The digital revolution has fundamentally changed the perception of ownership of products and services. If in the past a commercial transaction focused on the sale of a tangible asset or a permanent software license, today Software as a Service (SaaS) models blur the boundaries of ownership and contract. Instead of a sale, the customer "subscribes" to use the service; instead of a tangible asset, it gets access to a remote system located on the service provider's servers somewhere in an unknown location. This technological change raises serious legal questions, to the extent that they are not properly regulated in the use agreements, such as what are the customer's rights when the system contains its critical business information? Who actually owns the data that is created during the use? Does the customer have rights to the system updates that were made especially for it or even to the system updates that were created as a result of the system's training on its data? and more.
One of the most complex challenges in SaaS agreements is distinguishing between ownership of the software, including improvements and updates thereof, and ownership of the information fed into it. While the Courts in Israel have found that software remains the intellectual property of the supplier and that the customer receives only a license to use, the issue of ownership of the information itself is not self-evident and depends on the contractual wording. When a customer feeds sensitive or personal information, including customer data, employee data, or operational intellectual property, into a SaaS system, it is effectively entrusting one of its most important business assets to the service provider, while the ownership of the software itself remains in the hands of the provider.
This is even more valid due to the legal obligations that apply to the owner of a database and one who uses personal information of another. In Israel, under the Privacy Protection Law and the regulations thereunder, there are clear obligations imposed on the owner of a database and on the one who processes information on its behalf - where the customer using the SaaS system is defined by law as "database owner", and continues to bear the legal responsibility, even if the information is physically stored by the provider on servers outside of its control, similar to the European GDPR regulation. The legal significance for business customers is that even if the information is "in the cloud", the law considers the customer to be responsible for ensuring that the information is protected and the customer may find itself breaking the law if he does not have real control that allows it to prevent the breach.
Moreover, in the absence of a clear contractual definition of data rights, some SaaS providers tend to include terms that grant them a license to use customer data for purposes such as system training, product development, statistical analysis, or improving algorithms, as well as the right to use subcontractors and transfer data between jurisdictions. In some cases, this situation may constitute a breach of the privacy protection and information security obligations imposed on the customer, contaminate the customer IP and even create a risk of exposing trade secrets.
Therefore, the engagement agreement is not only a technical document but also a legal document which correct wording by an expert lawyer is vital in order to meet legal requirements. Beyond the issue of data ownership and legal obligations regarding privacy and even AI, there are many other issues that an experienced lawyer will be able to handle, such as preventing "contamination" of IP, handling case of a system failure or even the failure of the supplier, obligations to report irregular events, and more. In an era where data and IP are the most valuable assets, protecting such begins with a set of agreements that must be correctly built.