SaaS Subscription Agreement Review Guide
SaaS contracts are template-perfect for the vendor and quietly punishing for the customer. The defaults bake in auto-renewal, vendor-friendly SLAs, broad data rights, and exit costs that nobody flags during the demo. Nine clauses determine whether you're locked in.
What it is
A SaaS subscription agreement is the contract for using cloud-based software. The vendor hosts the software; you pay for access. Almost always pre-written by the vendor's lawyers, often presented as "non-negotiable" for smaller customers and quietly negotiated to death by enterprise procurement.
Standard structure: a Master Services Agreement (sometimes called the SaaS agreement, subscription agreement, or terms of service) that covers the legal terms, plus an Order Form that specifies what you're buying — modules, seat count, term, price.
What's negotiable depends on your size. Startups signing self-serve: barely anything. Enterprise customers: almost everything except the absolute floor pricing.
Common clauses to check
- [ 01 ]
Term & auto-renewal
Initial subscription length and what happens at the end. Auto-renewal is standard; the question is the notice window and whether prices reset.
What to look for
- Initial term clearly stated (1 year is typical; multi-year for discounts).
- Renewal cadence — renewal for another full year is standard; rolling month-to-month renewal after an annual initial term is rare.
- Notice period to cancel — 30 days is standard; 60 or 90 is aggressive.
- Renewal rate — locked, capped (e.g., "no more than 7% increase"), or "current published pricing."
Red flags
- Auto-renewal with 90+ days notice required to cancel — easy to miss, so diarize the notice deadline the day you sign.
- Renewal at "then-current rates" with no cap.
- Compounding multi-year auto-renewals (3-year initial, then 3-year auto-renewals).
- [ 02 ]
Service level agreement (SLA)
Uptime guarantees and what you get if the vendor misses them. The SLA is usually a separate document incorporated by reference; check that the referenced version is fixed, not "as updated by Vendor from time to time."
What to look for
- Uptime commitment (99.9% is common; 99.99% for critical systems), together with the measurement window it is computed over: a 99.9% target allows about 44 minutes of downtime in a calendar month but nearly 9 hours if measured across a year.
- Carve-outs from downtime — scheduled maintenance, force majeure, customer's own fault. Reasonable carve-outs are standard.
- Remedy for missed SLA — service credits as a percentage of fees. Should escalate with severity.
- Right to terminate for chronic SLA failures (e.g., 3 missed months in a 12-month period).
Red flags
- Service credits capped at 5% of monthly fees, with restrictive claim windows.
- No definition of "downtime" (is degraded performance counted? is a partial outage affecting one region or module counted?).
- Credits only on written request within 30 days; the vendor has no obligation to report a miss or apply the credit on its own.
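Measurement mechanics decide whether an SLA is ever breached on paper. The following is an added example, not part of the original guide, that models a hypothetical 99.9% SLA over a year of constructed incidents and shows how three clause choices change the outcome: monthly versus annual measurement, whether degraded performance counts as downtime, and a chronic-failure termination trigger. The incidents, credit tiers and thresholds are assumptions for illustration, not terms from any real contract.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Incident:
    start: datetime
    minutes: int
    kind: str  # "outage", "degraded" or "maintenance"


# Constructed sample incidents for one year (hypothetical, not real vendor data).
INCIDENTS = [
    Incident(datetime(2024, 1, 9, 2, 0), 120, "maintenance"),   # announced window: carved out
    Incident(datetime(2024, 1, 17, 14, 5), 35, "outage"),
    Incident(datetime(2024, 2, 3, 9, 0), 25, "outage"),
    Incident(datetime(2024, 2, 20, 11, 0), 90, "degraded"),     # counts only if "downtime" includes degradation
    Incident(datetime(2024, 3, 12, 8, 30), 50, "outage"),
    Incident(datetime(2024, 4, 1, 0, 0), 5, "outage"),
    Incident(datetime(2024, 5, 14, 16, 0), 20, "outage"),
    Incident(datetime(2024, 5, 14, 16, 20), 60, "degraded"),
]

# Assumed SLA terms, modelled on the clause patterns described in this guide (hypothetical).
UPTIME_TARGET = 0.999
# Monthly availability floor -> service credit as % of that month's fee.
CREDIT_TIERS = [(0.999, 0), (0.99, 10), (0.95, 25), (0.0, 50)]
CHRONIC_MISSES = 3  # missed months in the year that unlock a termination right


def allowed_downtime_minutes(target: float, days: int) -> float:
    """Downtime budget implied by an uptime target over a window of `days` days."""
    return (1 - target) * days * 24 * 60


def counted_downtime(incidents, year, month=None, count_degraded=False):
    """Minutes of downtime the SLA would count in one month (or the whole year if month is None).
    Scheduled maintenance is always carved out; degraded performance counts only when the
    contract's definition of downtime includes it."""
    kinds = {"outage", "degraded"} if count_degraded else {"outage"}
    return sum(
        i.minutes for i in incidents
        if i.start.year == year
        and (month is None or i.start.month == month)
        and i.kind in kinds
    )


def monthly_availability(incidents, year, month, count_degraded=False):
    minutes_in_month = monthrange(year, month)[1] * 24 * 60
    return 1 - counted_downtime(incidents, year, month, count_degraded) / minutes_in_month


def annual_availability(incidents, year, count_degraded=False):
    minutes_in_year = sum(monthrange(year, m)[1] for m in range(1, 13)) * 24 * 60
    return 1 - counted_downtime(incidents, year, None, count_degraded) / minutes_in_year


def credit_percent(availability: float) -> int:
    """Service credit owed for a month: the first tier (highest floor) the availability meets."""
    for floor, pct in CREDIT_TIERS:
        if availability >= floor:
            return pct
    return CREDIT_TIERS[-1][1]


def sla_report(incidents, year, count_degraded=False):
    """Per-month verdicts under monthly measurement, plus the chronic-failure check."""
    months = []
    for m in range(1, 13):
        a = monthly_availability(incidents, year, m, count_degraded)
        months.append({"month": m, "availability": round(a, 5),
                       "missed": a < UPTIME_TARGET, "credit_pct": credit_percent(a)})
    misses = sum(r["missed"] for r in months)
    return {"months": months, "misses": misses, "may_terminate": misses >= CHRONIC_MISSES}


if __name__ == "__main__":
    for degraded in (False, True):
        rep = sla_report(INCIDENTS, 2024, degraded)
        print(f"degraded counts as downtime: {degraded}")
        print(f"  monthly measurement: {rep['misses']} missed month(s), "
              f"termination right: {rep['may_terminate']}")
        print(f"  annual measurement:  {annual_availability(INCIDENTS, 2024, degraded):.5f}")
```

With these inputs the vendor misses one month when only hard outages count and three months (enough to trigger the termination right) when degraded performance is also downtime, yet measured over the whole year it clears 99.9% either way. That gap between monthly and annual measurement is why the window and the definition of "downtime" deserve as much attention as the headline percentage.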
- [ 03 ]
Data ownership
Who owns the customer data you put into the system. Should be clearly stated as the customer's.
What to look for
- Explicit statement: "Customer Data is owned by Customer."
- Vendor's license to use Customer Data limited to "operating the service" or "providing the service to Customer."
- Restrictions on vendor using Customer Data for analytics, ML training, or product improvement without consent.
Red flags
- Broad license for vendor to use Customer Data "for any business purpose."
- Vendor's right to use Customer Data to train AI models (read this carefully; many contracts now include one).
- Aggregated/anonymized data carve-outs that swallow the rule. If "anonymized" is not defined, de-identified exports can often be re-identified.
- [ 04 ]
Data security & breach notification
Vendor's commitments to protect data and notify on a breach. Increasingly governed by data-protection law (GDPR, CCPA, etc.).
What to look for
- Reference to a security policy or attestation (SOC 2 Type II, ISO 27001), with the right to receive the current report or certificate rather than a bare claim that one exists.
- Encryption at rest and in transit, with stated standards (e.g., TLS 1.2 or later in transit, AES-256 at rest) and a statement of who controls the keys.
- Breach notification commitment with a fixed clock. Under GDPR the 72-hour deadline to notify the regulator falls on you as controller; the vendor, as processor, owes you notice "without undue delay," so negotiate a defined window (24 to 48 hours is a common ask) that leaves you time to meet your own deadline.
- Data Processing Addendum (DPA) for personal data, with Standard Contractual Clauses for international transfers.
Red flags
- Generic "reasonable security" with no defined controls.
- Breach notification "as required by law," which sets no contractual clock at all: you learn of the incident only when the vendor's lawyers conclude the law compels disclosure.
- No DPA when you're processing personal data. GDPR Article 28 (and the CCPA's service-provider rules) require a written contract, and the gap is your compliance failure as controller, not the vendor's.
- [ 05 ]
Pricing & escalators
Price for the initial term, what happens on renewal, and any add-ons.
What to look for
- Initial-term price locked.
- Renewal escalators capped (e.g., "lesser of CPI or 7%").
- Add-on user pricing locked or capped.
- True-up mechanism — if you exceed seat count mid-year, what's the cost?
Red flags
- Renewal price "as published by vendor" — could be 30% higher.
- True-up at "list price" without your discount applied.
- Bundled features that get split (and re-priced) at renewal.
- [ 06 ]
Termination & exit
When and how you can leave. The default is at end of term; mid-term exit usually requires breach.
What to look for
- Termination for material breach with cure period (typically 30 days).
- Termination for convenience — rare in vendor-friendly SaaS, but worth asking.
- Data export — format (machine-readable, not a PDF dump), timeline, vendor obligation to provide before deletion, and written confirmation once deletion has happened.
- Transition assistance period (e.g., 90 days) for migration to a new vendor.
Red flags
- No data export rights — vendor returns data only for a fee, or in a format you can't load anywhere else.
- Vendor deletes data within 30 days of termination, no grace.
- Termination triggers acceleration of remaining fees.
- [ 07 ]
Indemnification
Who's on the hook for IP claims, breach of contract, and damages.
What to look for
- Vendor indemnifies customer for IP infringement claims about the service.
- Customer indemnifies vendor for breaches by customer's users.
- Cap on customer's indemnification at fees paid in 12 months preceding the claim.
- Mutual carve-outs for indemnification (no cap on willful misconduct).
Red flags
- Vendor's indemnification limited to "replace or refund" — useless if you've integrated.
- Customer's indemnification of vendor with no cap.
- Vendor controls the defense AND can bind the customer to a settlement without its consent.
- [ 08 ]
Liability cap
How much either side can be made to pay if something goes wrong.
What to look for
- Cap stated as fees paid in the 12 months preceding the claim.
- Carve-outs from cap — IP indemnification, confidentiality, gross negligence. Data-breach liability is commonly negotiated into a separate "super-cap" (a multiple of annual fees) rather than left inside the general cap.
- Mutual cap (vendor and customer subject to same limit).
Red flags
- Asymmetric caps (vendor's is lower than customer's, or one-way exclusion of consequential damages).
- Cap of "$10,000" regardless of contract value.
- Carve-outs that benefit only one party.
- [ 09 ]
Acceptable use policy
Restrictions on what you can do with the service. Often includes content prohibitions, rate limits, and a ban on probing or testing the service for vulnerabilities.
What to look for
- Reasonable AUP referenced as separate document — read it.
- If you intend to vulnerability-scan or penetration-test the service, written permission in the contract to do so; most AUPs prohibit scanning and testing without it.
- Vendor's right to suspend for AUP violation only after notice and cure.
- Indemnification by customer for AUP violations is standard.
Red flags
- Immediate suspension for any AUP violation, no cure period.
- AUP that vendor can update unilaterally with no notice.
- Vague prohibitions on "objectionable content" giving vendor wide latitude.
Other watchouts
- Audit rights — vendor can audit your usage; check the cost-shifting if the audit finds noncompliance. Ask for the reciprocal: your right to audit the vendor's security, or at minimum to receive its current SOC 2 report and penetration-test summary on request.
- Most-favored-customer or MFN clauses — guarantee parity with other customers; check carve-outs.
- Force majeure — should be mutual, and should not excuse the vendor from its own backup and disaster-recovery commitments.
- Publicity rights — vendor's right to announce you as a customer; require approval.
- Open source policy — disclosure of OSS components used; a software bill of materials (SBOM) is the concrete deliverable to ask for.
- Subprocessor list and notification of changes, with a right to object before a new subprocessor handles your data.
- Insurance requirements (cyber, GL, professional liability).
- Dispute resolution — arbitration vs. court, governing law, venue.
Frequently asked questions
- Should I have a lawyer review my SaaS subscription agreement?
- For self-serve subscriptions under ~$10K/year, most companies sign without legal review. For enterprise contracts, multi-year commits, or anything touching personal data at scale (GDPR; HIPAA, where you also need a Business Associate Agreement), a lawyer review is essential — the gotchas can run six figures.
- Can I negotiate a SaaS contract?
- More than vendors say. Even small customers can usually negotiate term length, auto-renewal terms, price caps, data export rights, and SLA carve-outs. The vendor's sales team has wider authority than legal pretends. Ask for the redlined version, not just the form.
- What is a service level agreement (SLA)?
- A contractual commitment to a minimum performance standard (typically uptime), with defined remedies (usually service credits) if the vendor falls below it. "99.9% uptime" allows ~8.76 hours of downtime per year, or roughly 43 to 45 minutes per calendar month if measured monthly; an annual window lets the vendor absorb one long outage that a monthly window would turn into a miss. Carve-outs and exclusions matter as much as the headline number.
- What's an MFN clause in SaaS?
- Most-favored-nation: the customer is guaranteed pricing or terms at least as favorable as those given to other customers. Sometimes phrased as "most-favored customer." Vendors resist these; carve-outs (volume discounts, special situations) usually swallow the rule.
- Should I sign a multi-year SaaS contract?
- If you're confident in the product and you can lock in pricing with capped escalators, yes. If you're early in adoption or the vendor's product roadmap is uncertain, no. Multi-year contracts almost always include termination penalties or pre-payment that lock you in regardless of subsequent unhappiness.