A SaaS Agreement (Software as a Service Agreement) is a legal contract between two parties that defines the terms under which software is provided and used over the internet.
The two parties involved are:
- The SaaS provider – the company that develops, owns, manages and runs the software.
- The customer – the person/individual or company/business that wants to use the software for its operations or services.
In this model, the customer does not purchase the software permanently and does not need to install it on their own computer systems or servers. Instead, the software is hosted by the provider on remote servers, and the customer pays a monthly or yearly subscription fee to access and use it over the internet (cloud-based). Examples include Google Workspace, Zoom, Salesforce, and Zoho. Because the software is stored and operated in the cloud, users can access it from anywhere with an internet connection.
In simple terms, a SaaS agreement works like a subscription service. This model is commonly referred to as cloud-based software services.
Examples of SaaS Platforms
Many widely used digital tools operate under the SaaS model, such as Google Workspace, Zoom, Salesforce, Zoho, Microsoft 365, Slack, and Shopify. In all these cases, users simply log in online to access the software, while the provider handles maintenance, updates, security, and server infrastructure.
The agreement explains the rules: what you can do, what the provider must do, how much you pay, what happens if something goes wrong, and how to end the deal.
Governing Laws
In India, these agreements are governed by:
- Indian Contract Act, 1872 (basic rules for any contract).
- Information Technology Act, 2000 (for electronic contracts and data security).
- Digital Personal Data Protection Act, 2023 (DPDPA – for protecting personal data, now the main data law in India).
Purpose of a SaaS Agreement
A SaaS Agreement clearly sets out the rules, rights, and responsibilities of both parties. It ensures that both the software provider and the customer understand their obligations and expectations.
The agreement generally explains important aspects such as:
- What services and features the software provides
- What the customer is allowed (or not allowed) to do with the software
- The subscription fees and payment terms
- Service reliability and uptime commitments
- Data protection and security responsibilities
- What happens if the service fails or problems occur
- How disputes will be resolved
- The process for ending or terminating the agreement
By clearly defining these terms, the agreement helps prevent misunderstandings, protect business interests, and reduce potential legal risks.
Basic Checklist for a SaaS Agreement
A well-drafted Software as a Service (SaaS) Agreement must include several essential clauses that clearly define the rights, responsibilities, and risks for both the software provider and the customer.
In modern SaaS contracts, especially after the introduction of India’s Digital Personal Data Protection Act, 2023 (DPDPA), companies—particularly multinational corporations (MNCs)—require strong contractual protections to avoid regulatory penalties that can reach ₹250 crore.
Here is a clear, step-by-step checklist of what a good SaaS agreement should have. This protects both sides and follows Indian laws.
1. Parties to the Agreement
The agreement should clearly identify the parties entering into the contract.
This section typically includes:
- SaaS Provider – The name, registered address, contact details, and other relevant information of the company providing the software service, along with the details of its authorized representative or signatory, if applicable.
- Customer – The name, address, contact details, and other relevant information of the individual or company subscribing to the software service, along with the details of its authorized representative or signatory, if applicable.
Clearly identifying the parties ensures there is no confusion about who is responsible for performing the contractual obligations under the agreement and who has the legal authority to enter into and sign the contract.
2. Definitions
The Definitions clause provides clear meanings for important terms used throughout the SaaS Agreement. Including precise definitions helps avoid ambiguity, misunderstanding, or multiple interpretations of key terms in the contract.
By defining important terms at the beginning of the agreement, both parties clearly understand what each term refers to and how it should be interpreted in the context of the agreement.
Typical terms that are commonly defined in a SaaS agreement include Service, Customer Data, Personal Data, Order Form, SLA, DPA, AUP, Uptime, Downtime, and any other term that needs a clear definition.
3. What the Service Is (Scope of Service)
This clause explains what the SaaS provider is offering to the customer under the agreement.
It should clearly describe:
- Clear description of the software provided
- Key features and functionalities (what is included and what is not included).
