Intellectual Property Due Diligence: Acquisition of a Software-as-a-Service Business

Many customers now access software through the cloud or through the Software-as-a-Service (SaaS) model in which a provider or third party hosts software that may be accessed and used by multiple customers. The SaaS model tends to provide costs savings to customers by minimizing outlays for on-site and backup servers, other equipment and resources required to host their own copies of installed software. SaaS customers typically pay recurring monthly or annual fees to access and use the SaaS software, which also helps defray up-front costs associated with a traditional installed software license model that often entails a significant front-loaded license fee, costs for hardware and services for installation, upkeep and eventual replacement due to technological developments and system requirements. SaaS companies have also become popular targets of acquisitions, because of their recurring revenue, high growth rate, and relatively high margin in addition to overall industry and technological growth trends and acquirors often view the software and technology underlying a SaaS business as one of the principal assets driving such acquisitions.

Those involved in a due diligence review for the acquisition of a SaaS business (the Target) need to understand the value and risk associated with the Target’s use of intellectual property (IP) and this article provides a practical, higher level guide for conducting IP due diligence (IP diligence) in a SaaS business acquisition transaction.

IP BASICS

Proprietary technology relevant to SaaS businesses may be protected through copyright, trade secret, trademark rights, and in some instances, patent rights. In addition, the Target may also hold domain name registrations and social media accounts (which, although not typically considered IP, are often included in the IP diligence review) and rights in data such as customer data.

Copyrights

Copyrights secure the rights of authors in their original works of authorship that are fixed in a tangible medium of expression. In most instances, source code qualifies for copyright protection as a literary work. (17 U.S.C. § 102. 1 Nimmer on Copyright § 2A.10 (2017).) In the U.S., registration of a particular work with the U.S. Copyright Office (USCO) is not necessary until the copyright owner wishes to assert a copyright infringement action against a third party. If the owner chooses to register its copyright in software, generally they must submit at least a portion of the source code to the USCO. As a result, SaaS companies may decide to initially refrain from registering their software and instead rely on other forms of IP protection.

Trade Secrets

Trade secrets are a means of protecting proprietary information that has value because it is not generally known to others, which may include a company’s source code. In the U.S., if the owner has taken reasonable precautions to protect the secrecy of such valuable confidential information, it may potentially be protectable as a trade secret under state and/or federal law. (1-1 Trade Secrets: Law and Practice § 1.02 (2017).) Companies relying on trade secret protection typically seek to maintain their rights through contractual nondisclosure obligations and by restricting access to the information. For instance, SaaS companies often take care to limit access to source code, adopt security measures to restrict and protect access and require those exposed to source code to agree to binding non-disclosure obligations.

Trademarks

The term “trademark” generally refers to a word or design used to indicate the source of goods or services. (15 USC §1127.) In the U.S., owners may, but are not required to, apply to register a mark for federal protection with the United States Patent and Trademark Office (USPTO) in order to obtain certain advantages or may choose to register a mark on a state-by-state basis. Since trademark rights are acquired through use of the trademark in commerce in connection with the applicable goods or services, an unregistered mark may still be protected under common law based on such usage.

Patents

At a basic level, patents protect inventions that are useful, novel, and not obvious and entitle the owner to exclude others from practicing the patented invention during the term of the patent. (35 U.S.C. §271.) Patentability of software/SaaS-related technology is an area of law that is still evolving and the currently-applicable analysis involves numerous subtleties. Generally, software itself is not considered patentable subject matter. (Morgan D. Rosenberg & Richard J. Apley, Patentability of Business Methods, Software and Other Methods (2017 Edition) § 1.01 (Matthew Bender).) Nevertheless, SaaS businesses may have developed technologies implementing or involving software in ways that are capable of patent protection that form part of the value of the Target.

Domain Names & Social Media

Domain names are internet addresses registered by entering into an agreement with one of several hundred qualified registrars. Domain name registrations are typically viewed as contract rights (rather than IP rights owned by a Target entity) and simply registering a domain name and using it as an address does not generate trademark rights in the domain name. (2-7A Gilson on Trademarks § 7A.03 (2017).) Social media accounts are subject to the terms of the applicable user agreement with the platform provider (many of which include restrictions on transfers or prohibit sales of such accounts) and are also generally viewed as contract rights.

Data

SaaS companies collect and/or receive data through customers’ receipt and use of software services, which may be valuable for internal purposes (such as in testing, benchmarking, developing, improving and marketing products and services) and, increasingly, through opportunities to monetize such data. In the U.S., such data may be protected through a combination of trade secret law, copyright law, and contractual permissions and restrictions. In other jurisdictions, there may be additional territory-specific laws and regulations that govern the collection, storing, processing and sharing of such data to protect the data and databases.

