This article is written by Atchaya J, pursuing Diploma in Advanced Contract Drafting, Negotiation, and Dispute Resolution from LawSikho. The article has been edited by Zigishu Singh (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
Rapid technological developments have given birth to advanced software. But the development that has occurred in accessing these softwares is even more remarkable. Recent years have witnessed the evolution of new categories of business models – Software as a Service (SaaS), Platform as a Service (Paas) and Infrastructure as a Service (“IaaS). Let us understand how these differ from software licensing and their legal considerations.
What is a PaaS agreement?
Platform as a Service (“PaaS”), in layman’s terms, is a cloud platform (inclusive of hardware, software and infrastructure) provided by a cloud service provider for developers to develop, run and manage applications. Developers can easily do all this without incurring the cost, complexity, or inflexibility of building and maintaining an on-premise platform. The PaaS provider hosts everything, and the customer pays a fixed fee or subscription fee (subscription model) for the resources they use and the number of users. Servers, networks, storage, operating system software, databases, development tools- all of these remain a responsibility of the PaaS provider and are hosted at their data centre. Amazon Web Services (AWS), Google Cloud, IBM Cloud and Microsoft Azure are some of the globally leading cloud service providers.
A PaaS agreement binds a vendor (the cloud service provider) and buyer (the customer/client/subscriber who accesses the cloud platform) in pursuance of the PaaS agreement. The objective of a PaaS Agreement is to govern the customer’s right to access and use the PaaS application for a definite period of time. Since every PaaS application and customer is different, there cannot be a straight jacket drafting strategy for the PaaS agreement. Currently, there is no specific regulation for cloud computing in India. Also, no license is required to provide cloud services. A locally incorporated cloud service provider must comply with the general corporate laws, tax laws, labour laws, data privacy laws, etc.
Difference between PaaS Agreement and a licensing agreement
The single most common issue in a software agreement is the confusion between a licensing agreement and a Saas, Paas or IaaS agreement. Most of the time, the clients themselves are unaware of which model they are working under, or which model to opt for. In a software licensing model, the software is physically delivered to the client to be downloaded, installed, run and operated on on-premise hardware. The software itself is delivered as a tangible product. Whereas in the PaaS model, there is no physical delivery. As discussed, the platform offered as a service is accessible through the cloud and all the hosting is done by the cloud service provider through their data centres.
Lack of awareness gives rise to contractual issues more often. It is not uncommon to see a company offering SaaS, PaaS or IaaS and have a software licensing model instead. Since these two models are very distinct, their clauses from maintenance to data security, payment to termination differ in all aspects. It is critical for both client and their legal team to understand all the related aspects before entering into a software agreement.
Growing relevance of PaaS
Paas comes with its own pros and cons, which plays a vital role for lawyers to keep in mind while drafting a Paas agreement. As discussed, the PaaS Agreement differs from a license agreement and any template form may not suit the needs of the vendor. Hence, it is critical that the vendor gets an IT Asset Management study report from the customer and discusses it with the legal team before finalizing an agreement.
It is the responsibility of the legal professional to understand the technical as well as the financial aspects of the deal to come up with the best negotiation. Technically, PaaS is growing in relevance despite having some cons of its own. PaaS is fast and easy to get an application up and running. It is also easy to create and delete resources in PaaS, so you can use it for specific events without paying for the whole month.
Cost-wise, it is beneficial to use PaaS as: (a) there is no need to pay for a full-time system or IT admin; and (b) developers can use plenty of DevOps tools or collaborative tools or use API(Application Programming Interface) marketplace service plugins easily. On the other hand, there is a lack of control with PaaS. Unless the PaaS in question is an open-source code, it is difficult to migrate it to another cloud. In addition to this vendor lock-in, security is a critical issue with PaaS. Vendors claiming to have the most robust defences against viruses, malware or denial of service attacks are mostly lying. The best practice is to undertake due diligence and find out the vendor’s disaster recovery architecture and time objectives. In light of these technicalities, let us see how drafters can avoid a few common errors committed while drafting a PaaS Agreement.
