
How to review a SaaS agreement in 30 minutes: a 2026 in-house checklist

A practical SaaS contract review checklist for in-house teams: what to read first, what to push on, and when a routine deal deserves escalation.

Published by Arca Legal Team

Most SaaS agreement reviews are not mysteries. They usually turn on the same handful of clauses: data use, security, renewal, payment, service levels, indemnity, liability cap, and assignment. If the deal is standard and the reviewer has a real playbook, the first pass should not take an afternoon.

This is the checklist we use with in-house teams at Arca. It is opinionated because routine SaaS deals need consistency more than cleverness. The goal is to know what you can accept, what you should redline, and what needs a lawyer with more context.

Key takeaways

  • Start with "whose paper?" Vendor paper, customer paper, and marketplace orders each hide risk in different places.
  • Read the 8 core clauses first: data use, security, renewal, payment, SLA, indemnity, liability cap, and assignment.
  • A written playbook matters because it turns repeat questions into repeat answers.
  • The liability cap is usually the hardest clause. For many SaaS deals, 12 months' fees is the starting point, with higher caps for data breach, IP indemnity, and confidentiality.
  • AI contract review tools are useful for extraction, playbook checks, and first-pass redlines. A human still needs to own the tradeoffs.

What is a SaaS agreement, really?

A SaaS agreement is the contract that governs a customer's subscription to cloud-hosted software. In practice, it is usually a bundle: a Master Service Agreement (MSA) for the legal terms, an Order Form for the commercial terms, and a few exhibits such as a Data Processing Addendum (DPA), Service Level Agreement (SLA), or security schedule.

What makes SaaS review different from a one-off services contract is that almost every clause turns into an operating obligation. A 60-day notice period is not just drafting. It is a date someone has to track next year. Most of the review is asking, "what happens after we sign this?"

The good news is that SaaS agreements are very playbook-friendly. The same 8 to 10 clauses matter most of the time, and the fallback positions are usually knowable before the negotiation starts. That is also why SaaS review is one of the better places to use AI contract tools: the work has a repeatable shape.

What are the 8 clauses to read first in every SaaS agreement?

Read these before you spend time polishing definitions or notice provisions. If one of these is missing or materially off-market, deal with that first.

  1. Data use and ownership. The vendor should not get a broad right to use customer data for its own purposes, including model training, identifiable product analytics, or marketing. Aggregated, de-identified use for service improvement is the more common compromise.
  2. Security and privacy. Look for a named standard (SOC 2 Type II, ISO 27001, HITRUST for healthcare), a clear breach notice timeline, and a DPA or BAA where applicable.
  3. Renewal and termination. Auto-renewal with a short opt-out window is easy to miss. Push for a longer notice period, or require affirmative consent for renewals above your team's deal-size threshold.
  4. Payment terms. Net 30 is the usual baseline. Watch for short payment clocks, late-fee mechanics, suspension rights, and uncapped renewal increases.
  5. Service levels. Uptime commitment (99.9% is table stakes), measurement window, exclusions (scheduled maintenance, customer error), remedy (service credits), and whether chronic failure is a termination trigger.
  6. Indemnity. Third-party IP claims caused by the vendor's software, and data breaches caused by the vendor's negligence, are the two non-negotiable inclusions. Scope, procedure, and sole-remedy carve-outs all matter.
  7. Limitation of liability. Usually the most-negotiated clause. Many SaaS deals start at 12 months of fees, with higher caps or carve-outs for confidentiality, data breach, IP indemnity, and gross negligence.
  8. Assignment and change of control. Silence here means the vendor can assign the contract to a competitor after an acquisition. Require consent for assignment to a direct competitor at minimum.

How does "whose paper" change your review?

The question that changes the review fastest is simple: whose template are we negotiating on? It tells you where the draft is likely to be one-sided and where you should spend your time.

On vendor paper, look hard at the liability cap, the data use grant, and the renewal language. The vendor may call its SLA and security terms "standard," but that does not make them right for your deal.

On customer paper, where your company is the vendor, the risk flips. The harder questions are whether support commitments are actually operable, whether indemnity covers things engineering does not control, and whether the customer's preferred cap lines up with your insurance and risk tolerance.

