SaaS Subscription Agreement (UAE)

A SaaS Subscription Agreement in the United Arab Emirates is a commercial contract by which a provider of cloud-hosted software grants a subscriber the right to access and use the software over the internet as a service (Software as a Service), in exchange for a recurring subscription fee, for a defined term. Unlike a traditional software licence agreement where the software is installed on the subscriber's own hardware, a SaaS arrangement involves the provider hosting the software on its own infrastructure, maintaining the platform, and providing updates, with the subscriber accessing the service through a web browser, mobile application, or API. SaaS subscription agreements are governed by the UAE Civil Code (Federal Law No. 5 of 1985), the Copyright Federal Decree-Law No. 38 of 2021 (which protects the software as an original work), the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) (where personal data is processed through the service), and the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021) (which validates electronic execution).

The UAE has a rapidly growing SaaS market, anchored by major technology hubs including the Dubai Internet City, Dubai Silicon Oasis, the DIFC technology ecosystem, Hub71 in Abu Dhabi, and twofour54 in the Abu Dhabi media zone. UAE enterprises in banking (supervised by the Central Bank of the UAE), government, healthcare, logistics, and retail increasingly rely on SaaS platforms for critical business functions, including enterprise resource planning, human resources management aligned with the Ministry of Human Resources and Emiratisation (MOHRE) Wage Protection System, customer relationship management, financial reporting required by the Securities and Commodities Authority (SCA), and data analytics platforms. The Federal Tax Authority (FTA) has extended Value Added Tax at 5% under Federal Decree-Law No. 8 of 2017 to electronically supplied services including SaaS, making VAT treatment a key commercial term in every UAE SaaS contract.

The Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), administered by the UAE Data Office, is the critical regulatory overlay for SaaS contracts. Because SaaS inherently involves the provider processing the subscriber's data on its infrastructure, the PDPL's data processor obligations apply fully: the provider must act on the subscriber's documented instructions, implement appropriate technical and organisational security measures, not engage sub-processors without consent, assist the subscriber in responding to data subject requests, and notify the subscriber of personal data breaches. The PDPL's cross-border data transfer restrictions impose further constraints on providers who host data outside the UAE.

For free-zone entities established in the DIFC, SaaS contracts may be governed by DIFC law under the DIFC Contract Law (DIFC Law No. 2 of 2004), and data protection is subject to the DIFC Data Protection Law (DIFC Law No. 5 of 2020). For ADGM entities, the ADGM Contract Regulations 2015 and the ADGM Data Protection Regulations 2021 apply. Both free-zone regimes are broadly aligned with international best practice and the GDPR framework, making them familiar to international SaaS providers entering the UAE market through free-zone structures.

A well-structured UAE SaaS subscription agreement addresses six core areas: the scope of the service and permitted use; service levels and uptime obligations; subscription fees, VAT treatment, and payment terms; data protection, data ownership, and data residency; intellectual property ownership (the provider retains the software copyright; the subscriber retains its data); and term, renewal, and termination with clear data return and deletion obligations.

A SaaS Subscription Agreement in the UAE is required whenever a business procures access to a cloud-hosted software service from a third-party provider under the Copyright Federal Decree-Law No. 38 of 2021 and the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).

Enterprise cloud software procurement is the primary context. UAE companies purchasing access to ERP platforms, HR systems, accounting and finance tools, CRM software, project management platforms, or business intelligence dashboards hosted by a third-party provider require a formal subscription agreement to govern fees, uptime commitments, data handling, and termination rights.

Regulated-sector procurement in banking, insurance, and capital markets requires SaaS contracts that comply with the Central Bank of the UAE's Information Technology Risk Management guidelines and the SCA's technology governance requirements. Both regulators require documented agreements with cloud service providers that address business continuity, data security, and incident response — requirements that go beyond a standard click-wrap terms of service.

Government and semi-government entity procurement of SaaS solutions is governed by the UAE Government Procurement Policy Framework, which requires formal contracts with SaaS vendors, service level agreements, and data handling provisions aligned with the Emirates Government Service Excellence Programme standards.

