SaaS Agreement Essentials: Key Terms Every Canadian Software Company Needs

SaaS Agreements for Canadian businesses

SaaS Agreements: The Foundation of Your Revenue Model

Your SaaS business lives and dies on your customer agreements. They define how your customers can use your product, what happens if things go wrong, what they pay, and what happens when they want to leave. Get them wrong and you lose revenue, face disputes, and might even face liability for how your software performs.

Every Canadian SaaS company needs a master service agreement (MSA) and supporting documents (terms of service, privacy policy, acceptable use policy) that protect your business while being fair enough that customers will actually sign them.

The SaaS Agreement Stack

Master Service Agreement (MSA): The main contract between you and the customer. Defines scope, pricing, term, payment terms, liability, data handling, and dispute resolution.

Statement of Work (SOW) or Order Form: Specific to each customer. Specifies which features/modules they’re buying, pricing, deployment, support level, and implementation details.

Terms of Service: Your public-facing terms. All customers agree to these automatically (binding by acceptance). Covers usage, restrictions, intellectual property, limitation of liability, confidentiality.

Data Processing Agreement (DPA): If you’re processing customer data on their behalf, this covers data security, PIPEDA compliance, breach notification, and customer data rights. Increasingly required by enterprise customers.

Acceptable Use Policy (AUP): Specifies what customers can’t do with your software (spam, reverse engineering, illegal activity, competitive intelligence).

Privacy Policy: How you collect, use, and protect customer data. Required by law (PIPEDA in Canada, GDPR if EU customers).

Most customers will accept Terms of Service. Enterprise customers will want to negotiate an MSA. This guide focuses on the MSA because that’s where the legal and commercial complexity lives.

10 Essential Terms Every SaaS MSA Must Have

1. Scope of Service and Service Levels

What you’re providing: Define exactly what the software does, what it doesn’t do, and what the customer is responsible for.

Example: “OnleyGC provides a cloud-based legal document management system. The software allows customers to upload, organize, and share legal documents. The software does NOT provide legal advice, does NOT perform document creation, and does NOT guarantee document storage beyond what’s specified in the SLA.”

Service Level Agreement (SLA): Define uptime guarantees (99%, 99.5%, 99.9%), incident response times, and backup procedures.

Example: “OnleyGC maintains 99.5% monthly uptime, measured excluding scheduled maintenance. Customer data is backed up daily with a 4-hour recovery time objective.”

Why this matters: Vague scope creates disputes. “OnleyGC integrates with accounting software” is too vague. “OnleyGC integrates with QuickBooks Online via API v2.0 with support for invoices, expenses, and account mappings” is clear.

What to avoid: Don’t promise more uptime than you can deliver. If you’re a 99.5% uptime company, don’t claim 99.9% to win a deal. You’ll breach it and face liability.

2. Pricing and Payment Terms

Subscription pricing: Define the price, billing period (monthly, annual), how many users/seats, and what features are included.

Example: “OnleyGC Professional Plan: $500/month per user, billed monthly, includes document management and sharing. Enterprise Plans available with custom pricing.”

Payment due date: When do invoices need to be paid? (Net 30 is typical, Net 15 for new customers.)

Payment method: Credit card, ACH, check, wire transfer?

Late payment penalties: “Invoices past due 30 days are subject to 1.5% monthly interest.” This incentivizes payment but needs to be reasonable.

Price increases: Can you raise prices mid-contract? Most MSAs allow annual increases of X% (5-10%) with notice. This protects you from inflation.

Additional charges: Overage fees if they exceed usage limits? Implementation/onboarding fees? Support fees beyond what’s included? Define them clearly.

What to avoid: Don’t hide fees. Don’t bury pricing in footnotes. Transparent pricing avoids disputes and chargebacks.

3. Term and Renewal

Initial term: How long is the contract? (1 year is typical for most SaaS; some do month-to-month or 3-year enterprise deals.)

Renewal: Does it automatically renew? If so, when does the customer need to cancel to prevent renewal?

Example: “This Agreement is for one year, renewing automatically for successive one-year periods unless either party provides 30 days’ written notice of non-renewal before the renewal date.”

Why this matters: Auto-renewal is good for you (keeps customers), but it can look deceptive if the notice requirement is hidden. Be explicit and put it in the confirmation email too.

Termination for convenience: Can the customer cancel anytime, or are they locked in? Most SaaS agreements lock customers in for the initial term, then allow month-to-month cancellation after that.

Example: “Customer may not terminate during the first year. After year one, either party may terminate upon 30 days’ written notice.”

4. Limitation of Liability

This is critical. If your software has a bug that costs a customer $100K, you need a limit on what you’re liable for. Without it, you could face catastrophic damages.

Liability cap: “Neither party’s total liability under this Agreement shall exceed the total amount paid by Customer in the 12 months preceding the claim.”

This means if a customer pays you $12K/year and there’s a massive failure, they can only recover up to $12K. Without this, they could claim $1M in lost business.

