Jakub Lewandowski, global data governance officer at Commvault, addresses the key questions that organisations should bear in mind when it comes to choosing a SaaS provider

Software-as-a-service (SaaS) models are rapidly becoming the solution of choice for small- and medium-sized enterprises (SMEs) looking to take advantage of subscription-based options that make it easy to implement new capabilities as business needs change. Enabling businesses to simply pay for what they need and use, the SaaS ecosystem makes it possible for SMEs to leverage cloud-based services and enterprise-grade software, and compete on a par with much larger companies.

It’s this affordability and flexibility that is driving SMEs to consider moving data and applications from their on-site infrastructure to centrally located services on a cloud-based network — so much so that worldwide spending on SaaS services is predicted to hit $176.6bn in 2022.

With more SMEs investing in more SaaS solutions, getting to grips with licensing terms and pricing metrics is just one of the challenges decision-makers face when looking to select a SaaS vendor. Entrusting data and applications from their own environment to an outside entity will also raise a host of concerns around important business-critical issues such as data governance, security, and compliance.

To determine if a vendor is going to be the right fit for their business, decision-makers should ideally work through a comprehensive evaluation checklist that is focused on appraising five key areas.

1. Does the SaaS solution meet all identified – and future – business needs?

Ideally, a provider should have mechanisms in place to evaluate the business’s needs and use cases for the current data environment, so that their solution can be tailored to these requirements and easily adapted as business needs evolve.

Asking questions around how the SaaS solution will be scaled to support growing volumes of processed data will deliver valuable insights on potential future usage costs, or pricing tiers that may kick-in as a result. All of this will help deliver a more accurate value analysis of the solution for the organisation over the long term. While the initial focus may well be around initiating support systems for end-users such as Microsoft 365 or CRM systems, decision-makers should also think outside the box and evaluate what other options are on offer.

In addition to data backup and security systems for local and cloud environments, advanced tool systems that can process data and offer AI-based data analysis will help ensure the solution is future-proofed to support evolving business needs. Having the ability to build a service catalogue, and understand the vendor’s future roadmap for services, will help determine if the right synergies exist for an lasting and enduring value-add partnership.

2. What are the contract terms?

Undertaking a detailed review of the service contract prior to signing will help eliminate any possibility of encountering unexpected or additional costs down the line. This evaluation should also feature an examination of all contract termination conditions to avoid any potential vendor lock-in risk.

As part of this process, decision-makers will need to clarify when and how their business can terminate, check the fine print on how ‘service credits’ will be applied as compensation when SLAs are missed, and agree on who monitors SLA delivery performance and how reporting is undertaken.

3. What must be considered from a legal standpoint?

Prior to signing a contract, it’s important to verify if the proposed solution complies with any specific industry, regulatory, or legal requirements. This will be especially key for organisations operating in the banking, finance, insurance, and telecoms sectors. All SMEs are advised to check that a solution adheres to all national cyber security standards or guidelines that apply today, or are on the horizon.

When it comes to signing the contract, many providers will employ a clickwrap or click-through process that approves a specific version of the contract document and acceptance of all contractual terms with a mouse click. However, some organisations may well require a more traditional contract signing process and a provider should be able to accommodate requests to sign contracts via an electronic signature or on paper.

4. Who owns the data?

Senior decision-makers should double-check contract terms to ensure their organisation maintains ownership of its data throughout the contract. In particular, senior teams will need to be fully conversant with any data processing descriptions so that they can be fully confident about who and how personal data is processed.

When it comes to who has legal responsibility for data entrusted to the provider, it is essential to define specifically who bears responsibility and who will be held accountable. This is vital as SaaS services often run on infrastructure and platforms provided by other entities and so the contract may mention third-party contracts. In these ‘shared responsibility’ scenarios, clarifying who is responsible for what and having a graphical representation of all shared responsibilities will be helpful.

5. Is the solution compliant?

The ideal SaaS solution will deliver support for critical compliance objectives such as GDPR and UK-GDPR. For example, ideally a backup solution should prevent end-users from moving data outside of the cloud and enable the granular management of data retention periods. It’s also advisable to check whether a separate contract will be required to cover the processing of personal data.

Assessing where data is stored and establishing if a potential supplier meets all regulatory standards required by the organisation – for example, SOC2 compliance, or HIPPA as well as GDPR – is vital before committing to using a service.

Navigating and optimising SaaS usage

As digital transformation drives more SMEs to invest in SaaS services, key stakeholders will need to become adept at evaluating the suitability of SaaS vendors to ensure that their digitalisation journey is cost-effective, safe and generates anticipated outcomes.

Undertaking a detailed assessment of a provider’s credentials and clearly defining data ownership; success metrics; and legal and compliance implications will help ensure that any risks associated with the introduction of an external SaaS provider are minimised. This will also help towards choosing the right SaaS solution to fully address business needs, today and into the future.

Related:

Empowering procurement leaders to invest in the right tools for innovation — Simon Whatson, vice-president at Efficio, discusses how procurement leaders can be empowered to invest in the right tools for innovation.

Putting the trust back in software testing in 2022 — Christian Brink Frederiksen, co-founder and CEO of Leapwork, discusses how trust can be placed back into software testing.