Do You Need a Microsoft Service Provider License (SPLA)?
If your business model involves hosting applications, websites or data, chances are that Microsoft will require you to obtain and follow a SPLA. Businesses that use Microsoft software for internal use only, or where third-party access is anonymous or unauthenticated, do not need a SPLA. With limited exceptions, Microsoft does require customers engaged in commercial hosting to use a Service Provider License Agreement (SPLA) instead of its standard volume licensing model.
If you are engaged in commercial hosting according to Microsoft’s guidelines and must be a SPLA provider, be very careful. It can be risky, especially if you do not follow the rules very carefully. Failing to understand and adhere to the rules can result in long adversarial audit engagements and massive fines. And often, it is not because companies willfully break the rules; it is because the rules are complicated. As a general rule, you are legally responsible for Microsoft software running on your computers, even if you did not deploy or use it.
Not all customer-facing applications require a SPLA. For example, companies that host their own software for their customers on Microsoft infrastructure may qualify for the self-hosting benefits of Software Assurance if their use case qualifies as a Unified Solution as that term is defined by Microsoft.
According to the benefits of Microsoft’s Software Assurance, a Unified Solution must:
1. add significant and primary functionality to the Self-Hosted Applications that are part of the Unified Solution (dashboards, HTML editors, utilities, and similar technologies alone are not a primary service and/or application of a Unified Solution);
2. be the principal service and/or application of the Unified Solution, and must not allow direct access to the Self-Hosted Applications by any end user of the Unified Solution;
3. be delivered to end users over the Internet, a telephone network, or a private network from servers under the day to day control of Customer or a third party other than the end user of the Unified Solution (the Unified Solution may not be loaded onto the end user’s device); and
4. be owned, not licensed, by it, except that its software may include non-substantive third party software that is embedded in, or operates in support of, its software.
If your hosted application meets the definition of a Unified Solution it may be advisable to license the environment using a volume licensing arrangement instead of a SPLA. Companies that own and host an application directly to the end user customer, with no third party involved, may not need a SPLA. Self-hosting applies only if the licensee owns the business logic, content or data, and delivers the service under its own brand, with its own intellectual property. Self-Hosting use cases can be licensed with internal volume licensing with external connector licenses to cover the client access. According to Microsoft rules, applications qualify as self-hosted only if specifically allowed by Microsoft (such as SQL Server and Windows Server), if they are used exclusively in connection with a “Unified Solution”, if they are the principal service and/or application, and sole point of access, to the Unified Solution, and if they are delivered over the Internet or private network from the data center to end users.
Although commercial hosting is not a defined term in Microsoft’s Product Use Rights, Microsoft has provided some guidance into what it considers to be commercial hosting use cases. For example, a financial institution offering an online banking service or application to customers, or a business providing a client portal, would not require a SPLA. In general, businesses that use the software as a way to sell other goods or services do not need a SPLA. In addition to the online banking example, e-commerce platforms generally do not require a SPLA because the solution is used by the end-user to acquire goods and services from the licensee.
Microsoft’s standard product use rights prohibit using its infrastructure for commercial hosting. Therefore, businesses in the commercial hosting business require a SPLA. Assuming non-anonymous third parties are accessing the hosted solution, the most critical question you should ask is this: “Is the licensee providing access to software application(s) or data used for third-party business operations?” If the answer is yes, you are hosting for third parties, and you may need a SPLA.
The most common use cases requiring a SPLA are:
- Application hosting. If you host any third-party applications on Microsoft infrastructure, you need a SPLA. Examples include hosted CRM, hosted messaging and hosted backup and disaster recovery (BDR). In other words, if Company A provides a software application for Company B to use, Company A requires a SPLA.
- Data hosting. Examples include Hosting as a Service (HaaS), website hosting and file-sharing.
- Multi-tenant cloud or multi-tenant infrastructure as a service. If, for example, your business hosts QuickBooks accounting software in your cloud, or provides a dedicated virtual machine on a physically dedicated host, you need a SPLA.
If you decide that SPLA is the right fit, you’ll need comprehensive policies and procedures for when Microsoft audits you, because they will audit you. Scott & Scott, LLP has been representing SPLA providers in Microsoft Audit matters since 2005. If you have questions about whether you need a SPLA or are defending a Microsoft SPLA audit, we can help.