Mailing List

Popular Articles

Recent Articles

Follow Us

Archive for March, 2017

Service Level Agreements: What is a Service-Level Agreement or “SLA” and When Do You Need One?

Written by on Thursday, March 16th, 2017

If you are in the software industry, you may have heard of a “service level agreement” or “SLA,” but do you really understand what a “service level agreement” actually is or when you might need one?

A “service level agreement” or “SLA” is a technical agreement that defines that parties’ expectations of the level of service that will be provided in a particular service provider relationship and establishes how a customer will be compensated if the service at any given time does not meet the expectations as defined in the agreement.  It is usually drafted as a schedule to another agreement such as a master service agreement (“MSA”), software services agreement (“SaaS agreement”) or hosting services agreement rather than standing alone as the sole agreement defining a relationship between two parties.  As a tech transactions and software attorney, I would expect to see a service level agreement present in any agreement involving a software as a service (“SaaS”) or hosting relationship; however, a service level agreement could be appropriate in other tech-related service relationships as well, in which metrics or standards for the delivery of the service mattered to the customer and not just the accomplishment of a particular service milestone.  For example, a “service level agreement” might be appropriate in a business relationship with a provider of IT services, in a back-up or disaster recovery relationship, or in a data service relationship–these are all scenarios where a customer might have expectations beyond merely whether a particular task was performed or not that one or both parties might want to address in a separate service level agreement.

If you are questioning why it is customary to have a “service level agreement” and not just rely on a standard warranty or material breach clause, consider this:  if an interruption in service occurs with a particular relationship and then resumes for any reason, does either the consumer or the provider really want to treat that interruption as a material breach and terminate the relationship?  In many cases, the answer is “no.”  From the provider’s perspective, the interruption may very well have affected its entire customer base, so of course, the provider doesn’t want to go out of business over a single incident.  At the same time, it is frequently not in the consumer’s best interest to treat an interruption as a material breach either.  The consumer may believe the service provider is the best provider in its industry to deliver a particular service, either because of the pricepoint, the technology or service offered, or the reputation of the particular provider.  Also, the cost in terms of time and resources of finding an alternative provider might be higher than the consumer is willing to take on at that time.  There might be no other alternative to the particular provider, or the financial costs of changing providers could be too high.  Obviously, there may be legal consequences as well in terms of the cost and expense of enforcing a warranty clause and terminating a contract for material breach that could easily dissuade a particular consumer against exercising such rights.

Thus, for all of these reasons, a “service level agreement” or “SLA” is frequently relied upon by knowledgeable service providers and customers to define the parties’ expectations about the delivery of a particular technical service and to provide an alternative mechanism for compensating service failures outside of the standard warranty/breach framework.  Where no such agreement exists, the parties often have no real expectations defined for the service, which more often than not will eventually bring a premature end to the relationship.

What types of terms should you expect to find in a “service level agreement” or “SLA”?  As with most technical agreements, it is my view that the terms in a particular service level agreement need to be tailored to the particular relationship between two parties and not just copied from a third party’s agreement, so no single set of terms will be appropriate in all cases.  For example, if you are a SaaS company and you rely on a third party to host your software, then the service level agreement you adopt needs to contemplate the service level agreement terms of the third party hosting your software and not be written independently of the hosting relationship.  If you are procuring another technical service, you should make sure that the service level agreement reflects the expectations of your business or your customer base.  If you don’t have expectations for what you are buying, then you need to do your homework and talk to an attorney, competing service providers, other businesses, etc. to understand the problems you might run into with the particular service and understand what expectations are reasonable for the particular service being procured.  The worst drafting mistake you can make in adopting a particular set of terms for a service level agreement is to simply use a third party’s terms rather than customize the terms to the particular relationship, since the third party’s terms will likely have no relevance to your relationship.  Having said this, there are some terms that are commonly found in service level agreements.  These include such concepts as as “service availability,” “exclusions,” “scheduled downtime,” “uptime,” “service level guarantee,” “service credit,” “business hours,” “priority response times,”  and “service level reporting.”

