However, as BSR pointed out in an earlier report, “Increased public consciousness and stake- holder understanding of downstream human rights impacts, coupled with the emerging HRDD regulatory requirements, is leading to a new era in which companies must be prepared to identify, avoid, prevent, and mitigate the adverse human rights impacts associated with their 15 Due diligence related to end-use of products and services is products and services.” increasingly expected from companies further up the value chain, such as providers of B2B SaaS services. To address their potential downstream human rights impacts, SaaS providers must determine their company’s connection to potential human rights harms. The actions that a company must take to avoid, prevent, and mitigate adverse human rights impacts depends in part on their attribution to such impacts. According to the UNGPs, a company may cause, contribute, or be directly linked to an adverse human rights harm. The cause/contribute/directly linked framework is an important 16 tool to help companies understand their attribution to human rights impacts. The United Nations B-Tech Project17 builds on this framework, proposing that technology 18 companies contribute to an impact when they: • Facilitate or enable another entity to cause an adverse impact, where a company’s actions add to the conditions that make it possible for use of a product by a third party to cause a harm; • Incentivize or motivate another entity to cause an adverse impact, where a company’s actions make it more likely that a product or service will be used in ways that cause harm; or • Fail to undertake reasonable human rights due diligence to identify and address harms. SaaS providers should understand how their unique position in the value chain, and the spec- ificities of their service offerings, affect their company’s attribution to human rights impacts. This, in turn, will help determine what actions they should take to prevent and mitigate risks. “Know Your Customer” Ethics Some companies ask ethical questions about who they choose to do business with, regard- less of how closely connected they are to a harm. In our engagement with SaaS providers, we saw that some providers stopped working with specific companies or industries due to values misalignment or pressure from employees, while others followed legal sanctions when it comes doing business with certain customers and partners. As BSR pointed out in an earlier report, “While the UNGPs emphasize a specific connection between product/service and corresponding harm, some downstream business relationships can legitimize and empower bad actors to commit human rights violations in an indirect 19 Such business relationships may create ethical conundrums and reputational risk for way.” companies (see callout box on Reputational Risk). Although this HRA does not focus on ethical and reputational questions, companies’ increasing attention to these factors indicates that the importance of downstream due diligence is growing. 13 Human Rights Assessment of the Software-as-a-Service Sector