
Top 10 SaaS Legal Issues Every Tech Leader Should Know

S3 E7 · The Rebel Devs

🎙️ Episode Description

In this episode of Rebel Devs, hosts Tom May and Jonah May sit down with technology attorney Peter Vogel to unpack the Top 10 SaaS Legal Issues Every Tech Leader Should Know.

From data privacy and AI transparency to SOC 2 compliance, vendor accountability, and cyber insurance, this conversation exposes the hidden risks in everyday cloud and SaaS agreements. Peter brings his dual background in law and computer science to explain what every IT leader, MSP, or SaaS provider needs to include in their contracts—before a breach or compliance audit strikes.

Learn how to:

  • Protect your data across borders
  • Demand real DR and BCP test results
  • Cap annual fee increases
  • Verify vendor privacy and insurance coverage

Whether you manage infrastructure, run DevOps, or architect disaster recovery solutions, this episode will help you build stronger, safer, and legally sound SaaS partnerships.

🔗 Listen at: RebelDevs.com
💼 Guest: VogelITLaw.com
🧭 Sponsors: Different Dev www.differentdev.com | CyberFortress www.cyberfortress.com

Transcript

Podcast Introduction

00:00:17
Speaker
Rebel Devs podcast, a show that challenges conventional thinking in the tech industry. Each episode features conversations with solutionists who have taken unconventional approaches to problem solving, pushing the boundaries of what's possible in their respective fields.
00:00:38
Speaker
Join the devolution.

Legal Matters with Peter Vogel

00:00:41
Speaker
Well, hey there, RebelDevs listener. Welcome to the show. I'm excited for today's show. It's a little different than what we normally do. We typically are Veeam-focused and DR-focused as well, but today we're gonna take a little different slant. We're gonna talk to a good friend of ours, Peter Vogel, about some legal matters, which is great.
00:01:01
Speaker
And before I get there, my name is Tom May, your host, and I'm excited to just delve into things a little bit more today. With me as always is my partner in crime, Jonah May.
00:01:13
Speaker
Hey, Jonah. What's going on here? Well, I am creating registration pages for some bug events we're doing here in about a month. Oh, there we go. So now when we air this after the event, you all will probably miss it. But the good news is if you miss the June road show, which the Texas bug will be in Austin, Houston and Dallas, don't worry. He will be hitting the road again in November. So go ahead and check out that website. What is our website over there, Jonah, again? It is tx.vmuser.greek.
00:01:46
Speaker
There we go. All right. And our special guest today, Peter Vogel. I will let the man introduce himself. Peter, good morning. Yeah. Thank you, Tom. Introduction. Thanks for the opportunity to join you and Jonah this morning.
00:02:00
Speaker
Even though I'm a lawyer, in spite of the fact that I'm a lawyer, before I studied law, I had a career as a computer programmer. I have a master's in computer science, worked on a PhD, and then went to law school, but I never intended to be a lawyer.
00:02:14
Speaker
But I've ended up being a lawyer for many years, and my law practice is limited to representing buyers and sellers of information technology and internet services. And I've had cases in 38 states, including all kinds of software development and intellectual property.
00:02:30
Speaker
And then the other end of my practice is transactional: negotiating contracts, including software agreements and things like that. And I'm happy to join the discussion today. So thanks for inviting me.
00:02:43
Speaker
Oh, absolutely. Love having you here. And Peter and I met probably about the time of my company, Different Dev, being around maybe a year or so. We had some basic legal things in place that got us up and going. And I spoke to a colleague of mine as we were looking at different statements of work, and he introduced me to Peter.
00:03:05
Speaker
And what was really interesting was having a different legal mind that was really wrapped around IT. So in looking for the podcast, sometimes we like to take Veeam a little bit further. And I thought today it would be great to talk about some things that I think many of the listeners deal with.
00:03:22
Speaker
We have end users listening that want to know all things