Startup and SME contracts with SaaS vendors. UAE startups and SMEs registered with free-zone authorities such as the DIFC Fintech Hive, Hub71, in5, and Dubai CommerCity routinely subscribe to SaaS tools and should review the provider's standard terms before accepting them, particularly regarding data handling, IP ownership, limitation of liability, and lock-in through proprietary data formats.

Multi-jurisdictional deployments where a UAE subsidiary uses a SaaS platform also used by its parent company in another country require a subscription agreement that addresses which entity is the subscriber, how user licences are allocated, and whether the parent's master agreement covers the UAE entity's use — which may trigger data transfer issues under the PDPL if the parent's master agreement requires UAE data to be processed abroad.

A UAE SaaS Subscription Agreement compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and the UAE Civil Code (Federal Law No. 5 of 1985) must contain the following elements. The forms-legal.com UAE SaaS Subscription template addresses each component in a commercially standard format accepted by UAE enterprise subscribers and recognised by the Dubai Courts, the DIFC Courts, and the ADGM Courts.

Party identification must record the full legal name, trade licence number, and registered address of both the provider and the subscriber. Corporate signatories must hold board authorisation or a power of attorney under the Commercial Companies Law (Federal Decree-Law No. 32 of 2021).

Service description must identify the SaaS service by product name and functional description. Clarity here prevents disputes about whether specific features, integrations, or modules are included in the subscription.

Permitted users must be defined: the number of named users, concurrent sessions, or the scope of the subscriber's organisation authorised to access the service. Clear user-count definitions prevent over-deployment disputes.

Service levels must set the uptime commitment (typically 99.0% to 99.9% monthly), incident response and resolution targets, scheduled maintenance windows, and the subscriber's remedy for SLA failure (typically service credits capped at a monthly percentage).

Subscription fees and VAT must state the fee in AED, the payment schedule, and confirm that VAT at 5% under Federal Decree-Law No. 8 of 2017 applies in addition to the fee where the provider is VAT-registered with the Federal Tax Authority.

Data protection provisions must comply with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). The agreement must confirm the subscriber as data controller and the provider as data processor, specify processing instructions, security measures, sub-processor rules, data breach notification obligations, and cross-border transfer restrictions. For DIFC and ADGM entities, the applicable free-zone data protection law must be identified.

IP ownership must confirm that the provider retains copyright in the software under the Copyright Federal Decree-Law No. 38 of 2021 and that the subscriber owns all subscriber data.

Term, renewal, and termination must set the initial term, auto-renewal mechanics, notice periods, grounds for early termination, and the provider's obligation to return or delete subscriber data within a defined period on termination.

Limitation of liability must cap the provider's exposure under Article 390 of the UAE Civil Code (Federal Law No. 5 of 1985) and exclude indirect loss, subject to carve-outs for data protection breaches and fraud.

Governing law and forum must identify UAE law and the competent court — the Dubai Courts, Abu Dhabi Judicial Department, DIFC Courts, or ADGM Courts — or an arbitral institution such as the Dubai International Arbitration Centre (DIAC).

Completing a UAE SaaS Subscription Agreement requires the provider and subscriber to agree commercial and technical terms before filling in the template. Proceed as follows.

Begin with the parties. Enter the provider's full legal name as registered with its UAE or foreign company registry. If the provider is a foreign entity without a UAE trade licence, record its full company name, jurisdiction of incorporation, and registered address. Enter the subscriber's full legal name and UAE trade licence number.

Enter the date in DD/MM/YYYY format.

In the service section, enter the product name and a functional description of the service. Be specific about what the subscription covers: list modules, integrations, and APIs included. State the permitted user count — per-named-user, per-seat, or enterprise — clearly.

Enter the uptime SLA as a percentage with a clear exclusion for scheduled maintenance. Typical UAE enterprise commitments range from 99.0% to 99.9% monthly.

State the subscription fee in AED, noting whether it is monthly or annual. Annual subscriptions usually attract a discount. Add the VAT position: if the provider is UAE VAT-registered, VAT at 5% under Federal Decree-Law No. 8 of 2017 applies in addition to the stated fee.

