Appropriate action to address adverse impacts can be categorized as follows:[28]

• Avoid, prevent, and mitigate human rights harm: Take action to define what customers and users can and cannot do with the service, establish mechanisms to implement the policies and terms, and define who the SaaS provider will and will not sell to, or partner with, and what use cases are acceptable.
• Technology and design choice: Establish technical limitations to SaaS service functionality to restrict how it can be used and/or the addition of features or customizations that have the potential for adverse impacts.
• Ongoing human rights due diligence: Conduct ongoing human rights due diligence on products, platforms, and services to assess for actual and potential impacts across the full range of human rights.
• Transparency, guidance, and communications: Share information about the service, best practices, and human rights-based approaches that reduce the likelihood of adverse impacts.
• Industry collaboration: Collaborate with companies across the SaaS sector, stakeholders, and the broader tech industry to better understand the human rights risks of SaaS products, platforms, and services; share insights; and establish overarching guidance and best practices.

These five approaches should exist in a framework of ongoing human rights due diligence capable of addressing new human rights risks as technology, and the SaaS sector more broadly, evolve.

1. Avoid, Prevent, and Mitigate Human Rights Harms

Take action to define what customers and users can and cannot do with a SaaS provider’s service, establish mechanisms to implement the policies/terms, and define who the provider will and will not sell to or partner with, and what use cases are acceptable. Companies can begin to do this through the following actions:

AUPs and Service Specific Terms

Deploy, and ideally publish, an Acceptable Use Policy (AUP) that describes the intended use of the SaaS service; the prohibited uses, content or activity; and the company’s enforcement practices.[29] Public AUPs set clear expectations for customer use and provide a clear basis for enforcement actions when the policy is violated. In addition to the AUP, deploy tailored service-specific terms for individual products and services that restrict how they are used and address risks specific to that service. SaaS providers could also consider including service termination clauses in the case of severe human rights violations by customers.

Customer Gating

Institute a “gating process” for prospective SaaS customers. The gating process is intended to help companies establish boundaries and limitations on who they will and will not do business with and consider how they will implement these limitations.

Human Rights Assessment of the Software-as-a-Service Sector