Understanding Cloud Contracts

00:03:25
Speaker
Veeam. Maybe that's not their topic. The typical route is dealing with legal, but I'm sure that they have to either provide a service or receive a service. I think that'll hit the marks there for more of our executive folks. Definitely recommend getting in touch with Peter, and we'll get that at the end of the show; it'll be in the show notes as well. But we were going to talk about, you know, the top 10 as-a-service issues. Peter, you've spoken on this before. Why is this an important topic for us?
00:03:53
Speaker
Well, I think the reality, Tom, and this is really critical as to where we are in 2025, is every single company, every business around the world relies on cloud computing. And all cloud computing is based on the contractual terms of use and the privacy policies, and yet virtually nobody ever reads them. I've actually gone around the country over the years and taken a poll about who reads them. And I would say it's about 1% of the people ever take the time to read online terms.
00:04:31
Speaker
So that's why this is so critical because it affects every business. Gotcha. Are you kind of referencing like when I get my iPhone and it tells me terms of service? Is that what we're talking about or is it a little bit matter?
00:04:45
Speaker
No, that's a good example, but I think the other is maybe even better. And it's one I like to consider, and that is, we all give our location away on all our devices.
00:04:59
Speaker
So, for instance, one of the things I like to include in a lot of my speeches is a Google map of New York City when you fly into LaGuardia and then you get in an Uber and it's the roadways green.
00:05:11
Speaker
You know, it's moving yellow, not so much. And then if it's red, you don't go that way. Well, where does that information come from? It comes from all the cell phones and all the vehicles on all the roadways because people don't care.
00:05:24
Speaker
But nobody takes the time to read what the contractual terms under which they're giving away their location are about. That's why it becomes important. Imprival.
00:05:35
Speaker
side of that. A wise man once told me if it's free, you're probably the product. I take it you would subscribe to that thought process. Something like that. Well, but we live in a time, I think, and I'm glad you used the example of your cell phone, because between the Android and the Apple, those products are things that everybody relies on too, to help us figure out and navigate from one location to another, and also keep track of all our phone calls. So from a litigation standpoint, the amount of evidence that we have on our cell devices is crazy.
00:06:13
Speaker
And most people don't care that they give away that right to ownership of the data. Yeah, no, that's crazy. I myself battled that, having a background in IT security, as more and more things went online, as more and more things were tracking.
00:06:30
Speaker
In the beginning, I was so anti-everything and I realized I couldn't function. So I kind of had to come up with this personal mindset of how much is acceptable to me. And today's probably the first time that I've done a retrospective myself where I go back and think, well,
00:06:47
Speaker
it's been a slope of giving away more and more and more because now I don't need to think about it. And I guess that's partly because at least in the DR world, we're so tied to security. It used to be prevent the intrusion.
00:07:00
Speaker
And now when we couple in disaster recovery, the number one reason we recover from a disaster is because of a security incident. So we kind of take this thought crosses up.
00:07:11
Speaker
It's not an if, it's a when. The event happens, we just recover. But now that I think about it, how much am I giving away while I can recover?
00:07:21
Speaker
Is it good that my data is out there? So I'm excited to dive into this a little bit more for sure. But it's also where is your data? I mean, your software as a service agreement, like for instance, there are, and I'm sure there are people on this call that do this very thing.
00:07:37
Speaker
Amazon AWS offers, among other things, Office 365. So instead of having your data go directly through to Microsoft, which you could do, the option is you go through AWS. So then you've got a layer on top of what is your relationship with Microsoft and what rights do you have to get your data in their version of Office 365 versus if you had a direct license with Microsoft.
00:08:06
Speaker
I'm not saying there's a right or wrong. I'm just saying it's more complicated than most people say. Yeah, and one of the reasons I brought my cell phone sometimes is it's a hostage situation.
00:08:18
Speaker
I want Google Maps. Well, then I have to succumb to what Google says, because I want that, I need that, and yet I've given them carte blanche to where I almost don't read what it says about Google.
00:08:33
Speaker
If I'm sitting at my desk and I'm going to purchase a service, I'm much more into that agreement, but even still to a limit. Like if I go with an online HR package, and I'm not going to name names because I really don't have an opinion one way or the other.
00:08:48
Speaker
If I decide that that's the right thing for me, if I had software locally, and I say, I need this to be a cloud-driven app. Well, I need that. I want that. Well, hell, what are they running? I'm just going to basically say, go ahead for it. So this is really just, we haven't even gotten into the top 10 list here and my brain's already racing in there.