- User access limits (i.e. the number of permitted users or accounts)
- Data storage capacity
- Support services included (such as email, chat, or technical support)
- Any services, modules or features that are specifically excluded
Example: “Access to CRM tool with 10 user logins, email support, data storage up to 50 GB, and reporting and analytics dashboard.”
Providing a clear description of the services helps avoid misunderstandings between the parties and ensures that the customer understands exactly what services they are paying for under the agreement.
4. Subscription and Payment Terms
This section defines the financial arrangement between the parties. It outlines how much the customer will pay, how payments are calculated, and how they will be made.
Key points generally included are:
- Subscription price (monthly, yearly, per user, or fixed plan)
- Billing cycle and due dates
- Payment timelines (for example Net 30 or Net 45 days)
- Accepted payment methods (bank transfer, credit card, auto-debit)
- Applicable taxes such as GST
- Late payment charges or penalties
- Policy/rules regarding price increases
- Notice period before any pricing changes
Clear financial terms help avoid billing disputes, confusion, and unexpected charges.
Why this clause is important
Unclear payment terms may lead to:
- Unexpected billing or hidden charges
- Disputes over pricing or invoicing
- Long-term lock-in with increasing subscription costs
Suggestion
Customers should consider negotiating:
- A price lock for the first 1–2 years of the agreement.
- A cap on annual price increases (e.g. 5–7% per year or linked to inflation).
5. Term (Duration) and Renewal
This clause specifies how long the agreement will remain valid and the conditions under which it may be renewed.
Important details typically include:
- Contract start date
- Contract duration (e.g. one year or another specified period)
- Whether the agreement renews automatically at the end of the term
- Notice period required to cancel or opt out of auto-renewal (usually 30 days before the renewal date)
Auto-renewal clauses are common in SaaS agreements. Therefore, customers should carefully review and understand the renewal terms and the procedure for cancelling or terminating the agreement before it automatically renews.
6. Service Level Agreement (SLA)
The Service Level Agreement (SLA) defines the reliability, performance standards, and availability of the software service provided by the SaaS provider. It sets clear expectations regarding service performance and outlines remedies if the provider fails to meet those standards.
Typical elements of an SLA include:
- Guaranteed uptime (usually 9% or higher availability)
- Maximum allowed downtime within a specific period
- Service credits if uptime targets are not met (typically 10%–50% of monthly subscription fees).
- Defined response and resolution times for technical issues.
- Clear exclusions, such as force majeure events (earthquakes, war, major infrastructure failure beyond the provider’s control).
- Compensation if service levels are not met
- Technical Support response times for different types of issues
For example: many SaaS providers promise 99.9% uptime, which means the software can only be unavailable for about 43 minutes per month.
Support response times are usually categorized by the severity of the issue, such as:
- Critical issues – response within 1 hour
- High priority issues – response within 4 hours
- Normal issues – response within one business day
An SLA ensures the customer receives a reliable and dependable service.
Why this clause is important
Software downtime can cause:
- Business interruption
- Loss of productivity
- Customer dissatisfaction
- Financial losses
Therefore, the SLA ensures that the provider must maintain a reliable service and compensate customers if the agreed service standards are not met.
Suggestion
Customers should consider requesting:
- Automatic service credits if uptime commitments are breached.
- Pro-rated compensation for downtime.
- No unnecessary caps or limitations on service credits where possible.
7. Data Ownership and Security
This is one of the most important clauses in a SaaS agreement. It clarifies who owns the personal data and personal information and how it will be protected.
It should also define how personal data is processed, stored, transferred, and protected in accordance with applicable data protection laws.
A well-drafted clause should guarantee the following:
- The customer retains full ownership of their data, including files, customer information, and business records.
- The SaaS provider may only use the data to operate, maintain, and improve the service as permitted under the agreement.
- The customer has the right to export or retrieve data in standard formats such as CSV, Excel, or through API access.
