In a recent interview, one IT professional whose company uses SaaS heavily offered some additional perspectives on the sort of rights SaaS customers should have.
One is "what we call a security or breach notification," said Ken Stineman, senior director of enterprise architecture and security at Genomic Health, which develops diagnostic tests for cancer. "We require within 48 hours that if they have a failure or lose our data, that they notify us. That's been tough to negotiate but it's required of almost all of our SaaS vendors."
Genomic also requires "evidence of ongoing security due diligence," such as access to SaaS vendors' vulnerability reports and the right to run automated tests against their services, he said.
The company has more than 20 SaaS applications and is using a tool called Okta to manage employee access to them.
Beyond bringing in such tools to help governance efforts, Genomic has been tweaking some of its previous SaaS contracts, which may have been negotiated by a business department without much involvement from IT, in order to get the rights and protections it desires, Stineman said.
Constellation Research's Wang released a similar bill of rights report in 2009. The changes since then in the SaaS industry have been significant, he said in an interview.
"The buyers have gone from the departmental, swipe-and-buy as the primary pool to now large corporate deals," he said. "So these rights now have to be enterprise-class, meet procurement team requirements and of course new legal scrutiny."
"The small quick deals are still there that you can sign with a terms of service [agreement]," he added. "But because most delivery is moving into the cloud, we're seeing new complexity evolve."
Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris' email address is Chris_Kanaracus@idg.com