SaaS Agreement (Ireland)

A SaaS Agreement in Ireland sets the service levels, data-handling duties, fees, and liability terms under which the technology or platform is supplied, and takes its legal force from the Consumer Rights Act 2022.

SaaS agreements in Ireland are governed by the general law of contract, supplemented by a number of key statutes. The Consumer Rights Act 2022 is the most recent and significant piece of legislation affecting SaaS agreements in an Irish context. The Act implements the EU Digital Content and Digital Services Directive (2019/770/EU) and extends statutory consumer rights to digital services — including SaaS applications — supplied to consumers. Part 3 of the Consumer Rights Act 2022 imposes conformity requirements on digital service providers, giving consumers the right to remedies where a digital service is defective, not updated as promised, or fails to meet the contractual specification. These rights cannot be excluded in consumer contracts and represent a significant development in the legal framework applicable to SaaS services in Ireland.

The General Data Protection Regulation (GDPR) and the Data Protection Acts 1988–2018, enforced by the Data Protection Commission (DPC), are of central importance to SaaS agreements because SaaS platforms typically process significant volumes of personal data on behalf of their business customers. Ireland hosts the European headquarters of many major global SaaS companies — including Salesforce, HubSpot, Workday, and Zendesk — and the DPC is therefore the lead supervisory authority under Article 56 GDPR for many of these companies across the EU. The mandatory data processing agreement required by Article 28 GDPR is a core component of any SaaS Agreement involving the processing of personal data.

The Electronic Commerce Act 2000 applies to SaaS services provided online and imposes disclosure obligations on providers — including the requirement to make certain information easily, directly, and permanently accessible to customers. The Act also governs electronic contracts and electronic signatures, confirming the legal validity of SaaS agreements concluded and signed online.

The Competition and Consumer Protection Commission (CCPC) may also be relevant where SaaS contracts are offered to consumers or small businesses on standard terms — the CCPC monitors unfair terms in consumer contracts under the European Communities (Unfair Terms in Consumer Contracts) Regulations 1995 (as amended), which transpose the EU Unfair Terms Directive (93/13/EEC). Terms that create a significant imbalance in the parties' rights and obligations to the detriment of the consumer may be declared unfair and therefore non-binding.

The Network and Information Security (NIS) Directive (EU 2016/1148), transposed into Irish law by the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. No. 360 of 2018), imposes cybersecurity obligations on operators of essential services and digital service providers — including cloud computing service providers. SaaS providers that qualify as digital service providers under the NIS Regulations are required to take appropriate and proportionate technical and organisational measures to manage the security risks posed to their networks and information systems, and to notify the National Cyber Security Centre (NCSC) of Ireland of incidents having a substantial impact on the provision of the service. The forthcoming NIS2 Directive (EU 2022/2555) will significantly expand the scope of these obligations. SaaS providers should confirm that their security practices and incident notification procedures comply with the NIS Regulations and anticipate the requirements of NIS2.

The Taxes Consolidation Act 1997 governs the Irish tax treatment of SaaS transactions. SaaS fees received by Irish-resident companies are subject to Irish corporation tax on their trading profits. For international SaaS transactions, VAT (at the standard rate of 23% in Ireland) is generally chargeable on digital services supplied to Irish consumers, and under the EU VAT One Stop Shop (OSS) rules, non-EU SaaS providers supplying to EU consumers may be required to register for VAT in one EU member state and account for VAT across all EU jurisdictions through the OSS mechanism. Ireland missed the 17 October 2024 transposition deadline for the NIS2 Directive (EU 2022/2555), which significantly expands cybersecurity obligations on digital service providers compared to the original NIS Directive. A draft National Cyber Security Bill was published in August 2024 and the Irish Government is expected to transpose NIS2 into domestic law in late 2025, with enforcement penalties commencing in 2026. The Commission for Communications Regulation (ComReg) will serve as the competent authority for digital service providers under the new regime, while the National Cyber Security Centre (NCSC) will act as the Single Point of Contact. SaaS providers should begin aligning their security risk management and incident notification procedures with the NIS2 requirements ahead of formal transposition. The Data Protection Commission (DPC) appointed two new Data Protection Commissioners in February 2024 following Helen Dixon's departure, and continues to be the lead supervisory authority under Article 56 GDPR for the many major SaaS companies headquartered in Ireland.

An Irish SaaS Agreement is needed in two principal scenarios: when a business provides cloud software services to customers and needs thorough terms to govern the subscription relationship; and when a business subscribes to a SaaS platform and needs to review, negotiate, or supplement the provider's standard terms to protect its interests.

For SaaS providers, the SaaS Agreement is the foundational commercial document for their business. It governs the relationship with every customer, defines the scope of the service and the provider's obligations, limits the provider's liability, and addresses the critical issues of data protection, intellectual property, and acceptable use. A well-drafted SaaS Agreement protects the provider against misuse of the platform, clearly defines what the subscription fee includes, and provides a contractual basis for terminating access in the event of non-payment or breach. Given the recurring revenue model of SaaS businesses, the SaaS Agreement is also an important commercial asset — investors and acquirers will scrutinise the terms of SaaS agreements when assessing the sustainability of the provider's customer relationships.