Common errors to avoid while drafting a PaaS
Ambiguous agreement terms
An effective PaaS agreement should contain the key elements and address customer-specific issues instead of having general terms. These elements must be clearly defined and consistent throughout the agreement as:
- “Platform” – The software platform offered, including the software, services, applications, utilities, databases etc.
- “Professional Services” or “Services” – Detailed description of the services with fees agreed upon by the parties for the same.
- “Software” – Inclusion of all software, related integration, implementation and configuration coding, updates etc.
- “Update” – Any update, patch, new release and/or new version of the platform or service.
- “Client” – The entity buying the Platform as a Service from the vendor named the Client on the signature page.
- “Deliverable” – Definition of the deliverable expressly designated as a deliverable in an applicable order.
Failure to clearly define or negotiate these elements may render the agreement and lead to an unwanted dispute in the later stage. For instance, an ambiguous “Update” definition may not include ‘the new version of the Platform’. The client/customer may end up paying an extra fee to incorporate the update. Such issues may not arise with a better and clear definition in the agreement.
Risky data security provisions
Data Management and Security play a vital role in PaaS than in most software licenses. Here, the Subscriber may upload their data or create user-generated content (UGC). Questions such as (a) who owns the data uploaded in the application, (b) what is the nature of the, how will the data be uploaded, (c) what is the permission/license required to incorporate UGC; must be answered clearly through “Data Security” provisions. These provisions should align with the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Indian Privacy Laws“) in India. Since a PaaS Agreement is likely to take place between two global parties or interact with global third-party users, region-specific and important global data privacy legislations are important to comply with such as:
- General Data Protection Regulation (GDPR),
- California Online Privacy Protection Act (CalOPPA),
- Children’s Online Privacy Protection Act (COPPA),
- EU Cookies Directive.
Imprecise payment terms
Cloud platform service agreement involves a lot of confusion regarding the payment term. One should avoid the error of including a standard clause. Most of the time pricing terms are not considered as part of the overall drafting. For instance, the vendor is offering a multi-user service model. The agreement for such must include a detailed price schedule. The subscriber should not end up paying for all the users, just because the price schedule for all the users was included as an attachment instead of being part of the agreement itself. While drafting, the legal professional must not be kept in the dark regarding the fees to be charged apart from the subscription fee. A flat fee rate for an add-on service will make only sense if such an aspect is incorporated as a clause in the agreement. Another issue that often arises is adding irrelevant fees to the price schedule.
Unclear proprietary and intellectual property rights
Generally, it’s rare for a Subscriber to obtain any IP rights over the platform accessed. However, it is extremely crucial that the parties confirm the chain of title to the Intellectual Property in the application prior to entering a PaaS agreement. There should not be any ambiguity where the Subscriber ends up breaching a third party’s intellectual property rights at the outset. Any new modification or improvement made to the platform may result in new intellectual property. An agreement incorporating all these aspects is an indicator of a good agreement with mitigated risk elements.
Not limiting liability
It is important to include a “Limitation of Liability” clause that limits the liability of the vendor to the customer. It should incorporate all the issues from loss relating to installation, use or operation of the platform, amount of liability, liability with third parties etc. Almost often, liability becomes the heart of the dispute between the parties. Especially in the PaaS model where the delivery is virtual and no on-premise installation takes place, parties may tend to assume their own escape from liability. It is crucial to include these expressly in the agreement.
A PaaS Agreement differs from a SaaS or IaaS Agreement. One cannot incorporate clauses from a software licensing agreement into a PaaS Agreement. Understanding the PaaS model is the first crucial step in the process of drafting a good PaaS agreement. One cannot get started with drafting before understanding the technical, economical and financial aspects of the model. Thus, the terms of PaaS contracts must be considered carefully along with the above-discussed aspects, common errors and the applicable laws. PaaS contracts are certainly not something that is suitable for a one size fits all approach. It must be negotiated and drafted catering to client needs individually.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: