The use of software as a service (SaaS) is pervasive among businesses. Some of the key characteristics of SaaS are:
- the software application is hosted on third-party servers
- the software application is accessed via the internet
- the software code itself is not licensed to the user
- instead, access to the software is licensed for a subscription term
These SaaS arrangements have evolved beyond access to a singular software application – e.g. a word processing application like Microsoft Word or Google Docs. Instead, SaaS products are often packaged “solutions”. For example, an electronic health record SaaS product is likely to include not only the core functionality of the software but also services that are offered by third parties, such as efax services, push notification or texting services, analytics services, support and configuration services, and ticketing systems. Moreover, the solution itself is unlikely to be hosted on the vendor’s own computing infrastructure. It is much more likely to find that the SaaS product is hosted on Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure or other third party infrastructure. In some cases, the vendor of the SaaS product is actually a reseller.
Therefore, in the modern SaaS arrangement there may be many organizations who are supplying a component to the overall solution. This “supply chain” creates additional complexity when attempting to negotiate privacy, security and liability provisions with the vendor of the solution. The situation becomes even more complex when the supply chain is opaque and/or involves international data transfers. In some jurisdictions, such as the EU, there has been an effort led by regulators to try to standardize baseline provisions that must be flowed through the supply chain. Not so in Canada.
On May 27, 2022, I have the privilege of speaking to the International Association of Privacy Professionals about “supply chain” issues in cloud computing contracts – particularly SaaS products. One theme is that in the absence of meaningful assistance from Canadian federal and provincial governments or Canadian Privacy Commissioners to standardize provisions that comply with Canadian law, all but the largest Canadian organizations are left in an asymmetrical relationship with SaaS providers and have to rely on a mix of contractual and non-contractual measures to attempt to satisfy (as nearly as possible) the accountability requirements expected of subscribers to SaaS products under Canadian law. In particular, I’ll be discussing select supply chain issues in a SaaS Contract. I’m making may handout available here.