Security Obligations
The agreement should require the SaaS provider to implement appropriate security measures, including:
- Encryption and secure storage of data
- Access control and authentication mechanisms
- Regular security updates, monitoring, vulnerability management
- Backup procedures and disaster recovery systems
Compliance with DPDPA 2023
The agreement must ensure compliance with India’s Digital Personal Data Protection Act, 2023 (DPDPA), which governs the collection, processing, storage, and protection of personal data.
The agreement should address key data protection obligations, including:
- User consent for the collection and processing of personal data
- Clear privacy notices informing users how their data will be used
- Data breach notification obligations in case personal data is compromised
- Users’ rights to access, correct, update, or delete their data
If personal data is mishandled, leaked, or misused, the parties may face serious regulatory penalties, legal liability and reputational damage.
Under the DPDPA 2023 framework:
- The customer organization is typically the “Data Fiduciary”, meaning it determines the purpose and manner of collecting and using personal data.
- The SaaS provider acts as the “Data Processor”, meaning it processes personal data on behalf of the customer and follows the customer’s instructions.
A comprehensive SaaS agreement should include the following provisions:
- A separate Data Processing Addendum (DPA) attached to the agreement (rather than relying solely on a general privacy policy).
- Clear obligations regarding encryption, data security practices, and periodic security audits.
- Mandatory data breach notification within 24–48 hours of discovery.
- Clear rules on data storage location, preferably within India, or appropriate safeguards if data is transferred internationally.
- Audit rights, allowing the customer or an independent auditor to verify the provider’s security controls.
- Restrictions on sub-processors, ensuring the provider cannot engage third-party processors without prior approval.
- Unlimited or higher liability for serious data breaches or violations of the DPDPA.
Data Return and Deletion after Termination
The agreement should also clearly specify procedures for handling customer data after the contract ends. These typically include:
- Data delivery to the customer within 15–30 days after termination of the agreement.
- The customer’s right to retrieve their data in a usable format.
- Permanent deletion of all customer data from the provider’s systems after the termination period.
- Issuance of a formal Data Deletion Certificate confirming that the data has been securely removed.
In most professional SaaS contracts, these obligations are detailed in a separate Data Processing Addendum (DPA) to ensure clear privacy and regulatory compliance.
Suggestion
Customers should avoid accepting vague language such as “as per our internal policy.” Instead, they should insist on a formal and detailed Data Processing Addendum (DPA) that clearly outlines the provider’s data protection obligations, security practices, and legal responsibilities.
8. Intellectual Property (IP) Rights
This clause clarifies the ownership of the software and related technology used in the SaaS service.
Generally, the agreement provides that:
- The SaaS provider retains full ownership of the software, source code, and technology.
- The customer only receives a limited, non-exclusive, and non-transferable license to use the software during the subscription period.
- The agreement may also clarify ownership of AI-generated outputs, reports or analytics results, if such features are part of the software.
The agreement should also prohibit the customer from engaging in activities such as:
- Reverse engineering the software
- Copying, modifying, or creating derivative works based on the software
- Reselling, sublicensing, or redistributing the software to third parties
These restrictions help protect the intellectual property rights and proprietary technology of the SaaS provider.
Suggestion
Customers should ensure that they retain full rights to their own data and any outputs generated from their data, and that their internal rights to use such data continue even after termination of the agreement.
9. Confidentiality
Both parties must agree to protect confidential business information shared during the relationship.
A strong confidentiality clause should include protection for the following types of information:
- Business strategies and internal plans
- Customer data and client information
- Technical systems, software architecture, and product design
- Login credentials, passwords, and other security-related information
- Any other non-public or proprietary information shared between the parties
The clause should also provide exceptions, such as:
- Information that becomes publicly available without breach of the agreement
- Information that must be disclosed due to legal or regulatory requirements.
In most SaaS agreements, confidentiality obligations continue even after the contract ends, typically for a period of 3-5 years following termination.
This clause ensures that sensitive information shared during the business relationship cannot be disclosed to third parties without proper authorization, thereby protecting the commercial interests and data security of both parties.
Suggestion
Confidentiality obligations should be mutual, reasonable, and balanced for both parties.
