SaaS agreement checklist: what to review before you sign
SaaS agreements look simpler than traditional software licenses, but they carry their own risks. You're trusting a vendor with your data, your uptime, and often your compliance posture. Here's what to check before you sign.
Data ownership and portability. Who owns the data you put in? The answer should be you — but check for language granting the vendor a broad license to "use, modify, and create derivative works." Also check what happens when you leave: can you export your data? In what format? How long do you have?
Service Level Agreements (SLAs). Does the vendor commit to uptime? 99.9% is common; 99.5% is weaker than it sounds (that's nearly 4.5 hours of downtime per month). More important than the number: what are the remedies? Service credits are standard, but many SLAs cap credits at 10–30% of monthly fees — which may not match your actual cost of downtime.
Security and compliance. Does the vendor hold SOC 2, ISO 27001, or other relevant certifications? Will they sign a Data Processing Agreement (DPA) if you handle personal data? Where is data stored and processed? If you have regulatory requirements (GDPR, HIPAA, state privacy laws), the SaaS agreement is where those commitments need to appear.
Auto-renewal and termination. Most SaaS contracts auto-renew. Check the notice period — 30, 60, or 90 days before the renewal date. If you miss the window, you're locked in for another term. Also check for early termination rights and whether there are penalties.
Price increases. Can the vendor raise prices at renewal? Many SaaS agreements allow increases with 30 days' notice and no cap. Look for annual increase caps (3–7% is reasonable) or the ability to lock in pricing for the initial term.
Limitation of liability. The standard cap is 12 months of fees paid. Check for carve-outs that effectively uncap liability for confidentiality breaches, indemnification, or IP infringement. If the carve-outs are broad, the cap may not protect you.
Acceptable use and suspension. Can the vendor suspend your account for alleged violations of acceptable use? What constitutes a violation, and do you get notice and a chance to cure? Some agreements allow immediate suspension without notice — which can take your operations offline.
Integration and API terms. If you're building on the vendor's API, check the API terms separately. Are there rate limits, usage fees, or restrictions on how you use the data? Can they change the API with or without notice?
Subprocessors. Does the vendor use third-party subprocessors? Can they add new ones without notice? If you have compliance or security requirements, you may need the right to object to new subprocessors.
None of this replaces legal review on high-stakes deals. But checking these points before you sign — or before you send to counsel — means fewer surprises and faster closes.