Making the move to a SaaS application in 2014? If so, there are several crucial questions you should be discussing with your team before you’re ready to trade in an on-premise application for a SaaS app. Many of these questions should obviously be focused on data, specifically on retaining control of your data. Below are some basic checklist items to ensure your data stays under your control.
Terms of Service: Who can see my data?
When you put your data in a SaaS system, you are automatically guaranteeing that someone who doesn’t work for you can—and will—access your data. The only questions are who, when and why.
The key phrase to look for in a terms of service document is the “principle of least privilege,” which means that only those employees who must have access to data do have access to it. Sounds simple, but it’s actually pretty rare among SaaS startups, who often manage data access on the honor system.
If the TOS doesn’t mention the principle of least privilege, ask your sales or support contacts about it explicitly.
Key questions to ask about provider access:
- Which SaaS provider employees have access to my data?
- Under what circumstances are the provider’s employees allowed to look at my data?
- How much of my data is indexed for search?
Terms of Service: Who can share my data?
There are two key questions you should be asking about provider sharing rights:
- Is my data ever shared with a third-party without my explicit permission?
- If my data is shared, how is it anonymized?
If your SaaS is free but supported by advertising, the provider is monitoring your use of the app either to target ads at you, to sell that usage data to other advertisers, or both. Some of this targeting may be based not only on how you use the app but also on what data you store in it.
Your SaaS terms of service should be explicit about what data and activities are tracked, which aspects of the tracked data are shared, whom that data is shared with and, above all, how the tracked data is anonymized so your specific information is not handed out in an identifiable form.
Terms of Service: Can I export/download my data?
Just because you’ve moved a critical business application to the cloud doesn’t mean you shouldn’t worry about vendor lock-in. Your SaaS provider’s terms of service should explicitly state that you own the data you create and store in their application. The provider should also back up that ownership concession by giving you an easy means of exporting your data, in a usable, non-proprietary format.
Key questions to ask before you sign an agreement:
- Who owns the data created in your SaaS app?
- Can you export the data created in your SaaS app?
- If you export your data, in what formats is it available?
SLA or walk away!
A SaaS app is only as good as its service level agreement. First off, your cloud solution must have an SLA. If it doesn’t, it can’t be trusted. “No SLA? Walk away.”
The three must-haves:
- An uptime guarantee of at least 99.9% for every month, not year
- Compensation for failing to meet uptime guarantees
- A requirement that you be notified of any changes to the SLA
What are the access controls?
What are the different access levels that your employees can have?
For many SaaS apps, all user accounts are created equal. Enterprise-grade SaaS apps almost always support an administrator-level account type, which has more privileges than an end-user. This means your employees can configure and maintain portions of the SaaS app without involving the provider’s support staff. Find out what the access levels are and what privileges they enjoy.
If the SaaS app has an SLA, what uptime level does it promise? Anything less than 99.9% availability should be a non-starter. If that threshold isn’t met, you should receive credits against your monthly bill to compensate for the poor service.
Watch out for:
- Excessive “permitted” downtime (more than 10 hours per month)
- No promise of downtime warning (you need at least 48 hours’ notice)
- Compensation limits of less than ⅓ of your total service cost per month
Sometimes a service needs to be taken down for regular maintenance. The SLA should guarantee you get at least 48 hours’ notice of these outages, and that the downtime will be less than 10 hours per month. Don’t trust an SLA that caps your compensation below one-third of your monthly service cost.
As a side note, remember that the need for a cloud-to-cloud backup provider is often considered only after a company experiences data loss in a SaaS app, so be sure to look into your options before you notice data missing from your application.
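The SLA thresholds above can be checked against a real month of outages rather than taken on trust. The following Python is an added example, not code from the article: the Outage record and the sample month are constructed, and it assumes that only unplanned downtime counts against the 99.9% guarantee while all downtime counts against the 10-hour permitted-downtime cap (the article does not say how maintenance windows are counted).

```python
from dataclasses import dataclass
from datetime import datetime

# Thresholds taken from the article's SLA section.
MIN_UPTIME = 0.999               # 99.9% per month, not per year
MAX_PERMITTED_DOWNTIME_H = 10.0  # hours of "permitted" downtime per month
MIN_NOTICE_H = 48.0              # advance notice for planned outages

def allowed_downtime_minutes(uptime: float, days_in_month: int) -> float:
    """Downtime budget implied by an uptime guarantee over one month."""
    return days_in_month * 24 * 60 * (1 - uptime)

@dataclass
class Outage:                    # constructed record type, not from the article
    start: datetime
    end: datetime
    planned: bool = False
    notice_h: float = 0.0        # advance notice actually given, in hours

def _minutes(o: Outage) -> float:
    return (o.end - o.start).total_seconds() / 60

def evaluate_month(outages, days_in_month):
    """Assumption: only unplanned downtime counts against the 99.9% guarantee,
    while all downtime counts against the 10-hour permitted-downtime cap."""
    unplanned = sum(_minutes(o) for o in outages if not o.planned)
    total = sum(_minutes(o) for o in outages)
    availability = 1 - unplanned / (days_in_month * 24 * 60)
    return {
        "availability": round(availability, 5),
        "guarantee_met": availability >= MIN_UPTIME,
        "total_downtime_hours": total / 60,
        "within_permitted_downtime": total / 60 <= MAX_PERMITTED_DOWNTIME_H,
        "short_notice_maintenance": sum(
            1 for o in outages if o.planned and o.notice_h < MIN_NOTICE_H),
    }

# Constructed sample month (31 days): a 2-hour planned window announced 72 hours
# ahead, plus one 50-minute unplanned outage.
SAMPLE_OUTAGES = [
    Outage(datetime(2014, 3, 2, 1, 0), datetime(2014, 3, 2, 3, 0), True, 72.0),
    Outage(datetime(2014, 3, 18, 14, 10), datetime(2014, 3, 18, 15, 0)),
]

if __name__ == "__main__":
    print("99.9%% over 30 days allows %.1f minutes down" % allowed_downtime_minutes(0.999, 30))
    print(evaluate_month(SAMPLE_OUTAGES, 31))
```

Note that a single 50-minute unplanned outage already breaches a 99.9% monthly guarantee, since that guarantee leaves a budget of under 45 minutes.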
Want to know what else to look out for? Check out part two of “How to Retain Control of Your SaaS Data” and if you’ve got data control questions you explicitly ask of your SaaS providers, leave them in the comments section below.