SaaS contract review checklist: what to verify before signing

Chris Kuo - Product Marketing Manager at LEGALFLY

Gabby Macsweeney

Marketing VP

SaaS agreements concentrate risk in nine review areas: licence scope, data ownership and IP, confidentiality and security, regulatory compliance, service levels, warranties and indemnities, liability, termination and exit, and the operational clauses around audit, assignment, and publicity.

This is the checklist for verifying all of them. First, how to run the review in LEGALFLY in minutes.

A checklist that LEGALFLY uses for SaaS contract review is included at the end of this article, ready to download and adapt for your own team.

If your team is still reviewing SaaS agreements manually, LEGALFLY can cut that time by 87.5%. If you want to see how in-house legal teams at SAP, Lufthansa, AXA, and Bosch run contract review in minutes, book a demo.

5 steps to run a SaaS contract review in LEGALFLY in minutes

In-house teams use LEGALFLY to apply a structured SaaS contract review playbook to every agreement they receive. A review that would take a senior lawyer two hours takes 15 minutes, with the same review logic applied consistently across every contract. Here is how it works.

1. Open the contract in Word

Launch the LEGALFLY add-in. Before any AI processing, sensitive data is anonymised at the point of ingestion. Vendor names, commercial terms, and identifying information become tokens, and the original document stays under your control.

2. Select the SaaS contract playbook

The playbook contains the review points covered in this article, configured with your organisation's preferred positions and fallback wording. If you have variants for different SaaS vendors or contract types (per-seat, consumption-based, enterprise agreements), select the relevant one.

3. Run the review

LEGALFLY analyses the contract clause by clause against the playbook, applying your organisation's risk thresholds consistently and flagging deviations from your preferred positions.


4. Review tracked changes with rationale

Each suggested edit appears as a tracked change in Word, linked to the specific playbook rule that triggered it. You see what was flagged, why it was flagged, and the redraft language proposed. Accept, modify, or reject each change individually.


5. Export with a full audit trail

The final document exports with a complete record of changes made, rules applied, and approvals given, ready for internal governance or external audit.

For high-volume agreements, this review can also be automated end-to-end through Agent Studio.

In-depth SaaS contract review checklist: what to verify before signing

The nine review areas below cover everything in the LEGALFLY SaaS contract playbook, plus the additional checks (service levels, pricing, regulatory compliance) that complete a thorough review.


  1. Verify the licence scope, users, and commercial structure

Most SaaS contract red flags surface in the first sections of the agreement: what the licence permits, who can use it, how long it runs, and how it is priced. These set the commercial frame for everything that follows.

Licence grant

The licence grant should be clearly defined, specifying the scope (typically internal business operations), the territory (commonly worldwide), the duration, and any user limitations.

A licence grant in vague or unlimited terms can be read narrowly by the vendor if a dispute arises.

Licence exclusivity

Confirm the licence is expressly stated as non-exclusive. Silence on exclusivity is technically ambiguous and worth amending; an exclusive licence is unusual for SaaS and a red flag if proposed by the vendor without commercial justification.

Licensed users

Permitted users should be clearly defined. The standard position is that the software may be used by employees and contractors of the licensee, provided the use is for the sole benefit of the licensee and the licensee remains responsible for their compliance with the agreement. Watch for definitions that are unduly narrow (excluding contractors, affiliates, or successors) or that require named-user identification, which creates administrative overhead and can constrain how the business uses the software.

Licence term

The term should be defined with a clear renewal process.

The two red flags here are an undefined or ambiguous term, and unfavourable renewal terms, particularly multi-year auto-renewal.

The preferred position is a fixed initial term with single-year renewals on mutual agreement, or auto-renewal subject to a workable opt-out notice period (60 to 90 days is common).

