Legal Safeguards Against Code Reverse Engineering in SaaS Platforms (Philippines)
Introduction: why reverse engineering is a real SaaS risk in the Philippines
Foreign cloud providers operating in the Philippines commonly face a recurring threat: a local competitor gains access to the platform (as a customer, reseller, contractor, or integration partner), studies how it works, and then releases a look-alike service that mirrors the workflow, features, and sometimes even the underlying code structure. In Philippine practice, stopping this conduct usually requires a combined approach: tight contracting (to control access and define prohibited conduct) plus copyright-based enforcement (to address copying of protectable code and related materials), supported by evidence and well-designed internal controls.
Governing law: where SaaS protection usually comes from
Republic Act No. 8293 (Intellectual Property Code of the Philippines), as amended, is the primary statute for copyright protection and limitations, including fair use and certain permitted acts involving computer programs. The 2013 amendments under Republic Act No. 10372 (2013) strengthened protection relevant to digital contexts by expressly recognizing concepts such as technological measures and rights management information, both of which matter when a provider uses access controls and embedded identifiers to discourage copying or misuse.
On the jurisprudence side, the Supreme Court has repeatedly emphasized that copyright protection is statutory—its scope depends on what the statute grants and allows. This is relevant because enforcement success often turns on statutory definitions, limitations, and proof, rather than broad fairness arguments. The Court reiterated that copyright’s “metes and bounds” are governed by statute in Philippine Home Cable Holdings, Inc. v. Filipino Society of Composers, Authors & Publishers, Inc. (2023).
What you can (and cannot) stop: reverse engineering vs. protectable expression
In SaaS disputes, it is important to distinguish between: (a) copying protected expression (e.g., source code, object code, screen displays, documentation text, training manuals), and (b) imitating ideas, processes, and general product logic (e.g., “a workflow-based CRM with approval routing”). As a practical matter, foreign providers often win or lose based on whether they can show actual copying of protectable elements or breach of a clear contractual no-reverse-engineering covenant.
Copyright tools that matter for SaaS providers
1) Fair use and “decompilation for interoperability” (the competitor’s common defense)
Philippine law recognizes fair use and expressly notes that decompilation may qualify as fair use under certain conditions—specifically where the reproduction/translation of code is done to obtain information necessary to achieve interoperability of an independently created program. This appears in the amended fair use provision under Republic Act No. 10372 (2013), which revised the fair use text of the Intellectual Property Code.
For enforcement planning, this means your contracts and compliance design should anticipate an “interoperability” justification and respond to it with (a) controlled APIs, (b) developer terms limiting use of SDKs and documentation, and (c) clear audit and termination provisions when access is abused.
2) Backup copy rights: the “lawful owner” exception and why it matters
The Intellectual Property Code allows a lawful owner of a computer program to reproduce one backup copy or adapt a program without authorization, but only to the extent necessary for use with a computer or for archival/replacement purposes, and the copy must be destroyed when continued possession becomes unlawful. This is set out in Section 189, Republic Act No. 8293 (1997).
For cloud providers, the immediate takeaway is contractual and operational: structure access so customers are licensees with limited rights, not parties who can plausibly claim broad ownership-like entitlements to copy or adapt the program beyond what the law permits.
3) Technological measures and rights management information (RMI): strengthen your enforcement posture
Republic Act No. 10372 (2013) explicitly defines technological measures and rights management information. A technological measure is a technology/device/component that restricts unauthorized acts in respect of a work; RMI identifies the work, author/owner, or usage terms, including codes attached to a copy or appearing with the public communication of the work. These definitions help support a compliance-and-evidence strategy where the platform uses access controls, logging, watermarking, and identifiers tied to license terms.
Contractual safeguards: clauses foreign cloud providers should include (and enforce)
Because SaaS code is not typically delivered in source form to customers, the strongest day-to-day protection is often contractual: you control access, define misuse, and create enforceable remedies. Below are clauses commonly used in Philippine-facing cloud agreements, adapted to the reverse-engineering threat profile.
1) No reverse engineering / no decompilation clause (with interoperability carve-outs handled carefully)
Your agreement should prohibit the customer, its affiliates, and its contractors from:
- reverse engineering, disassembling, or decompiling any portion of the platform;
- attempting to derive source code, algorithms, or architecture;
- using scraping, bots, or systematic extraction to replicate features or logic.
However, because the statute contemplates decompilation potentially as fair use for interoperability, the drafting should address this by requiring customers to use published APIs and to request interoperability information first, rather than self-help decompilation, to reduce disputes under the fair use language in Republic Act No. 10372 (2013).
2) Limited license grant (usage-only), with explicit reservation of rights
Structure the grant as a limited, non-exclusive, non-transferable right to access and use the service for internal business purposes, and reserve all rights not expressly granted. This reduces the risk of the user asserting “ownership-like” copying privileges beyond those narrowly described in Section 189 of Republic Act No. 8293 (1997).
3) Non-competition and non-cloning covenants (carefully scoped)
A “no cloning” clause is often more enforceable than a broad non-compete. Consider prohibiting the creation of any service that is “substantially similar” in UI flows, database schema derived from the platform, or feature sequencing, when similarity results from access to the platform or confidential materials. Keep it tied to misuse of access and confidential information rather than attempting to ban all competition.
4) Confidentiality clause that explicitly includes technical materials and usage analytics
Define confidential information to include: system design documents, onboarding materials, training recordings, non-public API references, integration guides, pricing logic, and security documentation. Add that platform logs, telemetry, and reports are confidential and may be used to investigate misuse.
