Rechtsanwalt Marian Härtel - ITMediaLaw


Risks when using and offering no-code platforms as SaaS

10. July 2023
in Blockchain and web law, Law on the Internet
Key Facts
  • No-code platforms are indispensable for companies to optimize business processes and expand their digital presence.
  • The use of no-code platforms harbors security risks, as users often do not have the technical knowledge.
  • A lack of understanding of API integration can lead to GDPR and information security issues.
  • Poorly formulated general terms and conditions can get providers of no-code platforms into legal trouble.
  • The legal aspects include data protection law, IT security law, contract law and liability law.
  • Artificial intelligence (AI) for code generation raises new questions about liability and responsibility.
  • A better understanding of the risks enables the use of no-code platforms without jeopardizing security.

At first glance, the title of this blog post might seem like a winner in the contest for most anglicisms in a sentence. But behind the apparent “denglish” lies an extremely relevant topic: no-code platforms.


In the increasingly digitalized world, no-code platforms have become an indispensable tool for companies looking to optimize their business processes and expand their digital presence. They are the invisible heroes of digital transformation, making it possible to create and manage applications without writing a single line of code. This reduces the need for specialized developers and opens the door to a world where anyone can become a builder of their own digital solutions.

But as with any superhero, there is a flip side. Despite their advantages, no-code platforms also carry risks, both for users and for the providers of these services. It’s like suddenly having superpowers but not knowing exactly how to control them. This blog post highlights the security risks associated with using widgets and features from no-code platforms. It also discusses the potential problems that providers may face as a result of poorly worded general terms and conditions (GTCs). Because as with any great power, great responsibility comes into play. And in the world of no-code platforms, it’s no different.

Security risks when using no-code platforms

One of the main problems with using no-code platforms is the security risk. Although these platforms allow users to create applications without programming knowledge, it also means that they may not have the technical knowledge to understand the security risks associated with using certain widgets and features.

For example, some widgets could have security vulnerabilities that could be exploited by hackers to access sensitive data. In addition, some features, if not properly configured, could result in confidential information being inadvertently made publicly available. Therefore, it is essential for users of no-code platforms to be aware of the potential security risks and take appropriate measures to protect their data.

Another problem that is often overlooked is the connection of third-party APIs. Many no-code platforms allow the integration of third-party APIs to extend the functionality of the applications created. While this may appear to be an advantage at first glance, it also carries risks. When programming your own APIs, you can always look into your own code and understand exactly when, where, and what data is being tapped via a third-party API. However, this is often not possible with no-code platforms.

This lack of transparency can quickly lead to problems with the General Data Protection Regulation (GDPR) and information security. It is often unknown how exactly (and in case of doubt whether correctly) the API is integrated on the platform and whether the data is “encrypted in transit”, for example. Most no-code platforms are also silent about this, which in turn could be a problem for their own privacy policies.

In addition, a bug in the no-code platform's own code, once it becomes known to hackers, could give them access to thousands of the platform's users. Failure to take your own precautions could result in a massive data leak. Therefore, it is essential to take appropriate measures to protect the data and ensure compliance with the GDPR and security standards.

Risks for no-code platform providers

For providers of no-code platforms, poorly worded general terms and conditions (GTC) can lead to significant legal problems. The GTC are an integral part of the contract between the Provider and the User and define the conditions under which the Service may be used. If these conditions are not clearly and precisely formulated, the provider could be held liable for damages resulting from the use of its platform.

Of course, the issues mentioned in the previous section can present extensive challenges for the platform. Questions like: Where is data stored? What happens if hackers can penetrate the platform? Are individual instances compartmentalized for individual customers? Does a bug in a widget or feature affect all customers? These and many other issues must be considered in the GTC.

In addition, providers could have information obligations when errors occur that require the customer to make adjustments. They could also be responsible for IT security at the client and may need to educate clients about IT security.

For example, if a user suffers a breach of the General Data Protection Regulation (GDPR) due to a security vulnerability in a widget or feature provided by the platform, the provider could be held legally responsible for such incidents if its GTC do not explicitly exclude liability.

The creation of T&Cs for no-code platforms can therefore be very complicated and should only be carried out by experienced lawyers with IT expertise. They must be able to understand the technical aspects of the platform and translate the potential risks and responsibilities involved into clear and concise legal terms.

The legal aspects of using no-code platforms are diverse and complex. They cover not only data protection law, but also IT security law, contract law and liability law. Each of these areas of law has its own rules and regulations that must be followed.

In the area of data protection law, the GDPR is the central set of rules governing the processing of personal data in the EU. It sets strict requirements for data processing security and requires no-code platform providers to take appropriate technical and organizational measures to protect their users’ data.