10. Limitation of Liability
This clause limits the financial responsibility of the SaaS provider and the customer in the event of losses or damages. In other words, it outlines the maximum financial liability of each party if something goes wrong.
It may also define who must cover legal claims brought by third parties.
Typically, SaaS agreements provide that:
- The provider is not responsible for indirect or consequential damages, such as loss of profits, loss of business opportunities, or reputational harm.
Many agreements also include a maximum liability cap, often equal to 12-24 months of subscription fees paid under the agreement.
However, certain situations are commonly excluded from liability limits, meaning liability may remain unlimited or subject to a higher cap. These may include:
- Fraud or wilful misconduct
- Gross negligence
- Data breaches or security failures
- Violations of data protection laws
- Breaches of confidentiality obligations
Why this clause is important
Without liability limits, a party could face unlimited financial exposure for damages arising from the agreement. At the same time, liability caps that are too low may unfairly disadvantage customers if serious losses occur.
Suggestion
Many corporate customers require higher or unlimited liability for serious issues such as data breaches, confidentiality violations, and breaches of the Digital Personal Data Protection Act, 2023 (DPDPA).
11. Indemnity
The indemnity clause explains which party will bear legal responsibility if a third party brings a legal claim or lawsuit related to the use of the software or services.
This clause ensures that one party agrees to defend, protect, and compensate the other party for losses, damages, or legal expenses arising from certain actions or breaches.
For example:
- The SaaS provider may indemnify the customer if the software infringes or violates intellectual property rights of a third party.
- The customer may indemnify the provider if the customer uploads illegal content, violates laws, or misuses the platform.
- The provider may also agree to defend and compensate the customer against claims related to software defects, security failures, or intellectual property violations.
This clause ensures that each party is responsible for its own wrongful acts, negligence, or legal violations.
Suggestion
Many corporate customers require strong indemnity protections, particularly for data breaches, intellectual property infringement, and violations of the Digital Personal Data Protection Act, 2023 (DPDPA), and may insist on unlimited or higher liability for such risks.
12. Termination of the Agreement
The termination clause explains how and under what circumstances the agreement may be ended by either party.
Common reasons for termination include:
- Breach of contract by either party
- Non-payment of subscription fees
- Security violations or misuse of the service
- Mutual agreement between the parties
The clause should also clearly specify:
- Contract term (usually one year or another specified period)
- Required notice period for termination or cancellation (30-90 days)
- Whether refunds are available in case of early termination
- Procedures for returning or exporting customer data
- Pro-rated refunds for unused prepaid services, if applicable
- Transition support, such as assistance with data migration when switching to another provider
A well-drafted termination clause ensures that both parties have clear exit rights and responsibilities, reducing the risk of disputes when the agreement ends.
Suggestion
Customers should consider negotiating:
- Short cancellation notice periods
- No long-term lock-in obligations or restrictive termination conditions
13. Governing Law and Dispute Resolution
This clause determines which laws will govern the agreement and where disputes between the parties will be resolved.
Typical provisions include:
- The agreement will be governed by the laws of India.
- Courts located in a specific city (e.g. Bengaluru or Delhi) will have jurisdiction over disputes arising under the agreement.
In many SaaS agreements, disputes may also be resolved through arbitration in cities such as Bengaluru, Delhi, or Mumbai.
Arbitration is often preferred because it allows disputes to be resolved privately, efficiently, and more quickly than traditional court proceedings.
Suggestion
Businesses should try to avoid agreements that require foreign courts or foreign governing laws, unless absolutely necessary, as this can increase legal costs and complicate dispute resolution.
14. Force Majeure
The Force Majeure clause protects the parties from liability if they are unable to perform their contractual obligations due to events that are beyond their reasonable control.
Examples of such events may include:
- Natural disasters (such as earthquakes, floods, or hurricanes)
- War, terrorism or civil unrest
- Government action or restrictions including lockdowns or regulatory prohibitions
- Major internet outages or infrastructure failures
In such circumstances, the affected party is usually temporarily excused from performing its obligations under the agreement for the duration of the force majeure event, provided that the party promptly notifies the other party and takes reasonable steps to resume performance as soon as possible.