Pricing model and renewal terms

SaaS pricing models vary: per-seat, consumption-based (usage metrics, API calls, transactions), flat-fee enterprise agreements, or hybrid structures. Per-seat pricing scales predictably but rises with headcount; consumption pricing creates budget volatility; flat-fee structures cap exposure but require accurate usage forecasting. Whatever the model, confirm the pricing terms, what counts as a chargeable event, and how usage is measured.

Auto-renewal terms deserve particular attention. Verify the notice window for opt-out, calendar the deadline, and check the renewal pricing terms. Many SaaS vendors apply CPI or fixed-percentage increases on renewal, and some impose uncapped escalation. A renewal increase cap (often 3% to 7% or CPI-linked) is a common negotiated position.


Stop spending hours on repetitive legal tasks

Most teams using LEGALFLY cut their contract review time in half within a few weeks of onboarding. Book a short demo to see how it works for your business.


  2. Confirm ownership of data, IP, and feedback

Ownership clauses are where SaaS agreements can transfer value the licensee did not intend to give up. Three categories require explicit treatment: the platform IP, the customer data, and the feedback the licensee provides about the service.


Customer data ownership

The agreement should confirm that the licensee retains ownership of its data, and that the licensor may only use it to provide the service. Silence leaves the default unclear. More serious: any clause granting the licensor ownership of customer data or broad rights to use it for purposes beyond service delivery. Unacceptable for most enterprise SaaS arrangements.


AI training on customer data is increasingly common in SaaS templates. Treat it as a separate question, and assume the answer is no.

Feedback ownership

Feedback clauses determine who owns the suggestions, ideas, and product input the licensee provides during the engagement.

The standard position is that the licensor receives an unrestricted, perpetual, royalty-free licence to use feedback in its products and services.

Verify the clause is bounded to genuine feedback and does not extend to confidential information, customer data, or trade secrets the licensee shares while using the service.


  3. Set confidentiality and data security obligations

Confidentiality and data security clauses determine how the vendor handles the licensee's sensitive information once it sits on the platform. Both deserve close attention.

Confidentiality obligation term

Confidentiality obligations should survive termination for a defined period. A fixed term of three to five years for general confidential information, with perpetual protection for trade secrets, is the standard position. Verify the carve-outs (information already in the public domain, information independently developed, disclosures required by law) are standard and do not undermine the protection.

Data security requirements

The agreement should contain specific data security obligations, or reference a data security addendum that does. A general statement that the licensor will use 'reasonable' security measures is weak. The stronger position requires 'industry standard' measures, references a defined framework (ISO 27001, SOC 2 Type II), and specifies obligations around encryption, access controls, and incident response.


  4. Verify regulatory compliance and data protection obligations

Regulatory compliance sits alongside data security but deserves separate treatment. The applicable regimes depend on the licensee's industry and the data being processed.

Data processing addendum (DPA)

If the SaaS platform processes personal data on behalf of the licensee (which most do), a DPA is required under GDPR and equivalent regimes. Verify the DPA references appropriate transfer mechanisms (standard contractual clauses for cross-border transfers, supplementary measures where required), and addresses breach notification timelines, audit rights, and obligations on data subject requests.

Sub-processor disclosure and approval

Modern SaaS platforms rely on sub-processors (hosting providers, analytics tools, support vendors).

The agreement should require the licensor to disclose its sub-processors, give notice of new sub-processors before they are engaged, and offer the licensee a right to object on reasonable grounds.

Verify the approval mechanism is workable and includes a transition path if a sub-processor is objected to.

Industry-specific compliance

Depending on the licensee's industry, additional regimes apply. Financial services firms need to consider regulatory outsourcing rules (EBA guidelines, DORA in the EU, FCA rules in the UK). Healthcare organisations may need HIPAA business associate agreements. Organisations handling payment data need PCI-DSS commitments. Identify the applicable regimes at the start of the review and check the contract against each.

Legal Radar tracks regulatory change across these regimes and flags the contracts in your portfolio that are affected when something moves.


