
SaaS Agreement (Hong Kong)


SAAS AGREEMENT

Supply of Services (Implied Terms) Ordinance (Cap. 457), Hong Kong SAR

This SaaS Agreement is entered into on [Agreement Date] between:

(1) [Provider Name] (CRN: [Provider CRN]) of [Provider Address] (“the Provider”); and

(2) [Customer Name] (CRN: [Customer CRN]) of [Customer Address] (“the Customer”).

1. THE SAAS SERVICE

1.1 The Provider grants the Customer a non-exclusive, non-transferable subscription to access and use the “[Platform Name]” platform: [Service Description].

1.2 Authorised users: [Authorised Users].

1.3 The initial subscription term is [Subscription Term] from the date of this Agreement.

1.4 Auto-renewal: [Auto Renewal]. If auto-renewal applies, the subscription renews for successive periods of the same length unless either Party gives at least 60 days’ written notice before the end of the current term.

1.5 The Provider shall perform all services with reasonable care and skill in accordance with the Supply of Services (Implied Terms) Ordinance (Cap. 457).

2. SERVICE LEVELS

2.1 The Provider commits to [Uptime Commitment] monthly uptime, excluding scheduled maintenance notified at least 48 hours in advance.

2.2 Support: [Support Level].

2.3 If uptime falls below the committed level, the Customer is entitled to a service credit of [Service Credit Rate]% of the monthly subscription fee for each full 0.1% below the commitment, capped at 50% of the monthly fee.

3. SUBSCRIPTION FEES

3.1 The Customer shall pay [Subscription Fee]. No GST or VAT applies in Hong Kong.

3.2 Billing cycle: [Billing Cycle]. Invoices are due within 30 days of issue.

3.3 The Provider may suspend the Customer’s access if any invoice remains unpaid for more than 30 days, upon 14 days’ written notice.

3.4 Late payments attract interest at 1.5% per month on overdue amounts.

4. DATA OWNERSHIP AND PROTECTION

4.1 The Customer retains all ownership rights in its data. The Provider shall not use Customer data except as necessary to provide the service.

4.2 Personal data processing: [Personal Data Processed]. The Provider shall comply with the Personal Data (Privacy) Ordinance (Cap. 486), processing personal data only on the Customer’s instructions (DPP 3) and implementing appropriate security measures (DPP 4).

4.3 Data centre location: [Data Centre Location]. The Provider shall not move Customer data outside the specified location without prior written consent.

4.4 The Provider shall notify the Customer promptly of any data breach and provide reasonable assistance in investigation and remediation.

5. INTELLECTUAL PROPERTY

5.1 The Provider retains all intellectual property rights in the platform, software, documentation, and underlying technology.

5.2 The Customer’s subscription grants a licence to access and use the platform only. No ownership of the platform or its IP is transferred to the Customer.

6. TERMINATION AND DATA EXIT

6.1 Either Party may terminate for material breach not remedied within 30 days of written notice.

6.2 Upon termination or expiry, the Provider shall make all Customer data available for export in a standard machine-readable format for 60 days.

6.3 After the export period, the Provider shall permanently delete all Customer data and provide written certification within 30 days.

7. GOVERNING LAW

7.1 This Agreement is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China.

7.2 The Parties submit to the exclusive jurisdiction of the Hong Kong courts.

EXECUTION

IN WITNESS WHEREOF, the Parties have executed this SaaS Agreement as of the date first written above.

Provider (Authorised Signatory)

________________

Signature

Customer (Authorised Signatory)

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a SaaS Agreement (Hong Kong)?

A SaaS Agreement in Hong Kong records the terms the parties accept and the commitments each makes to the other.

The SaaS Agreement is governed by Hong Kong’s common law of contract together with several specific statutes. The Supply of Services (Implied Terms) Ordinance (Cap. 457) implies into all service contracts a term that services will be performed with reasonable care and skill (Section 5), within a reasonable time where no time is agreed (Section 6), and for a reasonable charge where no price is agreed (Section 7). The Personal Data (Privacy) Ordinance (Cap. 486) imposes obligations on both the SaaS provider and customer where the platform processes personal data of Hong Kong data subjects — the customer is typically the data user and the provider the data processor under the PDPO framework. The Control of Exemption Clauses Ordinance (Cap. 71) subjects limitation of liability clauses to a reasonableness test. The Electronic Transactions Ordinance (Cap. 553) validates electronic contracts and signatures, meaning SaaS click-wrap or online agreements are legally enforceable in Hong Kong.

