Understanding the key clauses of a SaaS agreement will help you negotiate more effectively and approach the contract with greater diligence, thereby reducing potential risks and enabling you to execute the agreement with confidence. These key clauses include the following:
1. What is “Uptime 99.5%” and “99.9%”? (In exact minutes)
2. What credit or refund do you get for downtime?
3. How fast will the provider reply to a problem? (Support Response Time)
4. Who owns your data and where is it stored?
5. What happens if there is a data leak (data breach)?
6. Can you get your data back easily when you leave?
7. What is “Liability Cap” and “Indemnity”?
8. If any loss happens — who is liable and who pays whom?
At the end of this crucial article, you will also learn the key questions to ask during negotiations and the important points to keep in mind before signing the agreement.
1. What is “Uptime 99.5%” and “99.9%”? (In exact minutes)
In a Service Level Agreement (SLA), the term uptime refers to the percentage of time a software service is available and working properly for users. In simple terms, uptime tells you how reliable the software is. The higher the uptime percentage, the less downtime (service interruption) the customer will experience.
For example, cloud-based services such as Google Docs, Zoom, Salesforce, or Zoho promise a certain level of uptime to ensure their systems remain available for users.
Uptime Calculations
To understand uptime calculations, we first calculate the total number of minutes in a month.
If we assume a 30-day month:
- 24 hours × 60 minutes × 30 days
- Total = 43,200 minutes per month
This total time is used to determine how much downtime is allowed under different uptime guarantees.
99.9% Uptime (High Reliability)
If a SaaS provider promises 99.9% uptime, it means the system must remain operational 99.9% of the time.
Allowed downtime:
- Per month:
0.1% of 43,200 minutes = 43.2 minutes
So the system can be unavailable for only about 43 minutes per month.
- Per year (365 days):
Allowed downtime ≈ 525.6 minutes, which equals about 8.8 hours per year.
This level of uptime is generally considered very reliable for business software.
99.5% Uptime (Lower Reliability)
If the service guarantees 99.5% uptime, the system can be unavailable 0.5% of the time.
Allowed downtime:
- Per month:
0.5% of 43,200 minutes = 216 minutes
This equals 3 hours and 36 minutes of downtime per month.
- Per year:
Allowed downtime ≈ 2,628 minutes, which equals about 43.8 hours per year.
Compared to 99.9% uptime, this level allows much more downtime.
Simple Example
Suppose you are using a CRM software system for your company and the system goes down for 2 hours in one month.
- If the agreement guarantees 99.9% uptime – Allowed downtime is only 43 minutes, so the provider failed to meet the SLA.
- If the agreement guarantees 99.5% uptime – Allowed downtime is 216 minutes (3 hours 36 minutes), so the provider still meets the SLA.
What Uptime Do Large Companies Usually Require?
Most multinational companies (MNCs) operating in India require very high reliability standards, such as:
- 99.9% uptime (industry standard)
- 99.95% uptime
- 99.99% uptime (very high availability)
For critical business systems, anything below 99.9% uptime is usually considered unacceptable, because frequent downtime can cause:
- Business interruptions
- Loss of productivity
- Customer dissatisfaction
- Financial losses
The difference between 99.5% and 99.9% uptime may look small, but in reality it can mean many additional hours of downtime each year. This is why uptime guarantees are one of the most important clauses to review in a SaaS Service Level Agreement (SLA).
2. What credit or refund do you get for downtime?
In most SaaS Service Level Agreements (SLAs), if the software service is unavailable for longer than the permitted downtime, the provider must compensate the customer. This compensation is usually provided in the form of service credits.
What Are Service Credits?
Service credits are discounts applied to the customer’s future invoice, typically the next billing cycle. Instead of giving a direct cash refund, SaaS providers usually reduce the amount payable for the next month’s subscription fee. This approach is widely used in enterprise SaaS contracts and multinational company agreements.
Common Service Credit Structure in Indian and MNC Contracts
In many modern SaaS agreements, the amount of credit depends on how much the provider failed to meet the uptime commitment.
A common structure is:
- Downtime slightly above the allowed limit – Customer receives 10% credit of that month’s subscription fee.
