As society moves away from the use of on-premises software into a modern world in which software vendors offer software and services through online, hosted environments, new challenges and trends related to data use and ownership have become more prevalent. This article discusses the relevant historical background of on-premises software, the shift toward subscription-based software or software as a solution, and the new trends arising in such hosted software agreements.
On-premises software
Historically, on-premises software was the only solution available to users. A license to on-premises software grants the user the right to install the software onto their computers or systems for the user’s internal use. On-premises software is advantageous for users who enjoy controlling the use of such software, subject to the restrictions in the software agreement. However, users of on-premises software take on significant responsibilities when accessing and using the software, including full responsibility for the implementation of the software, purchasing the network infrastructure (e.g., servers, operating systems) to operate the software, purchasing and maintaining power to access and use the software, controlling any additional external databases necessary to access and use the software, and security and virus protection. Users are responsible for implementing any available updates to the on-premises software, which may be costly, to ensure its functionality meets the users’ expectations. In addition, users must maintain the integrity of the software and the safety of their systems to prevent any unauthorized access, use or alteration of the software, or they risk a vendor taking legal action against a user for misuse or misappropriation of such software.
The shift toward hosted software
Although on-premises software solutions remain widely used, in recent years, users have begun shifting toward subscription-based or software as a service solutions (collectively, hosted software) that are hosted off-site by the vendor.1 There are a multitude of reasons for this shift toward hosted software, including: (a) users pay only for the scope of the solution the user desires to use; (b) users do not have to shell out the extensive upfront costs of implementing onpremises software; (c) hosted software, unlike on-premises software, is capable of quick deployment without a long implementation process; and (d) users are not obligated to purchase and maintain the infrastructure to operate the hosted software; rather, the vendor will collaborate with the user to create the infrastructure that meets the user’s needs and will host and monitor the network to ensure the user’s access and use of the hosted software complies with the terms of the hosted software agreement. Software vendors also prefer hosted software because the subscription fees provide them with a recurring revenue stream and it gives them greater control over the software.
Legal trends arising from the shift toward hosted software
In conjunction with the rise of hosted software, certain new challenges and legal issues have become prevalent. Specifically, the following legal trends are involved in hosted software agreements: (a) the fight over data ownership (i.e., software vendors’ desire to obtain ownership rights over a user’s data); (b) users are granting licenses to their data as an alternative to transferring data ownership to software vendors; and (c) users now want to ensure they have adequate rights to claw back their data at the end of the relationship with the software vendor. The intersection of these trends is a two-way street, because software vendors have greater access to a user’s data and are aggressively moving to take advantage of such data for a multitude of purposes, including improving or adding features to the hosted software for users’ benefits. The result of these intersecting trends in the context of our discussion is that software vendors are asking for or demanding greater rights to access, aggregate, analyze and use a user’s data stored in the hosted software.
A. Data ownership
Generally, hosted software agreements between a user and a software vendor will expressly allocate data ownership to the user. For example, the agreement will likely indicate the user is the “sole and exclusive owner” of their data and/or such data is deemed confidential information (i.e., a vendor’s misuse or unauthorized disclosure of a user’s data would violate the agreement’s confidentiality obligations). This type of provision is logical since the user generated the data, then uploaded or shared the data to the hosted software, and thus the user would likely not enter into an agreement in which it relinquishes control over such data.
However, although the hosted software agreements memorialize a user’s ownership rights to their data, recently, software vendors have also been working to include certain provisions or language in the same hosted software agreements that provide the software vendor rights to access, deidentify and use such de-identified data. For example, a software vendor may include language granting the vendor the right to de-identify and commercially exploit a user’s data for the provision of the hosted software in order to create new offerings or for other related purposes.
Although it is industry standard to allow vendors the right to monitor data stored and processed within the hosted software for the purposes of providing the software or services and implementing software updates, the agreement’s language creates broad rights for a software vendor to derive and own new value (e.g., new revenue streams) from a user’s data. For instance, under a provision in the agreement, a software vendor would have the right to use a user’s data to create new software or data products that the vendor can sell as stand-alone products and/or develop as new machine learning algorithms.
