07.04.2025
Software-as-a-Service (SaaS) contracts: classification and options
Software-as-a-Service (SaaS) applications have become an integral part of businesses and a common solution for managing work processes. Some of the best-known SaaS products include Microsoft Office 365 and Google Workspace, as well as various video conferencing providers, which have become more important than ever during the Corona crisis.
With the implementation of the Digital Content Directive (Directive (EU) 2019/770), consumer contracts for digital products will be governed by the new Sections 327 to 327s of the German Civil Code (BGB) from 1 January 2022. SaaS contracts are also covered if they are concluded between companies and consumers (B2C). This article aims to provide an overview of SaaS applications, their benefits and their legal classification.
What is SaaS?
Software-as-a-Service is based on the principle that the software and IT infrastructure are operated and used by an external IT service provider. There are numerous use cases, from the office and video conferencing applications mentioned above to solutions for human resources, customer relationship management and financial management.
Together with Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS), Software-as-a-Service is referred to as Everything-as-a-Service. SaaS, IaaS and PaaS can be seen as a pyramid and can be differentiated accordingly.
The lowest level is Infrastructure-as-a-Service. Here, providers only provide the basic infrastructure (e.g. computing power, storage). Users operate everything else independently. Examples are AWS or Microsoft Azure.
Platform-as-a-Service is at the centre of the pyramid. The main target group is programmers who are provided with a platform on which they can develop their own applications without having to manage the necessary infrastructure themselves. Examples of PaaS include Google App Engine and Heroku.
SaaS applications are at the top of the pyramid. Users are provided with a complete and comprehensive product. Control over the product is therefore entirely with the provider.
Advantages of SaaS contracts
There are many advantages to using SaaS products. The acquisition costs for SaaS products are generally lower than for on-premises solutions, and there is often the option of pay-as-you-go billing.
SaaS software is also easier to use than on-premises solutions: there is no software to install, maintain, service or update. This is all done by the provider. Infrastructure requirements are also much lower, with an Internet connection and a standard browser usually all that is needed.
Legal categorisation of the SaaS contract
Before answering specific questions, such as contract drafting, liability or warranty, the legal nature of SaaS contracts must first be clarified.
Legal nature of the SaaS contract: contract for work, contract for services or lease?
The following areas of law are relevant in the context of a SaaS contract: the law governing contracts for work, §§ 631 et seq. BGB, service contract law, §§ 611 et seq. BGB, and tenancy law, §§ 535 et seq. BGB.
In contrast to a contract for services, a contract for work requires the provider to deliver a result in addition to performing the work. For example, a result may be owed in the case of data migration, software implementation or customisation of software. In such cases, the provider owes not merely an attempt at, for example, a data migration, but its actual completion.
By contrast, only the activity itself, as under a service contract, may be owed, for example, in the case of training on the software. The provider only has to organise the training of suitably qualified personnel, but is not responsible for any success, such as the participants understanding and being able to use the software.
However, the core of a SaaS contract is the law of tenancy. This view is also shared by the German Federal Court of Justice (BGH, judgement of 15 November 2006 - XII ZR 120/04). The provision of software for use is most comparable to the transfer of possession under landlord and tenant law. This has long been controversial because tenancy law requires that the tenant obtains possession of an item and that the landlord relinquishes this possession completely. In a SaaS contract, however, the software remains in the possession of the supplier, who merely allows it to be used. Furthermore, software is not a 'thing' in the legal sense. However, in the view of the Federal Court of Justice, this temporary transfer of use is so similar to the rules and purpose of tenancy law that it forms the main component of a SaaS contract.
SaaS contracts are therefore often mixed contracts, which raises the question of which area of law (e.g. the law on contracts for work or tenancy law) should be applied. In principle, the law applicable to the specific part of the service should be applied, e.g. the law on contracts for work for the data migration and tenancy law for the provision of the software. If the contract as a whole is affected, or if a part of the service cannot be meaningfully separated, the law that forms the centre of gravity of the contract, usually tenancy law, is applied uniformly. Thus, for example, in the event of a service interruption, the specific law will be applied (e.g. the law on contracts for work if there is a defect in the data migration), whereas the termination of a SaaS contract is usually governed by tenancy law.
Drafting SaaS contracts
As is often the case with contract drafting, there are many potential pitfalls in the SaaS sector. Without claiming to be exhaustive, the following are some of the issues we frequently encounter in our advisory practice.
In general, SaaS contracts are provided as pre-formulated contracts and therefore fall within the scope of the law on general terms and conditions (Allgemeine Geschäftsbedingungen - AGB) pursuant to Sections 305 to 310 of the German Civil Code (Bürgerliches Gesetzbuch - BGB). One of the consequences of this is that an invalid clause is replaced by the statutory provision (no reduction to maintain validity). Care should therefore be taken when using US contracts as a template for SaaS contracts.
For example, US SaaS contracts often contain drastic disclaimers that contradict the nuances of German law. If such a version is merely translated and subjected to German law, these disclaimers are likely to be invalid, with the result that only the statutory liability regime applies. German law allows limitations in cases of strict liability (§ 536a BGB, e.g. unintentional programming errors) or simple negligence (exception: breach of cardinal obligations). Intentional or grossly negligent behaviour as well as injury to life, body or health cannot be excluded from liability (§§ 307, 309 BGB). The same applies if the provider has given a guarantee or has generally limited liability.
You should also check the service description carefully. This describes the capabilities and functions of the software and thus defines the scope of the services owed. A precise service description can therefore also specify the scope of liability.
Service level agreement (SLA) for SaaS contracts
Another important part of a SaaS contract is the Service Level Agreement (SLA). This includes provisions on the availability of the software, accessibility of support, response and problem resolution times, maintenance windows and, where applicable, rights to minimise costs. As the provision of software is usually subject to rental law, the availability of the software is a key element of the SLA. In principle, the lessor owes the uninterrupted provision of the leased object within the framework of a rental agreement. This can rarely be guaranteed to the same extent in SaaS contracts. The availability of the software and the consequences of its non-availability should therefore be specifically agreed.
Special issue: data protection in SaaS contracts
SaaS contracts generally constitute order processing pursuant to Art. 28 GDPR and therefore require an order processing agreement. There is an obligation to ensure technical and organisational measures to adequately protect personal data. When using SaaS applications, the user's data is processed and the user (or his employer) is generally responsible for this data.
However, as the software is operated and managed by the provider, the provider acts as the user's processor and is contractually responsible for ensuring data security. In addition, an adequate level of data protection must be ensured when data is processed outside the European Economic Area or a third country whose level of data protection has been declared by the European Commission to be comparable to that of the EU. The "Schrems 2" ruling of the European Court of Justice must therefore often be taken into account when using SaaS.
SaaS products, like other online services, often use cookies. There are no specific rules for SaaS contracts. The principle remains that no personal data should be processed without justification. Without consent, only strictly necessary cookies or other tools that store or access information on the user's device may be used. In Germany, this requirement of Art. 5 para. 3 ePrivacy Directive was initially implemented inadequately and only referred to the existing Section 15 para. 3 TMG, which led to years of legal uncertainty. The new Section 25 TTDSG correctly implements the requirement of the ePrivacy Directive.
Conclusion & outlook
SaaS solutions are growing in popularity and use. They have great potential and represent a convenient and cost-effective solution for users. The implementation of the Digital Content Directive will provide greater clarity in the B2C sector. B2B contracts, on the other hand, will continue to require a case-by-case approach, with many details - from the content of the service to liability and warranty issues - to be considered.