Software-as-a-service contracts are subscriptions to access software running on someone else's infrastructure. That model changes where the risk sits compared with traditional licensed software: the provider controls availability, security and the data, and the contract is how the customer keeps those under control. The terms below matter to both buyers and builders.
Define what the subscription covers: which modules, how many users or what usage volume, and the acceptable-use rules. Overage handling and how upgrades and downgrades work belong here too, so growth does not trigger surprise charges or a breach.
The service-level agreement sets the uptime commitment, how it is measured, and the remedy if it is missed, usually service credits. Support tiers and response times sit alongside. A credit-only remedy can be thin comfort for a serious outage, so for business-critical services consider whether sustained failure should also give a right to terminate.
The customer keeps ownership of its data; the provider gets a limited right to process it to deliver the service. Where that data is personal data, a GDPR Article 28 data processing agreement is required, covered in our data processing agreements work, and cross-border hosting raises the transfer questions in our note on international data transfers. Where the service uses AI, the allocation of roles and obligations should reflect the EU AI Act, and vendor AI terms deserve the scrutiny set out in AI clauses in vendor contracts.
Expect a liability cap, and check the carve-outs. The provider should indemnify the customer against claims that the service infringes third-party IP. Where the service incorporates open-source components, the licence terms of those components can carry obligations worth understanding before you build on them.
Plan the exit at the start. The contract should guarantee export of your data in a usable format on termination, a transition period, and what happens to your data afterwards (return or deletion). Continuity provisions, such as escrow or a wind-down period, protect you if the provider fails.
SaaS agreements are part of our commercial contracts and transactions work and connect closely to the Data, Data Protection and AI focus area, including data processing agreements and data licensing and data sharing. For framing, see the master services agreement note. Drafting and review run through our Contract Studio and Clause Library and Risk Review technology, with AI governance supported by our AI Act Governance Toolkit.
You do. The provider should only have the rights it needs to run the service. Watch for terms that grant the provider broader rights to use or analyse your data, especially to train models, and negotiate those explicitly.
Exit. It is easy to sign up and hard to leave if the contract does not guarantee data export and a transition period. Sort out the exit before you sign, not when the relationship has soured.
%402x.svg){kind=icon}
%402x.svg){kind=small}
%402x.svg){kind=icon}
