1. Core Terms Every SaaS Agreement Must Define
A SaaS agreement must clearly define the access rights granted to the customer, the subscription model and pricing structure, the acceptable use boundaries, and the customer's and vendor's obligations regarding data. Ambiguity in any of these areas creates disputes that neither party anticipated when the contract was signed.
License Grant vs. Access Rights: How SaaS Ownership Works
In a SaaS agreement, the customer receives a contractual right to access the software through the vendor's servers for the duration of the subscription, not a traditional software license. This access right is defined by the scope of use clause, which must specify the number of authorized users, the permitted use cases, and whether affiliates or contractors may access the platform. Because the customer does not own or possess the software, if the vendor terminates the agreement or becomes insolvent, the customer may lose access to both the software and the data stored on the platform. SaaS vendors and enterprise customers should immediately engage contract drafting & review counsel to ensure the scope of use, termination rights, and data access provisions protect their interests.
Subscription Models, Pricing Terms, and Auto-Renewal Clauses
The agreement must specify which pricing model applies and how overages are calculated and billed when the customer exceeds contracted usage limits. The agreement must also specify the renewal term, the notice period required to prevent automatic renewal, and whether the vendor may increase pricing at renewal without the customer's affirmative consent. An auto-renewal clause that renews for the full original term without adequate notice to the customer is frequently the subject of contract disputes. Enterprise customers entering into SaaS subscription agreements should engage commercial contract counsel to review pricing, overage, and auto-renewal terms before executing any multiyear subscription.
2. Data Protection, Security, and GDPR/CCPA Compliance
Data protection obligations are among the most complex and consequential terms in any SaaS agreement. When a SaaS vendor processes personal data on behalf of a customer, both the vendor and the customer may be subject to obligations under the GDPR, the CCPA, and other applicable privacy laws. Failure to address these obligations in the SaaS agreement can result in regulatory enforcement actions by the FTC, EU supervisory authorities, and state attorneys general against both parties.
Data Processing Agreements and GDPR/CCPA Compliance
When a SaaS vendor processes personal data on behalf of a GDPR-covered controller, the parties must enter into a data processing agreement (DPA) satisfying the requirements of Article 28 of the GDPR. Under the CCPA, the service provider agreement must prohibit the service provider from retaining, using, or disclosing personal information for any purpose other than providing the contracted services. A SaaS agreement that does not include a compliant DPA or CCPA service provider agreement can expose both the vendor and the customer to regulatory enforcement actions and class action litigation. SaaS vendors and customers operating under GDPR or CCPA obligations should immediately engage privacy and data protection counsel to draft or review their data processing agreements.
Data Ownership, Security Obligations, and Breach Notification
Vendors must not use customer data for any purpose other than providing the contracted services, including training machine learning models or benchmarking, without the customer's explicit written consent. The vendor's security obligations must be defined, including specific standards such as SOC 2 Type II certification, encryption standards, and access controls. Unauthorized access to customer data may implicate the Computer Fraud and Abuse Act (CFAA) and applicable state computer crime statutes. The vendor must notify the customer of any actual or suspected data breach within 48 to 72 hours to allow the customer to meet its own breach notification obligations under GDPR and applicable state breach notification laws. Customers who have experienced or suspect a data breach through their SaaS vendor should immediately engage data breach counsel to assess notification obligations and evaluate claims against the vendor.
3. SLA Obligations, Downtime Remedies, and Performance Standards
Service level agreements are the operational heart of any SaaS agreement. The SLA defines what level of service the vendor is obligated to deliver and what happens when the vendor fails to meet that level. An SLA that contains vague uptime commitments or inadequate remedies leaves the customer without meaningful recourse when the platform fails.
Service Level Agreements: Uptime Commitments and Remedies
The SLA must specify the minimum uptime commitment, expressed as a percentage of total available time, typically 99.9 percent or higher for enterprise-grade services. The SLA must define how uptime is measured, which events constitute scheduled maintenance, and how downtime is calculated when outages span multiple reporting periods. When the vendor fails to meet the uptime commitment, the SLA must specify whether service credits are the customer's sole remedy or whether the customer may also pursue termination rights for recurring SLA failures. SaaS vendors and customers who are negotiating SLA terms should engage technology licensing counsel to ensure uptime commitments, remedy structures, and exclusions are commercially reasonable and legally enforceable.
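One way to implement the measurement rules this passage lists (uptime as a percentage of total available time, scheduled maintenance excluded, and outages clipped to the reporting period they span), as an added example that is not from the article. It assumes a calendar-month reporting period and an SLA that excludes scheduled maintenance from downtime; the outage times, maintenance window and 99.9 percent threshold are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): the March 2026 reporting
# period, one scheduled maintenance window, and three outages. The first
# outage starts in February and spans the period boundary; the second lies
# entirely inside scheduled maintenance and so does not count as downtime.
PERIOD_START, PERIOD_END = datetime(2026, 3, 1), datetime(2026, 4, 1)  # end exclusive
SCHEDULED_MAINTENANCE = [(datetime(2026, 3, 15, 2), datetime(2026, 3, 15, 4))]
OUTAGES = [
    (datetime(2026, 2, 28, 23, 30), datetime(2026, 3, 1, 0, 20)),
    (datetime(2026, 3, 15, 2, 30), datetime(2026, 3, 15, 3, 0)),
    (datetime(2026, 3, 20, 10, 0), datetime(2026, 3, 20, 10, 25)),
]
UPTIME_COMMITMENT = 99.9  # percent; assumed enterprise-grade commitment

def subtract_windows(interval, windows):
    """Remove each excluded window from interval; return the remaining pieces."""
    pieces = [interval]
    for w_start, w_end in windows:
        remaining = []
        for s, e in pieces:
            if w_end <= s or w_start >= e:  # no overlap with this window
                remaining.append((s, e))
                continue
            if s < w_start:                  # keep the part before the window
                remaining.append((s, w_start))
            if w_end < e:                    # keep the part after the window
                remaining.append((w_end, e))
        pieces = remaining
    return pieces

def unscheduled_downtime(outages, maintenance, start, end):
    """Outage time falling inside [start, end), excluding scheduled maintenance."""
    total = timedelta()
    for o_start, o_end in outages:
        s, e = max(o_start, start), min(o_end, end)  # clip to the reporting period
        if s < e:
            for p_start, p_end in subtract_windows((s, e), maintenance):
                total += p_end - p_start
    return total

def uptime_percent(outages, maintenance, start, end):
    """Uptime as a percentage of total available time in the reporting period."""
    down = unscheduled_downtime(outages, maintenance, start, end)
    return 100.0 * (1 - down / (end - start))

def meets_commitment(outages, maintenance, start, end, commitment=UPTIME_COMMITMENT):
    """True when the measured uptime satisfies the contracted percentage."""
    return uptime_percent(outages, maintenance, start, end) >= commitment
```

With these inputs the 20 minutes of the boundary-spanning outage that fall inside March push the month below 99.9 percent, which is exactly the case a customer cannot check unless the SLA states how cross-period outages are attributed.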
Performance Metrics, Monitoring Rights, and Audit Clauses
The SLA should go beyond uptime to define additional performance metrics that are material to the customer's use case, including response time, transaction processing speed, and data processing accuracy. The customer should have the right to monitor platform performance through the vendor's status page, monitoring APIs, or third-party monitoring tools. Audit rights clauses should specify the frequency of permitted audits, the notice required, and whether the customer may use a qualified third-party auditor. Customers who need to verify vendor compliance should immediately engage cybersecurity and data privacy counsel to evaluate their audit rights and initiate an audit process.
4. Liability Allocation, Termination Rights, and Dispute Resolution
The limitation of liability clause and the termination rights provisions are the two clauses most frequently disputed when a SaaS relationship breaks down. Both must be carefully negotiated before the agreement is signed, because they determine the financial consequences of every other failure in the contract.
Limitation of Liability, Indemnification, and Warranty Disclaimers
The limitation of liability clause in a standard SaaS agreement caps the vendor's financial exposure for contract breaches and service failures. Vendors typically seek to limit their liability to fees paid by the customer in the preceding 12 months. Customers should negotiate carve-outs from this cap for claims arising from the vendor's gross negligence, data breaches caused by the vendor's security failures, and the vendor's indemnification obligations. The indemnification clause should require the vendor to indemnify the customer for claims arising from IP infringement, data breaches caused by the vendor's security failures, and violations of applicable law. SaaS vendors and customers who are negotiating liability and indemnification provisions should immediately engage breach of contract counsel to assess the commercial and legal risk of the proposed liability cap and carve-outs.
Termination Rights, Data Return, and Post-Termination Obligations
The termination clause must specify the circumstances under which each party may terminate the agreement, including termination for material breach, termination for convenience, and termination upon the vendor's insolvency. Data portability and return rights are among the most important customer protections in any SaaS agreement. Upon termination, the vendor must provide a complete export of all customer data in a machine-readable format within a defined timeframe and at no additional charge, and must confirm deletion in writing. Customers in a dispute with a SaaS vendor or planning to transition to a new platform should immediately engage data privacy counsel to evaluate their data return rights and enforce data portability obligations.
20 Apr, 2026