Regulated industries in Hong Kong face additional SaaS obligations. Banks and licensed institutions supervised by the Hong Kong Monetary Authority (HKMA) must comply with the HKMA’s Supervisory Policy Manual TM-G-1 (General Principles for Technology Risk Management) when using cloud or SaaS services. Securities firms licensed by the Securities and Futures Commission (SFC) must comply with the SFC’s circular on cloud computing and confirm adequate oversight of cloud service providers. Insurance companies must satisfy the Insurance Authority (IA) on cloud outsourcing arrangements. These regulatory requirements typically impose enhanced contractual protections — audit rights, business continuity planning, data residency requirements, and incident reporting obligations — that must be reflected in the SaaS Agreement.

Hong Kong imposes no GST or VAT. All subscription fees and other charges under a SaaS Agreement are expressed in Hong Kong Dollars (HKD) and the stated amount is the total payable. Forms Legal provides a free Hong Kong SaaS Agreement template covering all essential commercial, data protection, and regulatory provisions. Available as PDF and Word download.

The SaaS model differs from a traditional software licence in several legally significant ways. Under a SaaS arrangement, the customer does not receive a copy of the software and cannot exercise rights over the software independently of the provider's infrastructure. The provider retains full control of the software, its updates, and the data environment. The customer's access is contingent on the continued operation of the provider's platform and the ongoing commercial relationship. These characteristics make the SaaS Agreement's provisions on service levels, data portability, and termination exit rights especially critical for enterprise customers in Hong Kong.

For SaaS providers operating in Hong Kong's financial services sector, additional regulatory requirements apply. The Hong Kong Monetary Authority (HKMA) Supervisory Policy Manual TM-G-1 on General Principles for Technology Risk Management requires authorised institutions to conduct due diligence on technology service providers, including SaaS vendors. The Securities and Futures Commission (SFC) has issued circulars on the use of external electronic data storage by licensed corporations, directly impacting SaaS arrangements for securities firms. The Insurance Authority has similar requirements for licensed insurers. SaaS Agreements for regulated entities must reflect these supervisory requirements, including the regulator's right to audit the provider's systems and the provider's obligation to support the customer's regulatory compliance.

When Do You Need a SaaS Agreement (Hong Kong)?

A SaaS Agreement is needed whenever a business in Hong Kong provides or subscribes to cloud-hosted software on a subscription basis. Both the provider and the customer need a properly documented agreement to define their respective rights, obligations, and risk allocation.

SaaS providers entering the Hong Kong market: A SaaS company launching its platform for Hong Kong enterprise customers needs a compliant Hong Kong-law SaaS Agreement that addresses local data protection requirements under the PDPO (Cap. 486), implied terms under Cap. 457, and industry-specific regulatory requirements for customers in regulated sectors.

Enterprise SaaS subscriptions: A Hong Kong business subscribing to a SaaS platform for mission-critical operations — CRM, ERP, accounting systems, HR management, supply chain management, or project management — should insist on a written SaaS Agreement that clearly defines service level commitments, data ownership, security standards, and exit rights. Without a written agreement, the provider’s standard terms (often unfavourable to customers) govern the relationship.

Regulated financial institutions: Banks, securities firms, insurers, and MPF trustees subscribing to SaaS services must confirm the SaaS Agreement satisfies the HKMA, SFC, or IA requirements for cloud outsourcing arrangements. Required provisions typically include: audit rights; business continuity and disaster recovery commitments; data residency within specified jurisdictions; incident notification within specified timeframes; and the right to terminate if the provider cannot satisfy regulatory requirements.

Data processing arrangements: Where the SaaS platform processes personal data of Hong Kong data subjects, a Data Processing Agreement (DPA) must be in place between the customer (data user) and the provider (data processor) to comply with DPP 4 of the PDPO. The DPA may be embedded in the SaaS Agreement or executed as a separate schedule.

B2B SaaS with negotiated terms: While many smaller SaaS subscriptions use standard click-wrap terms, enterprise B2B SaaS arrangements involve significant negotiation of commercial terms. A custom SaaS Agreement allows both parties to negotiate liability caps, indemnification provisions, SLA penalties, data processing obligations, and termination rights appropriate to the specific relationship and transaction value.

Startup SaaS providers: Hong Kong startups developing and commercialising SaaS products for the enterprise market need a professionally drafted SaaS Agreement before signing their first paying customer. A well-structured agreement from the outset establishes the commercial relationship on sound terms, limits the provider's liability exposure under the Control of Exemption Clauses Ordinance (Cap. 71), and demonstrates professionalism to enterprise procurement teams. Forms Legal's free template provides a foundation for early-stage SaaS providers to adapt with legal advice.

