SaaS Agreement Checklist: Key Terms to Include
Ensure your SaaS agreement checklist covers security, liability, IP rights, compliance, SLAs, and termination terms to protect your business. Updated on August 08, 2025
Key Takeaways:
- A strong SaaS agreement checklist protects both vendor and customer by addressing security, liability, availability, integrations, and business continuity.
- Information and data security clauses should cover compliance, warranties, audits, backups, disaster recovery, and data ownership.
- Financial liability terms must clarify responsibility for breaches, including training, technology safeguards, and insurance.
- SLAs should define uptime guarantees, maintenance schedules, and remedies for service failures.
- Key factors include integration costs, vendor stability, outsourcing, virus protection, and change-of-ownership provisions.
- Additional considerations include IP rights, customization limits, termination clauses, payment terms, dispute resolution, compliance with laws, and support obligations.
A SaaS contract checklist can help you ensure you hit all the important topics and sections that should be addressed in your SaaS contract agreement. SaaS contracts deal with software delivery that is not downloaded or installed locally. It's managed from a central location, and customers access the software via the Internet.
In these types of contracts, the availability of the software and performance monitoring are critical. Therefore, SaaS agreements, or contracts, need to include a service-level guarantee. Stipulations on service levels need to spell out the minimum acceptable performance levels. They should include details such as uptime, response time, customer satisfaction, and more. If you don't include minimum performance guarantees, the value of SaaS to your business is diminished.
Information and Data Security
One of the most important sections to address in your SaaS contract relates to data security provisions:
- Add a requirement that the vendor must comply with the client's data security procedures.
- Include warranties that address data security, alteration, and loss.
- Give the client the right to conduct audits and security evaluations on a periodic basis.
- Create a disaster plan that includes business continuity steps, along with the vendor's related obligations.
- Properly draft a force majeure clause.
- Include very detailed statements regarding data ownership and return procedures.
- Address the vendor's obligation to perform backups and how often they should happen.
- Explore what the vendor requires regarding data restoration.
Intellectual Property and Ownership Rights
Your SaaS agreement checklist should clarify which party owns the software, underlying code, and any content or data generated through the service. Specify:
- Vendor IP Rights: The provider retains ownership of the software and any proprietary technology used to deliver it.
- Customer Data Rights: The customer owns all data they upload or generate, with clear rights to export or delete it.
- Customizations: If the provider creates custom features or integrations, determine whether these are owned by the vendor, the customer, or shared.
- License Scope: Define whether the license is non-exclusive, limited, transferable, or perpetual, and any restrictions on use, reverse engineering, or sublicensing.
Handling Financial Liability in Case of a Data Breach
SaaS vendors need to be prepared for and take proper steps to mitigate a potential risk of a data breach:
- Make sure your personnel are appropriately trained.
- Utilize proper security-related technology — multiple firewalls, encryption, an intrusion detection system, etc.
SaaS vendors need to have third-party reviews done and to certify that their security measures are more than adequate. SaaS customers will likely try to hold the vendor completely responsible, and therefore, liable for damages such as:
- Intrusion
- Data loss
- Damage
- Unintended disclosure
- Breach
- Corruption
Indemnification and Limitation of Liability
A robust SaaS agreement checklist includes indemnification clauses to protect each party from certain claims:
- Vendor Indemnity: The vendor should cover claims arising from intellectual property infringement, data breaches caused by their negligence, or violations of law.
- Customer Indemnity: The customer may need to indemnify the vendor against misuse of the service, illegal content, or violations of third-party rights.
- Liability Caps: Limit total liability to a specific dollar amount or a multiple of fees paid, except in cases of gross negligence, willful misconduct, or breach of confidentiality.
- Exclusions: Clearly state which damages are excluded (e.g., indirect, consequential, or punitive damages).
Availability of SaaS Applications
Customers have a reasonable expectation that a SaaS application will work to the same degree as if it were installed in the customer's physical location and on on-site computers. If a crucial SaaS application is not working and is unavailable, the customer's business has the potential to be significantly impaired.
