SaaS Agreement (India-Specific Terms)
SAAS AGREEMENT (INDIA-SPECIFIC TERMS)
IT Act 2000 | DPDP Act 2023 | Indian Contract Act 1872 | CGST Act 2017 | Income Tax Act 1961
This SaaS Agreement ("Agreement") is entered into on [Agreement Date] between:
VENDOR: [Vendor Name] (PAN: [Vendor PAN]), GSTIN: [Vendor GSTIN], registered at [Vendor Address] (the "Vendor"); and
CUSTOMER: [Customer Name] (PAN: [Customer PAN]), GSTIN: [Customer GSTIN], registered at [Customer Address] (the "Customer").
1. LICENCE GRANT
1.1 The Vendor grants the Customer a non-exclusive, non-transferable, revocable licence to access and use [Software Name] ("Software") via the internet for the Customer's internal business purposes during the subscription term.
1.2 Software: [Software Description].
1.3 Term: [Subscription Term] commencing [Subscription Start Date]. This Agreement auto-renews unless either party provides written notice of non-renewal at least 30 days before the end of the then-current term.
1.4 Restrictions: The Customer shall not reverse engineer, sublicence, resell, use for unlawful purposes, or attempt to gain unauthorised access to the Vendor's infrastructure.
2. FEES, GST AND TDS
2.1 The Customer shall pay ₹[Subscription Fee] per [Subscription Term] (excluding GST) for the Software subscription.
2.2 GST: GST at 18% is chargeable under the CGST Act 2017 (SAC code 998313). The Vendor shall issue compliant GST tax invoices. The Customer (if GST-registered) may claim ITC on GST paid.
2.3 TDS: The Customer shall deduct TDS at [TDS Rate]% under Section 194J of the Income Tax Act 1961 (technical / professional services) on the subscription fee excluding GST, deposit the TDS with the Income Tax Department by the 7th of the following month, and issue Form 16A to the Vendor within the prescribed time.
2.4 Payment: Due within 15 days of invoice date. Late payment attracts interest at 1.5% per month.
3. SERVICE LEVELS
3.1 Uptime guarantee: [SLA Uptime]% monthly availability, measured in IST (Indian Standard Time), excluding scheduled maintenance windows communicated at least 48 hours in advance.
3.2 Service credits: Uptime below [SLA Uptime]% entitles the Customer to 5% of the monthly fee for each 0.5% shortfall, up to 30% of the monthly fee. Service credits are the sole remedy for SLA breaches.
3.3 Incident response: Critical (service unavailable): response within 1 hour IST, target resolution within 4 hours. High severity: response within 4 hours, resolution within 24 hours.
4. DATA PROTECTION — DPDP ACT 2023 AND IT ACT 2000
4.1 The Customer is the data fiduciary and the Vendor is the data processor under the Digital Personal Data Protection Act 2023 (DPDP Act). The Vendor shall process personal data only on the Customer's written instructions.
4.2 Data residency: [Data Residency]. The Vendor shall not transfer Customer data to any jurisdiction restricted by the Central Government under the DPDP Act without the Customer's prior written consent.
4.3 Security: The Vendor shall implement technical and organisational safeguards compliant with Section 43A of the IT Act 2000 and the DPDP Act, including ISO 27001 or equivalent standards.
4.4 Breach notification: The Vendor shall notify the Customer within 72 hours of becoming aware of any personal data breach and cooperate fully in breach reporting obligations to the Data Protection Board of India.
4.5 Data return: Within 30 days of termination, the Vendor shall provide a full export of all Customer Data in a portable format (CSV/JSON) and certify deletion of all copies within 60 days thereafter.
5. INTELLECTUAL PROPERTY AND CONFIDENTIALITY
5.1 The Vendor retains all IP in the Software under the Copyright Act 1957 and applicable Indian IP laws. This Agreement grants no IP rights except the limited access licence in Clause 1.
5.2 The Customer retains ownership of all Customer Data. The Vendor is granted a limited licence to process Customer Data solely to provide the Software.