What to Include in Your SaaS Agreement (Hong Kong)

A Hong Kong SaaS Agreement requires thorough drafting to address the commercial, technical, regulatory, and data protection dimensions of a cloud software relationship. Forms Legal’s template covers the following essential elements.

Service description: A precise definition of the SaaS platform — the features and functionality included in the subscription, the permitted number of users or seats, the access method (web browser, API, mobile application), and any geographic or usage restrictions. The service description forms the basis for the provider’s service level commitments and the customer’s entitlement claims.

Subscription fees: All fees stated in HKD (no GST or VAT applies in Hong Kong). The fee structure — per user, per module, per transaction volume, or flat subscription — must be clearly defined. Payment terms (monthly, quarterly, or annually in advance), invoicing procedures, and late payment consequences (suspension after a grace period, typically 14–30 days) must be addressed. Auto-renewal provisions and price increase mechanisms should be specified, with adequate advance notice to the customer.

Service levels (SLA): Uptime commitments (typically 99.9% or 99.95% monthly availability for enterprise SaaS), measurement methodology, scheduled maintenance exclusions with advance notice requirements, support response time tiers by severity level, and service credit remedies for downtime. For financial institutions, performance metrics must satisfy HKMA or SFC expectations.

Data ownership and portability: Express confirmation that the customer owns all data it uploads or generates through the platform. The provider’s rights to use customer data must be clearly limited — typically to the minimum necessary to provide the service. Data portability obligations — the provider must make customer data available for export in a standard format upon request and within a specified period after termination.

Data protection and PDPO compliance: The provider’s obligations as a data processor under the PDPO (Cap. 486) — processing personal data only on the customer’s instructions (DPP 3), implementing appropriate security measures (DPP 4), restricting access to personal data to authorised personnel, and notifying the customer of any data breach within a specified period. Data residency requirements (particularly for regulated institutions) and cross-border transfer restrictions should be addressed.

Security standards: Encryption requirements for data at rest and in transit, penetration testing frequency, access control standards (multi-factor authentication, role-based access), vulnerability management, and incident response procedures. Enterprise customers should specify minimum security certification requirements (for example, ISO 27001 certification).

Intellectual property: Confirmation that the provider owns all rights in the platform, underlying technology, and documentation. The customer receives a limited, non-exclusive licence to access and use the platform during the subscription term. Customer data and any customer-specific configurations remain the customer’s property.

Limitation of liability: A mutual limitation of liability cap (typically expressed as a multiple of the annual subscription fee), exclusions from the cap (for data breaches, wilful misconduct, and intellectual property indemnities), and mutual exclusion of consequential and indirect losses — subject to the reasonableness requirements of the Control of Exemption Clauses Ordinance (Cap. 71).

Termination and data exit: Notice periods for termination by either party; grounds for immediate termination (material breach, insolvency); post-termination data export obligations (the provider must make data available in a standard format for a specified period after termination); and post-export data deletion obligations.

Business continuity: Provider obligations to maintain a documented business continuity plan and disaster recovery plan; the recovery time objective (RTO) and recovery point objective (RPO) for the SaaS platform; and the provider's obligation to notify the customer if a business continuity event has occurred. For regulated financial institutions using SaaS, business continuity requirements under HKMA Supervisory Policy Manual TM-G-1 impose specific minimum standards that must be reflected in the SaaS Agreement. The forms-legal.com SaaS Agreement (Hong Kong) template covers the mandatory elements under Supply of Services (Implied Terms) Ordinance (Cap. 457).

Sources & Citations

Statutory citations link to official government sources.

  1. The Supply of Services (Implied Terms) Ordinance (Cap. 457) (HK official)
  2. The Personal Data (Privacy) Ordinance (Cap. 486) (HK official)
  3. The Control of Exemption Clauses Ordinance (Cap. 71) (HK official)
  4. The Electronic Transactions Ordinance (Cap. 553) (HK official)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). SaaS Agreement (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/intellectual-property/saas-agreement-hong-kong

MLA

"SaaS Agreement (Hong Kong) (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/intellectual-property/saas-agreement-hong-kong.

BibTeX
@misc{formslegal-saas-agreement-hong-kong,
  author       = {{Forms Legal}},
  title        = {SaaS Agreement (Hong Kong) (Hong Kong)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/business/intellectual-property/saas-agreement-hong-kong}},
  note         = {Free legal document template. Based on Supply of Services (Implied Terms) Ordinance (Cap. 457)}
}


Based on Supply of Services (Implied Terms) Ordinance (Cap. 457) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
