SaaS Agreement (New Zealand)

A SaaS Agreement in New Zealand records the software-as-a-service to be provided, the fees, the service standards, and each party's obligations between the provider and the client under the Companies Act 1993.

New Zealand SaaS agreements are governed by three primary statutes. The Contract and Commercial Law Act 2017 (CCLA), which consolidated eleven previously separate commercial statutes including the Contractual Remedies Act 1979 and the Illegal Contracts Act 1970, provides the overarching legal framework for contractual formation, performance, misrepresentation, cancellation, and remedies. The Privacy Act 2020, and its 13 Information Privacy Principles (IPPs), regulates every agency collecting or processing personal information about New Zealand individuals — a central obligation for any SaaS platform that stores customer data, user records, or usage analytics. The Copyright Act 1994 vests ownership of the software in the provider and prevents any implied licence to copy, modify, decompile, or reverse-engineer the underlying code.

The Goods and Services Tax Act 1985 requires GST-registered SaaS providers to charge GST at 15% on all subscription fees. Under 2016 amendments to the GST Act, offshore SaaS providers supplying New Zealand consumers must register for New Zealand GST once their supplies exceed NZD $60,000 in any twelve-month period.

A thorough NZ SaaS Agreement covers the subscription plan tier and number of authorised user seats; uptime SLA commitments (typically 99.9% monthly, the industry standard known as 'three nines'); data ownership confirmation that all customer data remains the customer's property; data residency and sovereignty obligations, which are particularly important for government agencies subject to the Official Information Act 1982 and health sector customers subject to the Health Information Privacy Code 2020; mandatory notifiable privacy breach obligations under section 113 of the Privacy Act 2020; security standards consistent with CERT NZ cloud security guidance; and limitation of liability provisions consistent with the Consumer Guarantees Act 1993 and the Fair Trading Act 1986.

New Zealand's technology sector, supported by NZTech, Callaghan Innovation, and Lightning Lab, has produced globally successful SaaS companies including Xero, Vend, and Timely, as well as hundreds of specialist B2B platforms serving the agriculture, construction, health, and professional services sectors. Every SaaS provider — regardless of size — requires a New Zealand-compliant SaaS agreement before onboarding paying customers.

A SaaS Agreement is needed in New Zealand whenever a cloud software provider onboards a paying customer — regardless of whether the customer is a startup, an enterprise, or a government agency.

**SaaS startups and scale-ups:** New Zealand's technology sector, supported by NZTech, Lightning Lab, and Callaghan Innovation grants, produces hundreds of SaaS businesses. Before charging any subscription fee, providers need a compliant agreement that addresses the CCLA 2017, Privacy Act 2020 IPPs, and GST obligations under the Goods and Services Tax Act 1985.

**Enterprise SaaS procurement:** Large New Zealand enterprises procuring cloud software require agreements addressing data sovereignty, uptime SLA commitments, privacy breach notification under section 113 of the Privacy Act 2020, and exit data portability provisions. Procurement teams at listed companies and financial institutions regulated by the Financial Markets Authority (FMA) have heightened compliance requirements.

**Government and public sector:** New Zealand government agencies procuring SaaS must comply with the Government Rules of Sourcing issued by the Ministry of Business, Innovation and Employment (MBIE) and the Protective Security Requirements. These impose specific rules on data classification, offshore data storage, and vendor security posture.

**Health sector:** SaaS providers serving Te Whatu Ora (Health New Zealand), district health boards, and private health practices must address the Health Information Privacy Code 2020 — issued by the Privacy Commissioner under section 81 of the Privacy Act 2020 — in addition to the standard Privacy Act 2020 IPPs.

**Education sector:** Schools and tertiary providers procuring SaaS tools for student management or learning management systems need agreements that address the student privacy obligations under the Privacy Act 2020 and the Education and Training Act 2020.

**B2B SaaS:** Any New Zealand business offering a recurring subscription cloud service needs a SaaS agreement compliant with the CCLA 2017 to govern liability, IP ownership under the Copyright Act 1994, and dispute resolution through the High Court of New Zealand or the Arbitrators' and Mediators' Institute of New Zealand (AMINZ).

A thorough SaaS Agreement for New Zealand should include the following key provisions to be legally effective and commercially sound.

**Service description:** A precise description of the cloud software, accessible URL or API endpoint, included modules, and any excluded functionality. Ambiguity about what is included is a leading cause of SaaS disputes in New Zealand.

**Subscription terms:** The subscription plan tier, number of authorised user seats, commencement date, initial term length, and auto-renewal mechanics. Section 36 of the Contract and Commercial Law Act 2017 governs electronic contract formation and renewal.

**Fees and GST:** Monthly or annual subscription fees in NZD, the billing cycle and payment method, late payment interest under the Judicature Act 1908 (currently 10% per annum), and GST treatment under the Goods and Services Tax Act 1985. Tax invoices must be issued for each payment to enable input tax credit claims by GST-registered customers.

**Data ownership and privacy:** Explicit confirmation that all customer data is and remains the property of the customer under the CCLA 2017. Privacy Act 2020 compliance obligations, including adherence to Information Privacy Principles 1–13. Mandatory notifiable privacy breach obligations under section 113 of the Privacy Act 2020 — the provider must notify the Office of the Privacy Commissioner and affected individuals if a breach is likely to cause serious harm.

**Data residency and security:** Where data is hosted (New Zealand, Australia, or offshore), which cloud infrastructure provider is used (AWS, Azure, Google Cloud), and the security standards applied — consistent with CERT NZ cloud security guidance and the ISO/IEC 27001 information security framework.

**Uptime SLA:** The uptime commitment (e.g., 99.9% monthly), how uptime is calculated, scheduled maintenance exclusions, and the service credit mechanism for SLA failures. Remedies must comply with the Consumer Guarantees Act 1993 where consumer transactions are involved.

**Intellectual property:** Confirmation that all IP in the software remains vested in the provider under the Copyright Act 1994, and that no implied licence to copy, modify, or reverse-engineer the software is granted. Customer data and customer-created content remain the customer's property.

**Limitation of liability:** A liability cap (typically 12 months' subscription fees) and exclusion of indirect, consequential, and loss-of-profit claims — subject to the Consumer Guarantees Act 1993 and Fair Trading Act 1986 where applicable to consumer transactions.

**Termination and data export:** Notice periods for termination, the customer's right to export their data in a standard machine-readable format within a specified period before permanent deletion, and data retention obligations under applicable New Zealand law.

**Governing law:** New Zealand law, with disputes resolved in the High Court of New Zealand or by arbitration through the Arbitrators' and Mediators' Institute of New Zealand (AMINZ). The forms-legal.com SaaS Agreement (New Zealand) provides a ready-to-use template that meets these requirements.