Andrada Fiscutean
Freelance writer

Who owns your data? SaaS contract security, privacy red flags

Feature
Mar 27, 2024
10 mins
Data and Information Security

Companies looking to use SaaS solutions should involve the security team in the procurement process and pay attention to contract language.


Nearly every organization in the world depends on software as a service (SaaS). Medium- to large-sized companies can have more than 130 SaaS applications and for those employing more than 10,000 people, that number might exceed 400. When data is stored in so many places and handled by many parties, it’s not uncommon for security issues to arise, especially if the contracts with the providers have not been negotiated properly.

It recently happened to Bloomtech co-founder Austen Allred, who found himself unable to export his company’s data from Slack without agreeing to a new, costly contract. While the situation was ultimately resolved, it highlighted the potential complications associated with data stored on SaaS platforms, serving as a cautionary tale for other businesses.

“SaaS was supposed to be: I give you money with my right hand, and I take a software as a service with my left hand,” says Shiva Nathan, CEO of app development startup Onymos. “But I have to give money and data for the software as a service to work.”

This opens the door to challenges related to data management. In Bloomtech’s case, it was an issue of access to data, but other problems can be related to privacy, compliance, and data sovereignty. This is why companies that use SaaS solutions need to take proper security measures, pay attention to contract language, and involve security teams in the procurement process whenever possible. “You don’t want to be held hostage by a SaaS provider that you’ve given your data to,” Nathan tells CSO. “If you’re sitting in the C-suite, data is the number one priority in 2024, and probably the next few years till we get our act together. Data is so important that people have to start worrying about it.”

Think of data availability and exit strategy from the start

Before using a SaaS solution, organizations need to know exactly what they want and carefully evaluate the terms and services provided by the vendor. These documents can be riddled with problems — they are long and have convoluted language, which makes the act of reading them daunting and impractical. “Click-through agreements are the bane of the software industry,” Nathan says. “You don’t find click-through agreements when you buy a car or anything else.”

Behind that legalese there are often critical details that can significantly impact how an organization uses the service. Andrei Dumitru, co-chair at the Institute of Operational Privacy Design, says that before striking a deal with a SaaS provider, organizations need to establish an exit strategy. “It is important to ensure data can be taken out at a known and manageable cost and in a portable format that can be used with an alternative service,” he says.

Key questions to consider here include whether there’s a grace period for data retrieval and if there’s a definite process for deleting data to prevent it from remaining on the provider’s servers. End-of-contract obligations should outline the data export format, which can help a company have a smoother transition to an alternative service. “Companies should have a clear understanding of the costs and time frame of taking the data out,” Dumitru says. “In general, it’s free to put data in, but very expensive to take data out of a SaaS.”

Another key aspect companies need to know is whether they can have full control of their data and what happens to it. “How was your data defined in the Terms of Service? Who owns it? Who controls it? How is it going to be used?” are some of the questions that should be asked, Nathan says.

Zegal co-founder Daniel Walker agrees. “Go through the terms with a fine-tooth comb. It’s wise to set up your own data backups so you’re not entirely reliant on the SaaS provider.”

Alternatively, organizations could opt for locally deployed solutions that offer the same functionalities. Security and IT teams could work together to identify providers that offer no-data architecture and full ownership over licensed source code.

Bad contract language to pay attention to

Typically, contracts serve the vendor’s interests, so companies that want to use SaaS solutions must be mindful of the red flags that can be hidden in legalese. Walker remembers a case his company worked on a few years ago that involved a rapidly expanding organization that decided to integrate a SaaS solution for customer relationship management. This company failed to fully understand the contract it signed. “The contract was vague on several critical points, particularly regarding the terms of service and data handling policies,” Walker says.

A few months after the agreement came into effect, the SaaS provider announced changes to the terms, altering the data usage rights and introducing additional fees for features the client had come to rely on. “The new terms not only imposed unexpected costs but also raised concerns about the security and privacy of customer data,” Walker says. “The vague original contract gave the company little leverage to contest these changes or seek alternatives without incurring substantial losses.”

Recently, some SaaS providers have taken advantage of the complex contract language to get more money from customers. “It’s a recent and a very ‘vile’ trend in our industry to keep security features behind an additional paywall,” says Eyal Manor, VP of product management at Check Point Software Technologies. “Putting basic security features behind a more expensive contract feels like asking people to pay extra to add seat belts to their cars.”