15. Other Important Provisions
Several additional clauses are often included in SaaS agreements to ensure clarity, completeness, and legal certainty.
These may include:
Software warranties
This clause confirms that the software will function substantially as described in the documentation and will be free from harmful code, such as viruses, malware, or other malicious components.
Amendments
This provision states that any changes or modifications to the agreement must be made in writing and agreed upon by both parties.
Electronic Signatures
This clause confirms that electronic signatures are legally valid under the Information Technology Act, 2000, allowing the parties to sign the agreement digitally through electronic means.
Entire Agreement Clause
This clause confirms that the written agreement represents the complete and final understanding between the parties, and that no prior discussions, verbal promises, or side agreements will have legal effect unless they are included in the written contract.
Crucial Checklists to Append (Add as Separate Documents)
In most professional SaaS agreements, some important documents are attached as separate annexures or appendices instead of being written inside the main agreement. These additional documents are often called “addendums,” “policies,” or “schedules.” These are very important extras that should be attached or linked:
- Data Processing Addendum (DPA) or Privacy Addendum — Must for DPDPA compliance. Explains how personal data is collected / processed / handled, roles (fiduciary/processor), security measures, breach duties, and cross-border transfer rules.
- Service Level Agreement (SLA) Details — Separate sheet with exact uptime (e.g. 99.9%), downtime limits, service credits for failure, support response time, maintenance schedules.
- Acceptable Use Policy (AUP) — It prohibits illegal activities, hacking attempts, sending spam, distributing malware, or abusive use of the software.
- Security & Compliance Policy — Details on encryption methods, network security controls, incident response procedures, audits, ISO certifications (e.g. ISO 27001).
Appending them separately allows the provider to include full technical specifications without complicating the core legal document. This approach makes compliance clear, auditable, and legally enforceable, while also improving organizational efficiency and contract management.
Closing Insight
A Software as a Service (SaaS) Agreement is an essential legal contract that governs how cloud-based software services are provided and used between a SaaS provider and a customer. Instead of purchasing software permanently, customers access the software through the internet by paying a subscription fee, while the provider manages the infrastructure, maintenance, updates, and security.
A well-drafted SaaS agreement clearly defines the rights, obligations, and responsibilities of both parties, including service scope, subscription and payment terms, service reliability, data protection, intellectual property rights, confidentiality, liability limits, termination rights, and dispute resolution mechanisms. These provisions help ensure transparency, reduce misunderstandings, and protect both parties from operational and legal risks.
In India, SaaS agreements must also comply with key legal frameworks such as the Indian Contract Act, 1872, the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023 (DPDPA), particularly with respect to data security, privacy obligations, and breach reporting requirements.
Given the increasing reliance on cloud technology and the potential regulatory penalties—especially for mishandling personal data—a carefully structured SaaS agreement is critical for businesses, startups, and multinational companies. By incorporating strong contractual protections and attaching detailed annexures such as Data Processing Addendums (DPA), Service Level Agreements (SLA), Acceptable Use Policies (AUP), and Security Policies, organizations can ensure legal compliance, operational clarity, and long-term business security.
In summary, a comprehensive SaaS agreement not only defines the commercial relationship between the provider and the customer but also serves as a key legal safeguard that promotes trust, accountability, and compliance in modern digital services.
At The Barrister Talk,
Information and facilitation services are provided by seasoned legal professionals with proven expertise across complex legal and regulatory matters. We offer more than advice—we provide clear strategy, sound judgment, and dependable representation tailored to each client’s objectives.
Every engagement is approached with precision, confidentiality, and professional integrity. Whether advising individuals, founders, or enterprises, we combine rigorous legal analysis with practical insight, ensuring outcomes that are both legally sound and commercially sensible.
With The Barrister Talk, you gain access to trusted legal minds committed to protecting your interests and guiding you with confidence.



