Software as a Service (SaaS) has established itself as the dominant model for distributing professional software. Yet it remains a hybrid legal product, poorly understood by the executives who negotiate it daily. A SaaS contract is neither a software sale nor a simple, traditional IT services arrangement. It combines the provision of hosted software by a vendor, remote access by the client's users, the processing of personal data and a long-term service continuity commitment.
This composite nature multiplies the areas of risk. A poorly drafted contract can lead to a business interruption, data loss, a sanction from the CNIL, or costly litigation between vendor and client. Conversely, a well-structured contract secures the commercial relationship, protects the vendor's intellectual property and guarantees the client control over its data and its business tool.
This article sets out, point by point, the essential clauses of a SaaS contract that every executive must know, whether vendor or client, in order to secure their digital business.
In a traditional software license model, the user acquires a right to use the software installed on their own workstation or server. In a SaaS model, the software remains hosted on the vendor's infrastructure or that of its host, and the client accesses it online, generally in exchange for a periodic subscription.
This structural difference has three major legal consequences. The first relates to intellectual property: in accordance with Article L122-6 of the Intellectual Property Code, the vendor retains all rights to exploit the software, the code and its developments. The second concerns service continuity: the technical availability of the software becomes a central obligation, unlike a license where the software remains functional even if the vendor disappears. The third concerns the flow of the client's data, which transits and is stored at the vendor's premises, triggering the application of the GDPR and all the associated obligations.
No specific legislation governs SaaS contracts as a whole under French law. The contract is analyzed as an innominate sui generis contract subject to the ordinary law of contracts derived from the Civil Code, in particular Articles 1101 et seq. relating to contractual obligations.
Several bodies of structuring rules are added to this. The Commercial Code, notably Article L442-1, governs relations between professionals by sanctioning restrictive competition practices and significant imbalance. The Intellectual Property Code secures ownership of the software. The European Regulation 2016/679 (GDPR) and Law No. 78-17 of 6 January 1978, as amended, apply as soon as the SaaS processes personal data, which is almost always the case. Finally, the Law for Confidence in the Digital Economy (LCEN) and the Consumer Code come into play if the SaaS is aimed at consumers.
The subject matter clause is the cornerstone of the SaaS contract. It must define with precision the scope of the service provided, failing which a dispute may arise over the actual content of the service. An overly vague description exposes the vendor to client demands for features that were never planned, and exposes the client to a service reduced compared to its expectations.
The clause must specify the nature of the service (online hosted software, accessible by subscription, without local installation), the modules and features included (often referred to a technical annex), the authorized users (number, profiles, geographic scope), as well as the explicit exclusions (custom integrations, specific developments, advanced support). For the record, Article 1163 of the Civil Code requires a determined or determinable service, failing which the contract risks nullity for indeterminacy of the subject matter.
The client does not acquire the software but a limited right of use. The clause must qualify the license as non-exclusive, non-transferable and personal, granted solely for the duration of the contract and solely for the internal needs of the client company and its authorized users.
The vendor must explicitly affirm that it retains exclusive ownership of the software, the source code, the documentation, the updates and all elements protected under copyright. This specification is essential to avoid any subsequent claim by the client over developments or improvements financed by it.
The contract must formally prohibit reverse engineering, copying, redistribution, making available to third parties, use for competitive purposes or the creation of derivative works. These prohibitions must remain compatible with the mandatory exceptions of the Intellectual Property Code, in particular Article L122-6-1 which authorizes certain interoperability operations.
The SLA (Service Level Agreement) is the most strategic clause for the client. It sets the guaranteed availability rate of the platform, generally between 99% and 99.9%, or even 99.99% for critical uses.
To be enforceable, the SLA must rigorously define the calculation method (reference period, monthly or annual), the exclusions (scheduled maintenance notified, force majeure, failure of the client's infrastructure, disruptions of the public internet network) and the measurement methods (monitoring tools, periodic reports). An availability guarantee without a clear calculation method is legally ineffective.
The penalties must be proportionate and precisely quantified. Practice generally distinguishes between automatic penalties (subscription credit, extension of duration) and penalties on claim. The client must obtain a mechanism for termination for repeated breach of the SLA when the degraded thresholds occur in succession.
The vendor, for its part, must ensure it caps these penalties to prevent them from becoming a disproportionate instrument of pressure. An excessive penalty clause may be revised by the judge pursuant to Article 1231-5 of the Civil Code.