Critical Issues in Service Agreements

00:09:10
Speaker
Jonah, what are your kind of thoughts on this, if you will? It sounds like a very nuanced conversation. You know, I don't know what's that. Thankfully, it's a world I've really had to live in.
00:09:24
Speaker
Well, I mean, you're out there. I'm sure over the years you've used different software in there. And so I almost wonder when it comes to that software, I mean, how do you feel when you're clicking through and whatnot? Yeah.
00:09:41
Speaker
I mean, I personally like to self-host where I can. I mean, I know the industry is moving towards SaaS, but, you know, in some ways I like to have my own peace of mind that I hold the data.
00:09:53
Speaker
On the other hand, it's kind of nice to know, hey, if something happens, you know, I'm not the one who's responsible necessarily. Right. Okay. Well, it'll be interesting to get into this top 10 list that we have here.
00:10:07
Speaker
And what I would say is as we look through, I kind of feel David Letterman-ish, if you will. Some of our listeners may not remember the days, but back when us dinosaurs roamed the world and we didn't have subscription services, we had David Letterman with his infamous top 10 list.
00:10:25
Speaker
So we're going to dive into that here in just a moment. Well, everybody, we're ready to roll into that fun top 10 list. And when I say fun, it's pretty awesome here.
00:10:39
Speaker
So I'm going to tee up number one here so I can feel important. And maybe Jonah and I will bounce back and forth. I'll announce number one, Peter can talk us through it, we'll chit chat and we'll run through.
00:10:50
Speaker
And so here we go. Number one on the list. And I'll pause here. Peter, are these in any particular order when you list out number one? Are you saying this is the top thing or are they just kind of all important?
00:11:05
Speaker
I think they're all important. There's no particular order in which these exist. I just wanted to make sure I captured all the important topics. So thanks for asking. I think that's important.
00:11:16
Speaker
Great. Yeah, I wanted to have this big dramatic run-in, and I thought, well, what if I put the best one out there first? Do we need to go? So without further ado, number one: Customer must get a copy of vendor's audit reports from the American Institute of Certified Public Accountants, System and Organizational Controls, or International Standards Organizations.
00:11:38
Speaker
Folks, that's AICPA, which I haven't really touched on, but these other two, SOC and ISO, to verify cybersecurity, and National Institute of Standards and Technology, NIST, certifications.
00:11:51
Speaker
Folks, this is everything we do in DR. I can tell you that. So Peter, tell us, what does this mean?
00:12:01
Speaker
Well, what happens is people sign software as a service agreements to get software as a service. And that's what the XaaS refers to. It's any kind of service that's being provided on the cloud.
00:12:13
Speaker
And what happens is you don't always get a copy of that report. But you need to ask for it to find out if this service you're providing is really adequate. Like, for instance, a few years ago, I had a large hospital that was acquiring a new software system, a software service.
00:12:33
Speaker
And I said to the assistant general counsel, have you read the SOC 2 report? And she said, no, I haven't read it. The InfoSec people have read it and they told me it's okay.
00:12:46
Speaker
And I said, well, you should read the first 26 pages because you will understand that. You're not going to understand anything else, but you'll know that. And it helps you understand what kind of security is in place.
00:12:57
Speaker
Another thing that goes along with that is a few years ago, I was helping a large national marketing company, and they wanted the software system vendor to provide $5 million worth of cyber insurance.
00:13:11
Speaker
Well, after reading the report, we found out the vendor had $15 million worth of coverage. So we upped it in our agreement, making sure we got all the coverage. So there are things like that you can find in the reports. And if you're doing business with the federal government, you have to use NIST standards.
00:13:28
Speaker
There's also FedRAMP, and TX-RAMP if you're in Texas, where if you're doing business with the state or the federal government, you have to make sure that there's compliance with all of these SOC 2, FITU reports and everything as well.
00:13:45
Speaker
Some of our vendors, I mean, actually have dedicated sales teams for FedRAMP and TX-RAMP and whatever StateRAMP you're in. It just even seems to be a sales specialty in there.
00:13:56
Speaker
I've dealt with companies that are looking to do business, say, with me and SOC. And I always laugh because when we're reviewing their vendors, if you will, to choose something, sometimes we'll go ahead and we'll get a SOC certificate and they'll be like, well, what does this mean?
