafting SaaS agreements, it is important to consider and carefully regulate elements such as service availability, licensing, fee structure, updates, data protection, security, and liability. Each of these elements encompasses various solutions and possibilities that need to be woven together into a coherent whole based on the client's interests. Let's take a closer look at licensing, data protection, and security as examples.


What should be considered regarding licensing?

Licensing pertains to intellectual property, which broadly refers to creations of the mind. In the context of SaaS agreements, this would encompass software code, branding, design, the look and feel of your software —essentially, what makes your software unique and contributes to its value. There is no doubt that intellectual property needs to be carefully protected, and this can be achieved through contractual means.


Additionally, consideration must be given to anything that originates from the customers of the software provider. It is common for most users of a software service to upload images or documents while utilizing the service. If the software provider intends to use these data for their own purposes, appropriate consent should be obtained. Therefore, the SaaS agreement should include clauses specifying what can be done with the data originating from the customers of the service. Furthermore, the agreement should also regulate the ownership and extent of intellectual property created as a result of using the software.


What should be considered regarding data protection and security?

When it comes to data protection and GDPR, it is understandable that some founders may roll their eyes. From the perspective of a software service provider, this topic may seem like another obstacle in conducting business. However, the importance of this issue cannot be overstated. This is exemplified by the recent fine imposed on Meta (formerly Facebook) for violating GDPR provisions, amounting to 1.2 billion dollars. Data protection is undoubtedly a field that should be considered as early as the product development phase.


The software service provider must understand when they are acting as the data controller and when they are acting as the data processor, and the obligations that come with each role. In both cases, the software service provider must have a clear overview of the personal data they collect, the purpose of the collection, and the legal basis for processing. This overview must be disclosed to the end user of the service. Systems must be in place to respond to queries related to personal data, and individuals responsible for this task must be designated.


Careful consideration should be given to how data is stored, who has access to the data, and at what intervals. What security measures are employed? What are the procedural rules in case of a data breach? Where is the data physically stored, and how will the provider respond if something happens to it? These aspects need to be thoughtfully addressed to ensure data protection and security.


Advokaadibüroo Lepmets & Nõges's attorneys can help you find the right answers to these and any other questions related to Software-as-a-Service (SaaS) agreements.