5.3 Each party shall maintain the other's Confidential Information in strict confidence for 3 years after termination.
6. GOVERNING LAW AND DISPUTE RESOLUTION
6.1 This Agreement is governed by the laws of India and the State of [Governing State].
6.2 Disputes shall be resolved by arbitration under the Arbitration and Conciliation Act 1996, seated at [Governing State], before a sole arbitrator appointed by mutual agreement. Language: English.
6.3 This Agreement shall be executed on non-judicial stamp paper as required by the Indian Stamp Act 1899 and the applicable state stamp act of [Governing State].
Vendor
________________
Signature
Customer
________________
Signature
What Is a SaaS Agreement (India-Specific Terms)?
A SaaS Agreement (-Specific Terms) in India sets out the mutual obligations the parties accept and the terms that govern their dealings.
The Information Technology Act 2000 (IT Act) is the foundational statute for electronic contracts and data liability in India. Section 43A of the IT Act (as applicable alongside the DPDP Act) imposes liability on companies possessing, dealing with, or handling sensitive personal data or information in a computer resource who negligently implement and maintain reasonable security practices, causing wrongful loss or gain. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 prescribed under Section 43A define sensitive personal data to include passwords, financial information, health information, biometrics, and sexual orientation — information that SaaS platforms commonly process.
The Digital Personal Data Protection Act 2023, which received Presidential assent on 11 August 2023, introduces the roles of Data Fiduciary and Data Processor into Indian law for the first time in statutory form. A SaaS customer who directs the processing of personal data is the Data Fiduciary; the SaaS vendor processing on the customer's instructions is the Data Processor. Section 8 of the DPDP Act requires Data Processors to process personal data only according to the Data Fiduciary's instructions, maintain security safeguards, and report data breaches to the Data Protection Board of India (DPBI). Penalties under the DPDP Act reach ₹250 crore for security failures — far exceeding any comparable GDPR-era risk for Indian businesses.
GST at 18% applies to SaaS subscription payments under SAC Code 998313 (computer programming, consultancy, and related services) or 998314 (IT infrastructure services), making India-specific SaaS agreements distinct from international SaaS contracts. The customer (if GST-registered) can claim input tax credit (ITC) on the GST paid on SaaS subscriptions under Section 16 of the CGST Act 2017, making the effective cost of SaaS significantly lower for businesses with taxable output. Non-business customers and exempt-sector customers (hospitals, educational institutions) cannot claim ITC.
Tax Deducted at Source (TDS) under Section 194J of the Income Tax Act 1961 is a compliance requirement unique to Indian SaaS contracts. When an Indian customer pays a SaaS subscription to an Indian vendor, TDS at 2% (for technical services) must be deducted before remitting payment. The customer files Form 26Q quarterly and issues Form 16A to the vendor. For payments to foreign SaaS vendors, Section 195 TDS at applicable rates (or reduced DTAA rates) applies on the royalty or technical service fee component.
Dispute resolution in India-specific SaaS agreements commonly provides for arbitration under the Arbitration and Conciliation Act 1996, with a seat at a major Indian commercial centre (Mumbai, Delhi, Bengaluru, Hyderabad). The Act, as amended by the Arbitration and Conciliation (Amendment) Act 2021, permits virtual hearings and online submission of pleadings, making it particularly suitable for technology disputes between parties in different cities.
When Do You Need a SaaS Agreement (India-Specific Terms)?
A SaaS Agreement with India-Specific Terms is required whenever an Indian business subscribes to cloud-delivered software, or when a SaaS vendor (Indian or foreign) contracts with Indian enterprise customers and needs to address the specific tax, data protection, and regulatory obligations that apply in India.
Indian businesses purchasing SaaS from domestic vendors must use an India-specific agreement to address TDS deduction obligations under Section 194J of the Income Tax Act 1961. Without an explicit TDS clause, disputes arise over whether the customer deducted TDS, at what rate, and whether the vendor's invoice correctly excludes GST from the TDS base. The agreement eliminates these operational disputes.