00:14:15
Speaker
They'll even come to my company and say, do you have a SOC? And in full disclosure, no, I don't have a SOC. My data center is in a data center that has its own SOC and access to customer data. Well, we really don't have customer data in that.
00:14:30
Speaker
Whereas we might use like a ConnectWise or something, which maintains everything that we have. But, you know, if I'm touching their data, moving their data, it would be of much more concern. So maybe like a cloud provider might be important where they're doing their backups and they're doing recoveries.
00:14:47
Speaker
So it's interesting that I see people even asking for these and they don't understand the basic premise of what it is and who holds what. Well, let me also refine that a little bit more. The AICPA SOC report, there are actually three different types.
00:15:05
Speaker
There's a type one, which is done whenever the party wants to do it. The type two, which is done annually. And the type three, which is completely useless because the auditors don't do anything. They just say, this is what the vendor says that they provide and they just sign off. So if you get a SOC report, it provides you really no benefits.
00:15:26
Speaker
Gotcha. Well, I think we're getting ready to move over to number two here. So number two, data locality. Hugely important for us in DR, especially for those of us that are in the media and have to deal with GDPR.
00:15:42
Speaker
Peter, definitely speak to this. I'm sure that each state probably has its own data protection rights. I know California was kind of the first out of the gate, but where are we with this concept?
00:15:57
Speaker
Well, in this context, the bigger issue really is what country it's in, because it's the federal laws of different countries. And it's something that I kind of refer to as internet jurisdiction. And that is, it's the local law, whatever it is, that controls how data is used.
00:16:15
Speaker
And you can negotiate in the software as a service agreement the location of your data. So for instance, in the banking industry in the United States, all data must be stored in the United States.
00:16:28
Speaker
So if you sign an agreement to get software as a service, you need to pay a premium to make sure that data is in the U.S. If you don't pay that extra premium, the cloud provider can put the data anywhere. And then if you have a problem, you may not be able to get the data because the local laws may cause a problem for you.
00:16:49
Speaker
Okay, yeah, no, it makes sense. Jonah, do you fall into this kind of trap in your world, if you will, of where's my data and does it matter? Yeah, but very commonly the one we see is Europe, people trying to stay within our Norway or Amsterdam data centers because of GDPR if they're based out of a European country.
00:17:10
Speaker
It's interesting here because I have some vendors that I've worked with in the past, let's say in data recovery. Let's say they're in Europe and absolutely their data stays in Europe.
00:17:23
Speaker
But let's say this customer creates a monitoring system where they're like, listen, we can hook into your backup system. We can get some report data from you so we can call where your backups are, when the last time they've occurred and so on and so forth.
00:17:37
Speaker
But our systems reside in the U.S., Peter, if I'm bound by like a GDPR, do you... I've often thought this was a gray area because the customer is saying, no, no, no, I don't ever take their data here. Their backups still remain overseas or in that location.
00:17:53
Speaker
I'm just gaining report information and displaying it from a system running in the U.S. Do you think that's something people need to be concerned with? Is it a gray area or is that just like a, hey, you know, this is something...
00:18:08
Speaker
absolutely should not be done. Well, I mean, what do you think about those sorts of weird transactions?
00:18:16
Speaker
I think your characterization gray area is pretty good. It's not black and white. Because the laws and the enforcement of GDPR are very different if you are located in the EU than if you're outside of the EU.
00:18:30
Speaker
And that's true with other countries as well. For instance, there are privacy laws and all kinds of things in China that are different. So if your data is in China, it's controlled by Chinese law or Russian law or whatever the law is on where the cloud provider puts the data.
00:18:46
Speaker
And so you have to be mindful of how is it protected? And I think citizens of the EU do have a concern about making sure that that data is being protected so that they have the GDPR protection that they expect.
00:19:00
Speaker
Oh, okay. Gray area. That's kind of every time I deal with those EU folks, I'm like, wow, we do feel a lot of gray areas here. So it kind of confirms what I was thinking about.

