SaaS Agreement (Malaysia)
SOFTWARE AS A SERVICE (SaaS) AGREEMENT
Contracts Act 1950 (Act 136) | Electronic Commerce Act 2006 (Act 658) | Personal Data Protection Act 2010 (Act 709)
THIS SaaS AGREEMENT is made on [Effective Date]
BETWEEN:
(1) [Provider Name] (SSM No.: [Provider Number]) of [Provider Address] ("Provider"); AND
(2) [Subscriber Name] (SSM No.: [Subscriber Number]) of [Subscriber Address] ("Subscriber").
1. SUBSCRIPTION GRANT
1.1 Subject to payment of the Subscription Fee and compliance with this Agreement, the Provider grants the Subscriber a non-exclusive, non-transferable right to access and use the [Platform Name] ("Platform") under the [Subscription Plan] during the Subscription Term.
1.2 The initial Subscription Term is [Contract Term] commencing on [Effective Date], and shall automatically renew for successive terms of equal duration unless either Party gives [Notice Period] written notice of non-renewal before the end of the then-current term.
2. FEES AND PAYMENT
2.1 The Subscriber shall pay the Subscription Fee of [Subscription Fee], billed [Billing Cycle], exclusive of Service Tax at 8% under the Service Tax Act 2018 (where applicable).
2.2 Payment is due within fourteen (14) days of invoice. Failure to pay may result in suspension of access to the Platform after seven (7) days' written notice.
3. SERVICE LEVELS
3.1 The Provider shall use commercially reasonable efforts to make the Platform available with [Uptime Guarantee] monthly uptime, excluding scheduled maintenance windows notified at least 48 hours in advance.
3.2 Where the Provider fails to meet the uptime commitment in any calendar month, the Subscriber may claim a pro-rated service credit for the affected period as its sole and exclusive remedy for uptime failures.
4. DATA OWNERSHIP AND PROTECTION
4.1 The Subscriber retains ownership of all data uploaded to or generated within the Platform ("Subscriber Data"). The Provider processes Subscriber Data only as necessary to provide the Platform services.
4.2 Both Parties shall comply with the Personal Data Protection Act 2010 (PDPA 2010, Act 709). The Provider implements appropriate technical and organisational security measures under the Security Principle (Section 9 of the PDPA 2010).
4.3 Upon termination, the Provider shall make Subscriber Data available for export for [Data Retention Period] and then permanently delete it from its systems.
5. INTELLECTUAL PROPERTY
5.1 The Provider retains all intellectual property rights in the Platform, including software, algorithms, user interface, and underlying technology. No rights in the Platform are transferred to the Subscriber.
6. GOVERNING LAW
6.1 This Agreement is governed by the laws of Malaysia. Disputes shall be resolved through the courts of Malaysia or arbitration at the Asian International Arbitration Centre (AIAC) under the Arbitration Act 2005 (Act 646).
Authorised Signatory (Provider)
________________
Signature
Authorised Signatory (Subscriber)
________________
Signature
What Is a SaaS Agreement (Malaysia)?
A SaaS Agreement in Malaysia records the terms the parties accept and the commitments each makes to the other.
The Electronic Commerce Act 2006 (Act 658) governs the legal recognition of electronic contracts in Malaysia, confirming that contracts formed electronically — including SaaS subscription agreements accepted by clicking 'I Agree' or executing a digital order form — are legally binding. Digital signatures used in SaaS agreements are further validated under the Digital Signature Act 1997 (Act 562), administered by the Controller of Certification Authorities (CCA) under the Ministry of Communications.
Data protection is the central legal concern in any Malaysian SaaS Agreement. The Personal Data Protection Act 2010 (PDPA 2010, Act 709) applies where the SaaS platform processes personal data of Malaysian residents. The customer, as the data user under PDPA 2010, determines the purpose of data processing and bears primary regulatory responsibility. The SaaS provider, as the data processor with access to customer data on its servers, must implement the Security Principle under Section 9 of the PDPA 2010. The SaaS Agreement must contain a Data Processing Addendum addressing data residency, security standards, breach notification, and audit rights.
Bank Negara Malaysia's (BNM) Risk Management in Technology (RMiT) Policy Document, effective January 2020, imposes strict outsourcing requirements on financial institutions using cloud-based SaaS platforms. BNM-regulated entities (banks, insurers, and payment service providers) must confirm their SaaS agreements with cloud providers include provisions on data residency in Malaysia (for critical systems), right to audit, business continuity, and exit management. The Securities Commission Malaysia (SC) has parallel requirements for capital market operators under its Guidelines on Technology Risk Management.
