We acted for a supplier of a high risk SaaS and managed service offering, supplied to a major corporation (for its own benefit and the benefit of its broader corporate group). It was to be used by the counterparty for the purposes of compliance and interconnection with various Government EDI initiatives like SuperStream and Peppol e-invoicing.
The deal required an in-depth understanding of:
- those Government initiatives and their regulatory frameworks (for context and to assess particular risks to be addressed in that regard); and
- the separate regulatory framework in which the counterparty operated.
It then involved negotiating complex liability, indemnity, warranty, data privacy/security and insurance positions in an attempt to achieve a fair outcome, in a context where the SaaS fees charged by our client (“rewards”) were not high, but the SaaS’ purpose/use was deemed very high (top tier) risk by the counterparty. This meant that the counterparty wished to pass those risks through to the client, in many cases on an unlimited basis, including for various matters that were potentially beyond our client’s control. Of course, this was unpalatable for our client, particularly given the “reward” was not high and risk premiums could not be effectively added.
One complexity was the fair allocation of liability for failure of third party hosting infrastructure, where the counterparty could have used its own instance (of that hosting infrastructure) to host the data, but chose (for cost minimisation reasons) to use our client’s instance. It then demanded that our client accept all liability (again, in many cases on an uncapped basis) for any security/privacy breach or other breach of the agreement that was caused by the hosting infrastructure provider, on the basis that it was our client’s instance being used, so our client held the contract with that provider (even though our client’s ability to recover from the hosting infrastructure provider was extremely limited).
The matter also involved working closely with the client on risk mitigation strategies including dealing with the client’s insurance brokers to fully assess the client’s insurance position on the residual risks arising from the negotiated liability and indemnity provisions.
After the main agreement was executed, we were then involved in negotiating various amendments and modules (eg, for SaaS, managed services, professional services etc respectively) setting out further provisions relating to those specific service types to be supplied and then also in negotiating orders under those modules (setting out the specific service scope, fees etc and legal overrides specific to the particular order). We were then engaged to prepare client-internal template modules and orders flagging issues to be addressed at module/order level for the purposes of ongoing risk mitigation by the client’s business representatives who would be executing further orders from time to time.
Finally, the agreement was then replicated (with necessary amendments) for a subsidiary of the counterparty that was being spun off. This necessitated renegotiation of the complex corporate group benefit provisions of the original agreement and considering the risks associated with potential further flow-through of rights under the agreement to the new corporate group that had acquired the subsidiary.