Security Archives

SaaS Agreements – FAQs – What is SaaS and Essential Terms to include in a SaaS Agreement

SaaS is the abbreviation for “software as a service”. You may know this under another name, for example subscription agreement, software on demand, software subscription agreement, cloud computing or ASP services (application service provider). These names all refer to the same thing – software being made available via the Internet to users.

What is a SaaS Agreement

A SaaS agreement is simply the name used for the agreement between a SaaS supplier and a SaaS customer which sets out the terms under which SaaS software may be accessed. This will usually include a service level agreement (SLA).

Differences between a SaaS Agreement and a Standard Software Licence

A SaaS agreement differs from a standard software licence in that:

  • The SaaS customer will not usually receive a physical or installed copy of the software;
  • No ownership in the SaaS software will be transferred to the SaaS customer;
  • The SaaS customer ‘s right to use SaaS software will end upon termination of the SaaS agreement.

Essential Terms to Include in a SaaS Agreement

The following legal issues should be included in any SaaS agreement, whether you are a SaaS supplier or a SaaS customer.

Software Licence

Access to the SaaS software should be limited to the term of the SaaS agreement. Once the SaaS agreement expires or terminates the software licence should automatically terminate.

If the SaaS customer is a global entity, you should specify:

  • Which companies or entities may access the SaaS software;
  • In which territories the software may be used; and
  • The number of authorised users;
  • Identify the specific purposes for which the SaaS software may be accessed; and
  • Name any third parties who will be permitted access to the SaaS software i.e. outsourcing providers or clients of the SaaS customer.

Intellectual Property Rights – IPR

The SaaS supplier should retain ownership of all IPR in the SaaS software and services it provides. The SaaS customer should retain ownership of all IPR in its systems, content and data. You should specifically state that the source code remains owned by the SaaS supplier. The SaaS customer should grant the SaaS supplier the right to use its IPRs for the term of the SaaS agreement i.e. to display the SaaS customer’s logos and copyrighted information.

Applicable Law, Jurisdiction & Language

State which law applies to the SaaS agreement and any disputes arising from it. In international SaaS agreements make sure that you specify in which language the dispute will be dealt with, and if the SaaS agreement is in more than one language, which language prevails if there is a discrepancy between the two versions.

Return of Data

At the end of the SaaS agreement the SaaS customer’s data should be returned. The format in which the data is to be returned and payment for this service should be agreed in advance. Additionally the parties can agree that the SaaS supplier will provide assistance in transferring SaaS customer data to a new supplier – in return for payment for this service.

Data Protection

The SaaS supplier is the data processor and the SaaS customer is the data controller. Under data protection law different rules apply to the data controller and the data processor. The SaaS supplier is obliged to process data in accordance with the SaaS customer’s instructions and should protect itself against claims from third parties that such processing was illegal. Likewise, the SaaS customer will also need to protect itself against claims from third parties caused by the SaaS supplier not processing data in accordance with its instructions or the terms of the SaaS agreement.

From May 2018 each party’s data protections obligations must be set out in a written data processing agreement which should form a schedule to the SaaS agreement.

Service Level Agreement (SLA)

This sets out the hosting, support and maintenance services being provided to the SaaS customer by the SaaS supplier. The SLA should specify where the data centre is located, who is operating it, what security, backup and disaster recovery procedures are in place. Support hours and support services for dealing with hosting problems and software problems should be identified and documented and the procedure for dealing with upgrades and maintenance to the software should be specified. The particular details will depend on the amount being paid for the hosting, support and maintenance and the purpose for which the SaaS software is being used.


Due to the unique nature of SaaS agreements you will need to seek specialist legal advice on the content of a SaaS agreement whether you are a SaaS supplier or a SaaS customer to ensure that your rights are adequately protected and that you are fully complying with all applicable laws.


Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:

To register for my newsletter click here


Other related articles:

SaaS, ASP Agreements – FAQs – Disaster Recovery

Do I need disaster recovery provisions in a SaaS agreement?

Disaster Recovery

Disaster recovery sets out the processes and procedures to be followed in the event of SaaS software, or customer data, no longer being accessible due to a problem with the technology infrastructure at the supplier’s data centre.

