Using SaaS.... for SaaS - Contract Clauses to use third parties

Beth Twigger
Beth Twigger Member Posts: 2 Navigator
edited January 2022 in CS Technology
Hi GGR community! 

Long time observer, first time poster. This ones a bit of a legal conundrum, 

We are a SaaS company working with typically risk-averse clients (healthcare, banks etc) who are very strict on third-party infosecurity. Any CS tooling we've used thus far has been in-house built or on-premise solutions, but we've reached a scale where this is starting to become problematic. The primary concern is that personal data about our users will be stored processed by any SaaS solutions we choose for usage analytics/CRM/onboarding journeys etc and therefore need to be disclosed as a fourth-party, or have something in our MSA... but perhaps there is a more creative solution out there! How are other SaaS companies with similarly infosecurity-sensitive clients handling this?

Any suggestions much appreciated - thank you!!



  • Josh Loe
    Josh Loe Member Posts: 4 Seeker
    edited January 2022
    Hey Beth,

    This is an interesting question.  I'll preface with I've never run into this issue with clients, however what do you use for your CRM?  I'd imagine the same information is stored there.   Has this concern been raised by multiple customers or just a few?   I've worked with large construction firms that are very particular about how their data is stored, however, this has never come up.  If need be, just put it in your MSA and reach out to CS software companies like Gainsight or ChurnZero with this question.   The security of the system itself 2fa, IP restricted, etc. I would assume would be enough for any security issues on data.  

    Hope all goes well,
  • Brian Nicholls
    Brian Nicholls Member Posts: 7 Contributor
    edited January 2022

    @Beth Twigger, very interesting question. I work for a CS Software company myself and we often get this question. In summary, our response is that A)you have control over the data you choose to pass, so your CS software provider should work to accommodate this scenario and/or B) most organizations like yours choose to pass data to their CS software may not be considered pii (membership type, customer journey stage, or ARR as examples).

    However, I recognize this is an extremely sensitive topic and the answer is dependent upon you own unique situation. Happy to chat more if you would like OR put you touch with some companies I know that are using a CS solution and whose primary customers are healthcare/financial institutions. 

  • Chris Padfield
    Chris Padfield Member Posts: 1 Navigator
    edited February 2022
    @Beth Twigger The typical solution would be to list 3rd parties as sub processors in your DPA, and then it is whether the client has an issue with them (which they may of course). If your product is using 3rd parties (be that AWS, Twilio etc.) then there is not a significant difference but you may need to consider what sub-processors the 3rd party is using as well. Other possibilities are tools that don't store an PII in their operation (you can sometimes anonymise the user identifier for example).

    Worth saying, there are good On-Premise options as well for analytics and customer success. We offer our product as both an On-Premise appliance and SaaS solution. These days, its almost as easy to run the appliance as the SaaS solution, so might be something to consider.