The use of cloud services is typically subject to a SaaS agreement, which has certain legal specificities that need to be taken into account.
A SaaS agreement is a contract under which a computer service provider offers computer programs and all related computer infrastructure to a user via the cloud, usually through a web browser. The advantage of such access to computer programs is that the user does not have to purchase, manage and maintain the underlying computer infrastructure, and does not have to worry about upgrades and the operation of the computer programs. Computer services provided under a SaaS agreement are typically standardised end-user solutions rather than tailor-made solutions.
There are several types of cloud-based solutions, depending on the level of the accompanying computing infrastructure provided by the computer service provider. In addition to SaaS, where the provider delivers everything from the server infrastructure to the final computer program, there is PaaS (platform as a service), where the provider delivers the server infrastructure and the operating system on top of it, without the final computer program and data storage, which is the responsibility of the user, and IaaS (infrastructure as a service), where the provider delivers only the server infrastructure while the user is responsible for the operating system and the final computer program.
Legal definition
The main legal element of a SaaS agreement, or any other agreement as described above, is that the use of the computer program/infrastructure is provided to the user as a service and not as a grant of the right to exploit the computer program/infrastructure under a license agreement. It is therefore not a purchase of licenses to use a computer program, but a contract for computer services.
License agreements are the conventional legal basis on which users of computer programs are granted the corresponding material copyright for the use of those computer programs. The Code of Obligations[1] regulates the key elements of a license agreement. An additional legal framework for the protection of computer programs is provided by the Computer Programs Directive,[2] which was transposed into the Slovenian legal order by the Copyright and Related Rights Act (“ZASP”).[3] The ZASP additionally gives the right to the authorized users of computer programs to reproduce, translate, adapt, modify or transform the computer program if this is necessary for the use of the computer program. An authorized user of a computer program may, without the author’s permission, observe, study or test the operation of the program in order to grasp the ideas and principles underlying any element of the program, provided that they do so in the course of downloading, displaying, executing, transmitting or storing the program to which they are authorized. At the same time, an authorized user does not need the author’s permission to reproduce the code or to translate the code form of a computer program if this is essential in order to obtain the information necessary to achieve interoperability of the independently created computer program with other programs or hardware. Consequently, as a last resort, authorized users may require the developer of a computer program to hand over the source code of the computer program in order to achieve those objectives.
However, the conclusion of a SaaS agreement turns the aforementioned legal framework on its head, since a SaaS agreement is no longer a license agreement, but a computer services agreement, to which the provisions of a contract for work apply. The provider of a SaaS solution is thus not obliged to fulfil the obligations of the licensor (e.g. liability for usability, obligation to provide instructions and notices), and the user of a computer service is not obliged to fulfil the obligations of the licensee (e.g. with regard to the exploitation of the subject matter of the license). At the same time, the users of computer services do not have the key rights conferred by the ZASP on the authorized users, and on this basis, inter alia, they cannot request the source code of a computer program.
On the other hand, in the case of a SaaS contract, it is important to pay attention to the obligations arising from the relationship based on a contract for work; the object of this type of contract is the completion of the transaction (performance obligation), where the subcontractor assumes all the risks for the successful completion of the transaction – in our case, the operation of the computer service. The provider of the computer solution has a duty to point out deficiencies in the order or other circumstances that may be relevant to the computer service (explanatory obligation). In this respect, the provider of the computer service is considered to be an expert in his field who must look after the interests of the user of the service. This means that the computer service provider must draw the user’s attention to any specific operation of the computer program or data processing or any other circumstance relating to the use of the computer program that may have an impact on the user. For example, if the computer program processes personal data in breach of the regulations, the user must be informed of this. The user, who is a lay person, must be informed of the consequences that the use of the computer service may have for them. Otherwise, the computer service provider shall be liable for any damage suffered by the user.