The legal framework governing a SaaS Agreement in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing a SaaS Agreement in Malaysia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2016 (Act 777) sets the foundational requirements.
When Do You Need a SaaS Agreement (Malaysia)?
A SaaS Agreement in Malaysia is required whenever a company provides subscription-based access to cloud software or when a company subscribes to a cloud software platform.
A SaaS Agreement is needed when a Malaysian software company launches a cloud-based product — such as an HR management system, accounting software, or CRM platform — and needs a standard subscription agreement that covers usage rights, subscription fees, uptime guarantees, and data ownership.
A SaaS Agreement is required when a Malaysian enterprise subscribes to a foreign SaaS platform — such as Salesforce, Xero, or HubSpot — through a local reseller or direct subscription, and the parties need a Malaysia-law governed agreement addressing PDPA 2010 compliance and data residency requirements.
A SaaS Agreement is needed when a financial institution regulated by Bank Negara Malaysia engages a cloud software provider, as BNM's Risk Management in Technology (RMiT) Policy Document requires the SaaS agreement to address data residency, audit rights, incident notification, and exit obligations.
A SaaS Agreement is required when a company provides a multi-tenant SaaS platform where each customer's data is logically separated but hosted on shared infrastructure, and clear data ownership, isolation, and deletion obligations must be contractually established.
A SaaS Agreement is needed when a SaaS provider offers different subscription tiers (Free, Professional, Enterprise) with different feature sets and SLAs, and the agreement must clearly define the service levels and limitations applicable to each subscription plan.
Parties in Malaysia should prepare a SaaS Agreement (Malaysia) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your SaaS Agreement (Malaysia)
A valid SaaS Agreement in Malaysia under the Contracts Act 1950 must contain the following essential elements.
Subscription Grant: A non-exclusive, non-transferable licence to access and use the SaaS platform during the subscription term, limited to the subscriber's own internal business purposes. The number of authorised users or seats must be specified.
Subscription Fees and Payment: Monthly or annual subscription fees in Malaysian Ringgit (RM), billing cycle, auto-renewal terms, and consequences of late payment. Service Tax at 8% under the Service Tax Act 2018 applies to taxable SaaS services where the provider's revenue exceeds RM 500,000. From 1 January 2020, imported digital services supplied by foreign digital service providers to Malaysian consumers are also subject to Service Tax at 8%.
Service Levels (SLA): Uptime commitments (typically 99.5% to 99.9% monthly availability), scheduled maintenance windows, incident response times by severity, and service credits or remedies for SLA breaches. Service credits must be structured to comply with Section 75 of the Contracts Act 1950 (reasonable pre-estimate of loss, not a penalty).
Data Ownership and Processing: A clear statement that the subscriber retains ownership of all data it uploads or inputs into the SaaS platform (customer data). The provider's rights are limited to processing customer data to provide the service. PDPA 2010 data processor obligations must be expressly addressed, including the Security Principle under Section 9, data breach notification, and data deletion upon termination.
Acceptable Use Policy: Restrictions on prohibited uses of the SaaS platform, including reverse engineering, exceeding usage limits, and uploading malicious code. Reference to the Computer Crimes Act 1997 (Act 563) for criminal liability for unauthorised computer access.
IP Ownership: The provider retains all intellectual property rights in the SaaS platform, including software, algorithms, and user interface. The subscriber grants the provider a limited licence to use customer data solely to provide the contracted services.
Term, Renewal, and Termination: Subscription term (monthly or annual), auto-renewal provisions, notice requirements for cancellation, and post-termination data export and deletion obligations within a specified period (typically 30 days).
Limitation of Liability: Exclusion of liability for indirect losses, cap on aggregate liability (commonly limited to 12 months' subscription fees), and exceptions for data protection breaches and fraud.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). SaaS Agreement (Malaysia) (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/contracts/saas-agreement-malaysia
Frequently Asked Questions
A SaaS Agreement is legally binding in Malaysia under the Contracts Act 1950 (Act 136) and the Electronic Commerce Act 2006 (Act 658), provided it meets the requirements for a valid contract: offer, acceptance, consideration, free consent, and a lawful object under Section 10 of the Contracts Act 1950. Electronic contracts — including those formed by clicking an 'I Accept' button or executing an online order form — are recognised as legally valid under Section 7 of the Electronic Commerce Act 2006. The Electronic Commerce Act 2006 confirms that the legal validity of a contract cannot be denied solely on the ground that it was formed electronically. Where a SaaS Agreement is not signed with a handwritten or certified digital signature, it should at minimum be accepted through a documented click-wrap mechanism that records the subscriber's acceptance, the date and time, and the version of terms accepted.
