SaaS & Subscription Platforms

California, Ontario, Quebec. Updated 2026-05-29

Where You're Exposed

SaaS companies face four distinct exposure surfaces.

Each one shows up the moment an enterprise customer or an investor enters the room.

  • CLOSING ENTERPRISE CUSTOMERS

    • The first Fortune 500 customer arrives with a 40-page contract.
    • Their legal team wants higher liability caps and audit rights.
    • Click-wrap terms that worked yesterday will not close this deal.
    • A redline playbook saves weeks in their legal queue.
  • SCALING PRIVACY ACROSS JURISDICTIONS

    • Your customers come from California, Quebec, and the EU. Each jurisdiction has its own privacy rules and contract terms.
    • A single Privacy Policy will not satisfy enterprise procurement.
    • Cross-border data transfers need DPAs and signed safeguards.
  • PROVING SECURITY AND UPTIME

    • Enterprise buyers want SOC 2 and 99% uptime in writing.
    • Breach-notification windows now run in hours, not days.
    • Audit rights and security exhibits land in every redline.
    • Weak SLA credits become the loudest line in renewals.
  • PREPARING FOR DILIGENCE

    • Investors check whether founders properly assigned IP to the company.
    • Contractor work without "hereby assigns" language is just a promise.
    • Open-source in your stack can force you to publish proprietary code.
    • Customer contracts with no change-of-control clause stall the deal.

A 90-day stall in their legal queue is not the worst outcome. The worst outcome is the customer who walks because your security exhibit took longer than your competitor's.

What You Actually Need

  • Enterprise-Ready Contract Stack

    Drafted to close, not to stall. The MSA, SLA, Order Form, and SOW suite enterprise procurement teams expect, plus the redline playbook for inbound 40-page vendor agreements. AI-aware indemnity, IP ownership, data-handling, and limitation-of-liability clauses sized to actual deal economics. Not template defaults.

  • Multi-Regime Privacy and Data Compliance

    Compliance you can put in writing for procurement. A privacy stack that satisfies CCPA, CPRA, GDPR, Quebec Law 25, and PIPEDA in one engagement. Public-facing Terms and Privacy Policy, Acceptable Use Policy, customer-facing DPA, vendor DPA template, sub-processor schedule, and the cross-border SCC and breach response plan.

  • Diligence-Ready IP Portfolio

    Brand and software IP locked before investors or acquirers ask. Trademark clearance and federal registration on the product and company name, copyright registration on the proprietary codebase, and the chain-of-title documentation that survives diligence. IP assignments worded "hereby assigns," contractor work-for-hire language reviewed, open-source compliance audited.

  • Embedded Legal Coverage

    Coverage that scales with your roadmap. Embedded ongoing counsel across IP, contracts, governance, and commercial deals. Per-deal redlines, vendor and customer agreement work, DPA review, security exhibit handling, and regulatory tracking across California, Ontario, and Quebec. Without the cost or hiring lift of a full-time General Counsel.

How We Work Together

  1. Free 10-minute discovery call.

    We figure out whether SGL can solve your issue and whether we're the right fit.

    No charge, no obligation.

    Book a discovery call
  2. Paid strategy consult — 30 or 60 minutes.

    Substantive legal advice scoped to your situation.

    The fee credits toward your engagement if you hire us.

    Book a strategy consult
  3. Flat fees. No surprises.

    Every engagement scoped up front. No hourly billing. Direct attorney access.

Admitted in California, Ontario, and Quebec — the attorney on intake is the attorney at close.

Common Questions

An enterprise customer is pushing AI-output ownership and training-data restrictions into our SaaS agreement. How do we handle that?

Most AI-aware enterprise deals split into a SaaS agreement plus an AI addendum carrying training-data restrictions, output-ownership terms, and AI-specific indemnity. The SaaS agreement governs subscription, payment, uptime, and standard data-handling; the addendum governs training-data scope, output ownership, model-update obligations, indemnity for model-output claims, and acceptable-use limits. Whether the AI clauses ride inside the MSA or attach as a separate addendum is a procurement-process question; the substantive question is what each clause says. SGL drafts both layers; the AI-side governance stack lives on our AI & Generative AI Companies hub.

Book a free discovery call
What's a reasonable liability cap in a SaaS contract?

The SaaS market standard caps liability at 12 months of fees, with super-caps of 2× to 3× for IP, confidentiality, and data-breach categories. Enterprise customers often push for unlimited liability in narrow categories such as IP infringement, data breach, gross negligence, and confidentiality breach. Super-caps of 2× or 3× fees are common compromises for those categories. Unlimited liability for everything is rarely accepted. The cap that ships in the final contract is the result of negotiation, not a default.

What uptime SLA should a SaaS company commit to?