AI and Data Security

00:19:11
Speaker
And I know people often ask me, would you work in this particular zone? Where I'm always thinking, well, yes, but there's so many implications over there.
00:19:20
Speaker
I remember I worked for a law firm at one time and we had offices in Beijing. And I can't get into the specifics at all, but even the ability to do business in China required something. If I remember, it was like a local company had to be a part of it; there had to be so many local national citizens that would own a portion of that business.
00:19:42
Speaker
And then the outside entity could have a portion of that. So that way it was still, say, a Chinese company or whatnot. And people much smarter than me got into that. That didn't even get into the data things. I mean, pretty much the idea, I think it was anything that is running around in China may or may not have been subject to Chinese listening in, if you will. I definitely know when I've done business in Moscow, that was a thing, you know, data had to be stored locally,
00:20:11
Speaker
unencrypted, and then it went off to wherever it needed to go. And the thought process there was, well, that allowed Mother Russia to be able to listen and look at anything they wanted to. I don't know that they specifically came out and said it, but that was kind of the thought process there on it. So, definitely. Thank you. Jonah, are you ready to tee up the next bullet point here for us? Vendor needs to provide details about all AI and generative AI tools used or added to the as-a-service.
00:20:45
Speaker
Well, let me say this. I'll say it in the worst way possible. That AI is not new. It's been around for 40 plus years, and there is artificial intelligence software all over the place.
00:21:00
Speaker
But in 2025, what we're seeing is front page news about ChatGPT, Claude, Copilot, whatever the vendor products are. And so what I normally do is when I'm negotiating a cloud software as a service agreement, I always put in a requirement that the vendor tell the customer anytime they add a new artificial intelligence tool, or identify all the artificial intelligence software that's available or being used by them.
00:21:32
Speaker
They don't always agree to it, but it's a good thing to ask for it.
00:21:43
Speaker
Yeah, I found a project where we were working where AI worked wonderfully to create some reports. So we had some PDF dumps. We had some spreadsheets that come in and we really needed to kind of compile and cull the data.
00:21:59
Speaker
And really what we were able to do, which was interesting, was we could have sent it all into ChatGPT, which I felt really would have violated our customer. We would have been pumping server names and whatnot over there.
00:22:12
Speaker
But rather than do that, what I think we ended up doing was we basically took the data that we retrieved, we scrubbed it out and put some sample data in with a smaller subset.
00:22:24
Speaker
We injected it into ChatGPT and we said, based off of this, this and this, ChatGPT, write me some code to be able to do these things. And we didn't blindly run code. We actually looked through it and brought it local and said, oh, OK, we can see that it's doing this, this, this, this and this.
00:22:42
Speaker
And then we went ahead with the real documents. We ran it. If it worked or didn't, we went back, reprompted it, generated the code, came back. So in this instance, no customer data was exposed.
00:22:53
Speaker
It was pretty clear. But I don't think a lot of companies are really wrapping their heads around their employees' use of it, how common it is and what's being uploaded. And I'm hoping more and more companies take the time. Like we all have to take basic security awareness training, I think we need to take some AI awareness training in there as well. My wife was telling me that there were rumors at her company that people were doing video interviews and they were running ChatGPT just on the side.
00:23:26
Speaker
And basically ChatGPT was ruining the interview process. And then I read an article today that it's ruining higher education. We finally moved to where remote learning is a thing where we can do online tests and such.
00:23:39
Speaker
And people are now taking that and they're popping it in through ChatGPT. So Jonah, you have some experience with the whole online learning, more so than I did when I took it. It was just take the test. But aren't there some safeguards in place, when I read an article like that and I read what Peter writes here?
00:23:56
Speaker
Is that something you think higher education is grappling with? I think it's a struggle for them, especially because it's very hard, I think, for them to figure out when it's AI generated and when it's not for a lot of the content. You know, you have a lot of the typical plagiarism tools, which have updated to reflect whether or not they think a submitted text is AI.
00:24:19
Speaker
But at the same time, a lot of the schools also propose using things like Grammarly and Grammarly AI to help you check all of your papers before you submit them. So if you have it go through and help you with conciseness and grammar and so on, it sometimes ends up sounding like an AI and flagging you as potentially written by an AI.
00:24:38
Speaker
What a logic loop there, huh? Use AI to help you and then get in trouble for using AI. So, wow, that's kind of such a deep topic. It almost deserves its own little breakout session here.
00:24:52
Speaker
So I'm going to move on to number four. Vendor must identify all other third-party software as a service products provided, and by which companies and on what cloud services all services are provided. That was a mouthful for me, folks. Sorry about that.
00:25:11
Speaker
So it's that. I've already talked about that a little bit, and that is, if you can go to Amazon Web Services, AWS, and get Office 365, you don't really have a direct relationship with Microsoft.
00:25:29
Speaker
So let's say that you want to get emails that you have from last year. You have to go through Amazon. You're not dealing directly because you don't have a direct relationship with Microsoft.
00:25:40
Speaker
So it's really important that you get an idea about who you are dealing with. Just because you signed a contract with one vendor, a software as a service vendor, that doesn't mean that's who's providing the service.
00:25:51
Speaker
And I'll give you another example. Amazon also offers artificial intelligence as a service. You want to use that. And you know who their biggest customer is? LexisNexis.
00:26:03
Speaker
And LexisNexis doesn't say anything on their website about the fact that they're using AWS artificial intelligence as a service. So we have these things where there's, you sign up with one company and indeed you're actually using the software of another one.
00:26:20
Speaker
I once had a boss probably 10 years ago now tell all the engineering staff that one day your engineering skills will not be as valued because you have to transition from being the knowledge expert in all of your areas to being a vendor manager and having a higher level picture.
00:26:40
Speaker
And I don't think many of us believed it at the time. But with what you're describing, i really do see that being a thing where while I might want a LexisNexis because I know what that product is used for, and back in the day I probably knew how to install it, interface it, act to it, use it online, etc.
00:26:58
Speaker
I think what I hear you saying is, well, you have to peek under the hood a little bit more. Because if I'm using Microsoft 365 on Amazon and I have a problem, well, Microsoft Direct, I go and chat them right in my little console, Microsoft engages and goes.
00:27:14
Speaker
Well, now I have this layering and that really affects my delivery to my customer. Going back to my ITIL days where, you know, I have a service level agreement with my customer.
00:27:25
Speaker
But then I need an operational level agreement with my vendor to make sure I can deliver my SLA. It gets very convoluted if they're kind of hiding some of these things in there. How do I really deliver?
00:27:37
Speaker
Who is my support channel? And that just brings scary to a whole new level for service delivery. So service providers out there, if you're using different products, let's say you're using Veeam Data Cloud, that's one that's all available,
00:27:50
Speaker
new and emerging here with Veeam. And they tell us, hey, we're going to be the engine. We're going to be the transport. You can be the support. Well, what happens when Veeam Data Cloud goes down? What happens when other things break? And while Veeam, we love them, and they tell us 12 nines with this whole Veeam Data Vault, the question is, when it goes sideways, what is their response to you so you can respond to your customer? And if you're making that cloud move to VDC, beyond just the technical ease, I think you need to think about your support structures and response.
00:28:24
Speaker
And that's really my big takeaway in there. All right, Jonah, number five. When terminating, the customer should have the ability to decide the format of how its data will be returned, and when, and the right to verify data is accurate before the vendor deletes all data.
00:28:47
Speaker
Yeah, in most software as a service agreements, the vendor includes some kind of provision that says whenever we terminate, we'll just provide you the data in a format we want, that is, that the vendor wants to put it in.
00:29:05
Speaker
And then within 30 days, they'll delete the data. Well, if for whatever reason it's in a format that's not helpful to you, you should be able to decide. And I'll tell you, most software as a service vendors are willing to do that, to let the customer decide the format of the data.
00:29:25
Speaker
And then also have a written agreement that the data is accurate, because if it gets deleted before the the customer has a chance to validate it, then the data is gone.