GETTING STARTED

IP diligence starts with understanding the Target’s products and services, as well as the client’s motivation for acquiring the Target, the client’s expectations for the scope and level of review, and the transaction structure. Initial steps include requesting, collecting and reviewing information and documents relating to the Target’s development and use of IP, most of which must be provided by the Target. Some pertinent information should also be available from public sources, such as the Target’s website, searchable online databases provided by the USCO and USPTO, public online WHOIS search tools for domain names, and certain limited information may be available for non-U.S. registered IP through publicly-searchable online databases (however, the timeliness and accuracy of the status and assignment histories for such items may vary widely depending on the applicable jurisdiction).

IP OWNERSHIP

Verifying ownership of the Target’s IP is a key area of focus in IP diligence, which typically includes an effort to understand the Target’s development practices, where the important IP originated, who was involved in development, as well as reviewing relevant documentation to confirm that the Target (or selling entity) owns the IP that it purports to own (Target IP). In reviewing agreements that purport to allocate ownership of IP, reviewing of the grant provision is critical. Under US law, present-tense assignment language (“hereby assigns”) rather than an agreement to assign IP (“shall assign”) or mere statements regarding ownership (“shall own”) is necessary to transfer ownership in the IP, even for IP yet to be created. (Arachnid, Inc. v. Merit Indus., Inc., 939 F2d 1574 (Fed Cir 1991) .) Without this wording, there is merely a promise to assign the IP, failure of which is just a breach of contract.

Employee Developers

Employers do not automatically own all IP created by its employees. In the U.S., employers may own the copyrights in works of authorship created by employee developers within the scope of their employment through the work made for hire doctrine; however, other forms of IP, such as inventions and patents resulting from those inventions, must be formally assigned in writing to the Target. (17 USC §201.) If not, the employer may have only a limited (and potentially nontransferable) right to use the IP.

Contractor Developers

IP created by contractors is almost always owned by the contractor unless the contractor has formally assigned ownership in writing to the Target. While the work made for hire doctrine applies to certain statutory categories of works created by independent contractors under U.S. copyright law, software generally does not qualify and the contractor agreement must expressly state that the work will be considered a work made for hire. (17 USC §101. 6 Nimmer on Copyright § 27.02 (2017).)

Overseas Development

To the extent Target IP was created outside of the U.S., the laws of applicable local territory will generally apply and may be substantially different from U.S. law. For instance, in some jurisdictions, employee-inventors are entitled to additional compensation for their contribution to patented inventions. If the Target’s R&D takes place in jurisdiction(s) that lack effective IP enforcement infrastructures and local employees have access to trade secrets or other proprietary information, it may be difficult to prevent them from using the information for the benefit of other local companies.

Registered IP

Registered Copyrights

If the Target owns registered copyrights, IP diligence should include a review of the record ownership information available through the USCO website and the reviewer may use this website to search for additional registrations that may be owned by the Target. However, software companies often choose not to register their software code to avoid the default requirement to deposit a portion of the source code with the USCO.

Registered Trademarks

Typically, IP diligence will include a review the USPTO’s online databases to confirm the status and record ownership of registrations and applications identified by the Target, to identify any additional registrations or applications that may be owned by the Target, and to confirm no adverse proceedings have been instituted by third parties concerning the Target’s trademarks. For trademarks acquired through transfers, confirm the transfer included an assignment of goodwill associated with the trademark. For trademark applications transferred (or to be transferred) while still based on the applicant’s intent-to-use the mark, the assignment may be invalid unless made in connection with a transfer of the business to which the application pertains. Depending on the Target’s business and trademark holdings, it may be prudent to review the limited information available online with respect to non-U.S. trademark applications and registrations as well.

Patents

Patent reviews in IP diligence can range from merely confirming the Target owns the patents and applications it purports to own to performing a deeper dive into the substance of the Target’s patents and applications. Substantive review may include review of the status of the patents and applications and determination of the scope of the subject matter claimed, including whether they cover the products and services of the Target. Although more rare due to time and expense, substantive review may also include an analysis of the validity of the issued patents and/or performing clearance studies/freedom to operate (FTO) analyses of the Target’s products or services.

Domain Names & Social Media Accounts

Diligence of domain names include a review of the list of domain names identified by the Target in diligence, review of the publicly-available registration information through an online WHOIS database to confirm their status and that the Target entity (or selling entity) is listed as the “Registrant” for each domain name (it is not uncommon to find that an individual’s name is listed instead of the appropriate entity, which should be updated to list the entity). If the Target controls a large number of domain names including inactive websites or redirects to main pages, it may be more cost effective to winnow down the review to certain key domains or to spot-check a longer list. Depending on the proposed acquisition transaction structure, the terms of the applicable social media account user agreement may pose an issue and if social media is particularly important to the Target in such cases, special attention should be paid to the corresponding terms governing transferability of the accounts.

Security Interests

IP diligence typically involves reviewing the USCO and USPTO assignment records to identify active security interests recorded against registered IP and to confirm previous liens have been released; however, since the general view under U.S. law is that perfection against U.S. patents and registered trademarks is through UCC filings, UCC searches are also relevant to the review.

