Minimizing Risk with Amazon Web Services

Published on JD Supra on November 12, 2020

It has become commonplace for providers to use Amazon Web Services (AWS) to offer their software-as-a-service (SaaS) solutions to both consumer and business customers. The AWS offerings can help a SaaS provider cost-effectively maintain and scale its SaaS solution while providing reliability and security to its customers. However, the use of AWS offerings comes with certain obligations on SaaS providers. Accordingly, SaaS providers must consider how to meet those obligations while growing their customer base and generating revenue.

When purchasing AWS services, a SaaS provider agrees to the AWS Customer Agreement, applicable AWS Service Terms, and other AWS standard policies, including AWS’ Privacy Notice and Acceptable Use Policy. In so doing, the SaaS provider assumes potential liability to AWS for its end users’ acts and omissions: “You are responsible for End Users’ use of Your Content and the Service Offerings.” AWS Customer Agreement updated June 30, 2020, Section 4.5. The SaaS provider also agrees that its service terms will be consistent with the AWS Customer Agreement: “You will ensure that all End Users comply with your obligations under this Agreement and that the terms of your agreement with each End User are consistent with this Agreement.” Ibid. Given that the penalties for failure to comply with these obligations include suspension and termination, SaaS providers are wise to have a mechanism to flow down these obligations to their customers.

Minimizing Compliance Risk in the B2C Market

In the context of a business-to-consumer (B2C) SaaS solution, a SaaS provider easily can flow down obligations under the AWS Customer Agreement to its B2C customers. The SaaS provider should consider updating its online service terms to:

  • Require B2C customers to agree to comply with the AWS Customer Agreement, including a link to the agreement
  • Require the B2C customers to be responsible and indemnify the SaaS provider for their breach of the AWS Customer Agreement
  • Permit the SaaS provider to immediately suspend or terminate a B2C customer’s access to the SaaS solution if a breach of the AWS Customer Agreement is suspected or occurs

Of course, the enforceability of the SaaS provider’s online service terms will depend on the law of the applicable jurisdiction. Because it is unlikely that the SaaS provider will pursue legal action against a B2C customer, the SaaS provider will most likely retain most, if not all, of the risk of liability to AWS. In the B2C context, the most effective way to minimize such risk may be to actively monitor use of the SaaS solution and immediately suspend or terminate a B2C customer’s access if a breach of the AWS Customer Agreement is suspected or occurs.

Minimizing Compliance Risk in the B2B Market

The business-to-business (B2B) context is more complex. While some B2B customers will agree to online service terms, the savvy B2B customer will require a negotiated, written agreement. The SaaS provider can include a provision in the agreement that the B2B customer agrees to comply with and indemnify the SaaS provider for the customer’s breach of the AWS Customer Agreement, including the applicable AWS URL in the agreement. However, the B2B customer may object on a few grounds.

The first argument a B2B customer may make is that the SaaS provider’s obligations to its third-party service providers are part of the SaaS provider’s cost of doing business and not the B2B customer’s responsibility – financial or otherwise. SaaS providers have been using third-party service providers like AWS for as long as there have been SaaS solutions. Why should AWS be treated differently? The SaaS provider should consider whether it can argue that using AWS has lowered the cost of providing the SaaS solution or improved the quality of the SaaS solution such that the customer is benefitting from the use of AWS and should therefore assume some of the potential responsibility.

In addition, a savvy B2B customer may argue that it cannot agree to the terms of the AWS Customer Agreement because AWS can update its terms at any time without notice to the B2B customer. Indeed, the AWS Customer Agreement states, “we may modify this Agreement (including any Policies) at any time by posting a revised version on the AWS Site or by otherwise notifying you [SaaS provider]…” Ibid, Section 12. The SaaS provider may be able to convince the B2B customer to agree to the then-current version of the AWS Customer Agreement, including that version as an exhibit to the agreement. While that approach will provide the SaaS provider with some protections, it will not guarantee that the SaaS provider’s agreement remains “consistent” with the AWS Customer Agreement, nor will it protect against risks that may arise from significant changes to these terms.

In these situations, the SaaS provider will need to be more creative. The SaaS provider must review all the current applicable AWS terms and include consistent terms in its agreements. Because the interests of the SaaS provider and AWS – and all other third-party service providers – generally should align, including consistent provisions should protect the SaaS provider, AWS and all other third-party service providers. The SaaS provider should consider requiring its B2B customers to agree to:

  • Comply with applicable law and the terms of any applicable agreement or service terms
  • Not use the SaaS solution for illegal, harmful or fraudulent activity, to violate the security or integrity of any system or device, to make unwanted network connections or to send unsolicited communications
  • Ensure that its content does not infringe any intellectual property rights and is not fraudulent, harmful or offensive
  • Not infringe, misuse or misappropriate the intellectual property of the SaaS provider or its third-party service providers
  • Consent to any processing of the customer’s information as necessary to provide the SaaS solution and for any other reasons for which the information is processed, including the processing location
  • Agree to the SaaS provider having robust monitoring, takedown, suspension and termination rights in the event of a breach or a suspected breach, security risks, adverse system impact and potential legal liability
  • Agree to the SaaS provider’s acceptable use policy as updated from time to time by the SaaS provider, giving it an avenue to flow down any updated AWS terms to its customers

As in the B2C context, the most effective way to minimize the risk of incurring liability to AWS for violations may be to actively monitor use of the SaaS solution and immediately suspend or terminate a B2B customer’s access if a breach is suspected or occurs.

Conclusion

By being flexible about how to flow down AWS terms to its customers – whether B2C or B2B – the savvy SaaS provider can help ensure its compliance with the AWS terms without unduly impeding its own customer relationships, facilitating more – and better – relationships with its customers.