• Sales model: SaaS services with a high-touch sales model involve greater customer engagement, giving the SaaS provider more opportunity to undertake customer due diligence. This, in turn, decreases the likelihood of potential human rights harms related to customer end-use. With more customer engagement, SaaS providers have higher visibility into customer use cases, making potential harms more foreseeable. This would more closely connect SaaS providers to potential human rights impacts and give them more leverage to address them.
• Level of customizability: Highly customizable SaaS services are more likely to be connected to harm since customers can change the services’ functionality and outcomes, making potential harms less foreseeable by the SaaS provider. This may indicate that providers have less leverage to address potential impacts. On the flip side, if a SaaS service has been customized for the specific needs of a specific company, switching costs may increase, indicating increased leverage for the SaaS provider to address potential impacts.
• Level of substitutability: If a SaaS service is less substitutable, the SaaS provider has higher leverage to address potential human rights harms associated with the use of their service.

Privacy and Data Governance

Most SaaS services rely on data input to serve their purpose. What data is collected, and how it is collected, stored, used, and shared, may impact the privacy of end-users and employees.

Company-Level Impacts

• The use of SaaS services by a company or government entity may result in the capture of more information than is necessary. For example, SaaS services may collect personal attributes from data subjects, potentially leading to violations of privacy and non-discrimination, among others.
• The data collected for a SaaS service may be combined with other data (e.g., user information that the company already has), enabling them to gather information on individuals that could be used for surveillance.
• Law enforcement agencies may demand that SaaS providers share sensitive user data to help the agencies. Law enforcement may subsequently use this data to identify, track, or monitor individuals, which may result in a violation of individuals’ rights. These risks may change depending on datacenter locations and data localization regulations.

Examples of Company-Level Impacts

SaaS Provider One: A company may use a CRM solution to collect data on race, ethnicity, socioeconomic class, or another protected category, which may then be used to discriminate against certain individuals or populations.

22 Human Rights Assessment of the Software-as-a-Service Sector