- Significant downtime – Customer receives 25% credit of that month’s subscription fee.
- Severe service failure (i.e. uptime falling below 99%) – Customer may receive up to 50% credit of the monthly fee, and in some cases may also have the right to terminate the agreement without penalty.
Claim Process for Service Credits
Most SaaS agreements require the customer to request or claim the credit within a specific period, typically:
- Within 30 days of the downtime incident
If the customer does not submit a claim within this timeframe, the provider may deny the service credit. Additionally, many contracts include a maximum cap on service credits, often limited to 50% of the monthly subscription fee.
Simple Example
Suppose a company pays ₹1,00,000 per month for a SaaS platform. If the provider fails to meet the agreed uptime and significant downtime occurs:
- A 10% service credit would give the customer a ₹10,000 discount on the next invoice.
- A 25% service credit would result in a ₹25,000 discount on the next month’s bill.
These credits compensate the customer for the service disruption while encouraging the provider to maintain reliable service performance.
Why This Clause Is Important
Downtime can cause serious problems for businesses, including:
- Interrupted operations
- Loss of productivity
- Customer dissatisfaction
- Financial losses
By including service credit provisions in the SLA, SaaS agreements ensure that the provider is financially accountable if service levels are not maintained.
Service credits are the primary remedy for downtime in SaaS agreements, and customers should always check how downtime is measured, how credits are calculated, and how claims must be submitted before signing the contract.
3. How fast will the provider reply to a problem? (Support Response Time)
In a Service Level Agreement (SLA), the provider usually specifies how quickly their technical support team will respond to issues or service disruptions. This is known as the Support Response Time.
To manage problems efficiently, issues are generally classified into different severity levels, depending on how serious the problem is and how many users are affected.
Critical Issues
A critical issue is the most serious type of problem. It usually means that the entire system or major business functions are unavailable.
Examples may include:
- The entire company cannot access the software
- A data breach or security incident occurs
- The system crashes and stops working completely
Typical response commitments are:
- Initial response time: within 15–30 minutes
- Target resolution time: within 1–4 hours
In many enterprise SaaS contracts, support for critical issues is available 24×7.
High-Priority Issues
A high-priority issue is a serious problem but does not affect the entire system.
Examples may include:
- One department cannot access the software
- Certain important features stop working
- Performance is significantly reduced
Typical response commitments are:
- Initial response time: within 1 hour
- Target resolution time: within 4–8 hours
Normal or Low-Priority Issues
A normal issue affects only a limited number of users and does not stop the business from operating.
Examples may include:
- One user cannot log in
- A minor feature is not functioning properly
- A configuration or user-setting issue
Typical response commitments are:
- Initial response time: within 4 business hours
Ongoing Updates During Issue Resolution
In well-drafted SaaS agreements, the provider also commits to regular status updates while the issue is being resolved.
For example:
- Updates every 1–2 hours for critical problems
- Continuous communication until the issue is fully resolved
Industry Practice
In India, most multinational companies (MNCs) require SaaS providers to offer 24×7 support for critical issues, ensuring that urgent problems are addressed immediately regardless of time or location.
Clear support response times in the SLA ensure that customers receive prompt assistance during service disruptions, helping businesses maintain continuity and minimize operational losses.
4. Who owns your data and where is it stored?
In most Software as a Service (SaaS) agreements, the question of data ownership and storage is very important because businesses store sensitive information on cloud platforms.
Who Owns the Data?
In a typical SaaS arrangement, the customer fully owns their data. This includes all information uploaded or generated while using the software, such as:
- Business files
- Customer names and contact details
- Sales records
- Reports and analytics data
- Internal company information
The SaaS provider does not own this data. The provider only processes and stores the data to operate and maintain the software service. In simple terms, the SaaS company temporarily uses or manages the data on behalf of the customer, but the ownership always remains with the customer.
Where Is the Data Stored?
Customer data is usually stored in large cloud data centres operated by major cloud service providers, such as:
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform
- Other certified cloud infrastructure providers, including some Indian cloud service providers
These data centres are designed with high-level security systems, backup mechanisms, and disaster recovery protections.