Privacy and Compliance in Agreements

00:29:36
Speaker
And that customer may be in very bad shape as a result.
00:29:41
Speaker
Yeah, and I know that we get into the right to be forgotten and those sorts of things. And it was interesting because I remember transitioning through in disaster recovery where none of that was specified in the contract.
00:29:57
Speaker
In the early days, it was just, we protected your data. We put your data somewhere. And when someone went to exit, it was almost like a gentleman's agreement of, well, we'll return your data.
00:30:08
Speaker
And sometimes when a customer leaves, they're maybe not in the most pleasant disposition, if you will. And they become quite demanding, knowing that the relationship has soured.
00:30:20
Speaker
And back in those days, it was just a, well, you need to be nice to me. I'm trying to help you; stop being so demanding. And I'm glad that we're seeing more things in writing with that regard.
00:30:32
Speaker
Number six here. I get the easy one, Jonah. Vendor needs to prove compliance with all state, federal, and international privacy laws.
00:30:43
Speaker
Well, what we see is, first of all, the privacy policies are usually separated from the terms of service, although they're linked together on most websites.
00:30:57
Speaker
And in the United States, the Federal Trade Commission controls privacy. And under their rules, a website does not need to have a privacy policy. But if they have one, it has to be in compliance with the Federal Trade Commission regulations.
00:31:12
Speaker
And so you also then had the California Consumer Privacy Act, and states with different laws. And so the privacy obligations of the vendor become very important. But if the vendor doesn't include all of that, then that's a problem. If you ask them to, generally they will, but they ought to be making a warranty that they're in compliance with all the federal and international laws, because you don't want to be in violation of any of those laws by being a customer.
00:31:47
Speaker
Now that's interesting. So now the compliance of who I'm using affects my compliance. That's just scary. Now they've got your data.
00:32:00
Speaker
They've got your data. Think about it from the standpoint of healthcare with HIPAA. If they have all your HIPAA data, you've got to be in compliance with the federal laws, and they've got it. Because under the HIPAA laws, if you're the covered entity, the hospital, and they're a business associate because they have access to your data, they've got to be in compliance with the laws.
00:32:25
Speaker
No, it makes sense. We used to have to do business agreements with HIPAA companies where it was like, no, I'm not HIPAA certified, but I will promise and solemnly swear that I will follow HIPAA practices such as clean desk policies and whatnot.
00:32:43
Speaker
Because while I'm protecting their data in DR, I'm not really doing anything with it other than storing it and giving it back. So...
00:32:53
Speaker
I know HIPAA is famous for having things like clean desk policies. You won't have passwords related and out. Well, I don't really have the customer's passwords, but I still have to swear that if I do, I'm not going to write it on a post-it note and put it on my screen. So that's interesting.
00:33:09
Speaker
Seven here, Jonah, you're going to get. And I think this is probably the holy grail of this list for our listeners right here. Vendor must provide copies of vendor's business continuity plan, incident response plan, successful annual and biannual disaster recovery testing to verify DR works properly, and proof that the IRP has been tested, including tabletop scenarios.
00:33:36
Speaker
Well, one of the realities that I found a few years ago was one of my clients was using a software as a service vendor and we had a disaster. And the data was not recovered properly.
00:33:50
Speaker
And what we found out was even though the vendor said in their software as a service online terms that they would do two tests every year, they had not had a successful DR test in three years.
00:34:05
Speaker
So, what I routinely do is negotiate contracts and say that the vendor will, and most contracts say that they'll do a DR test like two or three times a year.
00:34:18
Speaker
And if you want a copy, you have to ask for it. Well, I put in a requirement that you don't have to ask when it happens. You ask in advance, when you sign up, that every time they have a DR test, they'll provide it to you.
00:34:30
Speaker
And of course, I think, as you pointed out, one of the critical things is that in dealing with business continuity plans and incident response plans, that they need to be tested properly to make sure that we have, you know, they're in place.
00:34:47
Speaker
Well, and I think to our listener, they're normally the ones providing that service. So often I have the onus of the one providing it: I'm the backup company and I'm going to provide it to my customer, so am I regularly doing the tests so they have compliance? So I imagine a scenario where this customer is providing a service to somebody and says, we do these tests quarterly, let's say.
00:35:19
Speaker
They come into my company and we say, we'll provide it to you quarterly. Do we ever really hand the results back over to say, here they are, this is what they were?
00:35:32
Speaker
Were they good, bad, or ugly? So that way the other customer has compliance. I know many providers in the DR world just go, well, you can have up to so many a year, you just have to ask us to do it. And we're seeing the shift, especially with products like Veeam Recovery Orchestrator or Cloud IBR, where we know that we have to do it.
00:35:53
Speaker
We know that we have to provide it. So you know what? These products add on to the regular DR, and now we can build it and spin it and test it and report it back, and we bring compliance to it. Now we just need human eyes. Was it red, green, or yellow, so to speak? Greens are good.
00:36:10
Speaker
We move on. They have their compliance and it's there. So listeners, again, I think Peter's point here really shows you, if you're in the DR world, set it for years, you're only as good as your last test.
00:36:22
Speaker
Make sure that you are providing that over to your customer and giving it to them. My takeaway is, as I'm not really a DR provider, I'm more architectural consulting, but I do manage some customers as well, fractionally on their DR team.