  5. Define service levels, credits, and support expectations

Service level agreements set the contractual standard for platform availability and support.

Service level agreement and uptime guarantees

The SLA should specify the uptime guarantee (commonly 99.5% to 99.99%), the measurement window (monthly is standard), and the exclusions that do not count against uptime (scheduled maintenance, force majeure, licensee-caused issues). Verify the measurement methodology is fair: an uptime calculation that excludes too many categories of downtime is meaningless. The headline number matters less than what is being measured.


Service credits and remedies

Service credits are the standard remedy for failure to meet the SLA, usually expressed as a percentage of monthly fees refunded for each band of missed uptime. Verify the credit structure is meaningful (a 5% credit for sustained downtime is not meaningful on a mission-critical platform), and consider whether the licensee needs an additional right to terminate for persistent SLA failure. The standard position is that termination rights apply if the SLA is missed in multiple consecutive months.

Support tiers and response times

Support obligations should specify the support tiers available, the response time commitments by severity level, and the channels through which support is provided. For business-critical platforms, the licensee usually needs a defined escalation path and named technical contact, with a response time commitment that reflects the operational impact of an outage.


  6. Check the warranty and indemnity coverage

Warranties and indemnities determine what the licensee can recover if the software fails to perform or if its use exposes the licensee to third-party claims.

Performance warranty

The agreement should provide a warranty that the software will perform in all material respects in accordance with its documentation, for a defined period from the effective date. The standard remedy is for the licensor to correct or replace the non-conforming software.

Watch for warranties that are too narrow (90-day warranties on an annual licence are common but worth pushing back on) or that have remedies so limited they do not meaningfully address material non-conformity.

IP infringement warranty

The licensor should warrant that the software does not infringe on third-party intellectual property rights. A warranty qualified by 'to the licensor's knowledge' is acceptable; an absence of any IP non-infringement warranty is a red flag and should be corrected. This warranty becomes meaningful when paired with the IP indemnity below.

Licensor IP indemnification

An IP indemnity from the licensor is non-negotiable. The licensor should indemnify the licensee against claims that the software infringes third-party IP, and should carry the defence of any such claims. Verify the indemnity is not heavily qualified or capped at a low amount, and confirm it is carved out of the general limitation of liability. An IP indemnity that is subject to a 12-month-fees cap provides no meaningful protection against a serious infringement claim.


What would you do with 10 extra hours a week?

LEGALFLY helps your team move faster: less time buried in contracts, more time on the work that actually matters. Book a call to see it in action.


  7. Calibrate the liability cap and carve-outs

Liability provisions determine the maximum financial exposure either party carries under the agreement.

Liability cap

Liability should be capped at a defined amount. The standard SaaS position is a cap equal to 12 months of fees paid under the agreement, generally accepted as a reasonable allocation for an enterprise SaaS contract. Uncapped liability is unacceptable. Higher caps (24 months of fees, or a multiple) may be appropriate where the data, service, or operational dependency justifies it; lower caps should be resisted unless the contract value is genuinely small.

Liability exclusions and carve-outs

Standard carve-outs from the liability cap should be present. These typically cover the licensor's IP indemnification obligations, breaches of confidentiality, and gross negligence or wilful misconduct.

Without these carve-outs, the cap shields the licensor from liability for the most serious failures and undermines the protection elsewhere in the agreement.

A consequential damages waiver is common and excludes liability for indirect losses such as lost profits; confirm the waiver does not exclude direct losses you would expect to recover.


  8. Get termination and exit right before signing

Termination and exit clauses determine what happens when the relationship ends, whether by mutual decision, breach, or end of term. The licensee's leverage to exit cleanly is set at the drafting stage.

Termination for convenience

A termination for convenience clause gives the licensee the right to end the agreement without cause, typically on a defined notice period. This is not standard in all SaaS agreements. Many SaaS vendors resist termination for convenience because it undermines multi-year commitments. Where included, verify the notice period is workable and the compensation formula does not expose the licensee to unreasonable break fees.