In almost all SaaS contracts, the client is the data controller of the data it imports into the platform, and the vendor acts as a processor within the meaning of Article 4(8) of the GDPR. This qualification places on the vendor the strict obligations of Article 28 of the GDPR, which requires the conclusion of a written processing agreement containing mandatory provisions.
These provisions concern in particular the subject matter and duration of the processing, the nature and purpose, the types of data processed, the categories of data subjects, as well as the specific obligations of the processor. Otherwise, the vendor is exposed to a direct sanction from the CNIL and engages the client's liability before its own supervisory authorities.
The SaaS vendor almost always uses sub-processors (host, authentication providers, email sending services). The GDPR requires a prior written authorization from the client, specific or general, accompanied by an obligation of prior information in the event of an addition or replacement.
The clause must also detail the technical and organizational measures implemented by the vendor: encryption of data at rest and in transit, management of access and authorizations, logging, regular backups, business continuity plan, intrusion testing. The client must obtain an audit right, generally arranged to preserve the vendor's operational constraints.
The vendor is moreover required to notify the client of any data breach as soon as possible, in order to enable the latter to comply with its obligation to notify the CNIL within the 72 hours provided for in Article 33 of the GDPR.
The reversibility clause guarantees the client the recovery of its data at the end of the contract, in a structured and usable format. Without this clause, the client risks technological captivity: its data remain prisoners of the SaaS and their migration becomes technically or financially impossible.
The contract must set the return period, the data format (CSV, JSON, exportable database), any migration assistance fees, and the period for definitive deletion of the data at the vendor's premises after return. This clause is articulated with the GDPR obligations on storage limitation.
The contract must specify the initial subscription price (per user, per module, per volume), its periodicity (monthly, annual), the initial commitment period and the renewal terms. The tacit renewal clause must comply with Article L215-1 of the Consumer Code when it applies to non-professionals, which requires prior information.
In B2B, the vendor retains greater pricing freedom, but must frame it to avoid the significant imbalance sanctioned by Article L442-1 of the Commercial Code. A unilateral price revision without a cap, without notice and without a right of termination for the client may be qualified as abusive. The practice consists of providing for a notice period (generally 60 to 90 days), an increase cap or an objective indexation (Syntec index for example), and a right of termination for the client in the event of an increase above the agreed threshold.
The vendor must provide for late payment interest under the conditions of Article L441-10 of the Commercial Code and the flat-rate recovery penalty of 40 euros provided for by the decree of 2 October 2012. The clause may also provide for a suspension of access to the service after an unsuccessful formal notice, provided that the terms are clearly described and proportionate.
The limitation of liability clause is one of the most debated in SaaS negotiations. It generally caps the vendor's liability at the amount of the sums paid by the client over the last 12 months, and excludes indirect damages (loss of turnover, loss of opportunity, loss of clientele).
Two mandatory limits must be respected. Article 1170 of the Civil Code provides that any clause that deprives the debtor's essential obligation of its substance is deemed unwritten. A clause that would entirely exonerate the vendor from its liability for the availability of the service would thus be annulled, in accordance with the Chronopost and Faurecia case law.
Article 1171 of the same Code, applicable to adhesion contracts, deems unwritten any non-negotiable clause creating a significant imbalance between the rights and obligations of the parties. This provision particularly concerns SaaS whose conditions are imposed without negotiation. Article L442-1 of the Commercial Code further allows this imbalance to be sanctioned in relations between professionals.
Force majeure is defined by Article 1218 of the Civil Code as an event beyond the debtor's control, which could not reasonably have been foreseen at the time of the conclusion of the contract and the effects of which cannot be avoided by appropriate measures. In a SaaS contract, the parties generally specify a list of events (natural disasters, terrorist acts, decisions of public authorities, massive cyberattacks, major failures of telecom operators).
This list remains non-exhaustive and must define the consequences (suspension of obligations, extension of deadlines, termination beyond a duration threshold). An overly broad clause, which would cover for example any ordinary technical failure, would be set aside by the judge.
The duration clause must set an initial duration (often 12 to 36 months), the renewal terms (express or tacit) and a termination notice period (generally 1 to 3 months). In B2B, Article L442-1 II of the Commercial Code sanctions the abrupt termination of an established commercial relationship occurring without written notice taking into account the duration of the relationship. This provision may apply to a SaaS contract renewed over several years.
The contract must also provide for grounds for early termination for fault: non-payment, serious breach not remedied after formal notice, violation of the terms of use, breach of the platform's security. The termination clause must, in order to take effect by operation of law, include a prior formal notice specifying the period given to the debtor to perform, in accordance with Article 1225 of the Civil Code.
