Anatomy of a B2B SaaS Agreement
A well-structured SaaS agreement typically consists of: a master agreement (or terms of service), a Service Level Agreement (SLA), a Data Processing Agreement (DPA), an Acceptable Use Policy (AUP), and commercial terms (pricing, payment, term). Each contains clauses that can significantly impact your business.
1. Service Level Agreement (SLA)
The SLA defines availability commitments, typically expressed as a percentage:
- 99.9% uptime = ~8.8 hours of downtime per year
- 99.95% = ~4.4 hours/year
- 99.99% = ~52 minutes/year
Key negotiation points: How is "downtime" defined? Are scheduled maintenance windows excluded? What are the service credits for SLA breaches? (Typically 10-25% of monthly fee per tier of breach.) Are credits the sole and exclusive remedy?
2. Limitation of Liability
This is the most commercially significant clause. The standard vendor position:
- Total liability capped at fees paid in the preceding 12 months
- Exclusion of indirect, consequential, and lost profit damages
- Carve-outs (unlimited liability): IP infringement, confidentiality breach, willful misconduct
Negotiate for: higher caps for data breaches and GDPR violations, mutual (not just vendor) carve-outs, super-caps for specific risk categories.
3. Data Processing Agreement (DPA)
A DPA is mandatory under GDPR Article 28. It should address: scope and purpose of processing; sub-processors (with notification of changes); data transfer mechanisms (SCCs if applicable); audit rights; breach notification timelines (the DPA deadline should be shorter than the GDPR 72-hour deadline to give you time to assess and report); and deletion or return of data upon termination.
4. Data Portability and Exit
This is often the most overlooked clause. Questions to negotiate upfront:
- In what format will your data be exported? (Machine-readable, standard format, or proprietary?)
- What is the transition assistance period after termination?
- What is the cost of data extraction? (Should be included in the agreement, not billed ad hoc)
- How long will the vendor retain your data post-termination before permanent deletion?
5. Intellectual Property
- Your data — the agreement should explicitly state that you retain all rights to your data
- Custom development — if the vendor builds features specifically for you, who owns the IP? Negotiate for at least a perpetual license.
- Aggregated/anonymous data — most vendors reserve the right to use aggregated anonymized data for product improvement. This is generally acceptable but should be explicit.
6. Termination and Auto-Renewal
- Watch for auto-renewal clauses with short opt-out windows (30 days before renewal)
- Negotiate termination for convenience with reasonable notice
- Ensure termination for cause triggers include material breach and insolvency
- Define what happens to your data post-termination (see point 4)
Negotiation Checklist
- ☐ SLA: uptime percentage, measurement method, service credits
- ☐ Liability cap: amount, carve-outs, super-caps
- ☐ DPA: sub-processors, audit rights, breach notification timeline
- ☐ Data portability: export format, transition period, cost
- ☐ IP: data ownership, custom development, aggregated data use
- ☐ Termination: notice period, auto-renewal, post-termination data retention
- ☐ Change of terms: how can the vendor modify terms? (Should require notice + opt-out right)