The bottom line is that if you are on either side of a technical service relationship, it is important to consider whether a service level agreement might be advisable to define the parties’ expectations for the relationship beyond just whether or not a particular service is performed.  There are no single set of terms that should be adopted in all scenarios, but you need to be knowledgeable enough about what you are buying or selling to develop clear expectations in advance of the commencement of the relationship.  As a SaaS company, you are both a buyer and seller of services, and therefore it would be prudent to define expectations for the service not only with your customers but also with your service providers, so that you obtain the services required to meet your customer’s expectations as well.

Share On Facebook
Share On Twitter
Share On Google Plus
Share On Linkedin

Category: Software Agreement Drafting  |  Comments Off on Service Level Agreements: What is a Service-Level Agreement or “SLA” and When Do You Need One?

Recent Software Class Actions Provide Valuable Lesson on Why SaaS Contracts Should Be Drafted to Fit Company’s Business Model

Written by on Friday, March 10th, 2017

When SaaS companies and start-ups first contact me, they are often doing so with the idea that there are a few really well SaaS template contracts circulating in the SaaS industry and they seeking the” right” attorney to provide that industry-standard template to them.  Alternatively, they contact me telling me that they’ve already put together a draft SaaS contract, and that they just want me to look over and “bless” what they’ve already written based on a particular SaaS company’s contract available for download on the Internet.

In these cases, which are the norm rather than the exception, I often encounter significant push-back when I first suggest to them that they are approaching the SaaS contract drafting process entirely the wrong way.  I always explain that a well-drafted SaaS contract should be tailored to their specific business model, and then I proceed to ask them a number of questions about their business model, which they generally aren’t prepared to answer.  They often then proceed to get frustrated by all the questions about their business, when all they are actually looking for is the “right” contract template.

If you are in the SaaS industry and have created your customer contract in a similar fashion, or committed the other common software contracting “sin” of caving into pressure exerted by a potential customer and just agreed to their standard agreement terms because you wanted to close a deal with them, then you may want to consider the example of recent litigation against an industry leader, which adopted contract language which was then alleged not to match the company’s business practices.

The litigation at issue involves class action suits against the McAfee brand security software: Williamson v. McAfee, Inc.,  No. 5:14cv00158 (N.D. Cal. Aug. 30, 2016) and Kirby v. McAfee, Inc., No. 5:14cv02475 (N.D. Cal. May 29, 2014).  Both cases focus on the company’s business practices surrounding its use of automatic renewal clauses–a standard practice widely adopted throughout the SaaS industry.  The litigation is ongoing: while the court granted final approval of a settlement in both cases, an appeal has been filed.  (See posted notice).

The particular contract clause at issue in the Williamson case is a common clause routinely included in SaaS contracts that stated at autorenewal customers would be charged the “then-current” price for the product.  However, the Williamson complaint alleged that the actual practice of the company was to charge customers upon autorenewal a higher price for the product than the price that the customer could have purchased the product for elsewhere.

The particular contract clauses at issue in the Kirby case stated that customer would be automatically enrolled in the autorenewal program and that a customer’s credit or debit card could be charged at autorenewal even after it had expired.  The Kirby complaint alleged that the actual practice of the company was to import into its billing system updated customer credit or debit card information provided by Visa or MasterCard rather than procuring a new authorization from client when the prior authorization became invalid, and to charge the customer at autorenewal at a higher price than originally paid without the customer’s express consent.

While there are a number of allegations made against McAfee in these class action suits, a fundamental problem alleged was that the terms of service binding the customer did not match the company’s actual business practices, and that the customer did not provide consent to the company’s actual autorenewal practices.

While these particular suits were filed against McAfee, the business practices alleged in these cases are perhaps the current standard of conduct for today’s software industry.  Furthermore, I would argue that more often than not terms of service are adopted by companies without any consideration whatsoever of the actual technology and business model for the software or SaaS product, so it is probably rare for the terms of service to match the company’s actual business practices.  Thus, it is my assertion that these cases provide an excellent primer of the risks of adopting terms of service that do not match the actual practices of the business.  It’s still not clear what the ultimate price tag on this matter will reach on the part of the company, but it’s clear it will be multiple millions of dollars in costs and expenses.

