SaaS Lawyers: Key Provisions in a SaaS Service Agreement

by John DiGiacomo

Partner

Internet Law

Service Level Agreements: The Backbone of Any SaaS Contract

A Service Level Agreement (SLA) is one of the most negotiated — and most frequently disputed — provisions in a SaaS service agreement. The SLA defines the performance standards the SaaS provider commits to maintaining, and the remedies available to the customer when those standards are not met. Key SLA elements include:

  • Uptime commitment: Expressed as a percentage (e.g., 99.9% monthly uptime). 99.9% allows approximately 8.7 hours of downtime per year; 99.99% allows approximately 52 minutes.
  • Measurement methodology: By the provider’s monitoring tools? By a third-party service? The methodology can be as important as the percentage.
  • Scheduled maintenance exclusions: Customers should negotiate limits on the frequency, duration, and timing of maintenance windows.
  • Service credits: The most common SLA remedy is a service credit — a reduction in the next invoice. Credits are typically capped at a percentage of the monthly fee and are often the customer’s exclusive remedy for SLA violations.
  • Termination triggers: Customers should negotiate the right to terminate for cause — and receive a pro-rated refund — if uptime falls below a specified threshold for a specified number of consecutive months.

Data Ownership and Data Portability

SaaS customers should never assume that they own the data they generate or input into a third-party platform. The service agreement controls data ownership, and many SaaS providers claim a broad license — or even ownership — of data generated on their platform. Critical provisions to negotiate:

  • Customer owns customer data: The agreement should explicitly state that all data uploaded by, or generated on behalf of, the customer is owned by the customer.
  • Limited provider license: The provider’s license to use customer data should be limited to the minimum necessary to provide the service — not for product improvement, benchmarking, or sale to third parties.
  • Data portability on termination: The agreement should require the provider to make all customer data available for export in a standard, machine-readable format for at least 30–60 days after termination.
  • Data deletion on termination: The provider should be contractually obligated to delete all customer data within a specified period after the export window closes, and to certify that deletion.

Security Obligations and Breach Response

SaaS providers process sensitive customer data and must maintain appropriate security. The service agreement should specify the security standards the provider commits to maintaining (e.g., SOC 2 Type II audit, ISO 27001 certification), require prompt notice of any security incident affecting customer data (typically within 72 hours of discovery), and allocate responsibility for breach response costs, including notification expenses, credit monitoring, and regulatory fines.

Under many state data breach notification laws — including Michigan’s Identity Theft Protection Act, MCL § 445.72, and California’s Customer Records Act, Cal. Civ. Code § 1798.82 — the business that owns the customer relationship (the SaaS customer) is typically responsible for notifying affected individuals, even when the breach occurred in the SaaS provider’s systems. SaaS customers therefore bear regulatory risk for their providers’ security failures and must address this in the service agreement.

Intellectual Property Provisions: Who Owns What?

  • Platform IP: The SaaS provider owns the platform, software, and underlying technology. The customer receives only a license to use the platform — not ownership.
  • Configurations and customizations: If the customer pays for custom development or configuration, the agreement should specify who owns those customizations. Without an explicit provision, the provider may own them.
  • Feedback provisions: Many SaaS agreements include provisions giving the provider ownership of any feedback, suggestions, or ideas the customer provides. These provisions are often broader than they appear.
  • AI features: SaaS agreements increasingly include provisions allowing the provider to use customer data to train AI models. These provisions are frequently buried in the agreement and deserve careful scrutiny.

Limitation of Liability: The Most Important Provision You May Be Ignoring

The limitation of liability provision in a SaaS agreement caps the provider’s exposure, typically at the fees paid in the preceding 12 months. For customers paying $50,000 per year for a mission-critical system, this means that even a catastrophic data breach results in a maximum recovery of $50,000 — often far less than the actual damages. Customers should negotiate:

  • Carve-outs from the liability cap for data breaches, IP infringement claims, and willful misconduct
  • Increased caps (e.g., 24 months of fees) for mission-critical systems
  • Mutual caps — the customer’s liability for nonpayment or IP infringement should also be capped
  • Exclusion of the mutual waiver of consequential damages for data breach events

Revision Legal’s SaaS attorneys draft, review, and negotiate SaaS agreements for both providers and enterprise customers. Whether you are launching a SaaS product or entering into a high-value subscription agreement, we can protect your interests. Contact us at revisionlegal.com/contact or visit our SaaS practice page.

Software-as-a-service (“SaaS”) is, of course, very different from software-as-a-product. The latter is downloaded or comes on a disk in a box, comes with a licensing agreement, mostly involves a one-time payment, and is installed and hosted on the users’ networks and computers. SaaS, on the other hand, is a web-hosted software solution offered on a subscription model, comes with a service contract, generally involves monthly access charges, and the software is hosted on the servers of the service provider with limited or no software hosted on the user’s computer system. There are, of course, many market segments that offer related software as both. Video game developers, for example, offer the basic software and features of the game as a product, but if the game is developed as a multiplayer, interactive, over-the-net game experience, that aspect is SaaS.

Because SaaS is very different from software-as-a-product, companies that offer SaaS need lawyers with specific and deep SaaS experience. For example, the basic service agreement alone raises many legal issues that must be negotiated and agreed upon. Thus, an SaaS service agreement must have a wealth of key provisions. These include:

  • Details of services to be provided, including issues like implementation, testing, and acceptance by the user
  • Training and support by the service provider
  • Mutual terms of cooperation
  • Issues with respect to business interruption, continuity, disaster recovery, etc.
  • Invoicing, payments, and audits
  • Provisions related to limited use, non-sharing of access codes, excessive and/or unauthorized use
  • Payment of sales and use taxes
  • Termination and default provisions
  • Ownership of data present on the provider’s network or system
  • Any obligations upon termination, such as transition assistance
  • Cyber-security measures by each party; breach and attempted breach notification provisions
  • Mutual confidentiality and non-disclosure issues
  • Provider’s on-site and remote access to the user’s system and/or data storage
  • Intellectual property issues, including ownership and non-infringement
  • Compliance with relevant laws and regulations like consumer privacy statutes, HIPAA, COPPA, etc.
  • Limitations of liability
  • Assignment or use of SaaS by third parties, independent contractors, vendors, and others
  • Services provided by third parties, independent contractors, vendors, and others
  • Dispute resolution, choice of law, etc.
  • Default provisions

At Revision Legal, we offer legal solutions to move from concept to agreement and then to actualization. We also offer legal assistance with enforcement and are top-tier SaaS litigators if disputes end up in a courtroom or arbitration proceeding.

Other ways an SaaS lawyer can assist your SaaS business

There are many other ways in which an SaaS lawyer can help your SaaS business. Interestingly enough, an SaaS platform can become a software-as-product if your SaaS business wants to license the software, platform, and business model to third parties. Under those circumstances, your SaaS business will need to negotiate and finalize a licensing agreement. All businesses, of course, need various legal services like corporate entity formation and maintenance, intellectual property legal services, responses to litigation and threat of litigation, response to governmental and administrative investigations, help with other types of business contracts, compliance assistance with labor, privacy, tax, and other laws and regulations, and more.

Contact the SaaS Attorneys at Revision Legal

For more information, contact the experienced SaaS Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
