If your app is like most SaaS applications and businesses, your service allows the user to upload their own content.
This means that there are unique intellectual property terms that you need to include as a result, and measures need to be put in place to curtail accounts that abuse this ability.
In addition, since you're running the application in the cloud, your users' information is often stored somewhere different to where you or they might be based.
For example, you may operate from the US, but 80% of your users are in India. Or, you may be based in New Zealand, but your users are primarily the US, and their data is stored by a cloud storage provider in the UK.
Clause 1: Intellectual property in user-generated content
If your app has the ability to allow your users to create their own content of some kind, you need to obtain a license from your users for your app to use that content.
Basically, your users grant you a license to use and display the content they create on our platform. Since they created that content, they own it, but they're granting you permission to use that content.
Your "Terms" agreement need to explicitly state that your user gives you this license.
One example is Dropbox. If a Dropbox user uploads a photo they took, Dropbox's Terms of Service outlines that the user will grant Dropbox a license to use those photos i.e. store them, put them into folders, and share them as per user requests.
Here's another example from Google Drive:
In the example above you can see that the user grants Google (and those they work with) a worldwide license to use the user-generated content in various ways, and they also state what they will use that content for.
- Explicitly state what you can do with the user-generated content; and
- Tell the user what you'll use it for (i.e. your services).
Clause 2: Cloud storage and data security
Cloud storage is one of the primary ways in which a SaaS business operates, by keeping user data in the cloud.
One of the legal issues that you need to consider is how you will keep your users' information secure, particularly if you are using a third-party cloud storage vendor, like Amazon AWS.
When your users sign up to your service, your app will collect information about them that will be stored either by a cloud storage service that you run or by that external provider.
But what happens if that external provider has a data leak? Who is responsible to your users, you or them?
Like Amazon, most cloud storage services do not guarantee that user data will be kept and limit their liability in the case of a loss.
- The types of information that you will collect;
- How you will keep it secure;
- Any third parties who will be holding the information on your behalf (e.g. cloud storage provider);
- What you will do with that information and in what circumstances you will release it;
- How the user can review the information you hold on them; and
- How the user can change or delete that information.
Clause 3: Prevent abusive accounts
The next clause that you need to include is a clause for preventing abusive accounts, and what response will be taken if an account is misusing your app.
It's common practice to include a "suspension" or "termination" clause where you can stop providing your app services to a user at any point if they breach your terms or are disruptive to other users.
You can see that SurveyMonkey's clause is quite broad, which leaves them able to respond quickly to abusive users who breach their terms or cause problems for other users.
Here's an example of Dropbox's Acceptable Use Policy page:
Dropbox has included a list of all of the types of behavior that they do not accept.
Consider which of the above may apply to your app and which things a user might be able to do.
Clause 4: Limitation of Liability
Make sure that you limit your liability to things that you are in control of.
If your users are able to upload information such as pictures to your service, they may be uploading illegal information or images, or things that violate the intellectual property rights of a third party, such as uploading copyrighted material.
You can see that in the Salesforce section the user grants an indemnity to Salesforce if a third party brings a claim against Salesforce, or if user-generated content violates a law.
They also give an indemnity back the other way to reassure their users that Salesforce will defend the user if a third party claims that the user is breaching their IP rights by using Salesforce.
Clause 5: Governing Law
As your service may be used around the world, it's important to clearly state which country's law will govern the contract.
There are two parts to these provisions: governing law (the law that will be used to decide the dispute) and jurisdiction (where the dispute will be decided).
The jurisdiction is usually in the country or state where the business is based.
Governing law is different:
- Usually, if you're in Australia, you'll want your section to say that Australian law applies
- Or, if you're based in California, you would want the Californian law to apply. However, sometimes the law in another state in the US is more favorable to businesses, such as Delaware.
Courts usually look for some connection between the business owner or the customers, and the state or country that has been chosen as governing law. Another factor is that cases looking at corporate behavior (i.e. if you are being sued), they must usually be decided in the state of incorporation.
It's also important to state that your legal agreement is the only contract between you and your users.
Have a look at this example from Dropbox that shows their governing law and entire agreement provisions:
You need to include a similar term that's tailor-made to you and your location.
- Definitions of key terms
- Subscription information (including fees, access, and how modifications will be made or new features added); and
- Customer support information.