Software as a Service (SaaS) Agreement

A SaaS agreement is no longer a simple subscription contract. It sits at the intersection of the DPDP Act 2023, GDPR, service-level commitments, intellectual property rights, and data exit obligations. Whether you sell SaaS to enterprises or buy SaaS from a vendor, the contract decides what happens when the platform fails, when data is breached, when a sub-processor changes, or when one side wants out. Vague drafting on any of these points costs real money.

The market has moved past generic MSA templates. Enterprise customers now expect a Master Services Agreement, a Service Level Agreement, a Data Processing Addendum, and an Order Form structure with internal cross-references that hold up. Vendors who try to retrofit a US template for an Indian customer base run into DPDP Act gaps. Customers who sign a vendor's standard MSA without review often discover the exit clause too late.

At a Glance

• Who needs this: B2B SaaS vendors, API platforms, PaaS providers, cloud service companies, and enterprise customers reviewing vendor MSAs before signature.
• Governing law: Indian Contract Act 1872, IT Act 2000, and DPDP Act 2023; international layer through GDPR for EU customers and state-level US laws.
• Documents covered: Master Services Agreement, Service Level Agreement, Data Processing Addendum, Order Form template, and a negotiation playbook.
• Standard turnaround: Five to ten working days for the full set; per-deal negotiation cycles typically one to four weeks depending on the customer.
• Standard uptime SLA: 99.9% for B2B SaaS, 99.95% for premium tiers, and 99.99% only where redundant infrastructure justifies the commitment.
• Liability cap norm: Twelve months of fees paid, with carve-outs and super-caps for IP infringement, data breach, and confidentiality.
• Data role: The vendor is typically a data processor and the customer is the data fiduciary under DPDP Act 2023.

What's New for FY 2026-27

SaaS contracting changed materially in the last two years. The drafting positions that worked in 2023 now leave gaps.

• DPDP Act rules notified: Operational rules for consent, breach notification within 72 hours, data principal rights, and cross-border data transfer are now in force. DPAs must align to the notified rules, not just the 2023 Act.
• AI clauses are standard: Customer data used for model training, ownership of model outputs, hallucination disclaimers, and AI-specific indemnity carve-outs now appear in most enterprise MSAs.
• Cyber-insurance is contractual: Enterprise customers now require vendors to maintain cyber-liability insurance with named limits; the policy summary is annexed to the MSA.
• Sub-processor transparency: Customers demand named sub-processor lists with advance notice of any changes; blanket consent language is no longer accepted.
• ISO 42001 references: AI management system certification is appearing in MSA security schedules alongside ISO 27001 and SOC 2 Type II.
• EU AI Act timeline: Vendors with EU customers offering AI features are now expected to map their obligations against the AI Act risk classification and disclose it contractually.

Why SaaS Agreements Need Specialist Drafting

A generic contract template will miss the mechanics that make a SaaS agreement enforceable. Here is what specialist drafting actually solves.

• SLA mechanics: Uptime is meaningless without a measurement definition, a credit formula, and an exclusion list. Generic templates skip all three.
• DPDP Act overlay: The Act creates a sharp data fiduciary versus data processor split with different obligations on each side. Generic templates blur this distinction.
• Data ownership lines: Customer data, derived data, aggregated data, and AI model output each have separate ownership and use rights that need express drafting.
• Liability calibration: A liability cap that is too low loses enterprise deals; one that is too high creates uninsurable exposure for the vendor.
• Cross-border transfer: Mechanisms differ for the EU, UK, US, and India. Standard Contractual Clauses, adequacy, and DPDP cross-border lists each apply differently.
• Exit clause depth: Where, how, and in what format customer data leaves the platform is the most disputed clause at termination.

How It Actually Works

The drafting process is sequential. Each step builds the document set that ships at the end.

Step 1: Brief and Customer Profile (1-2 Days)

We start with the subscription model, customer mix, geography, data sensitivity, regulatory overlay, and average deal size. A vendor selling to Indian SMEs at ₹2 lakh per year needs a different MSA than one selling to UK-listed enterprises at £150,000 per year. The profile decides every drafting position downstream, from liability cap to audit rights.

Step 2: Drafting the Document Set (5-10 Days)

The Master Services Agreement, Service Level Agreement, Data Processing Addendum, and Order Form template are drafted as one consistent set with internal cross-references. The MSA carries the legal frame; the SLA carries the operational commitments; the DPA carries the data obligations; the Order Form carries the commercial terms that change per customer. Cross-references are explicit so a change to one document does not silently break another.

Step 3: Industry and Compliance Overlay (3-5 Days)

DPDP Act 2023 obligations are baked in by default. GDPR layers on for EU customer data. HIPAA Business Associate Agreement language sits over healthcare deals. PCI-DSS references apply where card data flows through the service. RBI and SEBI overlays apply for financial-services customers. Each overlay changes specific clauses, not the whole document.

Step 4: Review and Negotiation Cycle (Per Deal)

Customer-side mark-ups arrive in waves. We hold defined fallback positions on liability cap, indemnity, audit rights, and exit. Red-line clauses, the ones that should never move, are protected. A negotiation playbook gives sales and legal teams pre-cleared language for the top twenty customer redlines, so deals do not stall waiting for outside counsel.