Data Storage Requirements under the Digital Personal Data Protection Act, 2023 (DPDPA)
Under India’s Digital Personal Data Protection Act, 2023, SaaS agreements must clearly specify where personal data is stored and how it is protected. The contract should address one of the following:
- Data stored within India – Many multinational companies now prefer or require data localization, meaning personal data is stored in servers located in India.
- Data stored outside India – If data is stored in another country, the agreement must ensure strong legal and technical safeguards to protect the data and comply with Indian data protection requirements.
These safeguards may include encryption, secure transfer protocols, and contractual obligations ensuring data protection standards equivalent to Indian law.
Even though SaaS providers store and process data on cloud servers, the customer remains the legal owner of the data. The provider is responsible only for securely hosting and processing the data according to the agreement and applicable data protection laws.
5. What happens if there is a data leak (data breach)?
A data leak or data breach occurs when unauthorized persons gain access to confidential information. This may happen if hackers steal customer data, or if the SaaS provider loses, exposes, or mishandles the data due to weak security controls.
Because SaaS platforms often store sensitive personal and business data, most professional SaaS agreements include strict rules for handling data breaches, especially under the Digital Personal Data Protection Act, 2023 (DPDPA) in India.
Key Obligations in Case of a Data Breach
A well-drafted SaaS agreement usually requires the following actions:
a) Immediate Notification by the Provider
The SaaS provider must notify the customer as soon as the breach is discovered. In many contracts, the maximum notification period is 24–48 hours from the time the provider becomes aware of the incident.
b) Reporting to the Data Protection Authority
Under the DPDPA framework, the customer organization often acts as the Data Fiduciary (the entity responsible for determining how personal data is used). Therefore, the customer may be required to report the breach to the Data Protection Board of India within 72 hours, depending on the seriousness of the incident.
c) Investigation and Incident Response
The SaaS provider must assist the customer in investigating and resolving the issue. This typically includes:
- Providing security logs and technical reports
- Identifying how the breach occurred
- Fixing vulnerabilities or system weaknesses
- Assisting in notifying affected customers or users
d) Compensation and Legal Responsibility
If the breach occurred because of the provider’s negligence, weak security measures, or failure to comply with the contract, the customer may be entitled to claim compensation under the liability and indemnity clauses of the agreement.
This may include recovery of:
- Financial losses
- Legal expenses
- Regulatory penalties (depending on contract terms)
A strong SaaS agreement should clearly define breach notification timelines, investigation procedures, and liability obligations. This ensures that if a data breach occurs, the parties can respond quickly, limit damage, and comply with data protection laws such as the DPDPA 2023.
6. Can you get your data back easily when you leave?
Yes. This right is commonly known as data portability and data deletion rights. When a customer stops using a SaaS service or terminates the agreement, they should be able to retrieve all their data easily and securely. A well-drafted SaaS agreement must clearly describe how the customer’s data will be returned and deleted after the contract ends.
Data Portability
Data portability means the customer has the right to receive a copy of their data in a usable format so that it can be transferred to another system or service provider.
In a good SaaS contract:
- When the agreement is cancelled or terminated, the provider must return all customer data within a specific period, usually 15–30 days.
- The data should be provided in an easy and commonly used format, such as Excel, CSV, or another compatible format that allows the customer to use the data without difficulty.
This ensures that the customer is not locked into the platform and can smoothly move to another service if needed.
Data Deletion
After the data is returned to the customer, the SaaS provider should permanently delete all copies of the customer’s data from its systems.
In many professional SaaS agreements:
- The provider must issue a Data Deletion Certificate confirming that all customer data has been securely removed from its servers and backups.
- The deletion process must follow proper security and data protection standards.
Cost of Data Return
- In most contracts, the provider should not charge any additional fee for returning the data.
- In some cases, a small one-time administrative fee may apply for data export or migration support.
Legal Importance under the DPDPA 2023
Under the Digital Personal Data Protection Act, 2023 (DPDPA), individuals and organizations have the right to control and retrieve their personal data. Therefore, SaaS agreements should clearly include data portability and deletion provisions.
Customers should never sign a SaaS agreement that does not clearly provide for data return and deletion rights. Without these protections, a business may face serious difficulties retrieving its own data when leaving the service provider.
