
The Software-as-a-Service (SaaS) agreement is the foundational legal document of the cloud economy. It is not just a standard technology contract – it is a unique legal hybrid that governs the subscription model of software, shifting the end user’s relationship from owning a copy of the software to merely having a right to access and use a service.
For businesses adopting or providing cloud solutions, understanding the elements of a SaaS agreement is crucial for managing risk, defining accountability, and ensuring performance. In this article, we break down the essentials of a SaaS agreement so that you know what to look out for when you are reviewing your next SaaS agreement.
From Licence to Service: Key Distinctions Between SaaS and Traditional Software Licence
The SaaS model departs sharply from the traditional software licence agreement in terms of its delivery and deployment. Where a traditional software licence agreement grants a right to install and make copies of software, a SaaS agreement grants a right to access and use a service that is delivered through software. Given this structural difference, one can naturally expect differences in the contractual elements between a SaaS agreement and a conventional software licence agreement:
• Nature of Right: In a traditional software licence, end users are granted a licence to install, copy and use a piece of software; whereas under a SaaS agreement, users are granted a licence to access the services that are delivered via software hosted by the software principal.
• Hosting and Maintenance: Due to the difference in delivery and deployment, the software that is the subject of a licence agreement is typically installed on the premises of the end users, making it the customer’s own responsibility to host the software. Under the SaaS model, on the other hand, the software through which the services are delivered is hosted and maintained by the software principal, shifting the burden of hosting from the customers to the hands of the professionals.
• Data Storage: Because the software is installed on-premise in a traditional software licence arrangement, the customers’ data processed by the software is typically also stored on-premise on the customers’ own servers. This is different from the SaaS model, where the customers’ data will have to be transferred to the software provider’s cloud infrastructure, potentially outside the jurisdiction where the customers are located.
• Updates: A traditional software licence model would require the customers to manage any updates or patches to the software on their own. Occasionally, the customers’ licence to the software may not even cover updates or patches, limiting the customers’ licence to the version of the software at the point the licence was obtained, unless the customers separately procure or pay for updates or patches.
Due to the distinctions above, when companies review and negotiate a SaaS agreement, it would not be right to treat it as just another software licence agreement. Doing so may derail the entire process and potentially expose the companies to the risk of liabilities.
Key Contractual Elements: Pointers for Contractual Review and Negotiations
Because SaaS providers host both the software and customers’ data, the key points of contractual negotiations revolve around accountability for data handling and service reliability.
• Data Ownership, Security and Privacy
Most people would say that data is the lifeblood of a SaaS arrangement. I would even go one step beyond to say that data is the lifeblood of every arrangement these days. For a customer to receive services to be delivered through the software of a SaaS provider, the customer will have to input data. On this basis, a SaaS agreement should clearly distinguish ownership of the software from ownership of customer data.
Most SaaS agreements would expressly address the providers’ ownership of the software and the underlying intellectual property rights but stay silent on the ownership of the data fed into the software by the customers. For better protection, it is crucial for the customers to include provisions that ensure the customers’ ownership of all uploaded data, and that the SaaS providers have only a limited right to use the customers’ data strictly for delivering the service, not for unrelated commercial purposes.
Where the customers’ data processed through the use of the software includes personal data, the relevant SaaS agreements should also address obligations pertaining to personal data protection. As data controllers, customers have statutory obligations under the Personal Data Protection Act 2010 to ensure the security of the personal data transferred to the custody of the SaaS providers. Contractual obligations should also be imposed on the SaaS providers to notify the customers in the event of cybersecurity breaches on the SaaS providers’ end, so that the customers can fulfil their obligations pertaining to personal data breach notification.
• Service Levels and Remedies
Since customers cannot directly control or maintain the SaaS infrastructure on which the software and data are hosted, control in this regard has to be exercised through a service level agreement built into the SaaS agreement. Typically, this is done by a combination of measures.
Customers are advised to obtain uptime guarantees from the SaaS providers to ensure that the availability of the software services is maintained at the level required by the customers – commonly at 99% or higher. Where uptime guarantees are not met, the customers should be entitled to remedies – typically a reduction in fees payable or service credits, reflecting the lower-than-expected availability of the services. There should also be other service levels depending on the customers’ needs.
• Renewal Mechanics
Other contractual pointers to look out for include the renewal mechanics of the SaaS agreement. Unlike a traditional software licence model, customers do not get a continuous right to use the software in a SaaS model. Access to the software service is usually based on subscription – typically on an annual basis. If the subscription is not renewed, customers may lose the right to access the software service after the end of the subscription period. As such, it is important for the customers to spell out the terms for the renewal: whether it should be automatic and, if so, what the notice period is for opting out of renewal.
• Exit Strategy
Last but not least, companies looking to subscribe to SaaS should also pay attention to provisions on the termination or expiry of the SaaS agreement. Considering that the software and the customers’ data are hosted by the SaaS providers, customers should secure commitments on how their data will be returned or deleted within a specified time after the termination or expiry of the SaaS agreement. For greater flexibility, customers can even consider securing the right to require the SaaS providers to provide data migration assistance or services after the end of the SaaS contract, to port the customers’ data either back to the customers’ environment or to the incoming service providers. An exit strategy such as this is important; its omission can result in additional financial exposure for the customers, who may have to pay the SaaS providers to migrate the data.
Conclusion
SaaS agreements continue to adapt to new technologies and business models, making the contractual terms in SaaS agreements ever-changing. Onboarding a new SaaS should not be just another routine corporate exercise, but one that requires careful review and consideration of the contracting terms, to ensure that customers retain not just control over data and fair remedies for service failures, but also overall protection of the customers’ interests. The use of SaaS should provide companies with improved efficiencies; do not let ill-negotiated SaaS agreements be the stumbling block of cloud adoption. Legal specialists who are well-versed in technology contracts will be of great help to companies looking to migrate their on-prem solutions to cloud-based SaaS, all while ensuring the interests of the organisations are well protected.
If your organisation is embarking on a digitisation journey involving the migration of on-prem solutions to cloud-based solutions and is in need of lawyers who are specialised in technology offerings, you can reach out to our partners at the Technology Practice Group of Halim Hong & Quek.
Our Technology Practice continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Fintech, Data Protection, Technology, Media & Telecommunications (“TMT”), IP and Competition Law
johnson.ong@hhq.com.my