Shared IP

For transactions involving the sale of a business line, it is important to consider whether there is any shared IP necessary for the operation of the business being sold, as well as the business being retained by the seller post transaction. If so, the parties will need to determine how ownership and use of shared IP will be allocated between the seller and the buyer post transaction.

INBOUND LICENSES

Important inbound licenses are another key area of IP diligence. It is unlikely that the Target has developed in-house all of the IP material to its business. More likely is that the Target is using some third party IP through licenses. Therefore, it is important to review licenses to software or other technology incorporated into the Target’s products or otherwise material to the Target’s ability to generate revenue. The review of inbound licenses should include confirmation that the license scope is appropriate to the business and sufficiently broad (e.g., sublicensing rights), understanding any outstanding license fees, royalty obligations or other payments involved, whether IP indemnification is provided, and whether the proposed transaction (and any contemplated future transactions) will not put the license in jeopardy (e.g., change in control restrictions).

Open Source Software

Use of open source software is relatively common in the software and SaaS industries, but such use involves certain risks. In the case of the most onerous open source license terms, users who distribute proprietary software incorporating modified versions of the open source software may be required to make the entire source code (including proprietary source code) available to downstream users at no charge. Of particular relevance to SaaS businesses (which may not technically distribute their software), the Affero GPL license terms expand the scope of the “distribution” trigger and is generally viewed to cover software offered as a service. As such, one should review the Target’s use of open source software, including confirming whether the business has established and maintains an open source policy and reviewing a list of all open source-licensed software used by the Target (including the associated license terms for each such component and a breakdown of how each such item of open source software has been used). It may also be prudent to require the Target to conduct a third-party open source software audit, such as an audit offered by Black Duck or similar provider.

RIGHTS GRANTED TO THIRD PARTIES

While it is typical for SaaS companies to agree to provide access and support for a SaaS offering on a non-exclusive basis during a subscription term, it will be important to confirm whether the Target has granted any exclusive IP licenses, source code licenses, patent licenses or other licenses outside the ordinary course of business. One should review copies of all such outbound license agreements, as well as copies of the Target’s standard customer license/service agreements or user terms (as well as any other outbound license agreements that deviate from these forms), in particular, to identify any exclusive or uncommonly broad license grants, ongoing material obligations (including any not tied to the continued payment of subscription fees), onerous service level commitments, or any other unusual and potentially concerning provisions or obligations.

Source Code

SaaS companies are usually protective of the source code version of their proprietary software. If the Target has granted source code licenses (in particular, licenses to customers or potential competitors), such agreements should be reviewed to confirm the scope of the license and other contractual restrictions. However, software-focused companies may, from time to time, agree to deposit source code into a third-party technology escrow for the benefit of particularly important customers. If so, one should review the corresponding escrow and customer agreements to confirm that the release conditions (i.e., potential events that would trigger a release of source code) are not overly broad and that the permitted use following such a release is appropriately limited (typically, this is limited to internal use as permitted under the terms of the customer agreement as well as fixing bugs and modifying the software for maintenance purposes only). One should also confirm that no customers or other third parties are entitled to or have requested or received a release of source code from escrow.

TRADE SECRETS

IP diligence should include a review of the steps the Target has taken to protect its trade secrets, including confirmation regarding whether any key trade secrets have been disclosed or licensed to third parties, whether any such disclosures were subject to written confidentiality obligations, and what security procedures and access controls/limitations the Target has implemented. As noted above, this includes understanding the Target’s source code practices and protections.

IP DISPUTES

IP diligence should include a thorough review of any IP-related disputes, including attention to any active or settled IP-related litigation, infringement or other IP-related claims or offers to license made by third parties, claims or potential infringement claims by the Target against third parties, etc., to identify, quantify and qualify the potential risks that may impact the Target business post-transaction. This should include a review of information, documents, opinions of counsel, and other materials relating to any infringement claim or action involving the Target to understand the nature and status of the claims, the monetary exposure/risk to the business and the likelihood of success or failure.

DATA

It is important to understand how the Target is currently using the data associated with its SaaS offerings, whether the Target (or the acquiror) views this data as potentially valuable for other uses, and to investigate whether the Target has obtained the necessary rights to use and transfer such data under applicable law for such purposes. Depending on the geographic operations and practices of a given Target, local laws must be taken into consideration. If the Target’s business involves the transfer of any personal data between jurisdictions, it is important to also consider local data security and privacy laws and ensure that such transfers are permitted by and in compliance with applicable laws and regulations.

CONCLUSION

The extent of IP diligence for a SaaS business acquisition transaction may vary significantly. Before jumping into the IP diligence review, it is important to take the time to learn about the Target’s products and services, remember to account for how the transaction structure may affect the approach to diligence and think through the key areas of potential concern based on the factors outlined above, then tailor the scope and level of review accordingly.