7. What is “Liability Cap” and “Indemnity”?
In a SaaS Agreement, two important legal concepts are often included to define financial responsibility and risk allocation between the parties. These are known as the Liability Cap and Indemnity.
Understanding these terms is essential because they determine how much compensation can be claimed and who will bear legal responsibility if something goes wrong.
Liability Cap
A Liability Cap refers to the maximum amount of money a party (usually the SaaS provider) is required to pay if a loss, damage, or legal claim arises under the agreement. In simple terms, it sets a financial limit on liability.
In many SaaS agreements, the liability cap is often linked to the amount of subscription fees paid by the customer.
For instance: If a customer pays ₹12 lakh per year for a SaaS service, the contract may state that the maximum liability of the provider is limited to 12 months of fees, meaning the provider would be required to pay no more than ₹12 lakh, even if the customer suffers greater losses.
Exceptions to Liability Caps
However, many enterprise and multinational company (MNC) contracts exclude certain serious issues from liability limits. In such cases, liability may be unlimited or subject to a higher cap.
Common exceptions include:
- Data breaches or security failures
- Violations of data protection laws, such as the Digital Personal Data Protection Act, 2023 (DPDPA)
- Fraud or wilful misconduct
- Gross negligence
This ensures that the provider cannot avoid responsibility for serious misconduct or major legal violations.
Indemnity
Indemnity means that one party agrees to protect the other party from legal claims, damages, and expenses arising from certain actions or breaches.
In simple terms: “If a problem caused by me leads to a lawsuit against you, I will defend you and pay the losses.”
Example
A SaaS provider may agree to indemnify the customer if:
- The software infringes someone else’s intellectual property rights
- A data breach or security failure occurs due to the provider’s negligence
In such cases, the provider may be required to:
- Defend the customer in court
- Pay legal costs and damages
- Compensate the customer for any losses
Similarly, customers may also provide indemnity to the provider if they upload illegal content, misuse the platform, or violate laws while using the service.
Key Difference
A Liability Cap limits how much money a party must pay if something goes wrong. An Indemnity determines who must defend and compensate the other party if a third-party legal claim arises.
Both clauses are crucial in SaaS agreements because they balance risk between the provider and the customer. A carefully negotiated liability cap and indemnity provision can help ensure fair financial protection and clear legal responsibility for both parties.
8. If any loss happens — who is liable and who pays whom?
In a SaaS arrangement governed by the Digital Personal Data Protection Act, 2023 (DPDPA), the law generally recognizes two main roles regarding personal data:
- Customer (Data Fiduciary) — The organization that decides why and how personal data is collected and used.
- SaaS Provider (Data Processor) — The company that processes the data on behalf of the customer and is responsible for maintaining proper security and handling the data according to instructions.
Because both parties have different responsibilities, liability for losses depends on who caused the problem.
Who Pays If Something Goes Wrong?
Below are common scenarios in SaaS contracts and how responsibility is usually determined.
1. Data Leak Caused by Weak Security of the Provider
If a data breach occurs because the SaaS provider failed to implement proper security measures, the provider is considered responsible.
Who is at fault:
- SaaS Provider (Data Processor)
Who pays:
- The provider must compensate the customer for losses, legal costs, and damages.
- In many enterprise contracts, there is no liability cap for data breaches.
2. Customer Uploads Incorrect Data or Misuses the Platform
If the customer uploads illegal, incorrect, or unauthorized data, or uses the software in violation of the agreement or applicable laws, the responsibility lies with the customer.
Who is at fault:
- Customer (Data Fiduciary)
Who pays:
- The customer must bear the losses, penalties, or regulatory fines arising from their actions.
3. Software Bug Causes Business Loss
If the software contains a technical defect or system failure that causes financial loss to the customer, the SaaS provider may be responsible.
Who is at fault:
- Usually the SaaS Provider (Data Processor)
Who pays:
- The provider compensates the customer up to the agreed liability cap in the contract.
- However, if the issue results from gross negligence or serious misconduct, liability may be unlimited.
4. Government Penalty Under the DPDPA
If a government authority imposes a fine under the Digital Personal Data Protection Act, the responsibility depends on who caused the violation.