Step 5: Execution and Order Form Cycle

The Master MSA is executed once. Each subsequent customer engagement adds an Order Form or Statement of Work that references the MSA and lists the modules subscribed, the term, the fee, and any customer-specific clauses. An e-signature workflow keeps the cycle to days, not weeks, and the executed copies sit in a single contract repository.

Step 6: Renewals and Annual Update

Annual MSA refresh against new law, including DPDP Act amendments, the EU AI Act timeline, and sectoral notifications. Renewal Order Forms capture price changes, scope changes, and any new modules. The customer's renewal negotiation leverage is highest at this point; the MSA renewal clause decides who actually holds it.

A Real Example: HR SaaS Vendor Selling Across India and the UK

Consider a B2B SaaS vendor selling HR software to mid-market companies. Average contract value is ₹18 lakh per year per customer. The customer base is split between India and the United Kingdom.

• MSA structure: A single Master Services Agreement is signed by the legal entity in India; Order Forms reference the MSA. UK customers sign with the vendor's UK subsidiary under the same MSA template, localised to UK governing law.
• SLA commitment: 99.9% monthly uptime measured by external monitoring. Service credit of 5% of the monthly fee for the first SLA miss, 10% for a second miss in the same quarter, capped at 25% of the monthly fee.
• Liability cap: Capped at 12 months of fees paid, around ₹18 lakh per customer; super-cap of 2x for data breach and IP indemnity; no cap for confidentiality and gross negligence.
• DPA flow: The vendor is the data processor; UK customer data is hosted in the EU region under Standard Contractual Clauses; Indian customer data is hosted in Mumbai under DPDP Act compliance.

Three deals closed off the same MSA template in a single quarter; one customer-side negotiation lasted six weeks because of audit-rights pushback, the other two closed in twelve days each.

Annual Compliance and Post-Execution Maintenance

An executed MSA is the beginning of the contract lifecycle, not the end. Live SaaS contracts need active maintenance to stay enforceable.

• Annual MSA refresh: The vendor's standard MSA is reviewed every twelve months against new statute, regulator guidance, and any precedent customer redlines that should now sit in the standard form.
• Sub-processor list updates: Adding a new infrastructure provider or analytics vendor triggers customer notice obligations under the DPA. The list is maintained on a public page with version history.
• Security certification renewal: ISO 27001 and SOC 2 Type II reports are renewed annually and made available to customers under NDA. ISO 42001 sits alongside where AI features are live.
• Breach response drills: The 72-hour breach notification clock under the DPDP Act rules cannot be met without rehearsed playbooks. Annual tabletop exercises keep response times realistic.
• Insurance renewal: Cyber-liability and tech E&O policies are renewed before expiry; certificates of insurance go out to customers who contractually require them.

Where It Goes Wrong

The recurring failure points show up in customer disputes and renegotiations. Specialist drafting eliminates most of them at the start.

• US template copied to India: A US-origin SaaS MSA pasted into the Indian market misses DPDP Act obligations, Indian stamp duty, and Indian jurisdiction defaults. The contract becomes vulnerable at enforcement.
• Uncapped IP indemnity: Open-ended IP infringement indemnity exposes the vendor to bet-the-company risk. A reasonable carve-out structure with mitigation steps protects both sides.
• Vague exit clause: If the contract does not specify the data export format, the export window, and the deletion certification, customers risk losing their data and vendors risk lock-in claims at termination.
• No service credit cap: Service credits that are not capped expose the vendor to credits exceeding the monthly fee. A 25% to 50% monthly cap is industry standard.
• Missing AI clauses: Without express clauses on training data, model outputs, and AI hallucination, both parties carry unallocated risk where AI features are part of the service.
• Sub-processor blanket consent: A clause allowing the vendor to add or change sub-processors without notice fails most enterprise procurement checks. Notice and right-to-object language is now expected.
• Audit rights drafted blindly: An audit clause that allows the customer unrestricted physical audit of the vendor's data centres is unenforceable in practice; a reasonable audit framework based on SOC 2 reports works.

The single most expensive drafting failure we see is a missing or vague exit clause. It turns every customer churn event into a legal dispute.

What You Receive at the End

• Master Services Agreement tailored to your subscription model and geography
• Service Level Agreement with measurable uptime, credit formula, and exclusions
• Data Processing Addendum aligned to DPDP Act 2023 and GDPR
• Order Form template ready for sales team use across multiple deals
• Sub-processor disclosure template and customer notice workflow
• Negotiation playbook with fallback positions on the top twenty customer redlines
• Acceptable Use Policy and a security schedule referencing your certifications
• Annual update note covering new statute and regulator guidance

How to Get Started

Share a short brief on the subscription model, customer base, average deal size, the industries you serve, and the geographies you operate in. If you are reviewing a vendor's MSA, share the draft and a note on what matters most to you: liability cap, exit, SLA, or data handling. The brief takes a half-hour call to complete.

We turn around the first draft in five to ten working days, walk you through the drafting choices on a structured call, and stay engaged through the first three customer-side negotiations. Renewals, annual updates, and ad-hoc redline reviews are handled under a retainer or per-deal basis, whichever fits the deal volume.