Manor sees several concerning situations, in addition to data access in exchange for money. “For example, some software companies won’t audit logins or allow you to use SSO without a more expensive product,” he says.

To prevent some of these issues, the companies using SaaS solutions should make sure that the contracts are clear. Any vague language in this area “could lead to headaches down the line,” Walker says. “If it’s not crystal clear that your organization retains ownership of its data, that’s a big red flag.”

All this legalese can sound confusing, but generative AI can help, says Manor. “Fun fact: you can ask these tools to check things in the terms of service,” he explains. “For example, asking something like ‘Can the company resell my data if I use this app?’ leads to a pretty easily readable answer.”

If there are sections in the contract that require amendments, organizations should take the time to discuss those with the SaaS provider. “Always negotiate terms, seek legal advice to protect your interests and minimize risks,” says Nigel Gibbons, director and senior advisor at NCC Group.

A contract is more than mere formality; it is essential. “It’s not just paperwork,” Walker says. “It’s your safety net — it ensures that the SaaS provider has skin in the game when it comes to keeping your data safe.”

Pay attention to privacy and security compliance

Compliance is, without a doubt, another pressing issue companies that use SaaS solutions need to pay attention to. Some of the rules they need to follow are included in the European Union’s GDPR and California’s CCPA, but new ones keep emerging in different geographical locations. Organizations need to make sure that the SaaS solutions they use keep up with everything that’s happening on this front.

“Currency with compliance is one of the fastest growing challenges, as compliance standards and regulations are becoming so dynamic,” NCC’s Gibbons says. To address this, organizations need to make sure they use the right tools and have the right people in place to monitor changes in legislation and adapt their compliance strategies accordingly.

Companies that operate across borders must navigate complex regulatory landscapes, ensuring compliance with varying laws and standards in each jurisdiction, which often requires specialized knowledge and strategies. “For example, if you’re storing data in a country that allows government access to data for national security reasons, but you’re from a country with stricter privacy protections, you could find yourself in a pickle,” Zegal’s Walker says.

While large SaaS providers have started to offer more local data storage options, the problem is not solved entirely. “In Europe, at least, there is still work to be done to create an ecosystem of SaaS alternatives that could compete with the established platforms overseas and fulfill sovereignty requirements,” Dumitru says.

When considering adopting a SaaS application, companies should aim for “a cautious approach,” as Gibbons puts it, which involves vetting providers for compliance and security, making regular application assessments, and paying attention to every detail.

Involve the security team in procurement

Most experts say that security teams need to play a central role in the procurement process of SaaS solutions whenever possible. This would allow companies to ensure that vendors meet high standards for security, data protection and compliance. “This involves checking for organizational compliance such as recognized security certifications like ISO 27001 or SOC 2, encryption practices, and adherence to regulations such as GDPR or HIPAA,” Gibbons says.

Security teams can assess vendors’ policies on data handling, incident response, data regionalization, and privacy. They can evaluate a service-level agreement for things like availability and security metrics. They can also scrutinize the vendor’s security culture and practices, including third-party audits, and confirm features like multifactor authentication and data recovery. Ideally, companies should do real-time security assessments of these products, and be as thorough as possible. “For high-risk SaaS solutions, vendors may be subjected to a red teaming exercise for robustness,” Gibbons says.

Dumitru concurs. “While few SaaS will agree to be pen tested, it is still a question worth asking,” he says. “It is a good sign if a SaaS is able to answer all the data protection and information security questions and gives details on how it protects the data, ensures availability, and disaster recovery.”

Sadly, though, according to Manor, including security teams in the procurement process is not very practical in many cases. “A lot of the SaaS used today follows the Product-Led Growth methodology, which allows a user to use the product for free before buying, or for very cheap,” Manor adds. “As such, many SaaS services are being used in the organization before it gets to the procurement phase, and then it might be too late to back down.”

One way to address this is to have security teams keep an eye on SaaS products at all times, not just during the procurement process. “Oversight of the SaaS used is more important than gatekeeping what is going to be used,” Manor says. “The right thing to do, usually, is to use a product that helps you track risk of different SaaS services in use in your organization.”

Another avenue would be to look for more ethical SaaS providers. “The better solution to the problem is to reinvent SaaS one service at a time,” Nathan says. “Have [vendors say] we will provide you the software as a service on the data that you own and control wherever you keep the data, and we will not see the data. That’s the new thing that’s coming up, and in five years, I think that software as a service will be reinvented.”