4 things SMEs should look out for in SaaS terms of service (ToS)


SaaS tools have become a regular part of all of our daily workflows:

93% of CIOs are already using (or heavily considering) cloud apps. And, 54% of them already use SaaS apps for critical workflow data.

The industry is booming.

You probably have a marketing stack with a few SaaS tools to track and engage customers, and you’re probably relying on SaaS sales tools to help with conversions.

But, what exactly happens when you download that latest and greatest SaaS tool? Or, better yet, what are you actually agreeing to?

Chances are, you probably have no idea. 91% of Americans don’t read the Terms of Service before they click “agree.”
Believe it or not, those SaaS Terms of Service may have some hidden clauses and details that can hurt your business.

Let’s take a look at why you should read those lengthy Terms of Service, and go through four main things you should look for before agreeing to anything.

Understanding SaaS ToS terms

Almost all SaaS applications will come with the following:

  1. A Terms of Use/Service

  2. A Privacy Policy

  3. EULA

  4. Cookie Policy

These four staple agreements help SaaS companies outline terms, legally protect themselves, and comply with regulatory requirements. But, tucked away in the labyrinth of technical terms and language lie some essential details that your company is going to want to know.

There are four important things to note about these documents.

  1. The Terms of Use/Service is a legally binding agreement between both parties. So, once you check “I agree” you agree to a legal document — which is usually enforceable outside of extreme circumstances (see Rodman vs. Safeway or Douglas vs. Talk America Inc.)

  2. The Privacy Policy is required by federal law. The nature of the Privacy Policy is fluid. GDPR, CCPA, and all of the other laws that are currently being instituted surrounding privacy (which is a hot topic right now) are changing the language and policies contained in these. So, you may be asked to review these occasionally.

  3. The EULA is similar to the ToS. The easiest way to think about these two is that the EULA only specifies the nature of the agreement between both parties to use the software. The ToS discusses the behaviors and methods that dictate the use of the software.

  4. Cookie Policy only outlines how cookies will be handled. The Privacy Policy is larger in scope.

The tricky part about all of these incredibly important — and legally binding — agreements is that most people just give them a quick browse before they install the software package. And, considering the dense language and length, most people barely digest the language at all.

After all, the SaaS company is reputable, right? What could they possibly be hiding in that Terms of Service agreement?

4 things to really pay attention to in SaaS Terms of Service

When you’re combing through that ToS, Privacy Policy, EULA, and Cookie Policy, make sure to pay attention to the following sections. They could be important.

1. Make Sure You Get the Monthly Uptime in Writing

Leveraging SaaS applications redefines your daily workflows. Your business will be heavily reliant on the data contained within these SaaS apps. So, when one goes down — it can literally halt your daily operations.

Believe it or not, most SaaS apps have a minimum uptime percentage baked into their ToS. Typically this will be around 95% guaranteed uptime. But here’s the thing: if this isn’t in your SaaS provider’s ToS or EULA, you’re not guaranteed any uptime. So, if the SaaS app’s servers go dark for a week — there’s nothing you can do.

On average, the largest SaaS companies have 12 critical failures that cause downtime every year. And, each of these lasts for an average of 1–2 hours. That’s bad enough. But, if you don’t sign any legal contract guaranteeing uptime, anything can happen.

For context, the average cost of network downtime for business is $5,600 per minute. A single SaaS app failure can cost businesses over $1,000 a minute — especially if it’s glued to a mission-critical workflow.

In other words, get your uptime in writing.

Choose a reliable SaaS service and make sure you get the uptime in writing.

2. What’s their take on data security and privacy

You need to know four things about your data:

  • What kind of data is being collected?
  • How is that data being protected from potential threats?
  • Where is the data being stored?
  • What happens to customer data and company data? Is it stored separately?

Most, if not all, of these answers will be listed in the privacy policy.

But, here’s the question: Why do you need to know all of this?

A common misconception is that you’re not responsible for customer (or personal) data that’s breached on your SaaS servers. Unfortunately, that’s not true.

According to GDPR — the data controller (that’s you) is responsible for data breached under the data processor (the SaaS app). In other words, you are responsible for any customer data that is lost under the control of your SaaS provider.

And, that can be a little scary.

You need to know exactly what kind of customer data they’re going to collect, how they collect it, and where they’re storing it. Of course, it’s also nice to know what kind of security procedures, policies, and training they have in place to reduce security risks. But, you probably won’t get any of that information.