Computer services must be provided in accordance with the rules and professional standards for the computer service in question. This means that, in SaaS agreements, the provisions of the service level agreement (SLA), which sets out the key parameters of the provision of computer services, are particularly important, as it is the agreement between the parties as to when the computer service is deemed to have been provided in a satisfactory form. The service level agreement establishes the criteria for determining whether the computer service provider has fulfilled its obligation under the SaaS agreement in accordance with the agreed commitment and whether the end result has the characteristics set out by the parties in the agreement. In a sense, the service level agreement fills in and specifies the obligation of the computer service provider to perform the service in accordance with the agreement and the rules of the profession. This avoids a potential dispute between the parties about the final characteristics of the computer service. If these characteristics are not agreed, the computer service must have the usual characteristics, i.e. those most common in the course of business for services of the same type and in accordance with the rules of the profession, which will be more difficult to demonstrate.
Of particular importance to the user of a computer service is the way in which the data is processed and accessed, since in a SaaS regime the computer service provider has full control over the processing, storage and access to the data processed by the service. The user of a computer service should thus pay attention to the way the data is processed and who has access to it. If this user data constitutes intellectual property, trade secrets or personal data, these provisions are even more important.
The regulation of material copyright is slightly less crucial in SaaS agreements than in licensing agreements, as less material copyright needs to be transferred to the user in a SaaS agreement than in a licensing agreement, because the user needs less material copyright to access the computer services than in a licensing agreement, where the reproduction right is particularly crucial. In SaaS agreements, the user does not install or operate the computer program in any way, and only the bare right to use the computer program is crucial for the user. If the SaaS agreement does not contain these provisions, the general rule is that the non-exclusive rights transferred are those rights and to the extent that they are essential to achieve the purpose of the contract (in our case, the use of cloud computing software) and for the territory of Slovenia.
SaaS agreements are usually concluded for a fixed period of time, where a monthly or annual subscription fee is charged for the use of the computer services. In this context, it is important to pay attention to which of the services are covered by a given subscription fee and, in particular, to the manner in which the SaaS agreement is renewed or terminated. In principle, an automatic renewal of a contract is valid under Slovenian law if it is agreed and executed in a legally valid manner. The parties may also agree on specific termination or withdrawal rights.
The contractual parties should pay attention to the provisions on customer warranties, as these must be adapted to the provision of the computer services in question in SaaS agreements. Providers usually guarantee the adequacy and performance of the services in accordance with the terms of the service level agreement, the possession of the relevant intellectual property rights and, as a last resort, the compliance of the services with certain standards or regulation, while users, on the other hand, guarantee the compliant use of the services. Provisions on limitation of liability and possible claims for breach of obligations must be derived from the contractual obligations and warranties of the parties, which are specific to SaaS agreements.
Brief summary for IT professionals
Increasingly popular cloud-based computer services are supported by SaaS agreements, which have a specific legal nature and benefit the providers of such solutions in certain segments.
If the developer of a computer program chooses to offer the program as a cloud-based service, this may avoid the rights of users to interfere with the computer program in order to achieve the purposes and interoperability of the program. Therefore, the computer service provider does not have to hand over the source code of the computer program to the authorized user.
In SaaS agreements, however, computer service providers should take care to provide the user with sufficient information about the functionalities and operation of the computer service and to draw attention to any specific features and circumstances that may be relevant for the user. The most important part of the SaaS agreement in terms of content is the service level agreement, in which the provider and the user agree on the level of service to be provided. The provisions of this contract are important both for determining the proper performance of the SaaS agreement and for any breach of warranties and obligations and consequent liability of the service provider.
Since the computer service provider has full control over the operation of the computer program and the processing and storage of data in a SaaS regime, the provider must first of all explain such operation to the user and obtain the user’s consent thereto. However, the user must take care as to how their data processed by the computer service are processed and accessed, in particular if the data constitute intellectual property, trade secrets or personal data.
In order to use a computer program under a SaaS agreement, the user must have at least the minimum material copyright. The transfer of the material copyright to the user does not constitute the essential subject matter of the agreement, as is the case with a license agreement.
Automatic renewal of subscriptions to computer services is permissible and valid if agreed in an appropriate manner. The parties should also pay attention to the provisions on warranties and liability, which should be tailored to the provision of the cloud-based computer service.
[1] Code of Obligations (Official Gazette of the Republic of Slovenia, No. 83/01, as amended, Slo. Obligacijski zakonik).
[2] Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs.
[3] Copyright and Related Rights Act (Official Gazette of the Republic of Slovenia, No. 16/07, as amended, Slo. Zakon o avtorski in sorodnih pravicah, “ZASP”).