Moreover, these cases demonstrate the importance of consent to having an effective autorenewal clause.  State laws applicable to these cases did require the procurement of clear and conspicuous consent to autorenewal, which McAfee is alleged not to have had in these particular sets of facts.  Obviously, any deficiency with consent could have easily been addressed through the adoption of better business practices and terms that would demonstrate clear customer consent in compliance with applicable state laws.

The bottom line is that terms of service should not be adopted by a SaaS company without a thorough consideration of the technology, the business model, and the business practices of the company.  Even common business concepts like autorenewal accepted across the board within the industry may lead to costly lawsuits if insufficient consideration of business practices is contemplated in conjunction with the drafting of terms of service.

 

Share On Facebook
Share On Twitter
Share On Google Plus
Share On Linkedin

Category: Litigation, Software Agreement Drafting, Software Litigation  |  Comments Off on Recent Software Class Actions Provide Valuable Lesson on Why SaaS Contracts Should Be Drafted to Fit Company’s Business Model

Recent FTC Enforcement Actions Should Serve as Warning to Software Industry about Privacy Practices

Written by on Wednesday, March 8th, 2017

If your software company is like most, you have probably spent little or no time contemplating what needs to be in your company’s privacy policy.  In fact,  what your company is currently calling its privacy policy was likely copied from a third party website years ago and never given much thought since.  Meanwhile, your company is likely collecting and aggregating user data and looking for new opportunities to monetize it.  Sound familiar?

Well, if this is your company’s situation, you may want to rethink how you are operating in light of recent enforcement action by the FTC on corporate data collection practices.

On February 6, 2017, the FTC announced that VIZIO, Inc. had agreed to pay $2.2 million to settle charges by the FTC and Office of the New Jersey Attorney General that it installed software on its TVs to collect data regarding consumer viewing without their knowledge or consent.  In its complaint against VIZIO, the FTC alleged that VIZIO had manufactured televisions that continuously tracked consumer viewing on the television and transmitted this information back to VIZIO, and also had remotely installed the same proprietary software on previously sold televisions.  In addition to collecting information about consumer viewing, the FTC alleged in its complaint that the software had collected information about the television, IP address, wired and wireless MAC addresses, WiFi signal strength, and nearby WiFi access points.  The FTC further alleged in its complaint that VIZIO had then entered into third party contracts to sell the data collected to third parties for the purpose of measuring the audience, analyzing advertising effectiveness, and targeting advertising to particular consumers.  While VIZIO’s contracts had provided only aggregate data to the third parties, those contracts did provide segmented demographic information by sex, age, income marital status, household size, education, home information, and household value.  According to the FTC Complaint, VIZIO did make a privacy policy available on its website, but the only onscreen notifications provided to consumers were vague and timed out after 30 seconds, never sufficiently informing consumers as to VIZIO’s data collection practices with the software installed on their televisions.   The FTC alleged that VIZIO’s actions in deceptively omitting material facts constituted deceptive acts or unfair practices prohibited by Section 5(a) of the FTC Act.

In the stipulated order, VIZIO was ordered to take all the following actions before collecting any further data from consumers:

  • Prominently disclose to consumers “separate and apart” from the privacy policy specifics on the data to be collected, what would be shared with third parties, the categories of third parties who would receive the data, and the purpose for which the third parties would receive the data.
  • Obtain affirmative express consent from consumers at the time of disclosure and upon any material changes.
  • Provide instructions at the time of obtaining consent to how consumers may revoke consent.

The stipulated order then gave specific guidelines on what would constitute “prominent” disclosure

The stipulated order also required the destruction of the previously collected data, the mandated creation of an internal privacy program meeting certain requirements, and third party oversight going forward regarding the privacy controls in place at the company.

Clearly, the FTC intended to send a message to the software industry about the collection of consumer data in the case of this particular enforcement action.

However, the FTC’s recent enforcement activities against software companies did not end with VIZIO.  In a separate statement, the FTC announced settlements with three other companies in the industry over allegations that they had made deceptive statements in their privacy policies about their participation in an international privacy program.  The companies charged in those cases were, Sentinel Labs, Inc., a software company providing endpoint protection software to enterprise customers; SpyChatter, Inc., a company marketing a private messaging app; and Vir2us, Inc., a distributor of cybersecurity software.  The FTC alleged in each complaint that the companies violated the FTC Act by making deceptive statements about their participation in privacy programs.  Attached are the complaints against Sentinel Labs, SpyChatter, and Vir2us.   In these cases, the proposed settlements merely prohibited the companies from making further misrepresentations about their participation in third party privacy or security programs, but are not final orders and still subject to possible amendment.

