---
title: 'SaaS Agreements: MSA, Terms of Service & Contract Structure Guide (2025)'
description: 'Complete guide to SaaS agreements for startups in 2025. Learn MSA structure, terms of service, service level agreements (SLA), pricing models, data ownership, liability limitations, and GDPR/CCPA compliance (DPA requirements).'
keywords: 'SaaS agreements, master service agreement MSA, terms of service, SLA service level agreement, SaaS contracts, software licensing, data processing agreement DPA, liability limitations, indemnification, GDPR compliance, CCPA DPA, auto-renewal clauses'
taxonomy:
  category: ['Startup Legal Guide', 'Contracts', 'SaaS', 'Legal Agreements']
  tag: ['saas-agreements', 'msa', 'terms-of-service', 'sla', 'software-contracts', 'data-processing-agreement', 'dpa', 'gdpr-compliance', 'liability-limits', 'indemnification']
metadata:
  og:url: 'https://promise.legal/startup-legal-guide/contracts/saas-agreements'
  og:type: 'article'
  og:title: 'SaaS Agreements: MSA, Terms of Service & Contract Structure Guide (2025) | Promise Legal'
  og:description: 'Complete guide to SaaS agreements for startups in 2025. Learn MSA structure, terms of service, SLA, pricing models, data ownership, liability limitations, and GDPR/CCPA DPA requirements.'
  og:image: 'https://promise.legal/user/pages/media/saas-agreements-contracts.jpg'
  og:author: 'Promise Legal'
  twitter:card: 'summary_large_image'
  twitter:site: '@promiselegal'
  twitter:creator: '@promiselegal'
  twitter:title: 'SaaS Agreements: MSA, Terms of Service & Contract Structure Guide (2025)'
  twitter:description: 'Complete guide to SaaS agreements for startups in 2025. Learn MSA structure, terms of service, SLA, pricing models, data ownership, liability limitations, and GDPR/CCPA DPA requirements.'
  twitter:image: 'https://promise.legal/user/pages/media/saas-agreements-contracts.jpg'
sitemap:
  lastmod: '2025-01-15'
  changefreq: monthly
  priority: 0.8
aura:
  pagetype: article
autoseo:
  enabled: true
process:
  markdown: true
  twig: false
---

SaaS Agreements: MSA, Terms of Service & Contract Structure (2025)

If you're building a B2B SaaS startup, your SaaS agreement is the legal foundation of every customer relationship. It defines how customers use your software, who owns the data, what happens when things go wrong, and how much you'll pay if something breaks.

A poorly drafted SaaS agreement can expose you to:

  • Unlimited liability (customer sues for $10M because your software had downtime)
  • IP disputes (customer claims they own features they requested)
  • Data breach liability (GDPR fines because your DPA wasn't compliant)
  • Revenue loss (customers cancel without notice, leaving you with unpaid invoices)

Why SaaS agreements matter:

  • Limit liability: Cap damages to 12 months of fees (instead of unlimited exposure)
  • Protect IP: Ensure you own all platform improvements (even those based on customer feedback)
  • Ensure compliance: Include GDPR/CCPA data processing agreements (DPAs) to avoid fines
  • Prevent disputes: Clear termination, renewal, and refund terms reduce customer conflicts

This guide covers:

  • SaaS agreement structure (MSA, Terms of Service, SLA, SOW, DPA)
  • Key contractual provisions (IP ownership, warranties, indemnification, liability caps)
  • Pricing models and payment terms
  • Termination, renewal, and auto-renewal clauses
  • GDPR/CCPA compliance (data processing agreements)
  • Common mistakes and negotiation tips

Table of Contents

  1. SaaS Agreement Structure: MSA vs ToS
  2. Master Service Agreement (MSA)
  3. Terms of Service (ToS)
  4. Service Level Agreement (SLA)
  5. Statement of Work (SOW)
  6. Data Processing Agreement (DPA)
  7. Key SaaS Contract Provisions
  8. Intellectual Property Ownership
  9. Warranties and Disclaimers
  10. Indemnification Clauses
  11. Liability Limitations and Caps
  12. Pricing Models and Payment Terms
  13. Termination, Renewal, and Auto-Renewal
  14. GDPR/CCPA Compliance (DPA Requirements)
  15. Common SaaS Contract Mistakes
  16. SaaS Agreement Negotiation Tips
  17. SaaS Agreement Resources
  18. FAQ: SaaS Contracts

SaaS Agreement Structure: MSA vs ToS {#saas-agreement-structure}

What is a SaaS Agreement?

A SaaS agreement is a contract between a software provider and a customer that governs access to and use of cloud-based software.

Two main structures:

  1. Master Service Agreement (MSA) – Used for enterprise B2B customers
  2. Terms of Service (ToS) – Used for self-service or SMB customers

MSA vs Terms of Service: Which Should You Use?

| Factor | Master Service Agreement (MSA) | Terms of Service (ToS) |
|---|---|---|
| Customer type | Enterprise B2B (custom contracts) | Self-service, SMB (click-wrap) |
| Negotiation | Fully negotiated (both parties sign) | Non-negotiable (customer accepts) |
| Structure | MSA + SOW + SLA + DPA | Single Terms of Service document |
| Pricing | Custom pricing, volume discounts | Standard pricing tiers |
| Liability caps | Negotiated ($100K-$1M+) | Standard cap (12 months of fees) |
| SLA | Custom uptime commitments (99.9%+) | Standard uptime (or no SLA) |
| DPA | Separate DPA (GDPR/CCPA compliance) | Built into ToS or separate DPA |

Most SaaS startups need both:

  • MSA for enterprise customers ($50K-$1M+ ARR)
  • ToS for self-service customers ($100-$50K ARR)

SaaS Agreement Structure (Enterprise)

For enterprise customers, SaaS agreements typically consist of multiple documents:

  1. Master Service Agreement (MSA): Umbrella contract covering the entire relationship (IP ownership, warranties, liability, confidentiality, dispute resolution)
  2. Statement of Work (SOW): Project-specific details (specific services, deliverables, timeline, payment terms)
  3. Service Level Agreement (SLA): Performance metrics (uptime commitments, response times, service credits)
  4. Data Processing Agreement (DPA): GDPR/CCPA compliance (data processing terms, sub-processors, security measures)
  5. Order Form: Pricing and quantities (number of users, subscription tier, contract term)

Why this structure?

  • MSA establishes overarching terms (remains constant across all projects)
  • SOW allows flexibility for specific projects (easy to add new services without renegotiating MSA)
  • SLA sets performance expectations (separate from legal terms)
  • DPA ensures compliance (required for GDPR/CCPA)

Master Service Agreement (MSA) {#master-service-agreement}

What is an MSA?

A Master Service Agreement (MSA) is a comprehensive contract that outlines the essential terms and conditions for a long-term business relationship between a SaaS provider and an enterprise customer.

Key characteristics:

  • Covers the entire relationship (not project-specific)
  • Remains in effect for multiple projects/orders
  • Typically a multi-year framework (e.g., 3-5 years, with auto-renewal); the order forms and SOWs issued under it carry their own, often shorter, terms
  • Fully negotiated between both parties

Essential MSA Clauses

1. Scope of services

  • Description of SaaS platform and core features
  • What's included in standard subscription vs add-ons
  • Support and maintenance obligations

2. Grant of license

  • Non-exclusive, non-transferable license to access the platform
  • Restrictions on use (no reverse engineering, no reselling)
  • Number of authorized users

3. Intellectual property ownership

  • Provider owns all platform IP
  • Customer owns their data
  • Joint ownership of custom features (if applicable)

4. Warranties

  • Service will function substantially as described
  • Provider has rights to license the software
  • Service will not infringe third-party IP

5. Disclaimers

  • No warranty of uninterrupted or error-free service (availability commitments, if any, live in the SLA and are remedied by service credits)
  • No implied warranty of merchantability or fitness for a particular purpose

6. Indemnification

  • Provider indemnifies customer for IP infringement claims
  • Customer indemnifies provider for misuse of platform

7. Liability limitations

  • Cap on total liability (typically 12 months of fees paid)
  • Exclusion of consequential damages
  • Exceptions (IP infringement, data breaches, gross negligence)

8. Confidentiality

  • Mutual obligations to protect confidential information
  • Exceptions (public domain, legally required disclosure)

9. Term and termination

  • Initial term (1-3 years)
  • Auto-renewal (unless terminated with notice)
  • Termination for cause (material breach, insolvency)

10. Payment terms

  • Invoicing schedule (monthly, annually)
  • Late payment fees
  • Price increases (typically annually with notice)

11. Dispute resolution

  • Governing law (Delaware, California, New York common)
  • Venue (specific jurisdiction)
  • Arbitration vs litigation

Terms of Service (ToS) {#terms-of-service}

What are Terms of Service?

Terms of Service (ToS) are standardized, non-negotiable terms that self-service or SMB customers must accept before using your SaaS platform.

Key characteristics:

  • Not negotiated (customer clicks "I Agree")
  • Applies to all self-service customers
  • Updated unilaterally by provider (with notice)
  • Enforced through click-wrap (customer affirmatively clicks to accept) or browse-wrap agreements; click-wrap is far more reliably enforceable, so require an explicit acceptance step at signup rather than relying on a footer link

Essential Terms of Service Clauses

1. Acceptance of terms

"By creating an account or using the Service, you agree to be bound by these Terms of Service."

2. Description of service

  • Overview of platform features
  • Updates and modifications (provider reserves right to change features)

3. User accounts and responsibilities

  • Account registration requirements
  • Customer responsible for safeguarding account credentials and for all activity under its accounts
  • Prohibited uses (no illegal activity, no spam, no reverse engineering)

4. Subscription and payment

  • Pricing tiers (per user, tiered, usage-based)
  • Billing cycle (monthly, annually)
  • Auto-renewal (unless canceled with notice)
  • Refund policy (no refunds, or pro-rated refunds)

5. Intellectual property

  • Provider owns all platform IP
  • Customer grants provider license to use customer data to provide service
  • Customer owns their data

6. Data security and privacy

  • Provider will implement reasonable security measures
  • Link to Privacy Policy
  • Link to Data Processing Agreement (DPA) for GDPR/CCPA compliance

7. Warranties and disclaimers

  • Service provided "AS IS" without warranties
  • No guarantee of uninterrupted or error-free service
  • No fitness for particular purpose

8. Limitation of liability

  • Total liability capped at 12 months of fees paid
  • No liability for consequential damages (lost profits, data loss)

9. Indemnification

  • Customer indemnifies provider for customer's misuse of platform

10. Termination

  • Provider can terminate for cause (non-payment, violation of ToS)
  • Customer can cancel anytime (subject to auto-renewal terms)
  • Effect of termination (access terminated, data deleted after 30 days)

11. Modification of terms

  • Provider can update ToS with notice (typically 30 days)
  • Continued use after update constitutes acceptance

12. Governing law and dispute resolution

  • Governing law (Delaware, California)
  • Arbitration agreement (binding arbitration, class action waiver)

Service Level Agreement (SLA) {#service-level-agreement}

What is an SLA?

A Service Level Agreement (SLA) defines specific performance metrics and service expectations for your SaaS platform, including uptime commitments, response times, and remedies for failure to meet targets.

SLA vs MSA:

  • MSA = overarching legal terms
  • SLA = technical performance commitments

Key SLA Components

1. Uptime commitment

Standard SLA uptime targets (monthly figures assume an average 30.4-day month):

| Tier | Uptime | Downtime per year | Downtime per month |
|---|---|---|---|
| Basic | 99.0% | 3.65 days | 7.3 hours |
| Standard | 99.5% | 1.83 days | 3.65 hours |
| Premium | 99.9% | 8.77 hours | 43.8 minutes |
| Enterprise | 99.95% | 4.38 hours | 21.9 minutes |
| Mission-critical | 99.99% | 52.6 minutes | 4.38 minutes |

Most B2B SaaS platforms offer 99.5%-99.9% uptime.


2. Exclusions from uptime calculation

Scheduled maintenance:

  • Planned maintenance windows (e.g., Sunday 2-6 AM)
  • Advance notice required (typically 7 days)

Force majeure:

  • Natural disasters, war, terrorism
  • Internet backbone failures outside provider's control

Customer-caused or customer-side downtime:

  • Attacks against the customer's own network or connectivity (e.g., a DDoS aimed at the customer's site); a DDoS against the provider's platform is not customer-caused and should not be excluded, since defending the platform is the provider's job
  • Customer misconfiguration (e.g., of integrations, SSO, or API clients)

3. Support response times

| Priority | Description | Response time | Resolution target |
|---|---|---|---|
| P1 (Critical) | Production system down | 1 hour | 4 hours |
| P2 (High) | Major feature impaired | 4 hours | 24 hours |
| P3 (Medium) | Minor issue, workaround available | 1 business day | 5 business days |
| P4 (Low) | Feature request, documentation | 3 business days | No commitment |

4. Service credits (remedies for SLA violations)

Example service credit schedule (for a 99.9% commitment; tiers are half-open so a month landing exactly on a boundary is unambiguous):

| Monthly uptime | Service credit |
|---|---|
| 99.5% or more, but below 99.9% | 10% of monthly fees |
| 99.0% or more, but below 99.5% | 25% of monthly fees |
| Below 99.0% | 50% of monthly fees |

Service credit limitations:

  • Customer must request credit within 30 days
  • Credit applied to future invoices (not refunds)
  • Service credits are customer's sole remedy for SLA violations

5. Monitoring and reporting

  • Provider will monitor uptime using third-party tools (e.g., Pingdom, Datadog)
  • Monthly SLA reports provided to customer
  • Publicly available status page (e.g., status.yourcompany.com)
  • Specify the measurement method: external synthetic probes vs. the provider's internal metrics, the probe interval, which endpoints and regions count, and whose numbers control in a dispute. Most SLA arguments are about how downtime was measured, not about the target.
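As an added example (not from the original guide or from any particular vendor's SLA), the following Python applies the exclusions and credit schedule above to a constructed month of incident data: maintenance minutes are removed from the measured period, outage minutes that overlap a maintenance window are not counted as downtime, and the resulting uptime is mapped to a credit tier. The Sunday 02:00-06:00 window, the September 2025 incidents, and the $100/month fee are constructed sample inputs, not figures from the page.

```python
"""SLA uptime and service-credit calculator.

Added example; not code from the original guide. Assumptions (hypothetical):
  * Downtime is measured in whole minutes from timestamped incident windows,
    and incident windows do not overlap one another.
  * Scheduled maintenance windows (Sunday 02:00-06:00, as in the exclusions
    clause) are removed from both the measured period and any overlapping
    outage time, and do not overlap one another.
  * The credit schedule is the example table for a 99.9% commitment:
    below 99.9% -> 10%, below 99.5% -> 25%, below 99.0% -> 50% of the
    monthly fee, with half-open tiers so boundary months are unambiguous.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Window:
    """Half-open interval [start, end) at minute resolution."""
    start: datetime
    end: datetime

    def __post_init__(self) -> None:
        if self.end <= self.start:
            raise ValueError("window must end after it starts")

    def minutes(self) -> int:
        return int((self.end - self.start).total_seconds() // 60)

    def overlap_minutes(self, other: "Window") -> int:
        start, end = max(self.start, other.start), min(self.end, other.end)
        return max(0, int((end - start).total_seconds() // 60))


def clip(w: Window, period: Window) -> Optional[Window]:
    """Return the part of w inside period, or None if they do not overlap."""
    start, end = max(w.start, period.start), min(w.end, period.end)
    return Window(start, end) if end > start else None


def sunday_maintenance(period: Window, start_hour: int = 2, hours: int = 4) -> List[Window]:
    """Weekly 'Sunday 02:00-06:00' maintenance windows that fall inside period."""
    windows: List[Window] = []
    day = period.start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < period.end:
        if day.weekday() == 6:  # Monday == 0, so Sunday == 6
            w = Window(day + timedelta(hours=start_hour),
                       day + timedelta(hours=start_hour + hours))
            clipped = clip(w, period)
            if clipped is not None:
                windows.append(clipped)
        day += timedelta(days=1)
    return windows


def monthly_uptime_pct(period: Window, outages: List[Window], maintenance: List[Window]) -> float:
    """Uptime percentage over period, excluding scheduled maintenance.

    Maintenance minutes come out of the denominator, and outage minutes that
    fall inside a maintenance window are not counted as downtime.
    """
    maint_in_period = [m for m in (clip(w, period) for w in maintenance) if m is not None]
    measured_minutes = period.minutes() - sum(m.minutes() for m in maint_in_period)
    downtime = 0
    for outage in outages:
        o = clip(outage, period)
        if o is None:
            continue
        excluded = sum(o.overlap_minutes(m) for m in maint_in_period)
        downtime += o.minutes() - excluded
    return 100.0 * (1.0 - downtime / measured_minutes)


# (minimum uptime %, credit % of monthly fee); checked top-down, first match wins
CREDIT_SCHEDULE: List[Tuple[float, int]] = [(99.9, 0), (99.5, 10), (99.0, 25)]
CREDIT_BELOW_SCHEDULE = 50  # anything under 99.0%


def service_credit_pct(uptime_pct: float) -> int:
    for floor, credit in CREDIT_SCHEDULE:
        if uptime_pct >= floor:
            return credit
    return CREDIT_BELOW_SCHEDULE


def service_credit(monthly_fee: float, uptime_pct: float) -> float:
    return round(monthly_fee * service_credit_pct(uptime_pct) / 100.0, 2)


# Constructed sample month: September 2025 (Sundays fall on the 7th, 14th, 21st, 28th).
SEPT_2025 = Window(datetime(2025, 9, 1), datetime(2025, 10, 1))
SAMPLE_OUTAGES = [
    # 4-hour production outage on a weekday: fully counted
    Window(datetime(2025, 9, 10, 9, 0), datetime(2025, 9, 10, 13, 0)),
    # 1-hour incident straddling the end of Sunday maintenance: only the
    # 30 minutes after 06:00 count as downtime
    Window(datetime(2025, 9, 14, 5, 30), datetime(2025, 9, 14, 6, 30)),
]


def sample_report(monthly_fee: float = 100.0) -> Dict[str, float]:
    """Uptime and credit for the constructed September 2025 sample."""
    maintenance = sunday_maintenance(SEPT_2025)
    uptime = monthly_uptime_pct(SEPT_2025, SAMPLE_OUTAGES, maintenance)
    return {
        "uptime_pct": round(uptime, 3),
        "credit_pct": service_credit_pct(uptime),
        "credit_usd": service_credit(monthly_fee, uptime),
    }


if __name__ == "__main__":
    print(sample_report())
```

Two things worth noticing in the sample: the 4-hour weekday outage alone drops a 30-day month to about 99.43%, which under this schedule is already the 25% tier rather than the 10% tier, and the second incident shows why the overlap rule matters, since half of it disappears into the maintenance exclusion. Whichever party runs the calculation, the inputs (incident timestamps and the maintenance calendar) are what the reporting clause above needs to make auditable.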

Statement of Work (SOW) {#statement-of-work}

What is an SOW?

A Statement of Work (SOW) is a project-specific contract that outlines the specific services to be performed, deliverables, timeline, and payment terms.

When to use an SOW:

  • Custom development or integrations
  • Professional services (implementation, training, consulting)
  • One-time projects (data migration, custom reports)

SOW vs MSA:

  • MSA covers the overall relationship
  • SOW covers a specific project

Essential SOW Components

1. Project description

  • High-level overview of project goals
  • What problem will be solved

2. Scope of work

  • Detailed list of tasks to be performed
  • What's included vs what's excluded

3. Deliverables

  • Specific outputs (custom integration, training sessions, migration complete)
  • Acceptance criteria (how customer will verify deliverable is complete)

4. Timeline and milestones

  • Start date
  • Key milestones (e.g., Phase 1 complete by March 31)
  • Final delivery date

5. Payment terms

  • Total project fee
  • Milestone-based payments (50% upfront, 50% on completion)
  • Expenses (travel, third-party costs)

6. Change orders

  • Process for handling scope changes
  • Additional fees for out-of-scope work

7. Acceptance process

  • Customer has 10 business days to review and accept deliverables
  • If no objection raised, deliverable deemed accepted

8. Responsibilities

  • What provider will do
  • What customer must provide (access to systems, timely feedback)

Data Processing Agreement (DPA) {#data-processing-agreement}

What is a DPA?

A Data Processing Agreement (DPA) is a legally binding contract required by GDPR and CCPA that governs how a SaaS provider (data processor) processes personal data on behalf of a customer (data controller).

Why DPAs are mandatory:

  • GDPR Article 28: Data controllers must have a written contract with processors
  • CCPA/CPRA: Businesses must have contracts with "service providers" limiting use of personal data
  • Business requirement: Enterprise customers will not sign without a compliant DPA

In practice, without a DPA you cannot sell to enterprise customers in the EU or California: a GDPR controller may not lawfully engage a processor without an Article 28 contract, and CCPA-regulated businesses need the equivalent service-provider terms.


Legal Requirements for DPAs

GDPR Article 28 requirements:

A DPA must specify:

  1. Subject matter and duration of processing
  2. Nature and purpose of processing
  3. Type of personal data being processed
  4. Categories of data subjects (customers, employees, etc.)
  5. Obligations and rights of data controller
  6. Processor's obligations:
    • Process data only on documented instructions
    • Ensure confidentiality of personnel
    • Implement appropriate security measures
    • Assist with data subject requests (access, deletion, portability)
    • Delete or return data at end of contract
    • Make available all information necessary to demonstrate compliance

Essential DPA Clauses

1. Definitions

  • Data controller: Customer (determines purposes and means of processing)
  • Data processor: SaaS provider (processes data on behalf of customer)
  • Personal data: Any information relating to an identified or identifiable individual
  • Processing: Any operation performed on personal data

2. Scope and purpose of processing

  • Provider will process personal data only as necessary to provide the Service
  • Provider will not process personal data for its own purposes (e.g., marketing)

3. Data subject categories and types of personal data

Example:

  • Data subjects: Customer's end users, employees, contacts
  • Personal data: Name, email, phone number, IP address, usage data, payment information

4. Instructions

  • Provider will process personal data only on documented instructions from customer
  • Customer's use of the Service constitutes instructions
  • Provider will notify customer if instructions violate GDPR

5. Confidentiality

  • Provider personnel must maintain confidentiality
  • Non-disclosure agreements required for all personnel with access

6. Security measures

Example security measures:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Access controls (role-based access, multi-factor authentication, least-privilege access to production and customer data)
  • Regular security testing (penetration testing, vulnerability scanning)
  • Incident response plan (tested, with defined roles and the customer notification steps below)
  • SOC 2 Type II report or ISO 27001 certification (SOC 2 is an auditor's attestation report, not a certification; customers will ask for the report itself, not just the badge)

7. Sub-processors

  • Provider may engage sub-processors (e.g., AWS, Google Cloud, Stripe)
  • Provider will maintain list of sub-processors and notify customer of changes
  • Customer can object to new sub-processors

Example sub-processor list:

  • AWS (hosting)
  • Stripe (payment processing)
  • SendGrid (email delivery)
  • Intercom (customer support)

8. Data subject rights

  • Provider will assist customer in responding to data subject requests:
    • Right to access
    • Right to rectification
    • Right to erasure ("right to be forgotten")
    • Right to data portability
    • Right to object
  • Provider will respond to requests within 10 business days

9. Data breach notification

  • Provider will notify customer of a personal data breach without undue delay after becoming aware of it; the DPA should set a concrete deadline (commonly 24-48 hours)
  • Why shorter than 72 hours: GDPR's 72-hour clock (Article 33) runs for the customer, as controller, to notify the supervisory authority. A processor that only promises "72 hours" leaves the controller no time to meet its own deadline, so a "72 hours from awareness" clause is a common drafting mistake
  • Notification must include (and may be provided in phases as facts emerge):
    • Nature of breach
    • Categories and approximate number of affected data subjects
    • Likely consequences
    • Measures taken to address breach

10. Data deletion or return

  • Upon termination, provider will delete or return all personal data within 30 days
  • Customer can request return of data before deletion
  • Provider may retain copies required by law

11. Audits and inspections

  • Customer may audit provider's compliance (once per year)
  • Provider will provide audit reports (SOC 2, ISO 27001)
  • Customer must give 30 days' notice before on-site audit

12. International data transfers

  • If provider transfers personal data outside the EEA, provider will use the EU Commission's Standard Contractual Clauses (the 2021 modules) and document a transfer impact assessment of the destination country's laws; if the transfer instead relies on the EU-US Data Privacy Framework, the DPA should say so
  • Provider will notify customer of any government data access requests

CCPA/CPRA DPA Requirements

California Privacy Rights Act (CPRA) requirements:

In addition to GDPR requirements, CPRA requires:

  1. Purpose limitation: Service provider may only use personal information for "business purpose" specified in contract
  2. No sale or sharing: Service provider may not sell or share personal information
  3. No combining data: Service provider may not combine personal information with data from other sources
  4. Retention and deletion: Service provider must delete or return personal information at customer's request
  5. Sub-service providers: Service provider must have written contracts with sub-service providers

Most SaaS DPAs combine GDPR and CCPA/CPRA requirements.


Key SaaS Contract Provisions {#key-contract-provisions}

1. Grant of License

What it means: Customer receives a limited, non-exclusive, non-transferable license to access and use the SaaS platform.

Example:

"Subject to the terms of this Agreement, Provider grants Customer a non-exclusive, non-transferable, revocable license to access and use the Service during the Subscription Term for Customer's internal business purposes only."

Key terms:

  • Non-exclusive: Provider can license to other customers
  • Non-transferable: Customer cannot resell or sublicense
  • Revocable: License terminates when subscription ends

Restrictions:

  • No reverse engineering, decompiling, or disassembling
  • No use for competitive purposes
  • No exceeding authorized number of users

2. Acceptable Use Policy (AUP)

What it means: Rules for how customers can (and cannot) use the platform.

Common prohibited uses:

  • Illegal activity (fraud, hacking, piracy)
  • Spam or unsolicited marketing
  • Uploading malware or viruses
  • Excessive use that degrades service for other customers
  • Violating third-party rights (copyright, trademark)
  • Circumventing usage limits or security measures

Enforcement:

  • Provider can suspend account immediately for AUP violations
  • Provider can terminate for repeated violations

3. Customer Data Ownership

What it means: Customer retains ownership of all data they upload to or create using the platform.

Example:

"Customer retains all right, title, and interest in and to Customer Data. Customer grants Provider a limited license to use Customer Data solely to provide the Service and comply with applicable law."

Provider's license to customer data:

  • Provider can use customer data to provide service (host, back up, analyze performance)
  • Provider cannot use customer data for its own purposes (marketing, training AI models on customer data without consent)

Exception – Aggregated data:

  • Many SaaS agreements allow provider to use anonymized, aggregated data for analytics, benchmarking, and product improvement
  • Aggregated data must not identify customer or reveal confidential information

Intellectual Property Ownership {#intellectual-property}

Who Owns What in a SaaS Relationship?

| Asset | Typical owner | Notes |
|---|---|---|
| SaaS platform | Provider | Provider owns all core software, features, and infrastructure |
| Custom features | Provider (or joint) | Even if customer requests feature, provider typically owns it |
| Customer data | Customer | Customer retains ownership of all data uploaded to platform |
| Feedback and suggestions | Provider | Customer suggestions become provider's IP (no compensation) |
| Integration code | Depends | Custom integrations built by provider → provider owns; customer builds → customer owns |
| Documentation | Provider | User guides, API docs, training materials → provider owns |

Provider IP Ownership

Standard IP clause:

"Provider retains all right, title, and interest in and to the Service, including all software, documentation, know-how, methodologies, processes, and any enhancements, modifications, or derivative works thereof, whether created by Provider or based on Customer feedback."

Why this matters:

  • Product evolution: If customer requests a feature, you want to offer it to other customers too
  • Competitive advantage: You don't want customers to claim ownership of your product roadmap
  • Financing: Investors expect you to own 100% of your platform IP

Joint Ownership Considerations

When joint ownership makes sense:

  • Customer pays significant development fees for custom features
  • Feature is highly specific to customer's business (unlikely to be useful to others)
  • Customer has strong negotiating leverage (large enterprise)

Risks of joint ownership:

  • Licensing complexity: You need customer's permission to license feature to others
  • Conflicting interests: Customer may want to keep feature exclusive
  • Valuation impact: Shared IP reduces your company valuation

Alternative to joint ownership:

  • Grant customer exclusive use for specified period (e.g., 12 months), then provider can offer to other customers
  • Customer pays higher fees for exclusivity period

Feedback and Suggestions

Standard feedback clause:

"Customer may provide suggestions, feedback, or requests for enhancements to the Service. All such feedback will become the sole property of Provider, and Provider may use such feedback without compensation to Customer."

Why providers need this:

  • Customer suggestions often drive product roadmap
  • Without ownership, customer could claim rights to features they suggested
  • Simplifies product development (no tracking who suggested what)

Warranties and Disclaimers {#warranties-disclaimers}

Standard SaaS Warranties

1. Functionality warranty

"Provider warrants that the Service will perform substantially in accordance with the Documentation for the Subscription Term."

"Substantially in accordance" = minor bugs don't breach warranty, but major feature failures do.


2. Authority warranty

"Each party warrants that it has full authority to enter into this Agreement and perform its obligations hereunder."


3. No infringement warranty

"Provider warrants that the Service will not infringe any third-party intellectual property rights."

This is critical: If your platform infringes someone's patent or copyright, customer can sue you for breach of warranty.


Warranty Disclaimers

Purpose: Limit provider's liability by disclaiming implied warranties.

Standard disclaimer:

"EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICE IS PROVIDED 'AS IS' WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. PROVIDER DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE FROM VIRUSES OR OTHER HARMFUL COMPONENTS."

What this means:

  • No fitness for particular purpose: Provider doesn't guarantee platform works for customer's specific use case
  • No uninterrupted service: Downtime doesn't breach warranty (unless SLA is violated)
  • No error-free service: Bugs don't breach warranty (unless they prevent "substantial" functionality)

Why disclaimers are necessary:

  • Without disclaimers, the implied warranties of merchantability and fitness for a particular purpose (UCC § 2-314 and § 2-315, written for sales of goods but often applied to software by courts) may attach by default
  • Disclaimers must be conspicuous (all caps, bold) to be enforceable

Indemnification Clauses {#indemnification}

What is Indemnification?

Indemnification = One party agrees to defend, indemnify, and hold harmless the other party against third-party claims arising from specified circumstances.

Example:

"Provider will indemnify, defend, and hold harmless Customer from and against any third-party claims alleging that the Service infringes any patent, copyright, trademark, or trade secret, provided that Customer gives Provider prompt notice of the claim and sole control over the defense and settlement."


Provider Indemnification (IP Infringement)

Standard provider indemnification:

Provider indemnifies customer for:

  • IP infringement claims: Service infringes third-party patents, copyrights, trademarks
  • Coverage: Legal fees, settlements, judgments
  • Cap: Typically uncapped (or capped at 12-24 months of fees)

Exclusions (provider not liable if claim arises from):

  • Customer's misuse of Service
  • Customer's modification of Service
  • Use in combination with non-approved third-party products
  • Continued use after provider notified customer of infringement

Provider's remedy options:

  1. Obtain license from third party to continue providing service
  2. Modify service to make non-infringing
  3. Replace service with non-infringing alternative
  4. Terminate service and refund prepaid fees

Customer Indemnification (Misuse of Platform)

Standard customer indemnification:

Customer indemnifies provider for:

  • Misuse of platform: Customer uses platform for illegal purposes, violates AUP, infringes third-party rights
  • Customer data: Claims arising from customer's data (defamation, IP infringement)
  • Unauthorized access: Customer fails to safeguard its credentials, allowing unauthorized users into its accounts

Example:

"Customer will indemnify, defend, and hold harmless Provider from and against any third-party claims arising from (a) Customer's use of the Service in violation of this Agreement or applicable law, (b) Customer Data, or (c) Customer's breach of any representation or warranty."


Mutual Indemnification

What it means: Each party indemnifies the other for its own actions.

Example:

  • Provider indemnifies for IP infringement by the Service
  • Customer indemnifies for misuse of Service or claims arising from Customer Data

Procedural requirements for indemnification:

  1. Prompt notice: Indemnified party must notify indemnifying party of claim within 10-30 days
  2. Control of defense: Indemnifying party has sole control over defense and settlement
  3. Cooperation: Indemnified party must reasonably cooperate with defense
  4. No settlement without consent: Indemnifying party cannot settle without indemnified party's consent if settlement imposes obligations on indemnified party

Liability Limitations and Caps {#liability-limitations}

Why Liability Caps Matter

Without liability caps:

  • Customer's $100/month subscription could expose you to $10M+ liability if platform failure causes them business losses
  • Unlimited exposure makes SaaS business economically unviable

With liability caps:

  • Total liability capped at 12 months of fees ($1,200 for $100/month customer)
  • Predictable risk exposure
  • Insurance coverage becomes affordable

Standard Liability Cap

Typical liability cap clause:

"IN NO EVENT WILL PROVIDER'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER TO PROVIDER IN THE 12 MONTHS PRECEDING THE CLAIM."

Variations:

  • 6 months of fees: More customer-friendly (lower cap)
  • 12 months of fees: Industry standard
  • 24 months of fees: More provider-friendly (higher cap), common for enterprise
  • Flat dollar amount: $100,000, $500,000, $1M (common for large enterprise deals)

Exclusion of Consequential Damages

Standard exclusion clause:

"IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITIES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

What this means:

  • Direct damages: Covered (actual monetary losses directly caused by breach)
  • Consequential damages: Excluded (lost profits, lost revenue, reputational harm)

Example:

  • Your platform has downtime for 4 hours in a month
  • Customer loses $50,000 in sales during downtime
  • Without consequential damages exclusion: customer can claim the $50,000 in lost sales
  • With consequential damages exclusion: you owe service credits per the SLA schedule (4 hours of downtime in a 30-day month is roughly 99.4% uptime, which under the example schedule earlier in this guide earns a 25% credit: $25 on a $100/month subscription)

Exceptions to Liability Caps

Liabilities typically not capped:

  1. IP infringement indemnification: Uncapped (or capped at 12-24 months of fees)
  2. Data breaches: Uncapped for breaches caused by provider's gross negligence or willful misconduct
  3. Confidentiality breaches: Uncapped for disclosure of confidential information
  4. Gross negligence or willful misconduct: Uncapped
  5. Payment obligations: Customer must pay all fees (no cap)

Example exception clause:

"The limitations in this Section do not apply to (a) either party's indemnification obligations, (b) Customer's payment obligations, or (c) breaches of confidentiality obligations."


Negotiating Liability Caps (Enterprise Customers)

Customer perspective:

  • Wants higher caps (24 months of fees, or flat $1M-$5M)
  • Wants fewer exclusions (cover some consequential damages)
  • Wants uncapped liability for data breaches

Provider perspective:

  • Wants lower caps (6-12 months of fees)
  • Wants broad exclusion of consequential damages
  • Wants cap to apply to data breaches (except gross negligence)

Compromise positions:

  • Cap at 12 months of fees for most claims, uncapped for IP infringement and gross negligence
  • Exclude consequential damages except for data breaches caused by provider's breach of security obligations
  • Higher caps for larger enterprise customers (tiered: $100K for customers paying <$50K/year, $500K for customers paying $50K-$250K/year, $1M for customers paying $250K+/year)

Pricing Models and Payment Terms {#pricing-payment}

Common SaaS Pricing Models (2025)

1. Per-User (Per-Seat) Pricing

How it works: Price per user per month (e.g., $50/user/month)

Pros:

  • Predictable revenue (scales with customer growth)
  • Easy for customers to understand
  • Aligns with value (more users = more value)

Cons:

  • Encourages seat-sharing (customers limit users to reduce costs)
  • Can penalize customer growth (adds friction to expansion)

Examples: Slack ($7.25-$12.50/user/month), Zoom ($10-$20/user/month)


2. Tiered Pricing

How it works: Multiple packages with different features and prices

Example tiers:

  • Free: $0, limited features, 5 users
  • Starter: $29/month, basic features, 10 users
  • Professional: $99/month, advanced features, 25 users
  • Enterprise: Custom pricing, all features, unlimited users

Pros:

  • Appeals to different customer segments (SMB vs enterprise)
  • Clear upgrade path (easy to upsell)
  • Most popular model (companies offer 3.5 tiers on average)

Cons:

  • Requires thoughtful feature differentiation
  • Customers may feel "nickeled and dimed" if too many tiers

Examples: HubSpot ($20-$3,200/month), Mailchimp (Free-$350/month)


3. Usage-Based Pricing

How it works: Pay for what you use (e.g., per API call, per GB stored, per email sent)

Pros:

  • Aligns perfectly with value delivered
  • Low barrier to entry (start small, grow as usage grows)
  • Fast-growing model (2025 trend)

Cons:

  • Unpredictable revenue for provider
  • Unpredictable costs for customer
  • Requires metering and billing infrastructure

Examples: AWS ($0.09/GB data transfer), Twilio ($0.0075/SMS), SendGrid ($0.0001/email)


4. Flat-Rate Pricing

How it works: Single price for unlimited access (e.g., $99/month for entire team)

Pros:

  • Simplest pricing (no seat counting, no usage tracking)
  • Encourages adoption (no penalty for adding users)
  • Predictable revenue

Cons:

  • Doesn't scale with customer value (whale customers pay same as small customers)
  • Leaves money on table (enterprise customers willing to pay more)

Examples: Basecamp ($299/month unlimited users), Miro ($16/month for unlimited boards with 3 editable boards)


5. Hybrid Pricing (Combination)

How it works: Combine multiple models (e.g., per-user + usage overage, or tiered + add-ons)

Example:

  • Base: $50/user/month (includes 10GB storage per user)
  • Usage overage: $5/GB over limit
  • Add-ons: Advanced analytics ($500/month), API access ($1,000/month)

Pros:

  • Captures more value from high-usage customers
  • Flexibility (customers can start small and add features as needed)

Cons:

  • Complex pricing (can confuse customers)
  • Billing complexity

Payment Terms

1. Billing frequency

  • Monthly: Most common for SMB ($10-$500/month)
  • Annual: Common for enterprise ($10K-$1M+/year), often with discount (10-20% off monthly price)
  • Usage-based: Billed monthly in arrears based on usage

2. Payment methods

  • Credit card (for self-service, SMB)
  • ACH/wire transfer (for enterprise)
  • Invoice + net 30/60 terms (for large enterprise)

3. Late payment

  • Late fees (1.5% per month, or $50 minimum)
  • Service suspension after 10 days past due
  • Termination after 30 days past due

4. Price increases

  • Annual price increases (tied to CPI, typically 3-5%)
  • Notice required (30-90 days)
  • Customer can terminate if they object to increase

5. Taxes

  • Customer responsible for all taxes (sales tax, VAT, GST)
  • Provider collects and remits sales tax where required

Termination, Renewal, and Auto-Renewal {#termination-renewal}

Termination for Convenience

What it means: Customer can cancel anytime (subject to notice requirements).

Standard terms:

  • Notice period: 30-90 days before end of current term
  • Effective date: End of current billing period
  • Refunds: No refund of prepaid fees (or pro-rated refund for annual subscriptions)

Example:

"Customer may terminate this Agreement for convenience by providing Provider with 60 days' written notice prior to the end of the current Subscription Term. No refunds will be provided for fees paid in advance."


Termination for Cause

What it means: Either party can terminate immediately for material breach.

Common grounds for termination for cause:

  • Non-payment (customer fails to pay within 30 days)
  • Material breach (provider fails to provide service, customer violates AUP)
  • Insolvency (bankruptcy, receivership, liquidation)

Cure period:

  • Breaching party has 30 days to cure breach after written notice
  • If not cured, non-breaching party can terminate immediately

Example:

"Either party may terminate this Agreement immediately upon written notice if the other party materially breaches this Agreement and fails to cure such breach within 30 days of receiving written notice."


Auto-Renewal Clauses

What is auto-renewal? Subscription automatically renews at end of term unless customer cancels.

Standard auto-renewal terms:

  • Initial term: 1 year
  • Renewal term: 1 year (automatically renews each year)
  • Notice to cancel: 30-90 days before renewal date

Example:

"This Agreement will automatically renew for successive one-year terms unless either party provides written notice of non-renewal at least 60 days prior to the end of the then-current term."


Legal Considerations for Auto-Renewal (2025)

State auto-renewal laws:

  • ~25 states have auto-renewal laws (including California, New York, Illinois, and Virginia)
  • Requirements vary by state (typically apply to consumer contracts, not B2B)

California Automatic Renewal Law (ARL):

  • Clear disclosure of auto-renewal terms before purchase
  • Customer must affirmatively consent
  • Provider must send reminder before renewal (30-60 days)
  • Easy cancellation mechanism

Federal Trade Commission (FTC):

  • Addressing unfair auto-renewal practices (primarily consumer-focused)

Best practice for B2B SaaS:

  • Include auto-renewal terms in bold or otherwise conspicuous text in the contract
  • Send renewal reminder 30-60 days before renewal
  • Provide easy cancellation mechanism (email, online portal)

Effect of Termination

Standard termination provisions:

1. Access termination

  • Provider will terminate customer's access immediately upon termination

2. Data deletion

  • Customer has 30 days to export data
  • Provider will delete all customer data after 30 days (unless legally required to retain)

3. Surviving provisions

  • Provisions that survive termination:
    • Payment obligations (customer must pay all fees owed)
    • Confidentiality (remains in effect for 3-5 years)
    • Indemnification (survives indefinitely for claims arising during term)
    • Limitation of liability (survives indefinitely)
    • IP ownership (provider retains IP rights)

Example:

"Upon termination, Provider will immediately terminate Customer's access to the Service. Customer will have 30 days to export Customer Data, after which Provider may delete all Customer Data. Sections 5 (IP Ownership), 8 (Confidentiality), 10 (Indemnification), 11 (Liability Limitations), and 13 (General Provisions) will survive termination."


GDPR/CCPA Compliance (DPA Requirements) {#gdpr-ccpa-compliance}

When Do You Need a DPA?

You need a Data Processing Agreement (DPA) if:

  1. You provide a SaaS platform to customers in the EU or California
  2. Your platform processes personal data (names, emails, IP addresses, etc.)
  3. Your customer is the data controller (determines purposes/means of processing)
  4. You are the data processor (process data on customer's behalf)

If you don't have a DPA:

  • EU/California enterprise customers will not sign your contract
  • You violate GDPR Article 28 (fines up to €20M or 4% of revenue)
  • You violate CCPA (fines up to $7,988 per intentional violation)

GDPR Compliance Checklist for SaaS Providers

1. Designate Data Protection Officer (DPO)

  • Required if you process large amounts of personal data
  • DPO oversees GDPR compliance

2. Maintain list of sub-processors

  • AWS, Google Cloud, payment processors, email services
  • Notify customers of changes

3. Implement appropriate security measures

  • Encryption at rest and in transit (AES-256, TLS 1.2+)
  • Access controls (RBAC, MFA)
  • Regular security audits (penetration testing, vulnerability scans)
  • SOC 2 Type II or ISO 27001 certification

4. Establish data breach notification process

  • Notify customers within 72 hours of breach
  • Prepare incident response plan

5. Support data subject rights

  • Provide tools for customers to respond to data subject requests (access, deletion, portability)
  • Respond to requests within 30 days

6. Use Standard Contractual Clauses (SCCs) for international transfers

  • If you transfer personal data outside the EEA (e.g., to US-based servers), you must use SCCs

7. Conduct Data Protection Impact Assessments (DPIAs)

  • Required for high-risk processing activities

8. Document processing activities

  • Maintain records of all processing activities (required for GDPR Article 30 compliance)

CCPA/CPRA Compliance Checklist for SaaS Providers

1. Include purpose limitation in contracts

  • Service provider may only use personal information for the business purpose specified in the contract

2. Prohibit sale or sharing of personal information

  • Include contractual prohibition on selling or sharing data

3. Delete or return data at customer's request

  • Provide mechanism for customers to request data deletion

4. Conduct risk assessments for sensitive personal information

  • CPRA requires risk assessments for processing sensitive PI (racial origin, health data, precise geolocation)

5. Conduct cybersecurity audits

  • Required for businesses processing significant amounts of personal information

6. Provide notice of sub-service providers

  • Notify customers of all sub-service providers

Common SaaS Contract Mistakes {#common-mistakes}

Mistake #1: No Liability Cap

The problem: Your ToS says service is provided "AS IS" but doesn't cap total liability.

Why it's bad:

  • Customer's $50/month subscription exposes you to $10M+ liability if platform failure causes them business losses
  • Unlimited liability makes business uninsurable

The fix:

  • Add liability cap: "Provider's total liability will not exceed 12 months of fees paid by Customer"
  • Add consequential damages exclusion: "Provider will not be liable for lost profits, revenue, or business opportunities"

Mistake #2: No Data Processing Agreement (DPA)

The problem: You provide B2B SaaS to EU/California customers but don't have a DPA.

Why it's bad:

  • Violates GDPR Article 28 (fines up to €20M or 4% of revenue)
  • Violates CCPA (fines up to $7,988 per intentional violation)
  • Enterprise customers will not sign without DPA

The fix:

  • Create GDPR/CCPA-compliant DPA (include in MSA or provide as separate document)
  • Include Standard Contractual Clauses (SCCs) for international data transfers

Mistake #3: Unclear IP Ownership

The problem: Customer requests custom feature. You build it. Contract doesn't specify who owns the IP.

Why it's bad:

  • Customer may claim they own feature (because they requested it and paid for it)
  • You can't offer feature to other customers without customer's permission
  • Reduces company valuation (investors expect you to own 100% of platform IP)

The fix:

  • Add IP ownership clause: "Provider retains all right, title, and interest in the Service, including any enhancements or modifications, whether created by Provider or based on Customer feedback"
  • For custom development, specify upfront who owns the IP (provider, customer, or joint)

Mistake #4: No Auto-Renewal Notice Requirement

The problem: Your contract auto-renews without notice to customer.

Why it's bad:

  • Violates California Automatic Renewal Law (and similar laws in 25+ states)
  • Customers feel "tricked" into renewals (damages reputation)
  • Leads to disputes and chargebacks

The fix:

  • Send renewal reminder 30-60 days before renewal date
  • Include auto-renewal terms in bold text in contract
  • Provide easy cancellation mechanism

Mistake #5: No SLA (for Enterprise Customers)

The problem: Enterprise customer pays $100K/year but your ToS says service is provided "AS IS" with no uptime guarantee.

Why it's bad:

  • Customer has no recourse if platform is down for days
  • Customer will demand SLA during contract negotiation (delays sales cycle)
  • Damages customer relationships (no trust)

The fix:

  • Create standard SLA for enterprise customers (99.5%-99.9% uptime)
  • Include service credits for SLA violations (10%-50% of monthly fees)
  • Make SLA violations customer's sole remedy (to avoid unlimited liability)

Mistake #6: Customer Can Terminate Anytime Without Notice

The problem: Your ToS allows customer to cancel anytime without notice.

Why it's bad:

  • Unpredictable revenue (customers can churn without warning)
  • No time to retain customers (can't offer discounts or solutions before they leave)

The fix:

  • Require 30-60 days' notice before cancellation
  • No refunds for prepaid fees (customer pays for full billing period)
  • For annual contracts, require notice 60-90 days before renewal date

Mistake #7: No Indemnification for Customer Misuse

The problem: Customer uses your platform to send spam. Recipient sues you.

Why it's bad:

  • You're liable for customer's actions
  • Legal fees add up quickly ($50K-$500K+)

The fix:

  • Add customer indemnification clause: "Customer will indemnify Provider for any third-party claims arising from Customer's use of the Service in violation of this Agreement or applicable law"

SaaS Agreement Negotiation Tips {#negotiation-tips}

For SaaS Providers (Selling to Enterprise Customers)

1. Start with your standard MSA

  • Don't negotiate from customer's paper (their terms heavily favor them)
  • Position your MSA as "market standard" with "balanced terms"

2. Know your non-negotiables

  • Liability cap (12 months of fees minimum)
  • Consequential damages exclusion
  • IP ownership (provider retains all platform IP)
  • No unlimited indemnification

3. Offer tiered concessions based on contract value

  • <$50K/year: No negotiation (standard ToS)
  • $50K-$250K/year: Limited negotiation (higher liability cap, custom SLA)
  • $250K+/year: Full negotiation (custom terms, unlimited liability for certain claims)

4. Trade concessions strategically

  • Customer wants higher liability cap? Ask for longer contract term or higher price
  • Customer wants custom SLA? Charge premium ($10K-$50K additional annual fee)

5. Involve legal early

  • Don't negotiate contracts yourself (unless you're a lawyer)
  • Legal review costs $2K-$10K but prevents $100K+ mistakes

For SaaS Customers (Buying from Vendors)

1. Request vendor's standard MSA early

  • Don't wait until end of sales cycle (delays deal)
  • Review terms before final negotiations

2. Focus negotiations on high-impact terms

  • Liability cap: Push for 12-24 months of fees (or flat $1M-$5M)
  • SLA: Negotiate uptime commitment (99.5%-99.9%) and service credits
  • Data ownership: Ensure you retain ownership of your data
  • Termination: Get right to terminate for convenience with 60-90 days' notice

3. Require DPA and SOC 2 / ISO 27001

  • Vendor must provide GDPR/CCPA-compliant DPA
  • Request SOC 2 Type II or ISO 27001 audit report (annual)

4. Negotiate price and contract term together

  • Vendors offer 10-20% discount for annual prepayment
  • Longer contracts (3 years) may get additional discounts (5-10%)

5. Use legal templates as starting point

  • Tech companies often use standardized terms (from law firms like Wilson Sonsini, Cooley)
  • If vendor's terms are unusually one-sided, reference industry standards

SaaS Agreement Resources {#resources}

SaaS Agreement Templates

GDPR/CCPA DPA Templates

SLA Templates

Legal Research

Compliance Tools


FAQ: SaaS Contracts {#faq}

1. Do I need separate Terms of Service and a Master Service Agreement?

It depends on your customer base:

  • Self-service/SMB customers ($10-$50K/year): Terms of Service (ToS) is sufficient
  • Enterprise customers ($50K-$1M+/year): Master Service Agreement (MSA) + SLA + DPA

Most SaaS companies have both: ToS for self-service, MSA for enterprise.


2. What should my liability cap be?

Industry standard: 12 months of fees paid by customer.

Variations:

  • 6 months of fees (more customer-friendly)
  • 24 months of fees (more provider-friendly, for enterprise)
  • Flat dollar amount ($100K-$1M for large enterprise)

Exceptions (typically uncapped):

  • IP infringement indemnification
  • Data breaches (caused by gross negligence)
  • Confidentiality breaches

3. Do I need a Data Processing Agreement (DPA)?

Yes, if:

  • You provide B2B SaaS to customers in the EU or California
  • Your platform processes personal data (names, emails, IP addresses)

GDPR Article 28 and CCPA/CPRA require written contracts between data controllers (customers) and data processors (SaaS providers).

Without a DPA:

  • Violates GDPR (fines up to €20M or 4% of revenue)
  • Violates CCPA (fines up to $7,988 per violation)
  • Enterprise customers will not sign your contract

4. What uptime commitment should I offer in my SLA?

Standard SLA uptime targets:

  • 99.0%: 3.65 days downtime/year (7.3 hours/month)
  • 99.5%: 1.83 days downtime/year (3.65 hours/month)
  • 99.9%: 8.77 hours downtime/year (43.8 minutes/month) – Most common for B2B SaaS
  • 99.95%: 4.38 hours downtime/year (21.9 minutes/month)
  • 99.99%: 52.6 minutes downtime/year (4.38 minutes/month)

Most B2B SaaS platforms offer 99.5%-99.9%.


5. Should I allow auto-renewal in my contracts?

Yes, but with proper notice requirements:

  • Auto-renewal is standard in SaaS (simplifies billing, reduces churn)
  • Send renewal reminder 30-60 days before renewal (required by California ARL and similar state laws)
  • Require 30-90 days' notice to cancel (prevents surprise churn)

Auto-renewal laws apply primarily to consumer contracts, not B2B, but best practice is to follow them anyway.


6. Who owns custom features built for a specific customer?

Default rule: Provider owns all platform IP (including custom features), unless contract specifies otherwise.

Why providers should retain ownership:

  • Ability to offer feature to other customers
  • Maintains platform competitiveness
  • Investors expect provider to own 100% of IP

Alternative to joint ownership:

  • Grant customer exclusive use for 6-12 months, then provider can offer to other customers
  • Customer pays premium for exclusivity

7. Can customers use my platform to train AI models?

Depends on your Terms of Service.

Standard prohibition:

"Customer may not use the Service to train artificial intelligence or machine learning models without Provider's prior written consent."

Why this matters:

  • Prevents competitors from scraping your platform to build competing products
  • Protects your own AI/ML models from being replicated

Exception: If customer's data contains training data they own, they may use it to train their own models (but not your platform's features).


8. What happens to customer data when they cancel?

Standard data retention terms:

  • Customer has 30 days to export data after termination
  • Provider deletes all customer data after 30 days
  • Provider may retain data if legally required (tax records, compliance)

Best practice:

  • Provide easy data export mechanism (CSV, JSON, API)
  • Send reminder before deletion
  • Include data retention terms in DPA

9. Should I include an arbitration clause?

Pros:

  • Faster and cheaper than litigation ($10K-$50K vs $100K-$500K+)
  • Private (no public court records)
  • Final decision (no appeals)

Cons:

  • No jury trial
  • Limited discovery (harder to get evidence from other party)
  • Arbitrator fees ($5K-$20K)

Recommendation:

  • For SMB/self-service customers: Include arbitration clause in ToS
  • For enterprise customers: Negotiable (customer may insist on litigation)

10. How much should I charge for custom SLA commitments?

Pricing custom SLAs:

  • 99.5% uptime: Standard (no additional charge)
  • 99.9% uptime: +10-20% annual fee
  • 99.95%+ uptime: +20-50% annual fee

Additional SLA customizations:

  • Dedicated account manager: $5K-$25K/year
  • 24/7 phone support: $10K-$50K/year
  • Faster response times (1-hour P1 response): $5K-$15K/year

Custom SLAs are profit centers for SaaS companies (customers pay premium for higher uptime commitments).


Need Help with Your SaaS Agreements?

Drafting a SaaS agreement requires balancing customer protection with business viability. If you're building a B2B SaaS startup, we can help:

Promise Legal assists SaaS startups with:

  • Drafting Terms of Service and Master Service Agreements
  • Creating GDPR/CCPA-compliant Data Processing Agreements (DPAs)
  • Negotiating enterprise customer contracts
  • Reviewing and redlining customer paper
  • Updating terms to comply with new regulations (California ARL, CCPA amendments)

Schedule a consultation →



Disclaimer: This guide provides general information about SaaS agreements and contracts for startups and should not be construed as legal advice. Contract law varies by jurisdiction. Consult with a qualified attorney before drafting or signing any contract. This guide was last updated in January 2025 and reflects contract practices and regulations as of that date.


About Promise Legal: We're a Texas-based law firm focused on startups, technology companies, and entrepreneurs. We provide practical, cost-effective legal guidance on corporate formation, fundraising, compliance, contracts, and intellectual property.

Learn more about our services →