Excluded damages: “Neither party is liable for indirect, incidental, consequential, special, or punitive damages, even if advised of the possibility of such damages. This includes lost profits, lost revenue, lost data, and lost business.”

This prevents customers from suing for “lost business” claims that are impossible to quantify.

Exceptions to the cap: Usually, liability caps don’t apply to:

  • Indemnification obligations (IP infringement, violations of law)
  • Confidentiality breaches
  • Either party’s gross negligence or willful misconduct
  • Data breaches or security failures (depending on your risk appetite)

Why this matters: Without liability caps, SaaS businesses face existential risk. One disgruntled customer could wipe you out. Enterprise customers might push back on liability caps, but in Canada, courts respect them if they’re reasonable.

5. Data Security and PIPEDA Compliance

You’re handling customer data. You need to commit to protecting it and complying with Canadian privacy law.

Data security commitments:

  • Encryption in transit (TLS; the older SSL protocols are obsolete and should not be offered)
  • Encryption at rest
  • Access controls (passwords, multi-factor auth)
  • Annual security audits
  • Vulnerability management and patching
  • Employee training on data protection
  • Firewalls and intrusion detection

PIPEDA compliance: Your agreement should commit to complying with PIPEDA (Personal Information Protection and Electronic Documents Act), Canada’s federal privacy law.

Example: “OnleyGC commits to compliance with PIPEDA and all applicable provincial privacy laws. Customer data is processed only for the purposes specified in this Agreement.”

Data processing addendum: Enterprise customers will require a Data Processing Agreement (DPA) specifying:

  • What personal data you process on their behalf
  • How you process it (storage, use, sharing)
  • Sub-processors (any vendors you use to help process data)
  • Data breach notification timelines
  • Customer’s rights to audit your security
  • Data deletion/return obligations at contract end

Breach notification: What do you do if you suffer a data breach?

Example: “In the event of a confirmed data breach affecting Customer data, OnleyGC will notify Customer within 24 hours and provide information on what data was exposed, when, and what remedial steps OnleyGC has taken.”

Note that this contractual notice to the customer is separate from PIPEDA’s own mandatory breach reporting: breaches that pose a real risk of significant harm must also be reported to the Privacy Commissioner of Canada and to the affected individuals. Your DPA should say which party handles those statutory notifications.

6. Intellectual Property Rights

Your IP: You own the software, the code, the technology. The customer gets a limited license to use it.

Example: “OnleyGC retains all right, title, and interest in the Software, including all intellectual property rights. Customer receives a non-exclusive, non-transferable license to use the Software solely for its internal business purposes.”

Customer IP: They own their data and any work product they create using your software. You have the right to use anonymized/aggregated data for improving the service.

Feedback: Can you use customer feedback to improve your product? Typically yes – clarify that feedback they provide is your property to use.

What to avoid: Don’t claim ownership of customer data or work product. Don’t use customer data for competitive intelligence or selling to competitors. Be clear about what “anonymized” means – truly anonymized data is yours to use; identifiable data is theirs.

7. Indemnification

Your indemnification: You’ll likely promise to defend the customer if your software infringes third-party IP (they get sued because your software violates someone’s patent or copyright).

Example: “OnleyGC will defend Customer against any claim that the Software infringes a third party’s intellectual property rights, and will indemnify Customer for damages awarded.”

Customer indemnification: Customer should indemnify you for their misuse of the software (they use it to break the law, they upload infringing content, they violate someone else’s IP with their data).

Indemnification scope: Usually capped at total fees paid. Indemnification for IP is an exception where liability caps sometimes don’t apply (because IP infringement is serious).

8. Acceptable Use and Restrictions

Define what customers can’t do with your software:

  • Can’t reverse engineer or decompile the code
  • Can’t use it for illegal purposes
  • Can’t use it to spam or harass
  • Can’t use it to compete with you (depends on your business model)
  • Can’t share their login credentials with unauthorized users
  • Can’t use it to compromise security (hacking, penetration testing without permission)
  • Can’t exceed usage limits (API calls, storage, bandwidth) without paying overages

Consequences: What happens if they violate AUP? You can suspend their account, terminate the agreement, and pursue damages.

Example: “If Customer violates this AUP, OnleyGC may immediately suspend Customer’s access to the Software without refund. Repeated or severe violations may result in termination of this Agreement.”

9. Confidentiality

Mutual confidentiality: Both parties keep confidential information confidential.

Duration: Usually 2-3 years after the relationship ends.

Exceptions: Information that’s already public, that they already knew, or that they’re required to disclose by law.

What to protect: Your source code, your architecture, customer lists (theirs), pricing (yours), financial information, roadmap, strategies.

10. Dispute Resolution and Governing Law

Governing law: Which province/country’s laws apply? For Canadian SaaS, typically Ontario, British Columbia, or Quebec (depending on where your company is).

Jurisdiction: Where would disputes be resolved? Courts or arbitration? If courts, which province?

Escalation: Most modern SaaS MSAs require a good-faith negotiation period (30 days) before either party can sue. This saves legal costs.