99.9% uptime is the SaaS market standard, which is roughly 8.7 hours of downtime per year. Enterprise customers typically push to 99.95% or higher, with tighter response times and meaningful credits. The SLA should also specify what counts as downtime, exclude scheduled maintenance, define the measurement methodology, cap credits at one month's fees, and make credits the exclusive remedy.

Do we need both Terms of Service and a Master Service Agreement, or just one?

Most SaaS companies use both: click-wrap Terms of Service for self-serve users, and a signed MSA for enterprise customers who arrive with their own paper. The hybrid pattern lets sales move fast on small accounts and meet enterprise procurement requirements when the deal size justifies negotiation. Reference each document in the other so the relationship between them is unambiguous. Click-wrap acceptance should be affirmative (a checkbox, not a "by using you agree"), timestamped, and version-tracked.

Who owns the customer data in a SaaS contract?

Customers own their data; the vendor gets a license limited to delivering the service. Specify the boundary in the contract. The SaaS provider may use the data to operate the service, support the customer, and (if separately permitted) build aggregated or anonymized analytics. Anything else (derived insights, training data for model improvements, sub-licensing) needs an explicit grant. California Civil Code § 1798.140 controls the "service provider" boundary under CCPA and CPRA. On termination, the contract should specify return, deletion, and timing.

What does a SaaS company need before its first enterprise customer signs?

A signed MSA template, an SLA, a DPA, a security exhibit, and a redline playbook for inbound enterprise paper. The five-piece stack lets sales answer procurement questions in hours instead of weeks. Pre-built positions on the high-leverage clauses (liability cap, indemnification, data ownership, audit rights, breach-notification windows) save weeks per deal. The SLA references the security exhibit; the MSA references the DPA; the playbook covers what to concede and what to hold.

Do US-based SaaS companies need to comply with Quebec Law 25?

Yes, if your SaaS processes the personal information of a Quebec resident, Quebec Law 25 applies regardless of where the company is headquartered. Law 25 requires named privacy-officer designation, separate consent per purpose, transfer-impact assessments before cross-border data flows, breach notification to the Commission d'accès à l'information, and a documented privacy program. The Quebec module typically attaches as a DPA addendum or schedule in the customer contract. PIPEDA and Law 25 overlap on most SaaS data flows; the customer contract maps both.

Is SOC 2 something a SaaS lawyer handles?

A SaaS lawyer handles the contract layer (security exhibits, breach-notification timing, audit rights, MSA language); the SOC 2 audit itself is a CPA firm's work. The two layers fit together. The audit produces the SOC 2 report; the contract commits the SaaS company to the controls the report describes. Enterprise procurement reads the contract first and asks for the report second.

How do auto-renewal clauses work in SaaS contracts in California?

California's Automatic Renewal Law (Cal. Bus. & Prof. Code § 17600) imposes specific consent, disclosure, and cancellation requirements on auto-renewing subscriptions, with stronger rules for consumer-facing tiers. Disclosures must be clear and conspicuous, the consumer must give affirmative consent, the cancellation mechanism must be online and accessible, and renewal-notice windows are regulated. For B2B SaaS, the rules apply with reduced reach, but enforcement actions reach companies that misclassified tiers. Pricing changes on renewal need their own disclosure path.

What does an investor or acquirer look for in a SaaS company's IP and contracts during diligence?

Buyers check IP ownership chain, open-source compliance, customer-contract transferability, change-of-control clauses, and the consistency of revenue-contract terms across the customer base. Founder and contractor IP assignments must use present-tense "hereby assigns" language to actually transfer ownership under 17 U.S.C. § 201; "shall assign" is just a promise. Open-source code under copyleft licenses (especially Affero GPL for SaaS) can force disclosure of proprietary work. Customer contracts that lack change-of-control clauses or assignment rights can require buyer renegotiation.

What is a Data Processing Agreement (DPA), and when does a SaaS company need one?

A Data Processing Agreement is a contract that allocates responsibility for personal-data processing between a SaaS company (the processor) and its customer (the controller), or with a sub-processor downstream. GDPR Article 28 requires the contract whenever processing happens on behalf of an EU controller. CCPA and CPRA require equivalent "service provider" or "contractor" terms for California personal information. Quebec Law 25 attaches a Quebec module. Most enterprise procurement teams require a customer-facing DPA before the deal closes.

We just got a 40-page enterprise vendor agreement to sign. What should we look for first?

Review six clauses first: liability cap, indemnification scope, data ownership, audit rights, breach-notification timing, and any IP assignment to the customer. For each, expect: 12 months of fees as the cap with super-caps for IP and data-breach, mutual indemnification, customer data owned by the customer with a service license to the vendor, audit rights frequency-bounded, breach notification in hours not days, and no IP transfer to the customer. These six clauses carry most of the deal economics. The remaining pages are boilerplate the redline can leave alone.


Enterprise contract on your desk? Lock the stack in.

Book a Strategy Call