Checklists · 9 min read · March 12, 2026

SaaS Agreement Checklist: 15 Clauses You Must Have Before Signing

SaaS vendors write contracts that protect them, not you. Here are the 15 clauses every buyer should verify before signing — and what to push back on.

SaaS, software, vendor management, checklist

Why SaaS agreements deserve extra scrutiny

SaaS contracts are uniquely risky because you’re not buying software — you’re renting access. The vendor controls the infrastructure, the data, the uptime, and the feature set. If the relationship goes wrong, you need contractual protections to get your data out and your business running on an alternative.

Most SaaS vendors present a standard Terms of Service and expect you to accept it as-is. But everything is negotiable, especially on annual contracts over $10K. Here are the 15 clauses to check.

The 15 essential clauses

1. Service Level Agreement (SLA): Minimum 99.9% uptime with service credits. Check the measurement methodology — some vendors exclude planned maintenance from the calculation.

2. Customer Data Ownership: The contract must explicitly state that you own your data. The vendor gets a limited license to process it solely for providing the service.

3. Data Security Standards: Require TLS 1.2+ for data in transit, AES-256 encryption at rest, a SOC 2 Type II report, and annual penetration testing.

4. Breach Notification: 48–72 hour notification timeline with specific content requirements.

5. Data Portability and Export: Ability to export your data at any time in standard formats (CSV, JSON, XML) at no additional cost.

6. Sub-Processor Controls: Prior written consent before new sub-processors, with 30-day notice and objection rights.

7. AI Training Restrictions: Explicit prohibition on using your data to train AI models. This is the most important new clause in SaaS contracts.

8. Service Modifications: 30-day notice before material changes, with termination right if changes adversely affect you.

9. API Stability: 90-day deprecation notice, backward compatibility commitment, and rate limit protections.

10. Termination for Convenience: Either party can exit with 30–60 day notice and pro-rata refund of prepaid fees.

11. Data Retention and Deletion: Data available for export for 30 days post-termination; permanent deletion within 90 days, with written certification.

12. Limitation of Liability: Aggregate cap at 12 months’ fees with carve-outs for data breaches, IP infringement, and confidentiality.

13. Acceptable Use Policy: Make sure the AUP restrictions don’t inadvertently prohibit your legitimate use cases.

14. Auto-Renewal Terms: Know the opt-out window (should be at least 60 days) and pricing increase cap.

15. Disaster Recovery: Recovery point objective (RPO) and recovery time objective (RTO) commitments with annual testing.

The clause most people miss

AI training restrictions are the newest and most frequently missing clause in SaaS agreements. Without an explicit prohibition, many vendors’ terms of service grant them a broad license to use your data for "product improvement" — which increasingly means training machine learning models.

The problem? Your proprietary data could end up improving a product that your competitors also use. The fix is a single clause: the vendor shall not use your data, content, or derivatives to train AI or machine learning models without explicit written consent.

ClauseGuard flags this automatically when analyzing SaaS agreements.