On a marketplace order (AWS, Azure, GCP, Workday, Salesforce AppExchange), the marketplace terms may come in by reference and sit above or beside your negotiated terms. Read them. They often control billing, data handling, or termination in ways the order form does not make obvious.

What is a contract review playbook, and how do you use it?

A contract playbook is a written set of decisions. For each clause, it says what your preferred position is, what fallback you can accept, and when the reviewer needs to escalate. A useful SaaS playbook is short enough that people actually use it.

Each clause entry should answer four questions: what do we ask for, what can we accept without escalation, what is outside bounds, and why. For liability, that might mean: ask for 24 months' fees with higher caps for key risks; accept 12 months with the usual carve-outs; escalate anything below that or anything missing a data-breach carve-out.

Why it matters in practice: once the playbook is live, the routine deals stop bouncing between legal, procurement, and sales for the same questions. The hard deals are still hard, but the standard ones stop consuming senior counsel time.

When should you escalate a SaaS agreement?

Escalation is not a failure. It is how the playbook keeps routine review from turning into quiet risk acceptance. Escalate to senior counsel or the GC when one of these is true:

  • The liability cap is below 12 months' fees, or any super-cap is missing (data breach, IP indemnity, or confidentiality).
  • The vendor wants a right to use customer data to train AI models, even "de-identified."
  • The agreement uses a non-US governing law with no sophisticated-party carve-out.
  • Indemnity is mutual and uncapped for anything other than third-party IP and data claims.
  • The deal size is above your team's escalation threshold.
  • The counterparty is in a regulator-sensitive industry you have not sold to before — healthcare, defense, government, financial services.
  • The sales team has already agreed to non-standard commercial terms verbally, or the deadline is tight enough that legal will not get a normal review cycle.

How does AI contract review fit into a SaaS review workflow?

AI contract review changes where the first pass happens. The work that used to take the first chunk of a lawyer's time — reading the agreement, pulling out key terms, comparing them to the playbook — can now happen before the lawyer opens the document.

The split that works is this: AI extracts the terms, checks them against the playbook, and drafts a first-pass redline with comments tied to fallback positions. The lawyer reads the summary, opens the clauses that were flagged, and decides whether to accept, redline, or escalate.

What AI still does not do well is business judgment. It can tell you the indemnity is uncapped. It cannot decide whether that is acceptable because this customer is strategic, the renewal is at risk, or the CFO has already approved the exposure. Keep that decision with a human.

Frequently asked questions

How long should a SaaS agreement review take?

A routine SaaS agreement on familiar paper can often be reviewed in 20 to 40 minutes with a good playbook. Without one, the same agreement can take much longer because every fallback has to be re-decided. Enterprise deals, regulated data, and unusual commercial structures still take real lawyer time and several rounds of back-and-forth.

What is the standard liability cap in a SaaS agreement?

A common starting point is 12 months of fees paid by the customer before the claim. Many buyers ask for higher caps, or uncapped liability, for breach of confidentiality, data breach, IP infringement indemnity, and gross negligence or willful misconduct.

What is the difference between an MSA, a DPA, and an SLA?

The MSA is the overarching commercial contract. The DPA is a privacy-law-driven addendum that governs how personal data is processed, required under GDPR Article 28 and parallel laws. The SLA is an exhibit specifying uptime, response times, and remedies for service failures. All three are usually cross-referenced and signed together.

Do I need a DPA for every SaaS vendor?

If the vendor will process personal data on your behalf and that data is subject to the GDPR, UK GDPR, CPRA, or an equivalent law, then yes — a DPA is legally required, not optional. Many US-only B2B SaaS deals that do not touch personal data do not strictly need a DPA, but it is common to sign one anyway as a due-diligence signal.

Is AI contract review reliable enough to skip legal review?

No. AI is useful for extracting terms, checking them against a playbook, and drafting first-pass redlines. It is much less reliable on business-risk judgment, unusual contract structures, and anything likely to be disputed later. Every contract still needs a named human owner.

What should I do if the vendor will not redline the liability cap?

Try three moves. First, leave the general cap alone but ask for higher caps on the specific risks that matter: data breach, IP indemnity, and confidentiality. Second, ask for stronger insurance commitments. Third, if the exposure is real and the cap is too low, be prepared to escalate or walk away.

These resources are starting points, not legal advice. Review every template and recommendation against your facts, policies, and applicable law before use.