Vendor Responsibilities and Negotiations

00:36:39
Speaker
I put those tools in place and give them to my end customer so they don't have to ask for it. And I think that's what we all need to do is kind of go to that next level. We're just going to give it to the customer.
00:36:50
Speaker
Jonah, you work for a service provider. What do you see as a provider and with your customers?
00:37:00
Speaker
I think DR testing is the bane of just about every customer's existence, right? I mean, we have a number of our customers that have the capability of doing biannual DR tests with us, and most don't even use the functionality.
00:37:17
Speaker
I don't know if it's because they're not required to by current compliance and auditors or if they're just behind on their own things. But there's always a lot of complexity involved.
00:37:28
Speaker
And people even tend to get frustrated when it doesn't go exactly to plan, especially when it's their first few tests, you know, not understanding they don't necessarily want it to go exactly to plan. You know, we want to find the gotchas so that we can plan for them for a real disaster.
00:37:45
Speaker
Well, I think this ties into our next one here, and I get into this with different dev quite often, is cyber insurance. So number eight is vendor must provide copies of cyber insurance policies with minimum coverage. So, Peter, most contracts, and you hit on this a little bit, say, I will have something in place.
00:38:04
Speaker
And it's a one-liner, and we have a $3 million plan. Boom. You're saying provide copies of that. I mean, is it normal that one of your vendors will provide that to them, or do they consider that confidential?
00:38:17
Speaker
No, most of the software as a service vendors will actually provide copies of all of their insurance. There are some standard forms where they show how much coverage they have and what is included. Because as we all know, I think this is one of the problems with insurance.
00:38:34
Speaker
The insurance companies are in the business of not paying claims. I think we all know that. And so what we also need to know is different companies have different types of cyber insurance.
00:38:47
Speaker
Some are included in the CGL, some are errors and omissions, and others are just in what's referred to as cyber insurance. And so you need to make sure that whatever the vendor is providing, there is cyber coverage.
00:39:01
Speaker
And so if you make a requirement in your agreement, and I didn't say this, but let me just simplify it. A few years ago, I got a Stripe credit card purchase agreement.
00:39:16
Speaker
long. And I had to look at 37 online terms to figure out what was put in those six pages. So most people don't take the time to do that, but most vendors are willing to negotiate the things we're talking about today.
00:39:30
Speaker
And cyber insurance, in 2025, is a very common feature where most vendors will provide the details. That's good to know. In my world at DifferentDev, I've kind of walked through some clients, and we've been in a sales pitch and they'll be like, well, we're the smartest backup people ever.
00:39:51
Speaker
We know Veeam better than you. We know everything in the world. And here you go. Why do we need you? And I point to what you're saying here with cyber insurance and the phrase that you said, they don't like to pay. I mean, they're not in the business of paying. So I'm often like, imagine a world where you do all your smart things, you goof something up, and the cyber carrier goes, well, tough luck, you were supposed to do something. I often say, why not bring in a third party such as myself?
00:40:22
Speaker
Let us go through best practices. Let us drill through it. Let us look at it. And while we may not see an exact copy of your cyber insurance, it will help their positioning and the fact that when it comes to their due diligence, they say, well, we were smart people.
00:40:36
Speaker
We went ahead and tried to do something. And guess what? We even hired this other firm to be able to help us with it. So I think that gives them better positioning because really, I hate to say it, I don't like insurance companies. It's just a battle.
00:40:51
Speaker
And it was easy for them in the beginning to sell cyber insurance. And now I think it's going to happen on such a higher scale where it's going to need to be utilized that now they're getting more and more pointed on what brings compliance for payouts.
00:41:08
Speaker
And, hey, I know that we're coming to the end of our time here soon, so I'm going to try to turbocharge us here. I'll go with number nine. Jonah, you hit 10, but I'm gonna say annual increase of fees should be limited to 3% to 5% or negotiated between vendor and customer.
00:41:24
Speaker
Help me understand that one. Well, what happens is generally software as a service agreements don't have an annual increase. They just say it will increase. What I'm saying is when you negotiate your purchase order, that you ought to limit it.
00:41:38
Speaker
But the 3% to 5% range is very common. So you shouldn't let the vendor go too far. But for vendors that are unwilling to go to 3% to 5%, you can say we'll negotiate at the end of the period. The problem, of course, is if the customer gets an increase of more than...
00:41:54
Speaker
a reasonable amount, are they going to want to migrate to another software as a service? And there's nothing simple about that, because you can't just migrate that easily. And it takes a long time and costs a lot of money. So the migration away is part of the problem.
00:42:11
Speaker
Yeah, no, I go through that all the time. I think one of my vendors did 6% this year. And I was like, okay, okay, you're pushing it at 6%. And this was my first year with them, and it's become lifeblood to us.
00:42:24
Speaker
I really don't know what we would use with this other alternative, because it's so on point. And I started wondering, ooh, what's next year gonna look like? Or even worse, I'm like, well, what if they said 12%, 25%, 50%? At a certain point, even if you can't replace it, I guess you're just going back to slide rules or something. But my goodness, number 10, Jonah.
00:42:47
Speaker
Vendor must give customer at least 90 days advance notice of changes to all online terms, including privacy policy, and the customer can unilaterally terminate if the new terms are unacceptable with no financial penalty to the customer.
00:43:02
Speaker
This is something that actually I find vendors are willing to negotiate. The software as a service vendors do this all the time. The problem is, as I just pointed out, if they change the online terms or privacy policy and you don't like it and you can terminate,
00:43:18
Speaker
how could anybody migrate away from a software as a service in 90 days? It usually takes six months or a year. And so I think that's why the vendors are willing to negotiate this, because they don't see that the customer can migrate away very easily.
00:43:33
Speaker
But if there are unreasonable terms that you really don't like, you might want to get away from the vendor. I think, Tom, that was kind of one of the examples you gave before. No, absolutely. And I mean, so this has been a really great list. I think the listener probably came in and went, oh, law, does this really apply? And I think as we've spoken through, this touches upon all of our lives.
00:43:54
Speaker
You say that we can negotiate. So if I'm going to go with a random software person and I need to negotiate something, I mean, besides just talking to you, what would I do to even open a negotiation with one of these companies?
00:44:10
Speaker
I don't know that Apple is going to negotiate with me on the terms and conditions of the App Store, or PeopleSoft or AWS, but you said many are willing to talk. I mean, where would you even go to find contacts to do something like that?
00:44:23
Speaker
Well, because most people don't look at the online terms and don't study them at all, or don't look at the privacy policy. My experience has been virtually everyone, including Microsoft, will negotiate if it's something that is reasonable, if they have an unreasonable provision. Like, for instance, I did an agreement for...
00:44:46
Speaker
a large international company a few years ago with Amazon. And they gave us their standard online terms. And I came up with like a three-page addendum where I changed certain online terms.
00:45:02
Speaker
And they agreed to every single change I had except one, which I thought was really fascinating. And that was they said in their contract that they would send notice under the contract by fax.
00:45:15
Speaker
So I turned to my client. I said, do you even have a fax? And they went, no. And then what they said was, well, Amazon has to have fax. But by the time we got the final version, they deleted fax because it was just impractical. So there are silly things like that where you find it's out of date and it doesn't make any sense, because nobody has a fax in 2025.