Choose the data hosting location. For subscribers with UAE data sovereignty requirements or regulated-sector obligations (Central Bank of the UAE, Department of Health), select 'within the United Arab Emirates'. Major cloud providers including Microsoft Azure, AWS, and Google Cloud operate UAE data centre regions that satisfy this requirement.

Select the governing forum. The DIFC Courts or ADGM Courts are common choices for SaaS contracts involving international providers and UAE enterprise subscribers, given their English-language proceedings and recognition under the mutual enforcement framework. The Dubai Courts and Abu Dhabi Judicial Department are the default onshore forums.

Both parties sign through authorised representatives, electronically under the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021) or on paper.

A UAE SaaS Subscription Agreement must comply with the following legal requirements under UAE and free-zone law.

Data processing obligations under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) are the most significant regulatory requirement. The PDPL requires that processing by a data processor (the SaaS provider) be governed by a written agreement with the data controller (the subscriber) covering the scope of processing, security measures, sub-processing, data subject rights assistance, breach notification, and cross-border transfer restrictions. The UAE Data Office can investigate non-compliant processing arrangements and impose administrative penalties.

Cross-border data transfer restrictions under Chapter 7 of the PDPL require that personal data transferred outside the UAE be sent only to countries deemed adequate by the UAE Data Office or on the basis of approved safeguards. SaaS providers must identify their data centre locations and ensure the agreement documents the applicable transfer mechanism.

VAT registration and invoicing obligations under Federal Decree-Law No. 8 of 2017 require providers who make taxable supplies of electronically supplied services in the UAE exceeding the registration threshold to register with the Federal Tax Authority, charge VAT at 5%, issue compliant tax invoices, and submit periodic returns. Foreign providers may be required to register even without a UAE establishment.

Copyright protection under the Copyright Federal Decree-Law No. 38 of 2021 protects the SaaS software as an original work. The agreement must not grant the subscriber rights to reproduce, reverse-engineer, or distribute the software beyond what is necessary for the authorised use.

Corporate authority under the Commercial Companies Law (Federal Decree-Law No. 32 of 2021) requires that signatories hold board authorisation or a valid power of attorney.

Electronic execution is valid under the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021) for both the agreement and any associated schedules. Click-wrap acceptance of standard SaaS terms is treated as binding by UAE courts where the terms were reasonably available and the subscriber had an opportunity to review them before acceptance.

UAE SaaS Subscription Agreements regularly fail to protect the subscriber or expose the provider to liability because of the following recurring errors.

1. No data processing clause. A SaaS agreement that processes personal data without a data processing clause or schedule violates the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). The UAE Data Office may investigate and impose penalties on both the provider (for operating without documented processing instructions) and the subscriber (for failing to ensure the processor agreement is in place).

2. Vague data return obligations. An agreement that does not specify when and how the provider will return or delete subscriber data on termination leaves the subscriber unable to migrate away and potentially in breach of PDPL data minimisation obligations. Require return or deletion within 30 days with written certification.

3. No uptime commitment. Accepting a SaaS service without a contractual uptime SLA leaves the subscriber without a remedy when the service is unavailable. Negotiate a minimum monthly uptime and a service credit schedule.

4. Undefined data residency. Failing to specify where subscriber data is hosted creates regulatory risk for subscribers in regulated sectors. Confirm the hosting location in writing, particularly where the Central Bank of the UAE, the Securities and Commodities Authority (SCA), or the Abu Dhabi Judicial Department has issued data localisation requirements.

5. No auto-renewal opt-out mechanism. SaaS agreements that auto-renew without adequate notice of the renewal date and a reasonable notice period for cancellation can result in the subscriber being locked into an unwanted renewal term. Require a minimum 60-day non-renewal notice window.

6. Ignoring VAT. Agreeing a subscription fee without addressing VAT under Federal Decree-Law No. 8 of 2017 creates pricing disputes. Confirm whether the stated fee is VAT-inclusive or exclusive, and ensure the provider issues VAT-compliant invoices.

7. Accepting the provider's standard terms without review. Many SaaS providers present standard-form terms that heavily favour the provider — with broad IP licences over subscriber data, minimal SLA commitments, and uncapped liability for the subscriber. UAE enterprise subscribers should negotiate key terms, particularly data ownership, data security, SLA credits, and termination rights.