Organisations in regulated sectors — banking (regulated by the Reserve Bank of India), insurance (Insurance Regulatory and Development Authority of India, IRDAI), capital markets (Securities and Exchange Board of India, SEBI), and healthcare — require India-specific SaaS agreements that address sector-specific data localisation requirements. The RBI's payment data storage circular (2018) mandates storage of payment system data exclusively in India; SEBI's Cloud Adoption Framework (2023) requires classified data residency in India. Generic international SaaS agreements do not address these obligations.
Any SaaS deployment processing personal data of Indian residents after the DPDP Act 2023 rules are operationalised requires a contract that allocates the roles of Data Fiduciary and Data Processor, establishes security standards, addresses the 72-hour breach notification obligation to the Data Protection Board of India, and includes data deletion requirements on contract termination.
Foreign SaaS vendors entering Indian enterprise contracts need India-specific agreements to address withholding tax obligations under Section 195 of the Income Tax Act — specifically whether the subscription fee constitutes 'royalty' under Section 9(1)(vi) or 'fees for technical services' under Section 9(1)(vii), and at what treaty rate TDS applies under the applicable Double Taxation Avoidance Agreement (DTAA) between India and the vendor's country.
Startups and technology companies processing sensitive personal data of employees, customers, or users — including health platforms processing medical records, fintech platforms processing financial information, and HR platforms processing biometric data — need India-specific data processing agreements embedded within or attached to their SaaS contracts to comply with the IT (SPDI) Rules 2011 and the emerging DPDP Act framework.
What to Include in Your SaaS Agreement (India-Specific Terms)
An India-specific SaaS Agreement governed by the Indian Contract Act 1872 and the IT Act 2000 must contain several provisions beyond a standard international SaaS contract to address the unique regulatory obligations applicable in India.
Service description and access rights define the specific software modules, features, and platforms being subscribed to, the number of authorised users or user licences, the subscription tier, and the access method (web browser, API, mobile application). The agreement must specify whether the SaaS includes data storage and, if so, where data is stored — critical for regulatory compliance by banking, insurance, and SEBI-regulated entity customers.
GST and invoicing clauses specify the applicable GST rate (18% for most SaaS under SAC 998313), whether the quoted subscription fee is inclusive or exclusive of GST, the vendor's GSTIN (GST Identification Number), the invoicing frequency, and the format of GST-compliant tax invoices. GST invoices must include the vendor's GSTIN, HSN/SAC code, GST amount, and the place of supply — essential for the customer to claim input tax credit under Section 16 of the CGST Act 2017.
TDS clause establishes the parties' respective obligations regarding Tax Deducted at Source. The clause must specify: the applicable TDS section (Section 194J for domestic payments; Section 195 for foreign vendor payments); the TDS rate (2% for technical services under 194J); that the customer will deduct TDS on the subscription fee excluding GST; the customer's obligation to deposit TDS by the 7th of the following month; the customer's obligation to file Form 26Q quarterly; and the vendor's obligation to issue Form 16A to the customer within 15 days of the quarterly filing due date. For foreign vendors, the clause should specify the applicable DTAA rate and the requirement for a Tax Residency Certificate.
Data protection and DPDP Act clause allocates the roles of Data Fiduciary (customer) and Data Processor (vendor) under the Digital Personal Data Protection Act 2023. The clause must: require the vendor to process personal data only on the customer's documented instructions; mandate implementation of security safeguards as prescribed under Section 8 of the DPDP Act; specify the 72-hour breach notification obligation to the Data Protection Board of India; require the vendor to assist the customer in responding to Data Principal rights requests (access, correction, erasure under Sections 11–13); and obligate the vendor to delete or return all personal data on contract termination.
Data residency and localisation clause addresses sector-specific obligations for regulated-sector customers. The clause should specify whether the vendor's infrastructure is located in India (region/availability zone name) or abroad, and include the vendor's obligation to comply with any data localisation requirements notified under the DPDP Act or by the RBI, IRDAI, or SEBI that apply to the customer's sector during the contract term.
Service Level Agreement (SLA) and credits define uptime commitments (typically 99.9% monthly), measurement methodology (IST timezone), incident severity classification, response and resolution time targets, and the service credit formula for SLA breaches — typically expressed as a percentage of monthly fees, escalating with the severity of the breach. Section 74 of the Indian Contract Act 1872 makes pre-agreed service credit clauses enforceable as liquidated damages.