It's not unrealistic for customers to ask the vendor to make the SaaS application accessible and available round the clock, 365 days a year, and 99.5 percent of the time. This is where many vendors now utilize SLAs, or service level agreements, because there is a growing demand for them. Customers need to be understanding and patient during scheduled maintenance outages, which are done during nonpeak hours. There will also be events that are beyond the vendor's control, such as internet and power outages, and equipment failures.
Support, Maintenance, and Updates
A comprehensive SaaS agreement checklist addresses how support will be provided and how the software will evolve:
- Support Levels: Define standard, premium, or dedicated support options, response times, and escalation procedures.
- Maintenance Windows: Specify notice periods for planned downtime and the duration of such maintenance.
- Updates and Upgrades: Clarify whether updates are included in the subscription fee, whether they are automatic, and how they will be communicated to customers.
- Bug Fixes and Patches: Outline expected timelines for resolving critical, major, and minor issues.
Important Factors in SaaS Agreements
If you have the need to integrate a SaaS application with another system, either a cloud-based or on-site one, it can become more complex. It's good practice to budget for potential integration expenses, which may be anywhere from 10 to 30 percent, and in rare cases, as high as 50 percent of the initial cost for purchase and implementation. Some vendors don't want you to do this, as their go-to sales strategy may be just to close the deal and do an add-on after.
If this SaaS application is vital to your business, ensure you have a mechanism in place for protecting your business in case the SaaS vendor undergoes a serious event that renders it unable to provide service, such as:
- Bankruptcy
- Massive failure of service
- Lawsuit and pending injunction
How will you secure business continuity if your SaaS provider is sold or changes hands? What are your rights to terminate your agreement?
Include outsourcing suppliers and technology partners you may need. A number of companies outsource their support to a third-party IT supplier. There are instances where an outsourced technology partner requires access to all products that interact with the central portfolio of information technology services, so it can proceed with proper troubleshooting.
Virus protection is another point to address in your SaaS contract. The agreement should contain clear language on how virus protection software is utilized and what happens if there is a virus. Ensure the SaaS vendor agrees to utilize proper virus-protection software and solutions. Also, make sure the provider attempts to prevent any risks in both the SaaS software and the customer's information technology environment.
Termination, Renewal, and Exit Strategy
Your SaaS agreement checklist should define how and when either party can terminate the contract:
- Termination for Cause: Either party may terminate for material breach if not cured within a defined period.
- Termination for Convenience: Decide if either party can terminate without cause and the notice required.
- Auto-Renewal: Specify renewal terms, notice deadlines to opt out, and pricing changes upon renewal.
- Data Return and Deletion: Detail the process, timeline, and format for returning customer data after termination, and when data will be securely deleted from vendor systems.
- Transition Assistance: If critical to business operations, require the vendor to assist with migration to a new provider.
Compliance and Regulatory Requirements
Regulatory compliance should be a standard part of any SaaS agreement checklist, especially for industries subject to strict data laws:
- Applicable Laws: Specify compliance with laws like GDPR, CCPA, HIPAA, or industry-specific regulations.
- Certifications: Require the vendor to maintain relevant certifications (e.g., ISO 27001, SOC 2).
- Audit Rights: Allow for audits to verify compliance with contractual and legal obligations.
- Cross-Border Data Transfers: Address where data will be stored and how international transfers will comply with legal requirements.
Frequently Asked Questions
1. What is a SaaS agreement checklist? It’s a structured list of key contract provisions to review or include when negotiating a Software as a Service (SaaS) agreement.
2. Why are SLAs important in SaaS agreements? Service Level Agreements define uptime, performance, and support standards, ensuring the vendor meets critical business needs.
3. How should intellectual property be addressed in a SaaS contract? The agreement should clearly state that the vendor retains software ownership, while the customer retains ownership of their data and content.
4. What happens to my data if the SaaS agreement is terminated? The contract should specify how and when you can retrieve your data, the format provided, and when it will be deleted from vendor systems.
5. Can a SaaS agreement limit liability for data breaches? Yes, most agreements cap liability, but exceptions may apply for gross negligence, willful misconduct, or breach of confidentiality.