Tech & Sourcing @ Morgan Lewis


If you have been involved with SaaS agreements or agreements that are for, or are enabled by, cloud services, you have seen or even drafted provisions relating to the right to use data processed on or generated through the use of the cloud platform. With many companies—customers and providers alike—recognizing that business-related data is a valuable asset, ownership of and the rights to use such data are becoming more common discussion points during contract negotiations.

Drawing the appropriate line as to data ownership and use rights and limitations can be tricky, with the result often depending on the type of data at issue and the intended uses. Set out below are lists that highlight the types of data, and purposes of use of such data, that may be considered.

Types of Data

  • Data provided by the customer and/or its users, including personal data, customer data, and vendor data
  • “Business” data relating to the customer’s people or operations
  • System “output”
  • Operational data relating to use of the services (e.g., number of users, number of transactions, peak usage)
  • Configuration data and metadata relating to the product/systems made by the customer and/or provider
  • Platform/system operational performance data
  • Data collection that includes aggregated/de-identified data (and includes data from the provider’s other customers on the same terms)

Purposes of Data Use

  • Reporting specifics to the customer
  • General product/service improvement
  • Marketing
  • Commercialization
  • Benchmarking

In most scenarios, it should be clear to both parties that the customer owns (1) data provided by the customer and/or its users and (2) “master data” (e.g., employee, vendor, customer, and business financial data) whether inputted into or generated by the systems. Conversely, data regarding system operational performance for shared systems (e.g., availability, downtime, incidents) is generally owned by the provider.

The allocation of ownership and use of other categories of data often is driven by the type of data and its competitive nature, privacy compliance requirements, and intended use (e.g., internal improvement vs. commercialization). During the contract negotiation, there may be nuanced discussion regarding the right of the provider to create products competitive to the customer’s products using customer-generated or related data, as well as the scope and extent of aggregation and anonymization. Also, the parties will need to consider if neither of them actually has the right to allow or license the use of certain data (e.g., vendor or customer pricing), and whether such use would require consent from a third party.

As the usage of cloud solutions expands, data rights and use are getting more complicated and are sometimes still overlooked during contract negotiations. Each side—customer and provider—needs to be thoughtful of what data is at issue and what rights it wishes to protect and allow.