Arbitration and governing law clause specifies Indian law as the governing law, designates the seat of arbitration (typically Mumbai, Delhi, or Bengaluru) under the Arbitration and Conciliation Act 1996, specifies the number of arbitrators (sole arbitrator for smaller disputes, three-member tribunal for higher-value disputes), and specifies the arbitration institution (DIAC, MCIA, or ad hoc under the Act). The MSME Facilitation Council has jurisdiction over SaaS payment disputes where the vendor is an MSME registered under the MSMED Act 2006. The forms-legal.com SaaS Agreement (India-Specific Terms) template covers the mandatory elements under Indian Contract Act, 1872.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). SaaS Agreement (India-Specific Terms) (India) [Legal document template]. Forms Legal. https://forms-legal.com/india/business/contracts/saas-agreement-india-specific-terms
"SaaS Agreement (India-Specific Terms) (India)." Forms Legal, 2026, https://forms-legal.com/india/business/contracts/saas-agreement-india-specific-terms.
@misc{formslegal-saas-agreement-india-specific-terms,
author = {{Forms Legal}},
title = {SaaS Agreement (India-Specific Terms) (India)},
year = {2026},
howpublished = {\url{https://forms-legal.com/india/business/contracts/saas-agreement-india-specific-terms}},
note = {Free legal document template. Based on Indian Contract Act, 1872}
}Also available for these jurisdictions:
Frequently Asked Questions
The Digital Personal Data Protection Act 2023 (DPDP Act), which received Presidential assent on 11 August 2023, fundamentally reshapes data processing obligations in India-specific SaaS agreements. The Act introduces a clear framework distinguishing between a 'data fiduciary' (the entity that determines the purpose and means of processing — typically the SaaS customer) and a 'data processor' (the entity that processes data on the fiduciary's instructions — typically the SaaS vendor). Every India-specific SaaS agreement must explicitly allocate these roles. Under the DPDP Act, a SaaS vendor acting as a data processor must: (a) process personal data only on the documented instructions of the data fiduciary customer; (b) implement appropriate technical and organisational security safeguards; (c) notify the customer within 72 hours of becoming aware of a personal data breach; (d) assist the customer in fulfilling data principal rights requests (access, correction, erasure); and (e) delete all personal data upon termination of the SaaS agreement or upon customer instruction. The DPDP Act also grants the Central Government power to restrict cross-border data transfers to notified countries or territories. Until the rules are notified, SaaS agreements should include provisions addressing potential data localisation requirements and the procedure for compliance if restrictions are imposed during the contract term.
Tax Deducted at Source (TDS) obligations are a critical India-specific feature of SaaS agreements that must be addressed explicitly. When an Indian company (the customer) pays subscription fees to a SaaS vendor, TDS obligations arise under the Income Tax Act 1961. For domestic SaaS payments (Indian customer to Indian vendor), TDS is deductible under Section 194J, which covers fees for professional services or technical services. The applicable rate depends on classification: if the SaaS constitutes 'technical services', TDS is deductible at 2% of the subscription fee (excluding GST); if classified as 'professional services', TDS is at 10%. The Finance Act 2020 reduced the TDS rate on technical services from 10% to 2%. SaaS services involving cloud computing, automated software access, and IT infrastructure are generally treated as 'technical services' under the CBDT's administrative guidance, making the 2% rate applicable in most cases. The customer must: (a) deduct TDS at the applicable rate before making each payment; (b) deposit the TDS with the Income Tax Department by the 7th of the month following deduction; (c) file quarterly TDS returns on Form 26Q; and (d) issue a TDS certificate in Form 16A to the vendor within 15 days of the due date for furnishing the quarterly return. GST is not subject to TDS — TDS is deducted on the base subscription fee only (excluding GST amount). The SaaS agreement must specify whether quoted fees are TDS-inclusive or TDS-exclusive, and how the net payment is calculated.
