
Standard SaaS Policy for Handling Security Breaches - grassypatch
I'm working to finalize a deal with a potential customer to use our SaaS product, but they have a request to alter the Master Agreement around security breaches.  They feel if our software is hacked into and their data is compromised, this could potentially cause them irreparable harm and should be compensated.  
I feel like this is unreasonable if a SaaS is making reasonable efforts to maintain security to begin with.  Even if we spent billions of dollars on security, there will always be a possibility that the system could get hacked and our customers' data could be compromised.  Taking on such a concession just sounds highly unreasonable.

I am wondering if anyone has advice on how to explain to the customer why such a concession cannot be provided. I'm hoping I can provide a convincing response that can allow them to rationalize with their request not being a fair one.  Any advice is greatly appreciated.
======
jorangreef
Firstly, be sure to draft the agreement from first principles rather than
reworking another agreement, especially not an agreement provided by the
counterparty. This may go some way to save you from toxic clauses creeping in.
Also, offer to do the work of drafting the agreement yourself, or pay for and
manage the lawyer yourself.

Secondly, positively reiterate again the obligations around data security and
confidentiality that you are already willing to provide, and which are
industry standard, and leave it at that. You do not need to convince them that
their request is unreasonable. You are right, you definitely should not be
responsible for compensating them for "irreparable harm". By definition,
"irreparable harm" cannot be corrected through monetary compensation in any
event. The agreement should protect both parties equally as far as
confidential information goes. The agreement should enforce limited liability
for the safety of both parties.

------
brudgers
A potential customer that finds your terms and conditions unreasonable is not
a potential customer because the value proposition that your service provides
does not meet their needs.

My suggestion: recommend that the prospect consider obtaining a bond against
the consequences of data loss. The cost of the bond plus overhead and profit
can be added to the cost of the service for the customer once the customer has
determined what type of bonds are available in the market and which type and
level meets their business needs for compensation in the event of a breach.

Obviously, the prospect would pay the costs associated with any measures a
bonding company might require to make your service bondable as well. I'd
recommend cash up front. It shows that the prospect is serious.

Good luck.