For example if there is a power cut, flood or fire at the data centre, the server on which the software is running will no longer function and the customer will no longer have full access to the software and its data. If the customer is using the software for a live website, the website will cease to function correctly, or possibly at all.

Supplier Obligations

The disaster recovery provisions of a SaaS agreement should be set out in the SLA and should as a minimum, include the following supplier obligations in the event of a disaster:

  • customers must be notified of the disaster;
  • any third parties used for disaster recovery should be identified;
  • the estimated time for restoring the servers and access to the software and services should be specified; and
  • details should be given about the supplier’s testing procedures i.e. how often its disaster recovery processes are tested.


The extent and speed of the disaster recovery offered by the supplier will depend upon the fee charged for this service. Suppliers often include the costs of basic disaster recovery in their licence fees. In addition, or as an alternative, they may offer higher levels of disaster recovery for additional fees. The faster and more individual the disaster recovery process is, the higher the fees.

If the supplier does not provide any disaster recovery services, or the customer is not satisfied with the disaster recovery offered, it should consider setting up its own disaster recovery procedure with a third party, particularly if a disaster would be business critical i.e. for a customer providing online banking services.

Avoiding Disasters

The most common disaster recovery risks are power failure, physical damage to the data centre or data and insolvency.

Power Failure

To minimise the risk of a power failure causing the servers to fail, ensure that the data centre has a continuous power supply (UPS) and power regulators to prevent fluctuations or interruptions in the power supply.


If the SaaS agreement includes backup of customer data, the regularity, media used for backups and storage should be set out in the SLA.  Backups should not be stored at the same physical location as the servers on which the data is being processed.


The media on which customer data is backed up should be encrypted. Particularly, if backups are to be physically sent to the customer, or moved to another data centre in the event of a disaster.

Access to Data

In the event that the data centre or a third party making backups of customer data becomes insolvent, the customer usually has no right to access its data and backups. Provisions should be included in the SLA to give the customer the right to access its data and backups in such circumstances.


For assistance with any disaster recover issues, SLA, SaaS, ASP, software on demand contracts or any other IT legal issues contact me at:

To register for my newsletter click here


Other related articles:


SaaS, ASP Agreements – FAQs – Security

What data security provisions need to be included in a SaaS agreement?

Customer’s Security Obligations

These should be set out in the software licence. Access to the software and services should not be permitted to third parties without prior authorisation from the supplier. The customer should provide the following warranties:

  • existence of adequate security measure to ensure access to the software and services does not breach the terms of the SaaS agreement
  • relevant confidentiality provisions relating to the use and access to passwords required for accessing the software and services
  • the obligation to notify the supplier of all security breaches, unauthorised access to the software and services and misuse of passwords
  • provision of indemnities for breaches of the above warranties

Supplier’s Security Obligations

These should be set out in the software licence and in the service level agreement (SLA). The supplier’s obligations will be more extensive than the customer’s obligations due to the nature of a SaaS agreement and the inherent risks of operating over the Internet. The following provisions should be included:

  • details of the firewalls and cryptology used
  • obligation of the supplier to notify the customer of security breaches or data loss
  • details of the data centre security structure
  • restrictions on access to passwords
  • information about virus protection mechanisms

Additionally the supplier should reserve the right to suspend access to the software and services if there is a security breach in order to ensure the integrity or security of the software and services.

Audit Rights

Sometimes customer’s will have a regulatory duty (i.e. under the FSA) to check the supplier’s security structures and systems and that the supplier is complying with its contractual security obligations. If an audit right is granted the following issues should be covered in the SaaS agreement:

  • frequency of the audits
  • payment for the supplier’s time and assistance with audits
  • the supplier’s right to be given copies of audit reports
  • confidentiality provisions relating to access to the supplier’s IPRs, data and infrastructures and disclosure of such to third parties
  • whether or not the supplier has any obligation to make changes to the software and services following an audit


For assistance with any security issues, SaaS, ASP, software on demand contracts or any other IT legal issues contact me at:

To register for my newsletter click here


Other related articles:


Bodle Law
Assign a menu in the Left Menu options.
Assign a menu in the Right Menu options.

This website uses cookies. You may not use this website, unless you agree to our use of cookies. For further details about the cookies we use please visit our Cookie Policy

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.