Example: “Any dispute arising from this Agreement will first be escalated to the VP of Sales and VP of Legal of each company for 30 days of good-faith negotiation. If unresolved, either party may pursue arbitration or litigation.”

Arbitration vs. litigation: Arbitration is faster and more private than court litigation, but can be expensive. For smaller SaaS businesses, courts might be preferable.

Red Flags: Terms Enterprise Customers Will Push Back On

Liability cap too low. An enterprise customer paying $100K/year might want a liability cap of $500K or $1M, not just the annual fee. Be prepared to negotiate.

Auto-renewal. Enterprise buyers hate auto-renewal. They might demand that the contract requires affirmative renewal (not auto-renewal). Negotiate if they’re a big customer.

Termination lock-in. “Locked in for 3 years” is a non-starter for many enterprise customers. Consider: lock-in for year 1, then month-to-month. Or allow termination for convenience with notice.

Data ownership. If you claim ownership of their data, they’ll walk. Be clear: they own their data, you own the software.

Broad confidentiality restrictions. “Everything is confidential forever” is too broad. Narrow it to trade secrets and sensitive business info.

No DPA. If they handle personal information, they’ll require a DPA (Data Processing Agreement). Have one ready.

No SOC 2 or security audit. Enterprise customers often require SOC 2 certification or annual security audits. Budget for this.

The Customer Journey: From MSA to Payment

Step 1: Customer views your website – They see your pricing, features, and Terms of Service. Binding unless they negotiate.

Step 2: They sign up for a trial – They create an account. The standard Terms of Service apply.

Step 3: They want to go live / upgrade to paid – Now they see pricing and payment terms. Small customers just accept. Enterprise customers want to negotiate an MSA and SOW.

Step 4: MSA negotiation (if applicable) – Back and forth on liability caps, term, data handling, SLAs. Takes 2-4 weeks typically.

Step 5: Signature and onboarding – Both sides sign. Customer gets access. Implementation/migration happens (if needed).

Step 6: Monthly/annual billing – You send invoices according to the payment terms. They pay.

How to Avoid Common Mistakes

Mistake 1: Making the same MSA for everyone. Small customers (under $1K/month) should just accept Terms of Service. Only customize an MSA for customers above $5K/month.

Mistake 2: Being too customer-friendly on liability. If your liability cap is too high, you’re not actually protected. A $10K/year customer shouldn’t be able to sue you for $500K.

Mistake 3: Not specifying what counts as “personal data.” If you say you’ll protect personal data but don’t define it, you might be liable for anything customers upload. Be specific: “Personal data means data that identifies a living individual (names, emails, phone numbers). Security-sensitive data means passwords, authentication tokens, cryptographic keys.”

Mistake 4: Auto-renewal without clear opt-out. This looks shady. Be transparent. Put renewal terms in the initial email confirmation. Send a reminder 30 days before renewal. Make cancellation easy.

Mistake 5: Overpromising on uptime/SLA. 99.99% uptime is very expensive to deliver. If you promise it and miss, you’re liable. Be conservative on SLA commitments.

FAQ: SaaS Agreements

Q: Can I use a template SaaS agreement?
A: Yes, for your Terms of Service and standard MSA. But customize it for your specific product, features, pricing, and business model. Generic templates often miss critical terms.

Q: What if a customer wants their own agreement?
A: This is common with enterprise customers. You can negotiate, but don’t accept terms that expose you to unlimited liability or that require you to do things you can’t do (for example, 99.99% uptime when you depend on infrastructure you don’t control).

Q: Do I need a DPA if I’m not EU/GDPR?
A: Yes, if you process personal information on behalf of customers. PIPEDA applies in Canada. Enterprise customers will demand a DPA for compliance. Have one ready.

Q: How often should I update my Terms of Service?
A: Review annually. Changes in law (privacy laws, accessibility laws) might require updates. Changes in your business model (new pricing, new features) might require updates. Always grandfather existing customers into old pricing to avoid nasty disputes.

Q: What if a customer doesn’t pay?
A: You should have termination for non-payment language. “If payment is 30 days overdue, OnleyGC may suspend access to the Software. If payment is 60 days overdue, OnleyGC may terminate this Agreement and pursue payment through collections.”

The Bottom Line: Protect Your Business, But Be Fair

Your SaaS agreement is your operational manual. It defines how you do business, what you promise, what customers pay, and what happens when things go wrong. Get it right and it protects you. Get it wrong and you face disputes and liability.

The best SaaS agreements are:

  • Clear about what you’re providing (scope of service)
  • Transparent about pricing and payment
  • Protective of your IP and security
  • Fair to customers (reasonable liability limits, reasonable usage restrictions)
  • Compliant with Canadian law (PIPEDA, provincial privacy laws)
  • Flexible enough to negotiate with enterprise customers

Need help drafting or reviewing SaaS agreements? Learn about our contract drafting services, or reach out to discuss your specific business model. I can ensure your agreements are legally sound, customer-friendly, and actually protective of your business.