This problem amplifies when you’re using a SaaS as your CRM solution. It’s going to consume and store tons of your customer data. And, it can be alarming to lose control of your customer data as it sits in your SaaS provider’s servers. If there’s a breach, your customers are going to blame you. And, you’ll lose revenue and loyalty. In fact, 64% of customers say that they will never do business again with a company who lost their data. But, you need that CRM to continue to deliver superior results to your customers.

Does this sound worrying? You’re not alone. A survey conducted by Ping Identity showed that 43% of respondents said that security was their primary concern preventing them from adopting more SaaS solutions.

There’s no easy answer here. You need to rally your IT team and seriously pore over your potential SaaS provider’s privacy policy. Most SaaS providers aren’t going to accept consequential damages liability. It’s not in their best interest. And, this can put you in a tricky situation.

How to ensure data security, then?

Try to discuss liability with your SaaS provider. You want them to take some of the burden in the case of a breach. Under GDPR, the data processor can be fined. But, we haven’t seen this action taken en masse (as of yet). Really, you should choose a reliable partner, discuss their data security standards, ensure that they are compliant, and try to shift some liability onto them.

3. Their GDPR and CCPA compliance

Speaking of data, privacy, and security — you need to be aware of the SaaS solution’s GDPR and CCPA compliance. What kinds of compliance procedures do they have in place? Are they following GDPR guidelines? Does their privacy policy meet the standards of GDPR?

These are questions you shouldn’t be asking. You should be answering them. If your data processor isn’t complying with GDPR — you’re going to be held responsible for any issues.

GDPR has been in effect and enforced since May 2018. And, companies had until January 2020 to get CCPA compliant.

And, don’t expect your SaaS provider to automatically be GDPR compliant. Over half of all major organizations have no GDPR policy in place (and an alarming percentage of them have no plans to implement one).

Have your law team and compliance team look over the privacy policy for GDPR compliance. If their privacy policy isn’t GDPR compliant, you can’t expect their business to be.

And, check their CCPA compliance. It may be a year away, but reliable SaaS providers should already be following most (if not all) CCPA guidelines.

Best practices for data compliance?

Make sure that your SaaS provider is GDPR compliant — both in writing and in action.

4. What they do in case of bankruptcy, departure, or data loss

Let’s say that a SaaS app has excellent security procedures, is perfectly compliant, and you feel comfortable handing over customer (and company) data to them. Great! But, what happens when the nature of your relationship changes? Let’s say that they go bankrupt or you leave the provider after a few months. What happens to your data?

If you leave, will they give you the data in native format? How do they handle large-scale data transfers?

This subject weaves into hybrid cloud management, internal policies, and employee education. But, the larger question still remains — what does the SaaS provider do with your data?

The answer isn’t always so simple.

In fact, the answer can be terrifying. 58% of companies have experienced SaaS data loss. And, 52% of them don’t even back up their SaaS data!

But, let’s say your SaaS company gives you the option of deletion or transfer upon termination. The data they give you back often isn’t structured, and you may find it difficult to decipher and translate back into your cloud structure — much less use it meaningfully.

You should always have a contingency plan. And, you should be storing local (or multi-cloud) copies of your data to prevent any potential damages.

So, what happens upon bankruptcy? Great question!

Usually, nothing good.

When Nirvanix went out of business, everyone was trying to pull data out as fast as possible. And, according to Kent Christensen, consultant at Datalink, “Some folks made it, others didn’t.”

Bankruptcy is the worst-case scenario. But, you should be prepared for it. Even if your provider is one of the massive solutions on the market.

How to deal with potential data loss?

Have a robust data management solution. You want to have copies of all critical data housed by cloud providers. You can use hybrid, local, or other cloud solutions. But, you need some contingency plans.

Final thoughts

Yes. We know. Those Terms of Service, EULA agreements, and privacy policies may be boring. But, they’re important. The world of SaaS is still growing. And, many businesses aren’t aware of how much data responsibility they keep when they sign off with a SaaS service. You may not control the data, but you will definitely take the fall for any breaches.

Stéphane Cohen, founder of Rewhiz


Brought to you by Gapps Experts, Rewhiz is the only free SaaS management platform that allows tech-savvy SMEs to control their SaaS carbon footprint. Stay tuned for our product updates!

© 2020 Gapps Experts. All rights reserved.
