XaaS Legal implications

What to consider when transitioning to a XaaS model

Most of these challenges can be minimized with good planning and a focus on the legal considerations. Below we list seven legal considerations for companies that envisage a move to a XaaS business model.

Identify the ongoing client agreements

Clients may have already bought products from the XaaS service provider before the latter's transition to a XaaS business model. The existing agreement may include additional services or maintenance provisions. Depending on the contractual clauses, the client could be entitled to receive these services for a determined period of time, and the termination clause may not allow termination for convenience at any moment in time. Applicable legislation could also impose an obligation to provide maintenance and repair services for a certain period of time, or to offer spare parts. Hence, the transition to a XaaS model may take some time and most probably requires a transition period.

Contractual relationship with the client under XaaS

Next, the format and type of the new (service) agreement to be entered into with the client will need to be identified. This will often be a more complex agreement than the terms and conditions of a sales contract. For example, as the XaaS service provider will offer services instead of products, the service levels must be laid down in a comprehensible manner and in measurable terms. How important are uptime and resolution time for the specific XaaS services? What are the remedies in case of a breach of the agreed service levels?

Subcontractors

Linked to these service levels, the XaaS service provider will likely work with subcontractors to provide services that are part of the subscription model. The contractual relationship with all subcontractors must match the contractual relationship offered to the client, for instance, with respect to liability.

Security and Data Protection

To ensure continuity of the services, appropriate security measures must be provided for, such as encryption, authentication and authorization requirements, data backup, and security incident management.

Attention must also be paid to the GDPR, as both the client and the XaaS service provider will have obligations under data protection legislation in their capacity as data controller and/or data processor.

Data ownership, localization and confidentiality

The ownership of and access to the data must also be addressed in the contractual relationship with the client. In the context of the European Digital Strategy, several regulations such as the Data Act, Data Governance Act, Digital Services Act, etc. may have a significant impact on data (access) related aspects. XaaS service providers may encounter more stringent obligations, whereas clients (users) may enjoy specific rights.

Moreover, it is also important for the client to understand where its data is stored, as well as which (data protection) legislation may apply to data stored outside of the EU. In the latter case, compliance with the provisions in the GDPR on data transfers has to be verified.

Intellectual Property Rights

Clients may have specific needs or requests, which may include the development of specific solutions or add-ons. An agreement must be reached between the XaaS service provider and the client as to who retains the intellectual property rights in these developments. While the developments may be specific to a particular client’s need, the XaaS service provider may want to use the same developments for other clients and will hence be only prepared to grant a non-exclusive license.

Contract expiration, termination and exit provisions

Since the client is no longer the owner of a product, it becomes more reliant on the XaaS service provider and the continuity of the services. Therefore, it is important for the XaaS service provider to consider how the agreement can be terminated in such a way that the business continuity of the client, relying on the XaaS services, is not jeopardized.

The client should in any case be given access to its own data. Ideally, the agreement will include provisions regarding the transition of services to another supplier and at which cost.
