What laws govern a SaaS agreement in England and Wales?

A SaaS agreement in England and Wales is governed by several overlapping legal frameworks. The primary legislation affecting SaaS contracts includes: the UK General Data Protection Regulation (UK GDPR) as incorporated by the Data Protection Act 2018, which governs how personal data is processed when the provider hosts customer data; the Supply of Goods and Services Act 1982, which implies terms of reasonable care and skill into service contracts unless expressly excluded (subject to the Unfair Contract Terms Act 1977); the Consumer Rights Act 2015, which applies where the customer is a consumer and imposes non-excludable digital content quality standards; the Computer Misuse Act 1990, which protects cloud infrastructure against unauthorised access; and the Electronic Commerce (EC Directive) Regulations 2002, which apply to online contracts formed electronically. For B2B SaaS contracts, English common law governs most aspects of contract formation, performance, and remedies.

What should a UK SaaS agreement say about data protection?

Data protection is one of the most critical aspects of any UK SaaS agreement. Where the SaaS provider processes personal data on behalf of the customer — which is almost always the case when customer employees or end users upload data to the platform — the provider acts as a data processor and the customer acts as a data controller. Article 28 of the UK GDPR requires the parties to enter into a written data processing agreement (DPA) setting out the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects; and the obligations and rights of both parties. The DPA must contain specific mandatory terms, including the processor's obligation to process data only on the controller's documented instructions, to maintain confidentiality, to implement appropriate security measures, to assist the controller with data subject rights requests, and to delete or return personal data on termination. Failure to comply with the UK GDPR can result in fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

What is an uptime SLA and how is it calculated?

A service level agreement (SLA) for uptime defines the percentage of time the SaaS service must be operational and available during a given measurement period (typically a calendar month). Uptime is calculated as: (Total Time - Downtime) / Total Time x 100. For example, a 99.9% uptime commitment in a 30-day month means the service may be unavailable for no more than approximately 43.8 minutes per month. A 99.5% uptime commitment allows up to approximately 3.65 hours of downtime per month. The SLA should specify: (1) what counts as downtime (total unavailability vs. degraded performance); (2) how downtime is measured (Provider's monitoring systems vs. Customer-reported); (3) the measurement period; and (4) what remedies are available if the SLA is breached, typically service credits. It should also specify what is excluded from the calculation — such as scheduled maintenance windows, outages caused by the Customer's own systems, or force majeure events.

Who owns the customer data on a SaaS platform under English law?

Under English law, the customer retains ownership of the data it uploads to or generates on a SaaS platform. There is no general principle of 'database rights' that would automatically vest in the provider by virtue of hosting the data, although the provider may have database rights in any databases it creates as part of the platform itself under the Copyright and Rights in Databases Regulations 1997. A well-drafted SaaS agreement should expressly confirm that Customer Data remains the property of the customer, that the provider is only granted a limited licence to use that data to provide the service, and that on termination the customer has the right to export or receive a copy of its data before it is deleted. This clarity is particularly important in the context of UK GDPR, where the customer (as data controller) must be able to demonstrate that it has control over its data and that data subjects' rights can be exercised.

Can a SaaS provider in England and Wales limit its liability for service outages?

Yes, a SaaS provider can limit its liability for service outages in a B2B contract, but only to the extent that the limitation is reasonable under the Unfair Contract Terms Act 1977 (UCTA 1977). A clause limiting or excluding liability for breach of contract must satisfy the reasonableness test in UCTA 1977, which considers factors such as the bargaining strength of the parties, whether the customer received any inducement to accept the limitation, whether the customer knew or ought to have known of the limitation, and whether it would have been practicable for the customer to obtain the goods or services elsewhere without the limitation. In practice, limiting liability to service credits for SLA failures is widely accepted in the B2B SaaS market and is generally considered reasonable, provided the credits represent a meaningful remedy for the customer. For consumer customers, the Consumer Rights Act 2015 imposes stricter rules and certain limitations of liability may be void.

What notice period should a SaaS agreement include for termination in England and Wales?

The appropriate notice period for termination of a SaaS agreement in England and Wales depends on the nature of the service and the subscription term. For monthly rolling subscriptions, a notice period of 30 days before the renewal date is common. For annual subscriptions, a notice period of 60 to 90 days before the annual renewal is more typical, giving both parties sufficient time to plan for continuity or transition. The agreement should distinguish between: (1) termination for convenience, where the customer or provider simply chooses not to renew; (2) termination for cause, where one party may terminate immediately or with a short cure period in response to a material breach or insolvency; and (3) termination for failure to meet SLA commitments over an extended period. It is also important to include a data export period — the agreement should give the customer a reasonable period (at least 30 days) after termination to retrieve its data before the provider deletes it from its systems.

SaaS Agreement (UK) — United Kingdom

Formalise a software as a service subscription in England and Wales with a comprehensive UK SaaS Agreement. Whether you are a SaaS provider onboarding a business customer or an organisation subscribing to a cloud-based platform, a properly drafted SaaS agreement defines the scope of access, service level commitments, data protection obligations under the UK GDPR, subscription fees, and the rights and responsibilities of each party. Our template is drafted in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Consumer Rights Act 2015, and English common law.

What Is a SaaS Agreement (UK)?