For a vendor based in France and a French client, French law applies naturally and the competent jurisdiction is generally the commercial court of the vendor's registered office. In cross-border relations, the drafting of the clause becomes strategic: it is appropriate to expressly designate the applicable law and the jurisdiction, taking into account the Rome I Regulation and the Brussels I bis Regulation.
The parties may also provide for a prior recourse to mediation or to an amicable mechanism, which can speed up the resolution of a dispute without immediately referring it to the judge. A CIArb or ICC arbitration clause may be relevant for contracts with high international stakes.
Drafting and negotiating a SaaS contract is not just a matter of assembling standard clauses. Each contract must reflect the vendor's business model, the client's criticality level and the regulatory constraints specific to the sector (health, finance, public sector, HDS-certified health data host).
The Mirabile Avocat Law Firm assists SaaS vendors, startups, micro-businesses and SMEs as users, as well as the legal departments of groups, throughout the entire life cycle of their SaaS contracts. Our involvement covers several complementary areas.
We first carry out an audit of the existing or planned contractual model, in order to identify the areas of risk (clauses deemed unwritten within the meaning of Articles 1170 and 1171 of the Civil Code, imbalances within the meaning of Article L442-1 of the Commercial Code, GDPR compliance). We draft bespoke SaaS contracts, integrating SLAs, GDPR annexes, processing agreements (DPAs), subsequent subcontracting conditions and technically realistic reversibility clauses.
We also assist our clients in contractual negotiation, in particular when facing major accounts that impose their own templates, as well as in the full GDPR compliance of the SaaS (record of processing activities, impact assessment, management of sub-processors, management of breaches).
Finally, in the event of litigation (service interruption, data breach, pricing dispute, abrupt termination, breach of the SLA), we act before the civil, commercial and administrative courts, and in the management of CNIL procedures.
Concrete example: a B2B SaaS vendor publishing an HR solution was reproached by a client for a major unavailability of 9 consecutive days. The contract capped liability at one month's subscription and entirely exonerated the vendor in the event of a failure of its host. The exoneration clause was deemed unwritten on the basis of Article 1170 of the Civil Code, the vendor being unable to exonerate itself from its essential obligation to provide the service. A nuanced drafting would have limited liability without eliminating it.
Another example: a SaaS client of a marketing platform saw its price increase by 40% at renewal, without specific notice. The pricing revision clause was unilateral, without a cap or a right of termination. The significant imbalance within the meaning of Article L442-1 of the Commercial Code was upheld and the client obtained termination without penalty as well as damages.
Involving a lawyer from the drafting stage avoids almost all subsequent litigation. It is the legal investment with the best cost/risk ratio for a SaaS vendor as well as for a professional client.
Legal disclaimer: This article has an educational and informative purpose. It does not constitute personalized legal advice. Each situation calls for a specific analysis in light of the contract, the business model and the sector of activity. To secure a SaaS contract, it is advisable to consult a specialized lawyer.
To learn more
A SaaS contract governs the provision of software hosted by a vendor, accessible remotely by the client's users. A hybrid legal product, it combines license, services provision, data processing and a service continuity commitment.
No. A SaaS contract is neither a software sale nor a simple, traditional IT services arrangement. It combines the provision of hosted software, remote access, data processing and a continuity commitment, which makes it a composite product.
A SaaS contract must frame service levels, availability, security and intellectual property, the processing of personal data (GDPR processing), reversibility and liability. These clauses secure the relationship between the vendor and the client.
A poorly drafted SaaS contract can lead to a business interruption, data loss, a sanction from the CNIL or costly litigation between vendor and client. Its composite nature multiplies the areas of risk, hence the importance of a solid framework.
Yes. SaaS involves the processing of personal data, with the vendor generally acting as a processor. The contract must provide for a framework compliant with Article 28 of the GDPR, failing which the vendor and the client are exposed to sanctions.
Reversibility guarantees the client the recovery of its data and migration at the end of the contract. It avoids dependence on the vendor and data loss. Its absence weakens the client's control over its data, which makes it an essential clause.
Yes. A well-structured contract protects the vendor's intellectual property in its software, while guaranteeing the client a right of use and control over its data. This balance secures both parties.
A lawyer helps draft or negotiate a balanced SaaS contract: service levels, security, GDPR, intellectual property and reversibility. This support protects both the vendor and the client and limits the risks of interruption, data loss or dispute.