Who is at fault:
- Determined based on the circumstances of the breach.
Who pays:
- If the violation occurred due to the provider’s failure to protect data, the provider must pay the fine and compensate the customer.
- If the customer misused or mishandled personal data, the customer may be responsible for the penalty.
In most well-drafted SaaS agreements, the principle is straightforward: the party that caused the problem is responsible for the losses. For serious issues such as data breaches or violations of the DPDPA, many enterprise SaaS contracts require the provider to accept unlimited liability, ensuring stronger protection for customers. Clear clauses on liability, indemnity, and data protection responsibilities are essential in SaaS agreements to determine who pays if something goes wrong and to reduce the risk of legal disputes.
Crucial Questions to Discuss and Negotiate Before Signing a SaaS Agreement
Before signing a Software as a Service (SaaS) Agreement, it is important for both parties—especially customers or smaller SaaS providers—to carefully discuss and negotiate key contractual terms. These discussions help ensure that the agreement is fair, transparent, and legally compliant.
The following questions should be clearly addressed during negotiations:
1. Data Protection and Privacy
- Is the SaaS provider fully compliant with the Digital Personal Data Protection Act, 2023 (DPDPA)?
- Who legally owns the personal and business data stored in the system?
- What procedures are in place if a data breach or security incident occurs?
- Who is responsible for reporting the breach and compensating losses?
2. Uptime and Technical Support
- Does the provider guarantee at least 99.9% uptime for the service?
- How is downtime measured and reported?
- What service credits or compensation will be provided if uptime commitments are not met?
- What are the support response times for critical, high-priority, and normal issues?
3. Data Exit and Portability
- Can the customer easily retrieve all their data when terminating the service?
- Will the data be provided in usable formats such as CSV, Excel, or API export?
- Will the provider permanently delete all remaining copies of the data after termination?
4. Pricing Structure and Future Price Increases
- Can the provider increase subscription fees during the contract period?
- Is there a price lock for the first one or two years?
- Is there a maximum annual price increase cap?
5. Liability Limits
- What is the liability cap under the agreement?
- Is the liability limit reasonable and fair for both parties?
- Are serious issues such as data breaches, fraud, or DPDPA violations excluded from liability limits?
6. Termination Rights and Refunds
- How easily can either party terminate the agreement?
- Is there any minimum lock-in period?
- Are refunds available for unused prepaid services?
- What happens to customer data after termination?
7. Governing Law and Jurisdiction
- Which laws govern the agreement?
- Where will disputes be resolved—Indian courts or arbitration within India?
- Does the agreement require foreign jurisdiction, which could increase legal complexity and costs?
8. Auto-Renewal Terms
- Does the agreement automatically renew at the end of the contract period?
- How much notice is required to cancel auto-renewal?
- Is the cancellation process simple and clearly defined?
Final Advisory Note
Before signing any SaaS agreement, it is essential to ensure that the contract clearly includes the protections discussed above. If a provider refuses to include or discuss these key provisions, it may be a warning sign (red flag) that should be carefully reviewed.
It is always advisable to share the contract with a qualified legal professional before signing. An experienced lawyer can quickly review the document, identify potential risks, and ensure that the agreement adequately protects your business interests.
This guidance reflects general industry practices and Indian legal standards as of 2026, including requirements under the Indian Contract Act, 1872, the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023 (DPDPA).
Because every SaaS agreement may differ depending on the service model, industry, and negotiated terms, it is strongly recommended to have the final contract reviewed by legal counsel, particularly where significant financial commitments or sensitive personal data are involved. This helps prevent misunderstandings, legal disputes, and compliance risks in the future.
At The Barrister Talk, information and facilitation services are provided by seasoned legal professionals with proven expertise across complex legal and regulatory matters. We offer more than advice: we provide clear strategy, sound judgment, and dependable representation tailored to each client’s objectives.
Every engagement is approached with precision, confidentiality, and professional integrity. Whether advising individuals, founders, or enterprises, we combine rigorous legal analysis with practical insight, ensuring outcomes that are both legally sound and commercially sensible.
With The Barrister Talk, you gain access to trusted legal minds committed to protecting your interests and guiding you with confidence.