A SaaS Agreement (Software as a Service Agreement) is a legally binding contract that governs the terms on which a technology provider makes a software application available to a customer via the internet on a subscription basis. Unlike a traditional software licence, where the customer installs software on their own hardware, a SaaS arrangement involves the provider hosting the application on its own servers (or in a third-party cloud environment) and delivering access to it over the internet. The customer pays a recurring subscription fee in exchange for the right to access and use the platform, without acquiring any ownership of the underlying software.

In England and Wales, SaaS agreements are widely used across every sector of the economy. Cloud-based software for accounting, HR management, customer relationship management (CRM), project management, e-commerce, and data analytics are all typically delivered on a SaaS basis. The SaaS model has become the dominant paradigm for enterprise software procurement in the United Kingdom, and a well-drafted SaaS agreement is an essential commercial and legal foundation for any SaaS business or subscription-based technology arrangement.

The legal framework governing SaaS agreements in England and Wales is multifaceted. The UK General Data Protection Regulation (UK GDPR) as incorporated by the Data Protection Act 2018 is particularly significant, because virtually every SaaS platform processes some personal data on behalf of the customer, creating specific legal obligations on both the provider and the customer. The Consumer Rights Act 2015 applies where the customer is a consumer and imposes non-excludable statutory rights in relation to digital content quality. The Supply of Goods and Services Act 1982 implies obligations of reasonable care and skill into the provision of services. The Computer Misuse Act 1990 provides criminal law protection for cloud infrastructure.

A SaaS Agreement differs from a software licence agreement in that it addresses the ongoing nature of the service relationship — including uptime commitments, support and maintenance obligations, data protection compliance, subscription fee escalation, and the mechanics of termination and data return — rather than simply defining the scope of a static licence to use software.

When Do You Need a SaaS Agreement (UK)?

A SaaS Agreement is needed whenever a business or individual subscribes to or provides access to software delivered over the internet on a subscription basis. The agreement is relevant to a very wide range of commercial situations in England and Wales.

From the provider's perspective, a SaaS agreement is essential before any paying customer is granted access to the platform. Without a written agreement, the provider has no legal basis for charging subscription fees, no contractual right to restrict the customer's use of the platform, and no limitation on its liability if the service is unavailable or performs poorly. A properly drafted SaaS agreement also establishes the legal framework for data protection compliance, which is critical given the UK GDPR's requirements for a written data processing agreement between controller and processor.

From the customer's perspective, a SaaS agreement is important because it defines the service level the provider is committed to delivering, what happens to the customer's data if the provider becomes insolvent or the contract is terminated, whether the subscription auto-renews and on what terms, and how liability is allocated if the platform suffers an outage or data breach. Customers who access SaaS platforms without a written agreement have no contractual recourse if the service is unavailable or their data is lost.

Common situations requiring a SaaS agreement include: a technology startup that has built a cloud-based application and is onboarding its first paying customers; an enterprise business procuring a cloud-based HR, accounting, or CRM system from a vendor; a financial services firm accessing a cloud-based data analytics platform; a healthcare organisation using a cloud-based patient management system (where additional data protection requirements apply); and any business that relies on cloud-hosted software for critical business operations.

If the SaaS platform will process special category personal data (such as health data, financial data, or biometric data), additional legal requirements apply under the UK GDPR, and the SaaS agreement should be supplemented by a detailed data processing agreement and, where appropriate, a data protection impact assessment.

What to Include in Your SaaS Agreement (UK)

A well-drafted SaaS Agreement for use in England and Wales should contain several key provisions that reflect both the ongoing service nature of the relationship and the UK legal framework.

The grant of access clause must clearly define the scope of the customer's right to access and use the service — whether it is non-exclusive, non-transferable, and limited to specified purposes; the number of authorised users permitted; and any restrictions on use (such as prohibitions on sub-licensing or using the service to provide bureau services to third parties).

The service level agreement (SLA) is one of the most commercially important provisions in a SaaS contract. It should specify the uptime commitment (expressed as a percentage availability per calendar month), how downtime is measured and what is excluded from the calculation, scheduled maintenance windows, and what remedies are available if the SLA is not met. Service credits are the standard remedy for SLA failures in the UK market, and the agreement should specify the credit calculation methodology and the process for claiming credits.

The data protection provisions are legally mandatory under Article 28 of the UK GDPR. The agreement must identify the roles of the parties (controller and processor), set out the subject matter, duration, nature, and purpose of the processing, and include all the mandatory processor obligations required by the UK GDPR. A failure to include adequate data protection provisions is not just commercially risky — it can result in regulatory enforcement action by the Information Commissioner's Office (ICO).

The subscription fee and payment clause should specify the subscription fee, the billing cycle, the VAT treatment, the consequences of late payment (including interest under the Late Payment of Commercial Debts (Interest) Act 1998 for B2B contracts), and any rights to increase fees on renewal.

The customer data clause should confirm that the customer retains ownership of its data, that the provider will only use it to provide the service, and that on termination the customer will be given a reasonable period to export its data. The limitation of liability clause should comply with the Unfair Contract Terms Act 1977 (for B2B contracts) or the Consumer Rights Act 2015 (for B2C contracts).

What Is a SaaS Agreement (UK)?

When Do You Need a SaaS Agreement (UK)?

What to Include in Your SaaS Agreement (UK)

Frequently Asked Questions

Related Documents

Software Licence Agreement (UK)

IP Assignment Agreement (UK)

Non-Disclosure Agreement (NDA) (UK)

Privacy Policy (UK)

Website Development Agreement (UK)