
Negotiating Your SaaS Contract

Negotiating a SaaS (Software as a Service) contract is necessary to formalise the relationship between the software publisher and the customer.

Reading time: 14 min

This type of contract, often complex, must be clear and comprehensive in order to avoid disputes and to define the responsibilities of both parties. A well-drafted SaaS contract anticipates the operational and legal needs of both parties while offering flexibility suited to changes in the software or in the customer's expectations.

A well-structured contract protects the interests of both the publisher and the customer by setting out the service levels (SLA), the protection of personal data (in particular with regard to the GDPR), the rights of use, and reversibility upon termination of the contract.

Below are the main points to watch for when negotiating or drafting a SaaS contract, accompanied by concrete examples to better understand what is at stake.

1. Rights of use and licences

When negotiating the SaaS contract, the agreement must clearly define the rights of use granted to the customer, since SaaS is based on a model of licence of use, not of ownership.

It is important to specify:

  • The type of licence granted: renewable subscription, time-limited use or perpetual use.
  • The number of authorised users: Limit access to the staff designated by the customer, and specify whether adding extra users is permitted under certain conditions, or whether fees apply. A common example: a SaaS solution allows 50 initial users and charges an additional €10 per extra user per month.
  • Usage restrictions: State whether the customer is prohibited from modifying, reselling, or sub-licensing the software. In some cases, it is relevant to specify whether the customer may access the SaaS via personal devices.
  • The duration of the licence: Specify whether the licence is temporary (in the form of a renewable subscription) or perpetual, and define the terms of renewal or termination.

Point to watch: Restrictions must be sufficiently clear to prevent any abusive exploitation by the customer, while taking care not to impose limitations that could hinder legitimate use of the software. Make sure the contract includes a clause specifying that any use outside the specified terms will constitute a breach of the contract.

A well-structured SaaS contract protects the publisher's rights while clearly defining the uses available to the customer.

Concrete example: A client of mine had integrated software into its agricultural equipment and wished to restrict use of the source code to its own users in order to retain control over it. I contractually secured the users' access to the source code, taking care to insert safeguards against abusive use of it, such as a clause of non-assignment of rights to the software.

Other points to consider:

  • Rights of access to the software environment: specify whether the customer may access the software from multiple devices or locations. Also indicate whether use is restricted to certain territories (for example, use authorised only in France or in Europe).
  • Restrictions on reuse: specify that the software may not be duplicated, translated, or reconfigured for another use without written authorisation. A clause of this kind is often crucial to protect publishers' business models.


2. Service Level Agreement (SLA)

The SLA (Service Level Agreement) is an essential element of a SaaS contract, as it guarantees the quality and availability of the service.

This document must specify:

  • Availability rate: The SLA should include an availability commitment (for example, 99.9% monthly availability) to ensure customers have reliable access to the service. Also include the penalties provided for in the event of failure to meet this availability, such as a partial refund of the monthly subscription. The contract may specify scheduled maintenance periods, during which the service may be temporarily unavailable.
  • Response time in the event of incidents: Define the types of incidents (minor, major, critical) and the timeframes for each level of severity. For example, for a critical incident affecting all users, the SLA could require a response within 30 minutes; for a minor incident, a response within 24 hours might suffice, whereas a major outage requires priority resolution within 2 hours.
  • Technical support: Specify the availability hours of technical support (for example, 24/7 or only during business hours) and the support channels (telephone, email, online chat). Also mention whether premium support is offered and any additional costs.

Point to watch: A poorly defined or unrealistic SLA can lead to customer frustration and expose the publisher to disputes if the service does not match expectations.

The SLA goes beyond standard commitments: it may also include specific guarantees to reassure customers and to set the expectations of both parties.

  • Penalties for non-compliance: Include clear penalties if the commitments are not met. For example, if the availability rate is not met, the customer could receive a refund proportional to the period of interruption.
  • Commitments on updates: Specify whether software updates are included in the contract. This may include corrective updates (bug fixes) and evolutionary updates (new features).
  • Exclusions of liability: Identify the events that could affect availability without the publisher being held liable: external network failure, force majeure, or non-compliant use by the customer.

Concrete example: When a SaaS customer in the medical field experienced an unexpected outage, a well-structured SLA with repair commitments within 4 hours made it possible to avoid costly disputes, while protecting the publisher's reputation.

Point to watch: SLA clauses must be realistic; overly ambitious commitments can generate high financial risks for the publisher. Add a limitation of liability for financial compensation in the event of a breach (for example, a maximum equivalent to one month's subscription).
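The following is an added example, not part of the original article or any client contract: a small evaluator that applies the SLA figures discussed above (99.9% monthly availability, response targets of 30 minutes for critical, 2 hours for major and 24 hours for minor incidents, a refund proportional to the interruption and capped at one month's subscription) to a constructed month of incident records, so that both parties can check a credit claim against the clause text. The incident data, the billing period and the €1,000 monthly fee are constructed assumptions.

```python
"""Evaluate a SaaS SLA over one billing month (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime

# Contractual figures from the article: 99.9% monthly availability and
# first-response targets per severity, in minutes.
AVAILABILITY_TARGET = 0.999
RESPONSE_TARGETS_MIN = {"critical": 30, "major": 120, "minor": 24 * 60}


@dataclass(frozen=True)
class Incident:
    severity: str
    opened: datetime
    first_response: datetime
    resolved: datetime
    scheduled: bool = False  # scheduled maintenance is excluded from downtime


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def downtime_minutes(incidents, period_start, period_end) -> float:
    """Unscheduled outage minutes, clipped to the billing period."""
    total = 0.0
    for inc in incidents:
        if inc.scheduled:
            continue
        start, end = max(inc.opened, period_start), min(inc.resolved, period_end)
        if end > start:
            total += _minutes(start, end)
    return total


def availability(incidents, period_start, period_end) -> float:
    """Fraction of the period during which the service was available."""
    return 1 - downtime_minutes(incidents, period_start, period_end) / _minutes(period_start, period_end)


def service_credit(incidents, period_start, period_end, monthly_fee: float) -> float:
    """Refund proportional to the interruption, zero if the target was met,
    and never above one month's subscription (the contractual ceiling)."""
    if availability(incidents, period_start, period_end) >= AVAILABILITY_TARGET:
        return 0.0
    share = downtime_minutes(incidents, period_start, period_end) / _minutes(period_start, period_end)
    return round(min(monthly_fee * share, monthly_fee), 2)


def response_breaches(incidents):
    """(severity, minutes to first response) for incidents answered late."""
    late = []
    for inc in incidents:
        if inc.scheduled:
            continue
        elapsed = _minutes(inc.opened, inc.first_response)
        if elapsed > RESPONSE_TARGETS_MIN[inc.severity]:
            late.append((inc.severity, elapsed))
    return late


# Constructed sample month (June 2025, 43,200 minutes) and incident log.
MONTH_START, MONTH_END = datetime(2025, 6, 1), datetime(2025, 7, 1)
SAMPLE_INCIDENTS = [
    Incident("critical", datetime(2025, 6, 10, 2, 0), datetime(2025, 6, 10, 2, 20), datetime(2025, 6, 10, 3, 30)),
    Incident("major", datetime(2025, 6, 15, 9, 0), datetime(2025, 6, 15, 11, 30), datetime(2025, 6, 15, 12, 0)),
    Incident("minor", datetime(2025, 6, 20, 22, 0), datetime(2025, 6, 20, 22, 0), datetime(2025, 6, 21, 2, 0), scheduled=True),
]

if __name__ == "__main__":
    print(f"availability: {availability(SAMPLE_INCIDENTS, MONTH_START, MONTH_END):.5f}")
    print(f"credit on a EUR 1000 subscription: {service_credit(SAMPLE_INCIDENTS, MONTH_START, MONTH_END, 1000.0)}")
    print(f"late responses: {response_breaches(SAMPLE_INCIDENTS)}")
```

Note that a refund strictly proportional to downtime stays small even for a breach of the 99.9% target; it is the response-time table and any penalty schedule, not the proportional credit, that carry most of the financial weight in practice.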


3. Confidentiality and data protection

Confidentiality and data security are crucial aspects of SaaS contracts, particularly since the entry into force of the GDPR, notably its Article 13.

The contract must include measures to protect data and guarantee its confidentiality:

  • Data protection policy: Describe data security practices, such as encryption, restricted access controls, and regular backups to prevent data loss. Also add a clause on the secure destruction of data at the end of the contractual relationship.
  • Responsibility of each party: The contract must clarify the respective responsibilities of the publisher and the customer regarding personal data, in particular where the customer collects data on its own users through the software. Also indicate the measures the customer must take to ensure the security of the access it controls (for example, robust password management).
  • Notification in the event of a data breach: Specify the procedures and timeframes for informing the customer in the event of a data breach, generally within 72 hours, as required by the GDPR. Add an obligation for the customer to cooperate in the event of an audit or regulatory investigation.

Point to watch: If data protection obligations are not properly defined, the publisher may incur significant penalties in the event of a security breach. Also include a clause limiting the publisher's liability in the event of unforeseeable external attacks.

To strengthen data protection, the SaaS contract must also include:

  • Security audit: Provide for the possibility for the customer to carry out or request security audits, under specific conditions. Add details on the frequency (annual, half-yearly) and on the limits in order to avoid unjustified service interruptions.
  • Data location: Clearly indicate where the data will be hosted (for example, within the European Union to comply with the GDPR). If subcontractors are used for hosting, list them or specify that they must comply with the same obligations as the publisher.
  • Business continuity plan: Include guarantees on the continuity of the service in the event of a serious incident, such as a cyberattack or a major outage. Add a clause on the return of data in the event of the publisher's insolvency.

Concrete example: A SaaS company hosting health data had to include a quarterly audit to reassure its customers regarding GDPR compliance and ISO 27001 security standards.

Point to watch: Insufficient data protection commitments can not only expose the publisher to financial penalties, but also damage its reputation. Add a clause specifying that customer data will remain accessible even upon termination in order to facilitate migration.


4. Intellectual property

The question of intellectual property is crucial in SaaS contracts. Although the customer benefits from rights of use, the publisher generally retains intellectual property over the software.

The contract must clarify:

  • Ownership of the source code: The publisher retains full ownership of the source code, which prevents the customer from modifying or duplicating the software, in accordance with Articles L122-4 and L122-6-1 of the Intellectual Property Code. Also add a clause prohibiting reverse engineering of the software to prevent any attempt at unauthorised reproduction.
  • Rights of use: The customer is granted a right to use the software, without any ownership right. For example, the customer may access the software for its professional needs, but has no right to extract components from it to integrate them into another solution.
  • Content created by the customer: The customer remains the owner of the data or content it enters into the software, and may retrieve it upon termination. Also specify that this content may not be used by the publisher without express authorisation.

Point to watch: Any ambiguity regarding ownership can lead to costly disputes. Include a specific clause for modules or extensions jointly developed by the customer and the publisher, in order to clearly define their ownership.

In some cases, customers may request modifications or adaptations to the software. The contract must provide for these situations:

  • Improvements made by the customer: If the customer participates in the development or improvement of the software, specify whether these contributions remain the property of the publisher or whether they are shared. Add a clause providing for a non-exclusive licence to the publisher over any improvement made by the customer.
  • Exploitation by third parties: Specify that the customer may not make the software or its extensions available to third parties without authorisation. This includes an explicit prohibition on renting, assigning, or sub-licensing the software.
  • Ownership of analytical data: Define who owns the analytical data generated by use of the software (for example, usage statistics, performance data). Add a clause specifying that the publisher may use this data in aggregated and anonymised form for the purposes of improving the service.

Concrete example: One of my clients developed an automotive software solution of which he wished to remain the exclusive owner. By including specific clauses limiting or even prohibiting users from reproducing the software, he secured exclusive retention of the intellectual property.

Point to watch: These clauses must be drafted in such a way as to protect the publisher's business model while respecting the customer's legitimate rights. Also add a clause specifying the remedies in the event of a breach, such as an immediate suspension of access to the software.


5. Termination and reversibility clauses

Termination and reversibility clauses are essential in a SaaS contract, especially at the end of the commercial relationship. They define the conditions of termination and the procedures for retrieving the customer's data.

The contract must specify:

  • Conditions of termination: Define the grounds allowing termination of the contract by either party, such as a serious breach of the SLA, a breach of confidentiality, or a violation of intellectual property rights. Also add the possibility for the customer to terminate for convenience with a defined notice period, for example 60 days.
  • Procedures for retrieving data: Specify how the customer's data will be returned at the end of the contract, in what format (for example, CSV, XML), and within what timeframe. Add an option for the customer to request migration assistance, for a reasonable fee.

Point to watch: A well-drafted reversibility clause is crucial to avoid disputes upon termination of the contract and to guarantee the customer access to its data. Also mention whether fees apply for the retrieval or secure destruction of data after termination.

Reversibility is a central concern for customers when they wish to change provider or end their contract. The contract must also provide for:

  • Data retention period after termination: Specify whether the customer's data is retained temporarily after termination to allow it to carry out the migration, and indicate the period before definitive deletion. A standard timeframe may be 30 to 90 days.
  • Reversibility fees: Mention whether specific fees apply for the return or migration of data. Also add a clause stating that these fees must be communicated to the customer from the outset of the contract.
  • Continued access before effective termination: Guarantee that the customer retains full access to its data until the effective date of termination, except in the event of serious misconduct on its part.

Concrete example: A SaaS customer wishing to migrate to another solution was able to retrieve all of its data in a standard format (CSV) thanks to a clear reversibility clause, thereby allowing a smooth transition without any service interruption.

Point to watch: Provide for a clause prohibiting the customer from withholding outstanding payments as leverage to accelerate or influence reversibility. Add a mention of the obligation of both parties to cooperate during the migration process.

6. Liability and limitation of liability

The limitation of liability is a key point of the SaaS contract: it protects the publisher against costly claims while setting the customer's expectations.

The contract must include:

  • Exclusions of liability: Specify the situations in which the publisher is not liable, such as in the event of misuse of the software by the customer, an interruption due to external causes (network failures, force majeure), or cyberattacks. Also add a mention of limited liability in the event of use that does not comply with the terms of the contract.
  • Limitation of damages: Indicate a liability cap to limit financial claims (for example, up to the amount of the annual or quarterly subscription). This clause may include an exclusion of indirect damages, such as loss of profits or data.
  • Indemnification obligations: Provide for indemnification clauses to protect the publisher against third-party claims, in particular in the event of infringement of the software's intellectual property rights.

Point to watch: A well-drafted limitation of liability clause is essential to avoid costly and unforeseen disputes. Add a section detailing the remedies available to the customer in the event of a serious breach by the publisher, such as limited compensation or early termination without charge.

To strengthen the protection of both parties and prevent abuse, the contract may also include:

  • Force majeure clauses: Specify that the publisher will not be held liable in the event of unforeseeable and external events, such as natural disasters or global failures of the Internet network. Add an obligation for the publisher to promptly notify the customer in the event of force majeure affecting the service.
  • Data-specific limits: Define the responsibilities relating to data breaches: is the publisher liable only in the event of proven fault (for example, negligence in security)? Mention that the customer must also take measures to protect its access and its data.
  • Professional liability insurance: Include a mention indicating that the publisher holds insurance covering the risks associated with the SaaS contract. This can reassure customers as to the publisher's financial capacity to meet claims.

Concrete example: When a customer claimed financial compensation for a loss of revenue linked to a temporary outage, a limitation of liability clause capped at one month's subscription made it possible to limit the financial losses for the publisher while offering acceptable compensation for the customer.

Point to watch: These clauses must be balanced so as to protect the publisher without appearing too restrictive for the customer. Add a specific clause for situations in which the customer contributed to the incident (example: misconfiguration of SaaS access).


To learn more

What is a SaaS contract?

A SaaS (Software as a Service) contract formalises the relationship between the publisher of online-accessible software and its customer. It is based on a model of licence of use, not of ownership. When well drafted, it sets out service levels, data protection, rights of use and reversibility upon termination of the contract.

How do you define the rights of use in a SaaS contract?

The contract must specify the type of licence (subscription, limited or perpetual use), the number of authorised users and the conditions for adding them, the usage restrictions (prohibition on modifying, reselling or sub-licensing) and the duration. As SaaS is based on a licence and not on ownership, these rights must be delimited with precision.

What is an SLA in a SaaS contract?

The SLA (Service Level Agreement) defines the guaranteed service levels: software availability (uptime), recovery time, performance, support. It sets out measurable commitments and often penalties in the event of a breach. It is a central element of the SaaS contract, as it determines the actual quality of the service provided to the customer.

Why is reversibility important in a SaaS contract?

The reversibility clause organises the retrieval of the customer's data at the end of the contract, in a usable format, and the migration to another solution. Without it, the customer risks losing access to its data or being locked in by the publisher. It is an essential protection against technological dependence.

How does the GDPR apply to a SaaS contract?

Where the SaaS processes personal data on behalf of the customer, the publisher is generally a processor within the meaning of the GDPR. The contract must then incorporate the provisions of Article 28: security, instructions, further sub-processing, assistance with data subjects' rights. GDPR compliance is an unavoidable aspect of the negotiation.

How do you limit liability in a SaaS contract?

The contract may provide for a limitation of liability clause, capping the indemnities. Care must be taken, however: it must not deprive the publisher's essential obligation of its substance, on pain of being deemed unwritten. The balance between protecting the publisher and providing guarantees to the customer is a key point of the negotiation.

How do you protect the source code in a SaaS contract?

The contract must state that the SaaS is granted under licence, without any assignment of rights to the software or to the source code. Non-assignment, non-reproduction and prohibition of reverse-engineering clauses protect the publisher. Any use outside the agreed terms must be characterised as a breach of the contract, giving rise to a sanction.

Why negotiate your SaaS contract with a lawyer?

Because a SaaS contract combines intellectual property, personal data, service levels and liability. Imprecise drafting exposes you to disputes and to a loss of control over the software or the data. A lawyer calibrates the rights of use, the SLA, reversibility and the limitations of liability in favour of the party they advise.