SaaS providers in Malaysia that process personal data of Malaysian residents on behalf of their customers must comply with the Personal Data Protection Act 2010 (PDPA 2010, Act 709) requirements applicable to data processors. The customer (subscriber), as the data user under PDPA 2010, bears primary regulatory responsibility for compliance. However, the SaaS provider as a data processor must implement the Security Principle under Section 9 of the PDPA 2010, which requires appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction of personal data. The SaaS Agreement should contain a Data Processing Addendum obliging the provider to: process data only on the customer's instructions; notify the customer of data breaches promptly; not engage sub-processors without consent; maintain records of processing activities; and delete or return customer data upon termination. Violations of PDPA 2010 obligations attract fines up to RM 500,000 under Section 130.
Service Tax applies to SaaS subscriptions in Malaysia under the Service Tax Act 2018 at a rate of 8% (increased from 6% effective 1 March 2024). Malaysian SaaS providers with annual taxable revenue exceeding RM 500,000 must register for Service Tax with the Royal Malaysian Customs Department (Jabatan Kastam Diraja Malaysia) and charge Service Tax on SaaS subscription invoices to Malaysian customers. Foreign digital service providers supplying digital services — including SaaS, cloud software, and online platforms — to Malaysian consumers (both B2B and B2C) are also required to register for and collect Service Tax under the Digital Service Tax provisions introduced from 1 January 2020 via amendments to the Service Tax Act 2018. Foreign SaaS providers with Malaysian revenue exceeding RM 500,000 must register as a foreign registered person (FRP) with the Royal Malaysian Customs Department and charge 8% Service Tax on subscriptions.
In a SaaS Agreement governed by Malaysian law, the customer (subscriber) retains ownership of all data it uploads, inputs, or generates within the SaaS platform — commonly called customer data or user data. The SaaS provider's rights over that data are limited to processing it as necessary to deliver the contracted services and, in some cases, to use anonymised or aggregated data for product improvement purposes. The SaaS Agreement should expressly state that the provider will not use customer data for any purpose other than providing the service, will not sell or transfer customer data to third parties, and will delete or return customer data within a specified period (typically 30 to 90 days) after termination. Upon termination, the customer should have a reasonable period to export its data in a standard format before the provider deletes it. This data ownership framework is consistent with the data user's obligations under the Personal Data Protection Act 2010 (PDPA 2010) and protects the customer's compliance position.
A SaaS Agreement uptime SLA for a Malaysian SaaS platform should specify: the uptime percentage commitment (typically 99.5% to 99.9% measured monthly, excluding scheduled maintenance); how uptime is measured (e.g., continuous monitoring by a third-party tool); the definition of 'downtime' (complete unavailability versus degraded performance); scheduled maintenance windows (commonly 2 to 4 hours per month, notified at least 48 hours in advance, excluded from uptime calculations); incident severity categories and corresponding response and resolution time targets; the service credit mechanism payable for SLA breaches (structured as liquidated damages under Section 75 of the Contracts Act 1950 to avoid characterisation as a penalty); and the process for claiming service credits (typically by written request within 30 days of the SLA breach). Malaysian courts will assess SLA credit clauses to determine whether they represent a genuine pre-estimate of loss or an unenforceable penalty under the principles established in Dunlop Pneumatic Tyre Co v New Garage and Motor Co [1915] as applied in Malaysia.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Software Development Agreement (Malaysia)
A Software Development Agreement for Malaysia that governs the engagement of a developer or software house to build custom software for a client. Addresses IP ownership, delivery milestones, payment, warranties, and liability under the Contracts Act 1950, Copyright Act 1987, and Digital Economy framework.
IT Services Agreement (Malaysia)
An IT Services Agreement for Malaysia that governs the ongoing provision of information technology services — including managed IT, helpdesk, infrastructure management, and support — between an IT service provider and a client. Compliant with the Contracts Act 1950, Computer Crimes Act 1997, and PDPA 2010.
Data Processing Agreement (Malaysia)
A Data Processing Agreement (DPA) for Malaysia that governs the processing of personal data by a data processor on behalf of a data user, as required by the Personal Data Protection Act 2010 (PDPA 2010, Act 709). Covers the seven PDPA data protection principles, security obligations, data breach notification, and sub-processor controls.