SaaS T&Cs — Explanation and Negotiation Ease Assessment

Columns: Highest Risk Terms to Negotiate | Explanation of the Term and Details on the Risk Presented | Gartner's "Ease of Negotiating" Assessment*


Pilot "Try Before You Buy"
Sometimes a pilot or trial period is offered to test-run a solution; however, auto-start language is sometimes added under which the real term of 12 months or longer starts automatically once the trial period is over, without any notice to the customer.

Full Disclosure of ALL Terms and Conditions during the Evaluation
Providers may refuse to furnish their contractual terms and conditions and/or order forms until customers are ready to commit, placing an enormous amount of risk on prospective customers. Although many providers represent the terms as standard, as this Toolkit suggests the terms can often be improved. However, without seeing what the terms in the master service agreement, service-level agreements (SLAs), policies, exhibits and order forms are, commercial risk will be high. Some of these are only available online, and it is not obvious where. Some providers resist providing them, waiting until the need for the SaaS offering is high and time is limited, severely restricting the customer's leverage.
Ensure All Terms and Conditions in the Present/Proposed Contract Cannot Diminish
Customers could experience surprises as a result of terms and conditions being incorporated by URL link; URL links may not be properly reviewed, and the terms and conditions in a linked document may change without prior notice. Even if the SaaS provider commits to no material diminishment of the URL terms, it will be very difficult for customers to establish the baseline from their contract signing date if these have changed multiple times during the agreement term; a dated copy of every linked document, attached as an exhibit at signing, is the only practical baseline. It is also important to ensure that these URL terms cannot materially diminish on the renewal term either, as this could result in a lowering of the value delivered at a time when most SaaS customers have little ability to switch and therefore little leverage.
Line Item Pricing
Providers often lump all subscription costs together, combining not only the fees for multiple modules, which may have varying usage requirements, but also the costs of separately charged elements of the service such as storage, service and support, sandboxes etc. This not only makes it difficult to analyze pricing per service line, it also creates a risk of overpaying, or of nontransparent costs, if the units for one service need to be increased but the others do not.


Upfront Payments
Providers typically levy charges on contract signing rather than when the service is used. Some encourage customers to pay not just one year but multiple years upfront — on contract signing. Some offer significant discounts if large percentages are paid upfront. Paying for multiple years upfront means more risk at stake for buyers if the provider fails to perform.


Variable Pricing
Although many SaaS providers market their capabilities as "elastic" and "usage-based," the reality of nearly all SaaS contracts is that the elasticity is only one way: upward. If customers reduce the number of units used in any one month, they rarely pay less.

Payment Holiday
Providers tend to require payment on contract signing and not based on implementation schedules. For SaaS capabilities that will be live in a short period, i.e., less than 3 months, this is reasonable. However, if you anticipate lengthier implementation periods, there is a risk that subscriptions will be paid on the entire anticipated estate while no usage benefit is being derived.

*Based on the degree of difficulty the term may be to negotiate — Degree of Difficulty: Easy (Green), Medium (Yellow) or Difficult (Red).

Price Holds for Additional Future Functionality Required
Customers must conduct a functionality assessment prior to negotiations. The greatest leverage customers have is prior to signing the first deal. Although many buyers assume they will have leverage when adding new service lines, unless they are prepared to run a new competitive bid this leverage is usually diminished. If you want to add new service lines with the same provider, unless these are service lines the provider also needs references for, the discounts offered are often considerably lower than on the initial deal, or than what might be achieved by net new customers.
Improved Unit Pricing
Customers may need to increase metric counts, sometimes significantly, during the contract term. Without improved price performance (lower unit pricing for higher unit volumes), SaaS customers will usually pay the same unit price even with significantly higher volume commitments. This is because the SaaS provider sees no need to reduce price points, as there is little risk of the customer switching once the term has begun.


Pricing Metric Definitions
Contracts should include clear pricing metric definitions (e.g., user, employee, transaction, spend volume). This establishes what you will need to count or measure for future payments, and there should be absolutely no ambiguity about it. Where there is ambiguity, customers find themselves exposed to costs they did not budget for.
Pricing Metric Change Protections (Term & Renewal)
The pricing metric should be protected during the term of the agreement, but also on the renewal term, so that you can do at least one renewal using the same pricing metric. If the SaaS provider changes the pricing mechanism, many SaaS contracts only require the customer to be informed 60 days before the renewal. A change in metric can significantly alter the costs, and it would be extremely difficult for customers to switch functionality and providers in 60 days.


Variable "Metric" Counts Based on Functionality (i.e., Different Unit Counts per Module/Service Line)
SaaS providers tend to put proposals together using the unit count they were supplied with, without informing customers that the counts can be altered by module. The base metric number should be alterable according to the differing usage requirements across the different functionalities or modules being subscribed to, in order to avoid overpaying.
Lock-In for Downward Metric Fluctuation at Renewal
SaaS contracts do not typically allow downward fluctuation in unit counts resulting in reduced payments. SaaS customers often feel that they have the opportunity to reduce volumes on renewal terms. However, most price cap or protection clauses require customers to renew in the same volumes as in the prior deal, thereby negating any ability to reduce costs. If reductions are made and the price protection no longer applies, SaaS providers typically increase the unit cost to effectively make up the difference.
Functionality Descriptions & Protections (Term & Renewal)
The standard language in most SaaS contracts states that the functionality or capability may not materially diminish during the contract term; however, equally many lack any baseline of what functionality and capability is actually included. Some refer to documentation via website links, which can change during the contract term, making it difficult to baseline what functionality was included when you initially signed the contract. Others simply refer to order forms that note the current service line name (e.g., Microsoft Office 365 E4, or Workday HCM and CCHCM) but do not give customers any detail on what functionality is included in these bundles. This leaves customers relying on presales information, which is often deemed contractually invalid by the entire agreement clause, and which in some cases may not be documented at all.


Bundling Protection (Term & Renewal)
SaaS providers may attempt to rebundle functionality into new or different service lines. Sometimes this results in higher costs for the same capabilities, or a requirement to purchase new service lines to get something you have already subscribed to, or anticipated as a subscription benefit.

Test and Development (Sandboxing Fees)
Many SaaS providers offer a test and development (sandbox) environment so changes can be tested against an exact mirror of customer data, configurations and code. Some provide the sandbox free of charge only during initial implementation and then take it away. Other providers offer multiple sandbox types, some for configuration only, others as a full production mirror, which may give you a copy of the data. How and whether these are charged for varies considerably by provider. If you expect this to be included within the subscription fees but discover it is not, it can lead to unbudgeted additional costs. A sandbox that carries a copy of production data should also fall under the same data confidentiality, security and deletion terms as the production environment.
Renewal Price Cap Protections
SaaS is offered on a subscription model. With subscriptions, there is no ability to continue using the offering unless the contract is renewed. Leverage at the renewal period is often significantly lower than it was on the initial deal because of the switching costs. Therefore, embedding price protections for renewal into the initial agreement is vital for customers to avoid unreasonable, unilateral price hikes. In many markets, SaaS providers are hungry for customers and are offering compelling discounts to win initial deals. However, without renewal price protection, there is the risk that these discounts will disappear on the renewal term. Some providers offer no price protection at all; others suggest prices can increase by up to 7%-15% on renewal terms.
Exchange Rights
When IT procurement enters into SaaS contracts, it often subscribes to a number of service lines as requested by stakeholders. In some cases, because of changing stakeholder priorities, the need for those service lines might change: instead of what you subscribed to, you might require a different service line from the same provider. However, unless exchange language has been negotiated, it will usually not be possible to trade in the investment made in an undeployed or unwanted service line toward another. This means you could be paying for shelfware as a service.
Support Capabilities and SLAs
As standard, most SaaS subscriptions include basic customer support. However, the support may be as basic as email help or an FAQ list, or have worryingly low SLAs such as a 2-day response time to incident notification. For support more consistent with enterprise expectations, providers' "Premium Support" offerings may need to be purchased, at a considerable additional unbudgeted cost (often ranging from 5%-20% of the subscription fees). Services typically offered as Premium Support include SaaS environment optimization, 24/7 phone support, a technical account manager, and SLAs with penalties. Even when Premium Support is purchased, some SaaS contracts do not include the terms of the program in the agreement, and where they do there is often no penalty if service levels are missed, making the payments less effective than anticipated.


True-Up or Audit Protections
Most providers' standard practice is to insert rights to conduct periodic metric count verifications. This places a great deal of unknown risk on the customer because "periodic" can mean many different things to different providers; the frequency, notice period and scope of any verification should be defined in the contract.

Dependencies on Local Installation of Client Software
In some cases, SaaS implementations require local installation of client software, for example ActiveX components, or have dependencies on other software. If this is the case, it is critical to document what the minimum/optimal technical requirements are and how much notice will be given if they change, to avoid malfunctions or exposure to unbudgeted costs to upgrade on-premises software.

Divestiture/Acquisition Protections
In the event of a merger, acquisition or corporate reorganization, a customer will want "assignment" language included to reassign the agreement in its entirety or in part. If not, there is a risk that you will not be able to benefit from economies of scale in a merger situation. Equally, in a divestiture you may end up paying for subscriptions that are no longer required.
Data Access Protections
Availability of and access to your customer data should be a given. Some SaaS providers limit the amount of data that can be downloaded in a 24-hour period; others stipulate that they can decide whether you are downloading too much or too frequently and inhibit downloads. If you do not have access to your data when you need it, you are at a significant disadvantage, with much higher risk should you encounter data loss. If there is a cost for data access (not recommended), it is often unexpected and unbudgeted.
Data Confidentiality and Intellectual Property Protections
Customer data should always be treated as sensitive in nature and completely confidential unless otherwise explicitly expressed by the customer. This is particularly the case if you are putting highly sensitive confidential information into a SaaS provider's offering, as with Board of Directors portal SaaS offerings (see "Market Guide for Board Portals," G00261135), but it is also increasingly important if you are using a SaaS provider for innovative, digital or Mode 2 projects. In these cases it is certainly prudent to ensure clauses protect your intellectual property sufficiently (see "Predicts 2015: The Digital Revolution Expands the Strategic Importance of IT Procurement and Asset Management," G00270935). Additionally, we see some providers use aggregate anonymized customer data to enhance the service or provide market intelligence and trends; if this is provided back to customers on the basis of their own data, it should never be a charged service.
Data Privacy Protections
Data privacy, much like security below, is not something you can rely exclusively on the contract to govern (see "Regulatory Compliance Alone Cannot Mitigate Risk," G00269987). What you need will vary from country to country and industry to industry. Some countries, and even U.S. states, have stricter laws related to data sovereignty, and industries have different privacy requirements. In U.S. healthcare, the Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH) Act is most likely applicable. In U.S. education, the Family Educational Rights and Privacy Act (FERPA) is your most relevant legal requirement. In U.S. financial services, focus on the privacy elements of the Gramm-Leach-Bliley Act (GLBA). See "Hype Cycle for Privacy, 2014," G00258968. Not all SaaS providers will comply with each of these industry requirements, and many, because they will not guarantee where the data is at any one point, may not comply with regional requirements. Note that if data privacy requirements are not met you may not be able to use a SaaS offering, and may need to look at other options such as hosting. The business impact of not complying with U.S. privacy laws varies. Depending on the industry, the state and the specific law, impact can include multimillion-dollar fines, 20 years of imposed third-party privacy audits, loss of business license or substantial reputational damage. A privacy violation could also be an administrative offense that goes unnoticed. Qualified legal advice is necessary to determine the business impact in any given state and sector.

Data Security Protections
Data security is also not something you can govern exclusively through a contract. SaaS providers' contract terms here are very variable and often lacking (see "Everything You Know About SaaS Security Is Wrong," G00260951; "A Public Cloud Risk Model: Accepting Cloud Risk Is OK, Ignoring Cloud Risk Is Tragic," G00261246; "Customized Security and Risk Attachments in Cloud Contracts Protect Against Critical Risks," G00259714; "Cloud Contracts Need Security Service Levels to Better Manage Risk," G00247574). There is more on cloud security risks than can be adequately documented in this Toolkit, and we recommend the above notes to start framing the issue. Ultimately, however, the risk is that the
???????????????
Disaster Recovery Management SLA
The inclusion of disaster recovery service levels is not standard in SaaS agreements, but it helps create reasonable expectations about the maintenance of service availability following a disaster that partially or completely disrupts provider data center operations. Once again, disaster recovery is something the SaaS provider is responsible for, but for which the customer is accountable if a disaster occurs and the data cannot be recovered effectively. Many SaaS agreements have very general wording around disaster recovery obligations, without commitments backed by an SLA (for example, a defined recovery time and recovery point).


Storage Limitations and Transparency of Storage Consumption
Some SaaS providers place limits on the amount of data storage that comes with a subscription. If you do not know the limits or the costs of incremental storage, and are not made aware of your consumption, you can face unbudgeted cost exposure.

Notification of Data Breach
Data breach is often a key concern voiced when moving to the cloud. Contract language should explicitly state the vendor's obligations, timelines, responsibilities and/or damages associated with a data breach. Repercussions vary according to the sensitivity of the data. Knowing how sensitive the data you will be storing in the cloud is, what the financial or reputational repercussions of a breach would be, and the time frame of any legal obligation to notify about personal data, is required before negotiating any notification of data breach clause. In some jurisdictions, if personal information is breached you may have as little as 48 hours to notify — that means the SaaS provider needs to tell you immediately, so its contractual notification deadline must be materially shorter than your own.


Uptime SLA Protections
Solution availability is critical for SaaS applications because it is the lifeblood of the solution. Some providers offer SLAs only as a website link, and some do not offer them at all. Without any obligation to keep the capability available, you could be paying for a service that is not delivering to your expectations, and have little or no recourse.


Uptime SLA - Measurement Frequency
The frequency of measurement is important because SLAs averaged over a quarter or year are less effective than monthly measurements: an outage that would breach a monthly target can be averaged away over a longer window.

Uptime SLA - Scheduled Downtime
Provider SLA calculations exclude scheduled downtime, but the precise length of these scheduled downtimes and the amount of warning you will get for them vary considerably. Some SaaS providers give as little as 8 hours' warning, which is insufficient for scheduled downtime, and others do not "time-box" the amount of time available for scheduled downtime or stipulate maintenance windows when it may occur, leading to SLA commitments being less effective than you may have initially anticipated.
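The measurement-window and scheduled-downtime points above can be checked with arithmetic before signing. What follows is an added illustration, not part of the Gartner toolkit: the outage records, the 99.5% target, the 72-hour minimum-notice rule and the dates are all constructed for the example. It computes availability for the same outages under monthly and quarterly windows, and treats "maintenance" announced with too little notice as ordinary downtime.

```python
"""Availability SLA arithmetic: measurement window and scheduled-downtime rules.

Added example, not from the Gartner toolkit. All outage data, the target and
the notice threshold below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    scheduled: bool = False     # provider declared the outage as maintenance
    notice_hours: float = 0.0   # warning the customer actually received


def _overlap_hours(o: Outage, w_start: datetime, w_end: datetime) -> float:
    """Hours of the outage that fall inside the window [w_start, w_end)."""
    lo, hi = max(o.start, w_start), min(o.end, w_end)
    return max((hi - lo).total_seconds(), 0.0) / 3600.0


def availability(outages: Iterable[Outage], w_start: datetime, w_end: datetime,
                 min_notice_hours: float = 72.0) -> float:
    """Availability fraction for one measurement window.

    Scheduled downtime is excluded from the denominator only if the provider
    gave at least min_notice_hours of warning; maintenance announced with less
    notice counts as ordinary downtime. min_notice_hours=0 reproduces the
    provider-friendly reading in which any declared maintenance is excluded.
    """
    total = (w_end - w_start).total_seconds() / 3600.0
    excluded = down = 0.0
    for o in outages:
        h = _overlap_hours(o, w_start, w_end)
        if h == 0.0:
            continue
        if o.scheduled and o.notice_hours >= min_notice_hours:
            excluded += h
        else:
            down += h
    measured = total - excluded
    return 1.0 if measured <= 0 else 1.0 - down / measured


def month_windows(year: int, months: Iterable[int]) -> List[Tuple[str, datetime, datetime]]:
    """Calendar-month windows labelled YYYY-MM."""
    out = []
    for m in months:
        start = datetime(year, m, 1)
        end = datetime(year + (1 if m == 12 else 0), m % 12 + 1, 1)
        out.append((f"{year}-{m:02d}", start, end))
    return out


def sla_report(outages: Iterable[Outage], windows, target: float,
               min_notice_hours: float = 72.0) -> Dict[str, Tuple[float, bool]]:
    """Map each window label to (availability, breached)."""
    outages = list(outages)
    report = {}
    for label, s, e in windows:
        a = availability(outages, s, e, min_notice_hours)
        report[label] = (a, a < target)
    return report


# Constructed outage log for Q1 2025 (hypothetical, not real provider data).
OUTAGES = [
    Outage(datetime(2025, 1, 20, 0), datetime(2025, 1, 20, 2),
           scheduled=True, notice_hours=168),   # maintenance, 7 days' notice
    Outage(datetime(2025, 2, 10, 2), datetime(2025, 2, 10, 8)),  # unscheduled, 6 h
    Outage(datetime(2025, 3, 15, 0), datetime(2025, 3, 15, 4),
           scheduled=True, notice_hours=8),     # "maintenance" with 8 h notice
]
TARGET = 0.995   # assumed 99.5% uptime commitment
Q1 = [("2025-Q1", datetime(2025, 1, 1), datetime(2025, 4, 1))]

if __name__ == "__main__":
    windows = month_windows(2025, [1, 2, 3]) + Q1
    for label, (a, breached) in sla_report(OUTAGES, windows, TARGET).items():
        print(f"{label}: {a:.4%} {'BREACH' if breached else 'ok'}")
    lax = sla_report(OUTAGES, month_windows(2025, [3]), TARGET, min_notice_hours=0)
    print("2025-03 with any declared maintenance excluded:", f"{lax['2025-03'][0]:.4%}")
```

With the 72-hour notice rule, February (6 h unscheduled out of 672 h) and March (4 h of short-notice "maintenance" out of 744 h) both breach 99.5%, yet the same quarter measured as one window passes at roughly 99.54%. Dropping the notice rule makes March read as 100% available, which is how the provider's own calculation would present it.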

Uptime SLA Penalties - Credits
SLAs must include remedies or penalties if they are not met. SLAs that trigger nothing when missed are not worth having, as SLAs are in place to motivate the provider to deliver the service you paid for. If nothing happens and they are purely aspirational, you have no leverage to improve the service. Penalties in SaaS contracts are not uniform or standardized; the level of credits is not standardized and is often capped.
Uptime SLA Penalties - Termination
To be most effective, SLAs must include remedies that enable you to terminate the contract for breach on the supplier side if the SLAs are missed persistently or chronically. Continuing credits are not effective if the service remains below what you expected when you agreed the payment schedule. More bad service added to the end of the agreement, or more credits with no ability to cancel future months or years of payment obligation, is not effective.
System Performance SLA
SaaS performance, or the time it takes for a user's screen to "load," is critical for end-user satisfaction. A SaaS application can still be "up" or "available," but if there are 10 seconds between each page refresh the experience is very much below expectation. Slow screen refresh hinders productivity and/or gives the appearance of the system being "down," which an uptime SLA alone will not capture.
SLA Penalty Reporting
Many SaaS contracts leave it to the customer to report downtime or other SLA violations, and require the customer to provide a significant amount of detail about how they were impacted, where, for how long etc. This usually has to be provided within a limited period such as 15 days from the incident, which places a great deal of administrative burden on the customer as well as the risk of a "missed incident" not being appropriately credited. Unless the provider reports its own SLA performance, customers need their own monitoring to detect and evidence incidents within that period.
Data on Termination
Customers do not want to be left beholden to a SaaS provider because they cannot get access to their data. SaaS providers usually give data back to customers within 30 days of termination, but many will not stipulate the format of the data. It is helpful to know the file format (flat file, relational database management system, spreadsheet, XML, original format or current application service provider format) you require the data to be in so there are no surprises. Many SaaS providers also stipulate that after the 30 days have elapsed the provider can delete the data. This is risky if you have any problems getting the data out.
Exit Assistance
If a provider breaches the contract, it is optimal for customers to have some form of exit assistance built into the contract upfront so they do not face unknowns if a breach does occur. Without it, they will find themselves scrambling at the last minute to switch offerings quickly, with a great deal of productivity loss. If the provider does not breach but you feel you may need assistance on exit, those services can be expensive if only contracted for when needed, as you would typically have little leverage.


Suspension/Turn-Off Protections
Providers often add protective language around receipt of payment, stating that if payments are not received services will or can be suspended, to ensure prompt payment for service. However, on the flip side this gives a tremendous amount of leverage to the provider should a dispute arise, since suspension also cuts off access to your data.
Termination for Convenience
Some SaaS customers aim to avert risk by including a termination for convenience clause, which would enable them to exit all payment obligations with 30 days' notice if they no longer wanted the service. Although this sounds desirable, we hardly ever see it offered to SaaS customers unless they are not receiving any discounts on subscriptions. Even then it will be difficult, as SaaS providers are trying to ensure predictability of revenue.

Auto Renewal
Many SaaS providers embed auto-renewal clauses within their contracts, and many customers sign without realizing they are even included. Gartner is not against auto-renewals, as some customers like them, fearing that without them they may suffer disruptions in service. However, customers must look out for the renewal stipulations to properly plan their needs, usage and strategy. Some customers dislike auto-renewals because they feel it erodes negotiation leverage when there is new demand. If you have an auto-renewal clause, forget about it and do not terminate in time, you may be liable for another full term of fees, with no opportunity to use the possibility of switching to improve the deal on renewal.


Provider Renewal Termination Notice
Many SaaS contracts state that either party can terminate with 30 days' notice prior to a renewal. While it is unlikely that your provider would terminate you, 30 days would not be enough time for most buyers to find a replacement, and the clause is therefore risky.

Liability Limitations
Nearly all SaaS providers limit liability to a maximum of the prior 12 months of fees, and only for direct damages, not consequential damages. This limitation exists because of the scaled nature of the business model: if there is a problem with the SaaS capability, it affects hundreds or thousands of customers, if not more, not just one. The risk here is that if the SaaS provider lost your data, for example, the coverage would be a small fraction of your real cost and reputational damage.
Subcontractors
Some SaaS providers use subcontractors, or use other cloud providers for infrastructure or platform as a service, e.g., Amazon AWS or Microsoft Azure. It is imperative that the SaaS provider takes responsibility for those subcontractors and that the terms of the SaaS contract govern over all others. In some cases, SaaS providers accept no responsibility for failings of subcontractors or infrastructure providers, and if the customer is concerned with, for example, IaaS performance, they have to take it up with the subcontractor or IaaS provider. Since you would typically have no relationship with or leverage over these providers, this is not desirable; the same applies to their security and data-handling obligations, which should flow down from the SaaS contract.


Escalation Process
This is often missing from SaaS contracts, but there should be a well-defined escalation process to resolve disputes.
