
Hello, SaaS | Personal Information | Have you moved?
- Tutorial
On September 1, a law on the storage of personal data comes into force in Russia. It obliges foreign companies, including the owners of mail services, social networks and search engines, to store the personal data of Russian users exclusively on servers located in Russia. Russian companies that store data on servers abroad are also required to comply with the Law. Today I again talked with the lawyers from Zarcin & Partners and decided to put two things in order: what to do with the SaaS startup Dental Cloud in general, and how to formalize contractual relations with clients in the SaaS paradigm. A post with examples, and as it turned out, even the market leaders do not have everything in order!

Contractual relations
Lyudmila Kharitonova and I have already discussed this topic not long ago, so today we touch on it only briefly and in essence. Today there are two models for formalizing contracts within a SaaS service:
License agreement, under which the User is granted a non-exclusive license to the product. In our opinion, this approach is the fairest. A SaaS service is software to which remote access is provided and which the User operates independently to achieve the desired result. The rights holder does not render services to the User, i.e. does not actively interact with the User.
For example, in Dental Cloud we use exactly this model (an Offer Agreement), with one caveat: granting access (the login and password pair) is framed as a service, while the rights to the software are transferred under the license.
Service agreement, a construction that in many ways rests on the literal translation of the term SaaS, software as a service.
But with such a model the transfer of rights to the software, which under the Civil Code must be formalized by a license agreement, remains outside the scope of the contract. The service agreement is used by one of the popular systems, MySklad.
It is worth paying attention to the obvious advantages of the license model:
- Payments under a license agreement are taxed at a VAT rate of 0% (while payments under a service agreement are taxed at the full VAT rate of 18%);
- Liability can be limited by providing the software on an "as is" basis. Under a contract for the provision of services it is impossible to limit your liability, since the contractor is obliged to render a service of proper quality.
Personal data
On the question of whether to move the data or not, I am sure no comment is needed if you want to stay within the law and not let your users down. In general, any SaaS service processes two categories of personal data (PD):
- PD of the Users themselves (which they enter during Registration);
- PD that Users enter and process through the SaaS service. The SaaS service does not work with this group of data directly, but it stores it, which means it processes it in the sense of the law (see the Note below).
For a SaaS service to comply with personal data legislation, it is necessary to:
- obtain the User's consent to the processing of their PD; the consent must comply with Art. 9 of the Federal Law "On Personal Data";
- draw up a Privacy Policy that describes the procedure for protecting all personal and other data.
The Privacy Policy is an essential document: it should establish the purposes and principles of data processing and contain information about the implemented requirements for the protection of personal data. Today only a small share of Privacy Policies meet the requirements of the law. As a rule, a Privacy Policy merely quotes the norms of the law and contains nothing specific to the service itself.
For example, the Bitrix 1C privacy policy contains a specific list of implemented protection measures (though in a rather limited form):
- uses RSA encryption in Bitrix 1C products;
- provides two-step authentication for account access where necessary;
- protects authorized sessions;
- constantly improves the methods of collecting, storing and processing data.
Even this list names mechanisms (RSA, two-step authentication) without saying which data they protect or at which stage of processing; that is exactly the individual detail a policy should state.
In addition, a number of internal measures to protect PD must be carried out:
- appoint a person responsible for organizing PD processing;
- develop internal documents on PD processing;
- carry out internal control and/or audit of the compliance of PD processing with legal requirements;
- familiarize the employees directly involved in processing personal data with the provisions of Russian personal data legislation and the internal documents of the SaaS service.
Starting September 1, 2015, new requirements for PD processing come into force, and they will affect all Internet services. The new requirements establish that when collecting personal data the operator must ensure the recording, systematization, accumulation, storage, updating and retrieval of the personal data of Russian citizens using a database located on the territory of the Russian Federation. How this norm will be applied is still unclear, since it allows several interpretations, but it is obvious that:
- when collecting PD it is necessary to ask the PD subject for their citizenship;
- the storage of personal data of citizens of the Russian Federation must be ensured on the territory of the Russian Federation.
What to do if your service is hosted by a partner provider? Additional agreements between the parties arise, and we have already considered this case.
Users
In fact, SaaS vendors are partly responsible for how users work with their data, and users are increasingly concerned about the procedure for protecting personal data. Each user must independently organize their work in accordance with the requirements of the law. My personal position on working with users in organizing this work is to help and to recommend our friends.
* Note
152-FZ establishes that the concept of processing includes any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data.