SaaS Agreements – Legal Requirements – Online SaaS Sales

SaaS suppliers making online sales of SaaS services to business customers in the UK need to ensure that they have the necessary legal documents and information available on their website to comply with English law. Simply having a SaaS agreement online will not cover all legal obligations in the UK when providing SaaS services online. Below is a summary of the documents and information that you should have available on a UK website.

SaaS Agreement

The terms and conditions under which you will be providing SaaS services to customers should be set out in your SaaS agreement. These should as a minimum include:

  • granting SaaS customers a licence to access the SaaS services for the term of the SaaS agreement;
  • retaining ownership in all intellectual property rights in the software and services;
  • return of SaaS customer data on termination of the SaaS agreement;
  • the Customer’s obligations as a data controller under the Data Protection Act 1998.

Service Level Agreement (SLA)

This should set out the hosting, support and maintenance services being provided to the SaaS customer. The SLA should specify:

  • where the data centre is located;
  • who is operating the data centre;
  • what security, backup and disaster recovery procedures are in place;
  • what support services are provided;
  • when and how maintenance will be carried out.

Privacy Statement

When making online SaaS sales you will be collecting and processing the personal data of your SaaS customer. Even if SaaS customers do not have to register in order to use your website, you will undoubtedly be using Google Analytics or setting other cookies to collect information about visitors to your website. To comply with the Data Protection Act 1998, if you collect, store or process personal data (e.g. email addresses), you need to have a privacy policy on your website. Your privacy policy must be easy to find and should include the following information:

  • the type of data being collected;
  • why the data is being collected;
  • how the data is used and why;
  • information about any cookies used;
  • if and why personal data will be disclosed to third parties;
  • how and where data is stored;
  • how complaints or queries about personal data will be dealt with.

Registration under the Data Protection Act

If you collect personal data on your website (e.g. the email address, name or address of a living individual), you will be processing personal data and must register as a data controller under the Data Protection Act. It is a criminal offence not to register.

About Us/Contact Information

SaaS suppliers must provide the following information in an easily accessible position on their website:

  • legal name, e.g. XYZ Ltd;
  • geographical address;
  • contact details, e.g. telephone number, fax number and email address;
  • which country your business is registered in and the registration number;
  • details of any supervisory body which regulates your business, e.g. the FSA;
  • where you are registered for VAT and your VAT number;
  • clear details of prices and whether or not delivery and/or tax is included.

Compliance with other Laws

SaaS suppliers will also need to consider their compliance with any other applicable laws or rules. These will be industry specific depending on the type of SaaS services being provided.
For example, if you provide email marketing services you will need to comply with applicable email marketing and advertising rules and guidelines such as the CAP Code and the Privacy and Electronic Communications Regulations 2003.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

Speaker at the Berlin CloudConf 2013.