In response to a software vendor’s attempt at obtaining broad rights to a user’s data, there are various approaches a user can take to protect themselves and their rights to such data, including (a) expressly restricting the vendor’s access and use of the user’s data to the limited purpose of providing the contracted software or services; (b) granting the software vendor a right to extract, de-identify and commercially exploit de-identified user data for the vendor’s commercial purposes, provided that the vendor compensates the user either in the form of actual payment or discounted subscription fees for the hosted software; or (c) granting the software vendor a right to extract, de-identify and commercially exploit de-identified user data for the vendor’s commercial purposes, provided that the vendor grants the user a nonexclusive, perpetual and irrevocable license to use any products or services created by such deidentified data.
B. Data licensing
Users tend to reject the notion of software vendors owning their data in any manner and generally will push back on the transfer of data ownership to vendors. However, if a user is unable to thwart the software vendor’s desire to access and use the deidentified data stored or processed using the hosted software, a good alternative to transferring data ownership is to grant software vendors a limited license to the user’s data that restricts the vendor’s use of such data to certain limited, agreed-upon uses. Unlike the transfer of data ownership, granting a limited license to the user’s data retains the user’s right to control their data. Specifically, the user may revoke the data license subject to the terms of the license, prohibit the software vendor from transferring or selling the user’s data, restrict access to the data to certain geographical areas, and/ or limit the purposes in which the software vendor may access or use such data. The permitted uses of a user’s data will likely vary depending on the user’s risk tolerance levels and the sensitivity of the data. The limited license may permit a software vendor to use a user’s data for any purposes the vendor desires or may limit such permitted uses to only those necessary to monitor and update the hosted software for the provision of services to the user. In addition, the terms of a data license may require that the vendor pay the user compensation or royalties for the vendor’s use and misuse of the user’s data or the creation of new products from the user’s data.
Once a user determines that granting the software vendor a limited license to their data is the best approach to push the deal to closure, the user should consider modifying the applicable definition in the hosted software agreement (generally defined as “user data” or “customer data”) to include downstream derivatives that may be developed from the user’s data. A broad definition of user data or customer data ensures the user will retain the rights to their current data while establishing rights to any new products or services created from the data.
C. Clawback
Another growing trend is that users now include clawback provisions in hosted software agreements. Clawback provisions grant users the right to retrieve or claw back their data from the software vendor at the expiration or termination of the relationship. Clawback provisions protect users from vendors’ continued use of their data after the termination or expiration of the relationship. Typically, clawback provisions will expressly terminate the license to the user’s data provided under the hosted software agreement upon the termination or expiration of the user and vendor’s relationship and obligate the vendor to destroy or permanently erase all copies of the user’s data that the vendor controls at the time of such termination or expiration.
Although clawback provisions provide some certainty for a future return of data, vendors may not have the capability to delete or destroy a user’s data. Generally, hosted software solutions take snapshots of the hosted environment (including the user data contained in the environment) and save the snapshots to the vendor’s archives or backups, making it burdensome for the vendor to delete the archived user data. If a hosted software agreement grants the vendor the right to retain archived data, users should make sure the agreement (a) extends any applicable confidentiality obligations to the archived data for as long as the vendor retains such data, (b) restricts the vendor’s use of archived data to the lawful purposes for such archival (i.e., statutory retention requirements and/or disaster relief plans), and/or (c) sets a reasonable period for the deletion of the archived data once the archival purposes have been fulfilled.
Another key consideration when including a clawback provision in a hosted software agreement is ensuring the vendor remains able to identify the data it receives from the user. If the vendor is incapable of identifying the applicable data from other users’ data, the user will be unable to retrieve their data from the vendor at the termination or expiration of the relationship. However, clawback provisions are not without risk — in order to comply with such obligations, vendors must maintain the user’s data in an identifiable format that creates risk of accidental identification. In addition, users must conduct a risk analysis and weigh the pros and cons of allowing a vendor to retain their data in an identifiable format for the purpose of the user retrieving the data at a later date.
Conclusion
In this post-on-premises world in which users generate and upload their data to a hosted software environment, vendors are increasingly more aggressive in trying to obtain rights and/or ownership to the user’s data. Users of such hosted software should view their data as a commodity and protect their rights to the data and derivatives of such data by restricting the vendor’s access to and use of their data through a limited license and, if applicable, express clawback provisions in the hosted software agreement.
1 While there are distinctions between hosted software and SaaS solutions, for the purposes of this article the concepts and issues of such solutions are similar enough that this article treats all the solutions the same.