5) IP ownership clause covering deliverables and customer feedback
Specify ownership of: platform code, updates, documentation, UI assets, training content, and derivative works. Include a feedback clause where suggestions can be used by the provider without transferring ownership of the platform, while still respecting customer confidential data.
6) Audit rights, security cooperation, and evidence preservation
Reverse engineering is usually proven through behavior patterns (unusual API calls, scraping signatures, abnormal traffic, repeated error probes, suspicious account creation). Contractual audit and cooperation clauses allow investigation while preserving admissible evidence. Pair these with: mandatory incident notice by the customer and consent to preserve logs for a defined period.
7) Termination, injunctive relief language, and liquidated damages (as appropriate)
Include termination for cause for reverse engineering or cloning attempts. Consider liquidated damages only if they are defensible as a genuine pre-estimate of loss; otherwise they risk being attacked as a penalty. Also add an express acknowledgement that breach may cause irreparable harm and that the provider may seek injunctive relief—while recognizing courts still evaluate injunction requests on evidence and equitable considerations.
8) Contractor/subprocessor controls
Competitors often obtain access through third-party developers or outsourced IT providers. Require customers to bind contractors to the same restrictions, limit access by role, and remain liable for contractor acts.
Illustrative clause set (summary table)
| Clause | What it prevents | Operational support needed |
|---|---|---|
| No reverse engineering / no decompilation | Code derivation, architecture cloning, systematic probing | API gating, rate limits, anomaly detection |
| Limited license + reservation of rights | Claims of broader copying/adaptation rights | Clear user roles; no code delivery unless controlled |
| Confidentiality (expanded definition) | Use of non-public docs, methods, and training to build competitor product | Document labeling, access controls, DLP measures |
| Audit + evidence preservation | Spoliation; inability to prove misuse | Logging, retention policies, chain-of-custody playbook |
Copyright claim design: what to document so enforcement is realistic
For a copyright-based claim, what typically matters is your ability to show (1) you own or control the protected work and (2) the competitor copied protected expression. Philippine courts treat copyright as a statutory right defined by law, as emphasized in Philippine Home Cable Holdings, Inc. v. Filipino Society of Composers, Authors & Publishers, Inc. (2023). Accordingly, providers should prepare evidence that links the competitor’s output to protected material.
Recommended evidence package (provider-side)
- Versioned source code repositories showing dates, authorship, and commit history.
- Documentation set (user manuals, admin guides, API docs, training decks) with clear authorship and timestamps.
- UI/UX assets (screens, icons, layouts) with design files and export history.
- Access logs and audit trails showing suspicious querying, scraping, or error-based probing.
- Embedded identifiers (RMI-like markers) and access controls aligned with the concepts under Republic Act No. 10372 (2013).
Typical SaaS scenarios and how the legal tools apply
Scenario A: competitor subscribes as a customer, then releases a near-identical UI flow
Start with contract enforcement: breach of no-reverse-engineering, no-scraping, and confidentiality provisions. If UI screens or manuals were copied, consider copyright enforcement based on protectable expression. Preserve logs, screenshots, and a dated comparison of the competing interface.
Scenario B: competitor claims “we only decompiled to integrate”
Assess whether the conduct fits the statutory concept of decompilation for interoperability mentioned in Republic Act No. 10372 (2013). Providers reduce exposure by offering an official integration path (APIs/SDKs) and requiring written requests for interoperability information. If the competitor went beyond interoperability and reproduced protected expression, the fair use posture weakens.
Scenario C: a Philippine integration partner reuses implementation materials to build its own SaaS
Here, confidentiality and IP ownership clauses are central. Enforce contractor controls and restrict reuse of implementation playbooks, scripts, and training content. If partner deliverables include derivative works of provider materials, the contract should clarify ownership and permitted reuse.
Practical advice for foreign providers doing business in the Philippines
- Use layered agreements: Master SaaS Agreement + Data Processing terms + Developer/API terms + Partner/Reseller addendum, each with consistent IP and reverse engineering rules.
- Control access like evidence matters: logging, retention, role-based permissions, and anomaly alerts should be designed to support enforcement, not just security.
- Publish an interoperability route: clear APIs and documentation reduce “we had no choice but to decompile” arguments tied to the fair use language on decompilation for interoperability in Republic Act No. 10372 (2013).
- Keep customer status clear: avoid language implying “ownership” of the program; draft the relationship as a limited license and align it with statutory limits like Section 189 of Republic Act No. 8293 (1997).
Conclusion: combine contract controls, statutory rights, and proof planning
For foreign SaaS providers, the most effective protection against Philippine competitors attempting to clone architecture is a combined approach. Contractually, define and police prohibited conduct (reverse engineering, decompilation outside defined interoperability handling, scraping, and cloning). Statutorily, rely on the Intellectual Property Code and its amendments—particularly fair use and computer-program limitations in Republic Act No. 8293 (1997) and the added digital concepts under Republic Act No. 10372 (2013). Operationally, build logs, access controls, and documentation discipline so that if a dispute arises, you can prove misuse and copying of protected expression in a way consistent with the Supreme Court’s view that copyright’s scope is determined by statute, as reiterated in Philippine Home Cable Holdings, Inc. v. Filipino Society of Composers, Authors & Publishers, Inc. (2023).
About Nicolas and De Vega Law Offices
Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, or +632 84016392. Visit our website https://ndvlaw.com.