In the area of IT security law, there are a number of laws and standards that impose requirements on the security of IT systems. These include, for example, the Federal Data Protection Act (BDSG), the IT Security Act (IT-SiG) and ISO 27001. These laws and standards may impose different requirements depending on the type of platform and the specific circumstances of the data processing.

In contract law, the GTC must be designed in such a way that they clearly and precisely regulate the rights and obligations of the parties. They must also comply with the requirements of the German Civil Code (BGB) and the Unfair Competition Act (UWG).

In liability law, the GTC must adequately regulate the provider’s liability for damages resulting from the use of its platform. They must also take into account the requirements of the Product Liability Act (ProdHaftG) and the German Civil Code (BGB).

The creation of T&Cs for no-code platforms therefore requires a deep understanding of these different areas of law and the ability to translate this knowledge into clear and concise legal terms. It is therefore essential that providers of no-code platforms hire experienced lawyers with IT expertise to draft and review their T&Cs.

Short excursion: code generation by AI?

An interesting side issue in the discussion of no-code platforms is the increasing ability of artificial intelligence (AI) to generate code. A prominent example of this is ChatGPT, an AI from OpenAI that is capable of generating human-like text while also generating code. Although ChatGPT is not a classic no-code platform, its use raises similar issues of liability and responsibility.

If ChatGPT is used for code generation and this code contains errors or leads to undesired results, who is responsible? Is it the employee who uses ChatGPT for code generation? Is it the employer who enables or even encourages the use of ChatGPT? Or could it even be ChatGPT itself or its developer, OpenAI?

The answer to these questions is not simple and depends on many factors, including the exact circumstances of code generation and the applicable legal framework. In general, however, one could argue that the employee using ChatGPT has some responsibility to review and validate the generated code. After all, it is his decision to use the AI to generate code, and he should be able to understand and check the generated code for errors.

Employers may also bear some responsibility, especially if they encourage or mandate the use of AI tools such as ChatGPT. They could be required to provide appropriate training and support to ensure that their employees can use AI tools safely and effectively.

The issue of ChatGPT or OpenAI liability is more complex and depends on the specific legal framework. In some jurisdictions, it might be possible for an AI developer to be liable for errors or damages caused by its AI. However, in other jurisdictions, this might not be the case, especially if AI is considered a “tool” that is controlled and directed by the user.

These issues show that the increasing prevalence of AI and no-code platforms presents new and complex legal challenges. It is therefore important that both providers and users of these technologies are aware of the potential risks and take appropriate measures to manage these risks.

Conclusion

While no-code platforms offer significant benefits, such as accelerating digital transformation and democratizing application development, it is imperative that both users and vendors are aware of the associated risks.

Users need to be aware of the security risks associated with the use of widgets and features. These include potential security vulnerabilities that could be exploited by hackers, as well as the risks associated with connecting third-party APIs. It is important that users educate themselves and take appropriate measures to protect their data and ensure compliance with the General Data Protection Regulation (GDPR).

For their part, providers of no-code platforms must ensure that their general terms and conditions (GTC) are clearly and precisely worded in order to avoid legal problems. They must also implement the technical and organizational measures necessary to ensure the security of their platforms and compliance with the relevant laws and standards, such as the German Federal Data Protection Act (BDSG), the IT Security Act (IT-SiG) and ISO 27001.

In addition, the increasing ability of artificial intelligence (AI) to generate code shows that the lines between code and no-code are becoming increasingly blurred. This raises new issues of liability and responsibility that must be considered by both users and providers of these technologies.

By better understanding these risks and implementing appropriate safeguards, the benefits of no-code platforms can be realized without compromising security or risking legal issues. It is an exciting time for digital transformation, but as with any technological innovation, it is important that we take the risks as seriously as the opportunities.

Author: Marian Härtel

Marian Härtel is a lawyer and certified specialist in IT law (Fachanwalt für IT-Recht) with more than 25 years of experience as an entrepreneur and consultant in the fields of games, esports, blockchain, SaaS and artificial intelligence. In addition to IT law, his advisory work focuses in particular on copyright law, media law and competition law. He primarily advises start-ups, agencies and influencers, supporting them on strategic questions, complex contractual matters and investment projects. His advice is characterized by an interdisciplinary approach that combines legal expertise with many years of entrepreneurial experience. The aim of his work is always to offer clients practice-oriented solutions and to provide legally sound support in implementing innovative business models.

Tags: Artificial intelligence, ChatGPT, Liability, Privacy, Security
