Thursday, June 12, 2008

The Good, Bad, and the Ugly of SaaS Terms of Service, Licenses, and Contracts

Did you read your contract carefully before signing on with your SaaS provider? This blog entry shows you why it is important. Mixed in with some good stuff are some bad terms, and even downright ugly terms of use. Some vendors assert full rights to use and sublicense your private data! That's right, for the privilege of using their SaaS application, you throw in the rights for the use of your private data. Caveat Emptor!

The Analysis

This blog entry is a roll-up of an analysis I did of the Terms of Use for 8 different SaaS products. The products varied widely - some for the enterprise, others for the consumer. What the analysis showed is that there is little consistency across the legal documents governing the use of these services. It also showed some alarming terms that some of the sites demand.

I have picked out just the highlights to present here. The full analysis is available for download at the end of this post, but I warn you, it is quite boring.

Notice: I am an employee of Oracle, but this blog does not represent the views of my employer.

The Good

The following are the bright spots in the collection of ToS:

  • Netsuite: there are reports that this company has onerous licensing practices, but I see no evidence of that. Of the 8 contracts I reviewed, Netsuite's is by far the best written and the most consumer friendly. They have the best data retention policies and termination procedures.
  • Boomi, Netsuite, Taleo: offer warranties for the various aspects of their systems, and not just "as-is". (see Boomi item 6.1, Netsuite section 3, Taleo item 11)
  • All but Concur: all of these services affirm that you own the data that you upload. This is key. However, there are a couple of vendors that reserve too many rights to use your data, see below.
  • Boomi, Coghead, Netsuite, Salesforce, Taleo: these companies indemnify the customer in cases where the application is found to infringe on a 3rd party's IP, and the customer is sued. Taleo is the only vendor of the 8 that does not demand to be indemnified in return from someone suing them for your use of the system.

The Bad

The following are terms that you should be wary of when entering into a service contract. Try to negotiate better terms:

  • Box.net, Coghead, Concur, Salesforce, Taleo, Zoho: these companies have contracts that can change at any time without any notice. In a way, this could be the ugliest line item of them all because the company could write in whatever nasty thing they want. But I will leave it at "bad" until one of the companies does something evil with it. (see Box.net item A, Coghead item 6.2, Concur item 8, SFDC item 21, Zoho item Mod ToS)
  • Salesforce, Taleo: have a line item that allows the company to advertise your name as a customer, merely by signing up for a paid account. Customer references should be earned, not mandated. (SFDC item 1, Taleo 7.1)
  • Salesforce: prohibits direct competitors from using the Service. But at the rate SFDC is expanding offerings, will you become a competitor tomorrow? For example, anyone that offers software development tools became a competitor when they launched force.com. (see SFDC item 2)

The Ugly

The following is the list of contract terms that are unacceptable. I would not recommend using the following services unless you negotiate better contract terms. [Update: to be clear, I don't think these companies are out to do evil, I am merely sounding the alarm about their contract terms.]

  • Box.net: [Update: Box.net has fixed this issue in their contract, by narrowing dramatically the scope of their rights to your content] by uploading content that you own to this service you are giving Box.net an irrevocable license to use, copy, create derivative works of, sublicense, etc etc of your content. Think about that. The only redeeming argument is that this contract is for personal, not business use. But they put this item in there for a reason - why? Imagine uploading your personal pictures and then seeing one in the next promotional campaign for Taco Bell. This could happen because Box.net has the right to sublicense as they wish. (see section D)
  • Coghead: if Coghead terminates your account, you have just 2 days to send written notice to request your data. Otherwise they can permanently delete all of your data. What's the rush? (item 7.3)
  • Concur: (caveat: this is the Trial license, which can only be assumed to match closely the production license) has the most worrisome contract as it relates to your data. It is the only one that has no explicit line to indicate that you still own your data (filed business expenses, in this case). But it does have a line saying that Concur has an irrevocable right to use that data - this includes your personal data and financial info! Why is this in the contract? This seems quite broad for data that is of utmost sensitivity. (see item 5)

Links to the Terms of Service

The following is a list of links for you to inspect the contracts for yourself:

Box.net: http://box.net/static/html/terms.html

Boomi: http://www.boomi.com/application/Boomi+Master+Subscription+Agreement-Online.pdf

Coghead: https://www.coghead.com/user/register?plan=Pro

Concur (Trial license): http://www.concur.com/register/Concur-Expense-Trial.php

Netsuite: http://www.netsuite.com/portal/pdf/tos.pdf

Salesforce: http://www.salesforce.com/company/msa.jsp

Taleo: http://www.taleo.com/solutions/licensing-terms.php

Zoho: http://www.zoho.com/terms.html

Raw Analysis

The following link provides you with the spreadsheet I built while analyzing the licenses. The spreadsheet contains the list of common license clauses with pointers into the documents on where to find those clauses.

What it shows most of all is the lack of commonality across all of the licenses. Each document has a lot of variance.

Download: SaaS "Terms of Service" Analysis Spreadsheet

Account Suspension/Termination and the Deletion of Data

I found the process by which accounts are suspended (reversible) or terminated (irreversible) to be wildly inconsistent and, in my opinion, mostly incorrect. Because termination is also coupled with data deletion, this process needs to be well understood and incredibly fair to the consumer. My next blog entry will focus on this part of the contract, and establishing a reference workflow.

6 comments:

kendraott said...

Kendra from Box.net here - thank you for bringing this matter to our attention. I wanted to clarify a few points and point out that our Terms of Service are in place for the complete protection of our users.

In regards to the statement: "Box.net: by uploading content that you own to this service you are giving Box.net an irrevocable license to use, copy, create derivative works of, sublicense, etc etc of your content," it should be also noted that "You further agree to and hereby do grant, and you represent and warrant that you have the right to grant, Box.net..." The point being that *you have the right to grant* permission, not that you explicitly do. We have never sub-licensed a user's information, and never would without said permissions. Also notable in our terms is that "Box.net does not claim any ownership rights in any User Content."

Know that we have contacted and are working with our lawyers now to draft clarifying changes to the Terms and wording. Again, we appreciate your attention to the matter and will be in touch with an update.

Please feel free to contact me directly with any questions or concerns.

Kendra
kendra@box.net

Peter Laird said...

Kendra - appreciate the comment, and it should be noted that I have been a Box.net user for years. Love the service, just was surprised by the terms. No doubt you have always done the right thing, but that section is concerning.

The fact that you are looking into it immediately means a lot. Keep up the good work.

Cheers - PJL

Rob said...

What do you guys think about Intacct's contract terms?

Unknown said...

Great post Peter. Curious if you've looked at SLAs? That's always a tricky one for SaaS, even more so for PaaS.

Peter Laird said...

Chris -

Yes it is very important, and I found only 2 of the vendors promising an SLA - Netsuite and Boomi. I should have called this out in the "Good" section.

Netsuite's SLA is part of its warranty (look at item 3.2), and is expressed in detail at the end of the Netsuite ToS. It currently is stated to be 99.5%.

Boomi also provides an SLA (see item 2.2 in their ToS), with the details available here. They currently offer 99.99% uptime.

Both Netsuite and Boomi offer credits in case the SLA is not met.

PJL

Peter Laird said...

Rob -

I couldn't find a publicly available ToS for Intacct. If you have one, and are able to share it (check the Confidentiality clause), I would like to see it. Send to laird_peter at yahoo dot com. Thanks!

PJL