Data localisation requirements in India operate across multiple regulatory frameworks, and a comprehensive India-specific SaaS agreement must address each relevant framework applicable to the customer's industry sector. Reserve Bank of India (RBI): The RBI's circular on Storage of Payment System Data (2018) requires all payment system operators to store payment data — including full end-to-end transaction details, customer data (name, mobile number, Aadhaar, PAN), payment sensitive data (card/bank account details), and transaction/usage data — exclusively in India. SaaS vendors serving payment companies must ensure their platforms process and store this data only on Indian servers. The RBI has extended similar requirements to regulated entities under its outsourcing guidelines. Insurance Regulatory and Development Authority of India (IRDAI): IRDAI's cloud guidelines require insurance companies to store policyholder data and underwriting data in India, with limited exceptions for secondary data in approved jurisdictions. Securities and Exchange Board of India (SEBI): SEBI's circular on Cloud Adoption Framework (2023) requires registered intermediaries to store data classified as 'critical' or 'sensitive' in India. SaaS vendors serving SEBI-regulated entities must design their infrastructure accordingly. DPDP Act framework: The DPDP Act grants the Central Government power to notify countries or territories to which cross-border transfer of personal data is permitted.
Stamp duty on SaaS agreements in India is governed by the Indian Stamp Act 1899 and the respective state stamp acts, as stamp duty is a state subject under the Indian Constitution. The stamp duty treatment of SaaS agreements varies by state and depends on how the agreement is characterised — as a service agreement, a licence agreement, or a technology services agreement. For most Indian states, a SaaS agreement signed between Indian parties should be executed on non-judicial stamp paper or bear an adhesive stamp of the value required by the applicable state stamp act. Common characterisations and their stamp duty implications include:
Service agreement: Most states treat SaaS agreements as service agreements and prescribe fixed stamp duty (₹500 or ₹1,000 in many states) for service agreements below a threshold value, and ad valorem duty (a percentage of the contract value) for higher-value agreements. Maharashtra: Under the Maharashtra Stamp Act 1958, agreements for services generally attract stamp duty of ₹500. For technology service agreements above ₹10 lakh, some practitioners characterise them under the 'Agreement' article, attracting 0.1%–0.5% depending on the transaction value. Karnataka: The Karnataka Stamp Act 1957 prescribes ₹500 for ordinary agreements. Complex technology agreements may be characterised under specific articles at higher rates. E-stamping: Most states now offer e-stamping for SaaS agreements, which provides a convenient and secure mechanism for paying stamp duty.
A SaaS Agreement (India-Specific Terms) does not legally require a lawyer in India, and individuals and businesses may draft and execute the document independently. The Indian Contract Act, 1872 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified India lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of India has jurisdiction over disputes arising from this type of document, and Registrar of Companies (ROC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
SaaS Agreement (India)
A SaaS Agreement for India, governed by the IT Act 2000 and Indian Contract Act 1872. Covers software access licence, subscription fees, SLA, data processing obligations under the DPDP Act 2023, IP ownership, acceptable use, and termination. Suitable for cloud software vendors and enterprise customers.
Cloud Services Agreement (India)
A Cloud Services Agreement for India, governed by the IT Act 2000 and DPDP Act 2023. Covers IaaS/PaaS/SaaS cloud service delivery, data residency, DPDP Act compliance obligations, shared responsibility model, SLA, security requirements, and exit/data portability rights.
Service Level Agreement (India)
A Service Level Agreement (SLA) for India, governed by the Indian Contract Act 1872 and the IT Act 2000. Defines service metrics, uptime targets, response and resolution times, performance measurement methodology, service credits for SLA breaches, escalation matrix, maintenance windows, and reporting obligations. Suitable as a standalone SLA or schedule to a Master Service Agreement or SaaS Agreement for IT services, managed services, and technology outsourcing in India.
Non-Disclosure Agreement (India)
A legally enforceable non-disclosure agreement for India, governed by the Indian Contract Act 1872 (Sections 27 and 73), IT Act 2000, and SPDI Rules 2011. Available in mutual and unilateral forms. Includes confidential information definition, exclusions, return/destruction clause, injunctive relief, and arbitration under the Arbitration and Conciliation Act 1996.