Kicking off our series on topics concerning Software-as-a Service (SaaS) technology, it is important to lay a framework around the data managed by SaaS applications and issues that arise out of complex relationships among various stakeholders in the SaaS environment.

Valuations of companies are tied to revenue and growth projections,¹ and a significant portion of the value attributed to SaaS companies in particular is based on the data they handle and maintain.² This is typically equated as a combination of services provided and expected revenue growth from the value of the data itself. For example, using search engine advertising revenue as a proxy for the value of personal data, over the last 20 years advertising revenue on a per user basis has increased by 1,800%.³ This underscores the relationship between the amount of data that SaaS companies handle and corresponding valuations.

As a result, understanding the issues surrounding data management and various aspects of data ownership in the context of the SaaS environment has become all the more important.

Overview of SaaS Stakeholders

In a typical SaaS platform, various stakeholders are involved at different levels of data processing, each having their own unique roles and ownership claims with respect to at least some aspect of data that they store or process. Each of these stakeholders may access, own, consume, store, process, or otherwise interact with the user data at various layers of the data stack.

The number of stakeholders can vary greatly based on the complexity of the SaaS platform. For instance, a SaaS platform might include data from end users (e.g., personal, financial, or medical data) as well as confidential data from enterprises (e.g., employee, technical, or business confidential information). The SaaS service provider can further store the received confidential data on company systems or cloud service providers, where it is further processed using proprietary or open source software solutions. Alternatively, the processing and software solutions could be provided or handled by third party service provider(s) with access to the data on the company systems and the cloud service providers.

Geographic and Data-Specific Concerns With SaaS Platforms

The complexities of how enterprises and other entities interact with the data used by SaaS companies are amplified by geography. For example, stakeholders could be located in various geographic regions and subject to different jurisdictional laws, regulations, and expectations with respect to data ownership and management. Consequently, many issues can arise with respect to how obligations for complying with these considerations are allocated amongst stakeholders. In addition, different stakeholders can have competing interests and various obligations in relation to other parties indirectly involved in the SaaS process, affecting commercial relationships further downstream from the immediate ownership or management of the data.

Moreover, depending on the nature of the type of data, additional factors may have to be considered, such as privacy,⁴ regulatory compliance,⁵ data security,⁶ and data access and use.⁷ For example, a SaaS company dealing with EMR (electronic medical records) will have additional legal responsibilities when handling particular types of data, such as personal health information (PHI) of patients at a medical institution.⁸ Such EMR data can be subject to its own unique jurisdiction-based regulations, all of which depend on the geographical locations of the company itself plus those of the stakeholders involved. These issues are especially of concern in recent years given the significant increase in data breach activity and regulations (e.g., personal health information data or data relating to children).

Conclusion

Future articles will discuss these and other potential issues concerning ownership and management of SaaS cloud-based data, and suggest strategies and practices for SaaS companies to employ to protect their interests, innovations, and interests of their customers.

To read additional parts of the Clear Skies Through the Clouds series, please click here.

FOOTNOTES

¹ SaaS Academy, SaaS Valuation: How to Value a SaaS Company in 2022 (Accessed October 24, 2022)

² EQVISTA, SaaS Valuation: How Do You Value A SaaS Company? (Accessed October 24, 2022)

³ MiQ, In less than two decades, the value of personal data has increased by 1,800% (Accessed October 24, 2022)

⁴ SaaSholic, Why Data Protection Is So Important for SaaS (Accessed October 24, 2022)

⁵ Dachowitz, Juliet, What Every SaaS Business Should Know About Compliance (April 7, 2021)

⁶ Bhuvaneswaran, Shivasankari, 7 SaaS security risks that every business should address (October 1, 2021)

⁷ Dziuba, Anna, SaaS User Management and Access Control: Best Practices from Relevant (Accessed October 24, 2022)

⁸ U.S. Department of Health and Human Services, Guidance on HIPAA & Cloud Computing (April 15, 2022)