Abhijit Murthy B.Tech(Biotech), M.Sc(UK), LLB, PG Diploma in Cyber Laws



The following discussion highlights certain key elements that every Software-as-a-Service (SaaS) company should include in its agreement with its end users. A significant point to note is that a SaaS agreement differs from a software licensing agreement.
A SaaS agreement may carry heavy service elements, or it may simply give users access to a product that could alternatively be licensed. One simple difference is that a licensing agreement typically covers software the user installs on their own hardware, whereas a SaaS agreement does not.
The list is not exhaustive, but for brevity the following aspects are, in my considered view, the key elements:

Privacy Policies pertaining to SaaS

One of the leading concerns today is that Privacy Policies are inscrutable. According to one survey, roughly one in five Americans say they always (9%) or often (13%) read these policies before agreeing to them, and 36% say they never read them. The onus therefore rests on the company rendering the service to ensure that a gap in its Privacy Policy does not become a legal liability.
If a SaaS service collects personal data, a Privacy Policy is a legal necessity. Many countries and regions have laws that make this mandatory, including:

  • The European Union: General Data Protection Regulation (GDPR)
  • California: The California Consumer Privacy Act (CCPA)
  • Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA)

Since almost all SaaS agreements require the collection of at least personally identifying information, a strict privacy policy must be in place to give clear protection to both the service provider and the user. The cost of lax policies and non-compliance is high: substantial fines are imposed on firms that fail to process personal data in compliance with the GDPR (Gal & Aviv, 2021).

Terms of Use Agreements for a SaaS (ToU)

A well-drafted agreement of this type legally binds your company and your customers. The Latin maxim ‘ignorantia juris non excusat’ makes the point: a consumer who claims not to have read the ToU does not thereby escape liability for violating it. A few clauses to be included are:

  • Copyright and intellectual property rights.
  • Handling of the consumers’ data by the system.
  • Laws governing the contract, restrictions, and limitations of use.
  • Licensing information.
  • Business contact information.

An important aspect to keep in mind while drafting the ToU is that the legal language should be pitched at a level a layperson can understand.

Liability Clause

The most important aspect here is to frame the agreement so that it limits the liability of the service provider and, where possible, excludes it altogether. Legally speaking, every SaaS transaction falls under a liability model that is limited to the damages the service provider actually causes the client. Every such agreement should therefore embed a contractual risk model whose purpose is to mitigate the real risks the provider faces.

Let us now examine the limited-liability terms of a popular SaaS provider, Paytm. In the event of a fraud against a consumer, certain limited-liability clauses operate between the consumer and Paytm (henceforth the ‘issuer’):

  • If the fraud resulted from the customer’s own error, for instance clicking on a harmful link that compromised the customer’s credentials, the issuer is not held liable.
  • If the fraud was committed by a malicious third party, certain remedies are available, such as blocking the account and reversing the transaction, provided it is reported within 24 hours.

Another company, Upstox, a major trading platform, recently fell victim to such a cyber attack: 25 lakh (2.5 million) user credentials were leaked and put up for sale on the dark web. It is yet another example of how a well-drafted SaaS agreement can spare the service provider from the legal consequences of such an incident. The company now has to follow the procedures laid down by the RBI in circular RBI/2018-2019/55 (FMRD.FMID.07/14.03.027/2018-19).

However, under RBI circular RBI/2017-18/109 (DCBR.BPD.(PCB/RCB).Cir.No.06/12.05.001/2017-18), the burden of proving customer liability lies with the issuer. This calls for even more robust Limitation of Liability provisions:

  • Cap the direct damages that either party may have to pay the other.
  • Exclude indirect damages entirely.
  • Carve indemnity obligations out of the cap.
  • Where possible, add a provision setting a higher cap for the service provider’s data-breach liability.

It would, however, be unreasonable for a customer to assume that the company is wholly and solely responsible in the event of a data breach caused by an external attack. In a recent incident, details of about 533 million Facebook accounts were scraped and posted on a hacking forum. In such cases the onus lies on the customer to prove that the damages they suffered were a direct result of the leak associated with Facebook. That is very difficult, since misuse of personal information can rarely be attributed solely to one company’s breach. In practice, therefore, a company faces little civil liability to individual customers for a breach caused by hacking (Borders, 2021).

Intellectual property in user-generated content

Where an app or software allows users to create their own content, the service provider needs a license from the users permitting it to use that content. The provider minimises the risk associated with the license by stating explicitly whether or not the customer is authorised to transfer any of the licensed rights (Bowen, 2021). A well-drafted agreement contains specific provisions making the customer aware of:
1. the specifically enumerated limitations of the license, and
2. that any deviation from those limitations amounts to a breach of the agreement, thereby preventing ambiguity (Bowen, 2021).

Dropbox’s policy is one such example. It states clearly that the user grants Dropbox a license to use uploaded content, for instance to place photos in a folder, store them and share them, as the user requests.

Two further provisions are essential in such an agreement: governing law and jurisdiction, and dispute resolution.

Jurisdictional and remedial clauses in a SaaS Agreement:

A major practical problem in any such agreement is the jurisdictional scope within which it operates. For any service, a thorough legal mechanism for dealing with deficiency of service should be in place to resolve disputes arising from it. Much of each SaaS Agreement is tailored to the geographical preferences of the client. In case of a dispute, therefore, the forum and language of dispute resolution must be specified in advance. A bare reading of the clause will resemble something like this: “This Agreement shall be governed and construed under the laws of India. Any dispute arising out of or in relation to this Agreement shall be submitted to the sole jurisdiction of the court of law at _________”.

Disputes are typically subject to an Arbitration clause requiring that an amicable solution first be sought through arbitration; only afterwards are the parties free to approach the appropriate court. The arbitration is governed by the Arbitration and Conciliation Act, 1996. A Force Majeure clause is also included, absolving the service provider of liability for deficiency of service caused by events such as acts of nature, electrical failure, civil disturbance, riots, equipment failures and internet failures, to name a few (Pandey, 2021).

Digital payments have taken over our lives in a manner that could not have been fathomed just two years ago. They have displaced cards and cash to such an extent that even the tiniest amounts are now paid online. Though this lets many of us pay effortlessly and seamlessly, it is a double-edged sword that brings many risks with it. Here are the top five ways to ensure you are not scammed out of your hard-earned money in the new digital world.

Beware of Phishing

Phishing is a term used in the domain of cyber space. A gentleman, X, while browsing a popular social media site, came across an offer that he found interesting. He immediately clicked on the link, which directed him to an e-shopping portal that was a household name. He browsed the goods, selected products and proceeded to the payment section. Satisfied that he had made a good deal, he waited patiently for the order to arrive. Alas, to his utter shock, when he got up the next morning he found that his whole bank account had been drained. X had fallen victim to the most common cyber fraud: phishing. He was made to believe that he was on a legitimate site whereas in reality that site was nothing but a replica of the original one. He had entered all his banking details, which let the perpetrators gain access to his accounts and withdraw all the funds.

Solution: Never click on external links to a website, especially links arriving in offers, messages or advertisements. Type the address manually into the browser’s address bar or use a bookmark you saved yourself, and check that the domain shown is the genuine one before entering any payment details.
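The gap between “the page looked like the real shop” and “the browser was actually talking to the real shop” is exactly what the replica site in X’s story exploits. As an added example that is not part of the original article, the Python below inspects a link before it is followed and reports the registrable domain the browser would really connect to, flagging the common tricks: the brand name used as a subdomain of an attacker’s domain, the brand name placed before an `@` so that it is treated as a username, look-alike spellings, punycode labels that can hide homograph characters, and plain HTTP. The trusted domain `example-shop.com` and every sample link are constructed for the demonstration and are assumptions, not real sites.

```python
"""Added example: decide whether a link really leads to the shop it appears to.

The only part of a URL that determines who the browser connects to is the
host, and within the host the registrable domain.  Phishing links are built
so the legitimate brand appears somewhere else in the URL.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Assumed for the demo: the one domain on which card details may be entered.
TRUSTED_DOMAIN = "example-shop.com"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name.

    Simplification for the demo: production code should consult the Public
    Suffix List so that hosts such as shop.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> tuple[bool, str]:
    """Return (is_trusted, reason) for a link the user is about to click."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if parts.username is not None:
        # https://example-shop.com@evil.test/ : the brand sits in the userinfo
        # part; the browser actually connects to evil.test.
        return False, f"userinfo before host; real host is {host!r}"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: what the user sees may not be ASCII.
        return False, f"punycode label in host {host!r} (possible homograph)"
    if parts.scheme != "https":
        return False, "not HTTPS"
    domain = registrable_domain(host)
    if domain != TRUSTED_DOMAIN:
        return False, f"registrable domain is {domain!r}, not {TRUSTED_DOMAIN!r}"
    return True, f"host {host!r} is under {TRUSTED_DOMAIN!r}"


# Constructed sample links of the kind found in social-media "offers",
# mapped to the verdict a careful shopper should reach.
SAMPLES = {
    "https://www.example-shop.com/sale": True,
    "https://example-shop.com.offers-today.test/sale": False,  # brand as subdomain
    "https://example-shop.com@login.evil.test/": False,        # brand in userinfo
    "https://examp1e-shop.com/sale": False,                    # typosquat (digit 1)
    "https://xn--exmple-shop-abc.com/": False,                 # punycode label
    "http://example-shop.com/sale": False,                     # no TLS
}


def run_samples() -> dict[str, bool]:
    """Classify every sample link and return url -> is_trusted."""
    return {url: classify(url)[0] for url in SAMPLES}


if __name__ == "__main__":
    for url in SAMPLES:
        trusted, reason = classify(url)
        print(f"{'OK  ' if trusted else 'WARN'} {url}\n      {reason}")
```

The point of the check is not that a script replaces the habit of typing the address yourself; it is that the decision must be made on the registrable domain, which is also what a password manager keys its autofill on, which is one reason autofill refusing to fill on a look-alike page is itself a useful warning sign.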

OTP Scams

It is one of the most common methods of scamming, and a significant chunk of the population has fallen victim to it. The common modus operandi involves calling the victim and spinning a make-believe story that their cards or accounts have been blocked and that, to start using them again, they need only provide the OTP they are about to receive on their mobile phone. The victim innocently reads out the OTP and within seconds the funds are transferred to the criminal’s account, leaving little trace.

Solution:

  • NEVER give your OTP or bank card details to anyone on the phone or in person. No bank or payment provider will ask you for an OTP over the phone; the OTP exists to authorise a transaction you are performing yourself.
  • If you receive such a call, note the number and lodge a complaint with the nearest Cyber Cell Police Station.

Identity Scams

A newer approach wherein the perpetrator gathers your identity details, including photos and social media handles, and sets up a fake profile in your name. That profile is then used deliberately to cause nuisance in your social circle, for example by spamming your contacts’ inboxes with obscene material. Worse, through social engineering the perpetrator may also gain access to your accounts, including your bank accounts, which are then used to siphon off money.

Solution: Beware of entering your credentials on any app or website that looks suspicious. Keep your anti-virus software up to date.

SIM cloning scams

Another approach involves obtaining a duplicate yet functional SIM card for the victim’s number. The criminals target people who are highly active on social media, flaunting their wealth and assets, and whose phone number is published there. With that number they arrange a working copy of the SIM, whether by copying it or, more commonly, by persuading the mobile operator to issue a replacement SIM (a ‘SIM swap’). Once the duplicate is active, all OTPs are delivered to it, and the bank accounts are then drained.

Solution: Ensure that the phone number registered with your bank is never disclosed on social media. Once a duplicate SIM is activated, the original SIM stops working, so keep an eye on your network: if your phone shows no service for more than half an hour without explanation, contact your service provider immediately and have your cards blocked to avoid further damage. Avoid all digital payments until the issue is resolved.

Card Skimming Scams

One of the most prevalent scams, both online and offline. A person X went to an ATM to withdraw money. The transaction went through, but to his shock he found the very next day that his bank balance had been emptied. This happened because scammers had fitted the ATM with a skimmer that copied the card’s magnetic-stripe data, along with a keypad overlay or hidden camera that captured the PIN; the copy was then used to make both online (digital payment) and offline purchases.

Solution: Do not use your card at suspicious-looking ATMs. Telltale signs are a protrusion around the card slot, noticeably more friction than usual when inserting the card, and a keypad that sits slightly raised or has painted rather than embossed keys. Cover the keypad with your other hand while entering the PIN.

Follow the above five rules strictly while making digital payments and stay safe.