What conclusions should you as a software company take away from the FTC’s recent enforcement activities against software companies?  Clearly, the FTC is cognizant of the trends in the software industry to monetize data collected from software, to adopt privacy policies without actually customizing them to the practices of their particular company, and to bury privacy notices on websites without actually obtaining clear end user consent to actual business data collection practices.  So, if your company is like most in this space, you are on notice that your practices need to change.  Your privacy policy needs to be customized to the business practices of your particular company, which means that you actually need to take the time to consider each and every piece of information that you are collecting from the public and disclose what you are doing with it.  If your customers expect you to be a part of an international privacy program before they do business with you, you need to actually take the steps requirement to receive the appropriate certification from that organization before you advise consumers and the public that you are a member.  And if your software collects information, you need to make sure that not only your customers but also the parties from whom the information is collected have given their clear consent to your collection practices.  A privacy policy buried in your website is probably not sufficient to cover you legally.

If you do not change your privacy practices, you are on notice that you may soon be hearing from the FTC.

Share On Facebook
Share On Twitter
Share On Google Plus
Share On Linkedin

Category: FTC Regulation  |  Comments Off on Recent FTC Enforcement Actions Should Serve as Warning to Software Industry about Privacy Practices

SaaS Contracts: Is Your SaaS Contract Extending Your Sales Cycle?

Written by on Friday, March 3rd, 2017

The average sales contract being signed by a SaaS company has nothing to do with the technology being sold and fails to include all of the key contract terms that need to be in a SaaS contract.  Thus, not only does the poor nature of the contract complicate the process of signing up new customers to use the product, but it also dramatically increases the risk that your company will end up in a dispute with the customer that does sign your contract.

What can be done by SaaS companies to ensure that their contracts are not creating more business problems than they solve?  The Silicon Valley Software Law Blog’s Author and Attorney Kristie Prinz will be presenting a
webinar addressing these and other important issues on March 24, 2017.  The webinar will address such questions asJEL28958-Prinz, Kristie

  • What makes an effective SaaS customer contract?
  • What terms should SaaS customers expect?
  • Common challenges with customer negotiations.
  • What drafting problems frequently result in stalled contract negotiations? Customer disputes?
  • How can better drafting close deals faster? Avoid subsequent customer disputes?

Tickets are still available to attend this webinar, and the program will be appropriate for lawyers and businesspeople alike.  To sign up, please click on the following link: https://www.eventbrite.com/e/best-practices-for-drafting-saas-contracts-that-reduce-the-customer-sales-cycle-avoid-disputes-tickets-29989175431.

Share On Facebook
Share On Twitter
Share On Google Plus
Share On Linkedin

Category: Upcoming Speaking Engagements  |  Comments Off on SaaS Contracts: Is Your SaaS Contract Extending Your Sales Cycle?

Copyright 2008-2017 The Prinz Law Office.

The Prinz Law Office | Silicon Valley, CA | Los Angeles, CA | Orange County, CA | San Diego, CA | Atlanta, GA | Tel: 1.800.884.2124

Mailing Address: 117 Bernal Rd., Suite 70-110, San Jose, CA 95119. Silicon Valley Office: 2033 Gateway Place, 5th Floor, San Jose, CA 95110 (408) 884-2854. Los Angeles Office: 3110 Main St., Building C, Santa Monica, CA 90405. (310) 907-9218. Orange County Office: 100 Spectrum Center Drive, 9th Floor, Irvine, CA 92618. (949)236-6777. San Diego Office: 4455 Murphy Canyon Road, Suite 100, San Diego, CA 92123. (619)354-2727. Atlanta Office: 1000 Parkwood Circle, Suite 900 Atlanta, Georgia 30339. (404)479-2470

Serving Silicon Valley, San Jose, San Francisco, Santa Cruz, Los Angeles, Irvine, Anaheim, Orange County, Santa Monica, Silicon Beach, Santa Barbara, San Diego, Sacramento, Atlanta. Licensed in California & Georgia.