Who Owns SaaS Data?

Software as a Service solutions are growing fast. Gartner forecasts end-user spending on public cloud services to reach $482 billion in 2022, with $172 billion of that in SaaS alone (22% YOY). With our growing reliance on the cloud and SaaS, it becomes increasingly important to pay attention to the details embodied in agreements. Think about your organization’s exposure if your vendor has a data breach. What happens if there are outages? And an issue we’ll review today, who owns the SaaS data? The best place to start is a review of your your software license agreements.

YOUR Data

The short answer is that you probably own the data you create. In most cases, you store your data in a cloud-based system, but the cloud service provider controls it. Your service level agreements (SLAs) define your company’s ownership and ability to retrieve the data on the vendor’s servers. Every SaaS SLA is important and should be fully reviewed by stakeholders before signing. SaaS vendors typically allow you to export your data or back it up. SaaS contracts also outline contingencies for collecting your data if the vendor goes out of business. Note, making sure that you protect your data and is increasingly difficult as legal processes have kept up with technology.

The Value of Your Data

Data stored in SaaS applications represent historical records (snapshots) of business patterns. Besides being essential for compliance, historical data gives us a chance to improve many aspects of our organizations: marketing, sales, operations, finance, product development, and more. Tracking changes lets us monitor causes and effects. Especially with the emergence of machine learning, having more data for pattern recognition is useful.

SLA Notes

The SLA is one of the most important things to consider when signing up for a SaaS offering. Most service providers write the SLA keeping their own best interests in mind, which makes it critical to evaluate the agreement (as mentioned already). An SLA is like a mini-insurance policy for outsourcing. SaaS vendors are responsible for the security of their platform, such as infrastructure and security. Check your SLA for provisions about vendor responsibilities regarding support, updates, and security. You’ll also want guarantees of service, like uptime and performance.

GDPR & Compliance

The General Data Protection Regulation (GDPR) is a privacy and security law passed by the European Union (EU) in 2018. It sets obligations onto organizations worldwide regarding data collection for people in the EU. By design, GDPR alters how organizations handle information from users. Potentially large fines and reputational damage await those who violate the rules. What does this mean? If you’re a SaaS provider, you have to comply…

Although there is no GDPR federal equivalent in the United States, it’s on the horizon. The California Privacy Rights Act (CPRA), for example, takes effect in January 2023, with a “look back” to January 2022. As a result, if you’re managing data in the U.S., you’re most likely going to face some form of compliance (you know, California is the world’s seventh largest economy!). CCPA requires that users be able to easily submit a Do Not Sell (DNS) request from anywhere they consume your content. You see these little cookie consent popups on many websites today. Who owns the data? Well, it appears you’re renting it from your users! Pay heed…

So Who Owns SaaS Data?

We’ll answer the question of SaaS data ownership from three viewpoints.

If you’re a consumer, in many cases, you do. That is, new privacy regulations give control back to you. You can opt out of all the cookie tracking and cryptic ways your data is collected and repurposed. GDPR paved this road.

If you’re a SaaS customer, in nearly all cases, you own your data. The asterisk on that statement is that you need to read the agreements before signing to make sure you do. Look for provisions about security, local backups, retention policies, and termination (if you leave, you want to be able to take your data elsewhere).

If you’re a SaaS provider, be smart. Your system adds value to user data, but you shouldn’t claim ownership. When Instagram employed user posts for marketing, it earned them a PR nightmare. To avoid last minute development projects, consider GDPR and CCPA as foundational tools for where the market is headed. Write fair SLAs — you’ll be glad you did.