Software-as-a-service (SaaS): legal issues and concerns

What are SaaS contracts?

Software as a Service (SaaS) is a form of cloud computing that has become indispensable in modern business. In a SaaS solution, software is no longer installed locally; instead, a provider provides access to software over the Internet based on a subscription model. A SaaS agreement is the legal foundation that governs the relationship between the SaaS provider and the customer.

Unlike traditional software licensing, in this model the SaaS provider retains control of the software, while the customer accesses its functionalities via a Web browser or app. This fundamental difference requires specific contractual provisions that differ from conventional software agreements.

Why are good SaaS contracts crucial?

A sound SaaS agreement protects the interests of both the provider and the customer. For customers, it is essential to be sure of service availability, security and continuity. For providers, it is important to limit liability and protect intellectual property rights.

Without properly drafted SaaS contracts, you run risks such as:

  • Lack of clarity about responsibilities in case of failures
  • Inadequate protection of business-critical data
  • Compliance risks related to privacy laws
  • Uncertainty about continuity in the event of supplier bankruptcy
  • Unclear agreements on service levels and maintenance

Core provisions in SaaS contracts

1. Description of services

The basis of any SaaS contract is a precise description of the service being offered. This defines:

  • The exact functionalities and modules of the software
  • Usage restrictions (number of users, data storage, etc.)
  • Access conditions and authorization levels
  • Integration capabilities with other systems
  • Uses and possible restrictions

A detailed description prevents later discussions about what does and does not fall within the service and gives the customer clarity about what they can expect.

2. Service Level Agreement (SLA)

An essential part of the SaaS agreement is the Service Level Agreement, which sets concrete quality standards:

  • Availability guarantees (uptime rates)
  • Failure response times
  • Maintenance procedures and windows
  • Escalation procedures
  • Performance standards and reporting
  • Compensation arrangements for non-performance

A well-crafted SLA protects the customer from service interruptions and gives the provider clear parameters within which service must occur.

3. Data security and privacy

In today's digital landscape, data security is critical. Good SaaS contracts therefore contain detailed provisions on:

  • Technical and organizational security measures
  • Encryption of data in transit and at rest
  • Backup procedures and disaster recovery
  • Penetration testing and security audits
  • Location of data storage and data centers
  • Security incident reporting procedures

4. Processor agreement under the AVG/GDPR

When personal data are processed, a processing agreement in accordance with the General Data Protection Regulation (GDPR) is required. This regulates, among other things:

  • The obligations of the processor
  • Instructions for data processing
  • Personal data security
  • Assistance in meeting AVG obligations
  • Use of sub-processors
  • Data breach procedures
  • International data traffic

The processor agreement can be integrated into the SaaS contract or prepared as a separate document.

5. Intellectual property rights

Clear agreements about intellectual property rights are crucial in SaaS contracts:

  • The provider usually retains all rights to the software
  • The customer acquires a right of use (license)
  • Ownership of data entered by the customer remains with the customer
  • Rights to customer-created configurations or modifications
  • Software usage restrictions and conditions

6. Liability and indemnities

Liability provisions are one of the most negotiated aspects of SaaS contracts:

  • Maximum liability (often tied to contract value)
  • Exclusion of indirect and consequential damages
  • Indemnities for third-party claims
  • Specific liability for data breaches
  • Exceptions to limitations of liability for intentional or gross negligence

7. Duration and termination

Clear agreements on term and termination options:

  • Initial contract term and tacit renewal
  • Notice periods for both parties
  • Grounds for termination (breach of contract, bankruptcy, etc.)
  • Exit strategy and transfer of data
  • Termination support
  • Retention or deletion of data after termination

8. Continuity arrangements

For mission-critical applications, continuity arrangements are essential:

  • SaaS escrow arrangements for access to source code
  • Continuity guarantees in case of acquisition or bankruptcy
  • Data export capabilities in a usable format
  • Transition support to another solution

Impact of recent legislation on SaaS contracts

The AVG/GDPR requirements

The General Data Protection Regulation (GDPR) has a significant impact on SaaS contracts when personal data are processed. Some key considerations are:

  • Responsibilities: The division of roles between controller (usually the customer) and processor (usually the SaaS provider) must be clear.
  • Purpose limitation: Personal data may be processed only for specified, explicit and legitimate purposes.
  • Security measures: Appropriate technical and organizational measures must be taken to protect personal data.
  • Data minimization: No more data shall be processed than necessary for the purpose of the processing.
  • Retention periods: Data will not be kept longer than necessary.
  • Processor agreement: A written agreement must be in place that establishes the obligations of the processor.

The NIS2 directive

The Network and Information Security Directive 2 (NIS2) is a European directive that has been in effect in Belgium through the NIS2 law since October 2024. This law imposes additional cybersecurity obligations on organizations and has direct implications for SaaS contracts:

  • Security requirements: Stricter requirements for cyber risk management and security measures
  • Incident reporting: Obligation to report significant security incidents to the competent authorities
  • Supply chain cooperation: Increased focus on security throughout the supply chain
  • Management liability: Top management is responsible for non-compliance with security measures

Even if your organization is not directly covered by the NIS2 Act, it may apply indirectly when you do business with parties that do fall within its scope.

Specific concerns by role

For SaaS customers

As a purchaser of SaaS services, it is crucial to get the following aspects right:

  • Availability guarantees: Secure clear uptime guarantees with compensation arrangements
  • Data ownership: Ensure you retain full ownership of your data
  • Exit strategy: Agree on data transfer upon termination
  • Audit rights: Stipulate the right to audit the provider's security measures
  • Compliance support: Make sure the supplier supports you in complying with laws and regulations
  • SLA monitoring: Require transparent reporting on compliance with service levels
  • Price escalation: Limit possible price increases during the contract term

For SaaS providers

As a provider of SaaS solutions, the following points deserve special attention:

  • Liability limitation: Limit your liability to a realistic level
  • Intellectual property: Protect your intellectual property rights in the software
  • Service flexibility: Retain the right to further develop the software
  • Support levels: Clearly define what support is provided
  • Payment terms: Provide clear payment terms and consequences for non-payment
  • Use restrictions: Set reasonable limits on the use of your software
  • Subprocessors: Maintain flexibility to engage sub-processors

Why legal counsel is essential in SaaS contracts

Drafting or reviewing SaaS contracts requires specific expertise at the intersection of IT law, privacy and contract law. The legal implications are complex, and the risks of a poorly drafted contract can be significant.

Our law firm has in-depth knowledge of both the legal and technical aspects of SaaS services. We offer support on:

  • Drafting customized SaaS agreements
  • Reviewing and negotiating offered SaaS contracts
  • Drafting Service Level Agreements (SLAs)
  • Implementing AVG/GDPR-compliant processor agreements
  • Integrating NIS2 requirements into your contracts
  • Designing escrow and continuity arrangements
  • Assisting with disputes regarding SaaS services

Our services

Our law firm offers specialized legal services on SaaS contracts for both suppliers and customers:

For SaaS providers

  • Contract templates: Development of standardized but flexible contract templates
  • General conditions: Drafting general terms and conditions that protect your interests
  • SLAs: Designing Service Level Agreements with realistic guarantees
  • Compliance advice: Advice on complying with relevant laws and regulations
  • International expansion: Advice on legal aspects of entering foreign markets

For SaaS customers

  • Contract review: In-depth analysis of SaaS contracts offered
  • Negotiation support: Assistance in negotiating more favorable terms
  • Risk analysis: Identification and mitigation of legal risks
  • Due diligence: Examining the compliance and reliability of SaaS providers
  • Exit strategies: Advice on termination and transition to other solutions

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be