For SaaS customers (particularly businesses), reviewing and understanding the SaaS Agreement before signing is critically important. Business customers often accept standard SaaS terms without negotiation, only to discover later that the terms are unfavourable in areas such as data ownership, SLA remedies, liability caps, termination rights, price escalation, and auto-renewal provisions. Businesses that process significant volumes of personal data through a SaaS platform — for example, using a cloud HR system, a CRM platform, or a cloud accounting package — have specific GDPR obligations that may require them to negotiate amendments to the provider's standard data processing agreement.

The SaaS Agreement is also needed for GDPR compliance purposes. Under Article 28 GDPR, a data controller must not use a data processor that does not provide sufficient guarantees to implement appropriate technical and organisational measures to protect personal data. Before subscribing to any SaaS platform that will process personal data of employees, customers, or other individuals, a business must confirm that the SaaS provider's data processing agreement satisfies the requirements of Article 28 and that the provider implements adequate security measures. Using a SaaS platform without a compliant data processing agreement is itself a GDPR violation.

For business customers, the SaaS Agreement is also important from a business continuity and vendor risk management perspective. A business that depends on a SaaS platform for critical operations — for example, a cloud accounting system, a cloud telephony platform, or a cloud-based ERP — faces significant operational risk if the SaaS provider becomes insolvent, is acquired, or discontinues the service. The SaaS Agreement should include provisions addressing the customer's right to export data, the notice period for discontinuation, and any escrow arrangements for the software source code. Business customers conducting risk assessments for key SaaS vendors should review whether the SaaS Agreement adequately addresses these continuity risks before committing to a long-term subscription.

Under the Companies Act 2014, the Companies Registration Office (CRO) maintains the register of Irish companies. Section 343 of the Companies Act 2014 sets annual confirmation obligations. The Competition and Consumer Protection Commission (CCPC) enforces the Consumer Rights Act 2022. The Central Bank of Ireland regulates financial services under the Central Bank Act 1971. The High Court of Ireland has jurisdiction under Section 212 of the Companies Act 2014.

A thorough Irish SaaS Agreement should contain the following essential provisions.

The service description clause specifies the SaaS service being provided — including the name and version of the software, the features and functionality included in the subscription, any usage limits (such as the number of users, data storage capacity, or transaction volumes), and any excluded features or optional add-ons.

The subscription and payment clause specifies the subscription fee, the billing frequency (monthly or annual), the payment method, automatic renewal provisions, price escalation rights, and the consequences of non-payment (including account suspension and termination). Auto-renewal clauses must comply with the notification requirements of the Consumer Rights Act 2022 for consumer contracts, and unfair auto-renewal terms may be challengeable under the Unfair Terms Regulations.

The service level agreement (SLA) specifies the availability commitment (uptime), the definition of downtime, scheduled maintenance windows, incident classification and response times, the mechanism for claiming service credits, and any exclusions from the SLA (such as force majeure events, customer-caused issues, or third-party service failures).

The intellectual property clause confirms that the SaaS provider retains all intellectual property rights in the software and platform, and grants the customer a limited, non-exclusive, non-transferable licence to access and use the service during the subscription term. The clause should confirm that the customer owns all data they input into the platform and retains ownership of any outputs or reports generated using their data.

The data protection clause incorporates the mandatory data processing agreement required by Article 28 GDPR — setting out the subject matter, duration, nature, and purpose of processing; the types of personal data processed; the categories of data subjects; the security measures the provider must implement; the provider's obligations regarding sub-processors; and the provider's obligations to assist the controller with data subject rights requests, security incidents, and DPIAs. The clause should address international data transfers and the legal basis for any transfers outside the EEA.

The acceptable use policy (AUP) specifies the permitted uses of the platform and the activities that are prohibited — including prohibited content, prohibited competitive uses, rate limiting and API usage restrictions, and the consequences of AUP violations (up to and including account suspension or termination).

The confidentiality clause imposes obligations on both parties to maintain the confidentiality of the other party's confidential information — including the customer's business data and the provider's proprietary technology and pricing.

The limitation of liability clause specifies the maximum liability of each party under the agreement — typically capped at the fees paid by the customer in the preceding 12 months — and excludes indirect and consequential losses. The exclusions must satisfy the reasonableness test under the Unfair Contract Terms Act 1977 and must not contravene the Consumer Rights Act 2022 for consumer contracts.

The data portability and exit clause specifies the customer's rights to export their data, the format in which data is made available, the data retention period following termination, and the provider's obligation to delete customer data after the retention period expires in compliance with Article 28(3)(g) GDPR.

The governing law clause confirms that the agreement is governed by the laws of Ireland, and for B2B contracts, that disputes are subject to the jurisdiction of the Irish courts. Consumer-facing SaaS agreements must also comply with mandatory EU consumer protection rules that cannot be derogated from by a choice of foreign law. The forms-legal.com SaaS Agreement (Ireland) template covers the mandatory elements under Companies Act 2014.