Episode Reflection and Engagement

00:45:38
Speaker
Yeah, it's funny. When I worked for the law firm, that was one of the things we had to maintain, fax servers. And this was like 2015, 2016. And I was like, God, we have to have a fax. And it was like, well, in certain jurisdictions, you have to be able to take fax to be legally served. So I'm guessing that's going away, which I'm happy about, because that was like the worst thing ever to go ahead and protect.
00:46:02
Speaker
Peter, I want to thank you for coming on today and just kind of give you some last thoughts. Make your plugs. Guys, if you're out there listening, I've worked with Peter, and I know we all get scared about doctor bills and lawyer bills, but I can tell you from my own personal experience with Peter, and I'm definitely not a paid person by Peter to basically busk for him, if you will. But Peter was so up, went with our business, reviewing whatever little things we had, rewrote our entire world from terms and conditions to contracts at just an amazing rate. Like I could not believe his professionalism and delivery.
00:46:45
Speaker
Like to get the level of resume that we got with Peter and the advice we had was just mind-blowing, because I think if I walked into just a general counsel, I would have been lost for hours and cost. And he was just so on point. So I kind of, and talking up here, Peter, but I think you can say it more when you leave than I can. So, please, you know, how do we get in touch with you, and any thoughts here?
00:47:10
Speaker
Well, I'll tell you, thank you very much for your kind words. And it's, of course, been an honor to represent you and your business. And thank you and Jonah for this discussion today.
00:47:21
Speaker
So to find me, I am on the internet at VogelITlaw.com, for information technology. So it's VogelITlaw.com. And I welcome anybody to reach out to me. I'd be happy to take a look. The other place to look is on LinkedIn, where I spend a lot of time and I have a lot of contacts.
00:47:43
Speaker
So that's another place to find me as well, for Peter Vogel on LinkedIn. So thanks for the opportunity to be part of this discussion. I'm glad you found this software as a service discussion of value, and I hope your audience does as well.
00:47:58
Speaker
No, absolutely. And I hope we can at some point in the future have you back to go over those contracts that you have. You have a top 10 list for contracts. I was browsing through it as well. And I was like, no, actually, I think that is a very on point thing here.
00:48:12
Speaker
Jonah, go ahead. Give us your plug, your information and whatnot. Like, tell us. I mean, first off, I got to say, yeah, all of that's really relevant. I mean, this has been beneficial to me, especially like you mentioned earlier, as we're getting more into the SaaS backup offerings where, you know, maybe myself as a Veeam service provider is not necessarily self-hosting the backup software anymore and offering a private or hybrid cloud to customers, but rather consuming something like a Veeam data cloud and reselling additional value-add services on top of that.
00:48:46
Speaker
You know, it's all been great to consider. So, you know, you need help. You know, you need a secondary data center to spin up into. You need help with some BCDR. CyberFortress, we're a platinum BCSP. You can find us at cyberfortress.com.
00:49:01
Speaker
All right, and I'll play us out. We're at differentdev.com to find us. All these contacts are going to be in our show notes, so if you're listening to us, check out rebeldevs.com. The episode's up there with all of our show notes. If you're listening on Spotify or wherever you like Apple Podcasts, show notes will have all these contacts in for ease.
00:49:20
Speaker
Different Dev, we're going to take care of all of your backup and disaster recovery needs. We're typically not hosting data; we do sometimes, but we're more of just your intelligence, if you will. You probably can't afford a CIO if you're listening to us, or you're a mega shop like I said and you have smart people; you need that third-party eye. So we're going to take care of everything related to DR. We're going to do business impact analysis, BCDR. We're going to go ahead and do disaster recovery plans.
00:49:48
Speaker
We're going to audit through and make sure what you think you are doing, you're actually doing. And we're going to keep you advised of the latest trends. So go ahead, reach out to us. And gentlemen, I thank you for joining us today.
00:50:01
Speaker
And everyone else, we'll see you next time we see you. Thank you.
00:50:10
Speaker
or just starting out, the Rebel Devs podcast is a must listen. So join us. Comment, share, and subscribe. Be part of the Rebel Devs.