Termination for cause

Termination for cause rights apply when the other party materially breaches the agreement and fails to cure within a defined period.

The standard position is termination on material breach with a 30-day cure period.

Verify the cure period is reasonable, the trigger events for non-curable termination (insolvency, regulatory action) are appropriate, and the notice process is clearly defined.

Post-termination data handling

The licensor should be required to return or delete licensee data within a defined timeframe after termination, typically 30 to 60 days. Verify the licensee has the right to elect between return and deletion, the format of returned data is workable for migration, and the licensor is required to certify completion of any deletion obligation. Without this, the licensee can find itself unable to recover its data after switching vendors.


  9. Check governing law, venue, and the operational clauses

The remaining clauses cover where disputes are heard, what audit rights the licensor has over the licensee's use of the platform, and the operational permissions around assignment and publicity. They are less commercially material than the clauses above, but they get tested once the relationship is underway.


For each clause, the standard position and what to watch out for:

Governing law
Standard position: Aligned with a defensible jurisdiction, typically the licensee's home jurisdiction or a recognised commercial centre (Delaware, New York, England and Wales). Aligned with the venue clause.
What to watch out for: Ambiguous or unusual choice of law, or governing law that doesn't align with venue.

Venue
Standard position: Exclusive courts aligned with the governing law.
What to watch out for: Licensee required to litigate at the licensor's home base, creating a practical barrier to enforcing rights.

Right to audit
Standard position: Prior notice required, limited to once a year, conducted during business hours, no unreasonable interference with operations.
What to watch out for: Unannounced or unrestricted audit access.

Assignment
Standard position: Licensee may assign with a carve-out for merger, acquisition, or change of control. Licensor's right to assign reasonably controlled.
What to watch out for: No M&A carve-out, which can block corporate transactions.

Publicity
Standard position: Use of the licensee's name or logo in marketing requires prior written consent.
What to watch out for: Unilateral marketing rights granted to the licensor by default.

Make SaaS contract review consistent across your team

A SaaS contract review checklist gives you the structure to apply consistent standards across every agreement coming through the legal team. The checklist below is a working version of the playbook LEGALFLY runs for SaaS contract review, extended with the additional checks (service levels, pricing, regulatory compliance) that complete a thorough review. Adapt it to your organisation's preferred positions, share it across the team, and use it as the starting point for your own playbook.

Book a LEGALFLY demo. We will walk you through the SaaS contract playbook using contract types relevant to your portfolio.

Frequently asked questions

What should be included in a SaaS contract review checklist?

A complete SaaS contract review checklist for in-house counsel should cover licence grant, licence exclusivity, licensed users, licence term, pricing model and renewal terms, IP ownership, customer data ownership, feedback ownership, confidentiality, data security, regulatory compliance and data protection (including DPA and sub-processors), service levels and support, performance warranty, IP infringement warranty and indemnification, liability cap and carve-outs, termination for convenience and cause, post-termination data handling, governing law and venue, audit rights, assignment, and publicity.

What are the most common red flags in a SaaS agreement?

The most common red flags are an ambiguous or overly broad licence grant, multi-year auto-renewal without a workable opt-out, the licensor claiming ownership of customer data, silence on data security obligations, the absence of an IP indemnity from the licensor, an uncapped liability provision or one without standard carve-outs, no obligation to return or delete data on termination, audit rights drafted too broadly, and publicity clauses that allow the licensor to use the licensee's brand without consent.

How should the liability cap be set in a SaaS contract?

The standard SaaS position is a liability cap equal to 12 months of fees paid under the agreement. This is generally accepted as a reasonable allocation for an enterprise SaaS contract. Uncapped liability is unacceptable. Higher caps (24 months of fees, or a multiple) may be appropriate where the data, service, or operational dependency justifies it. The cap should be subject to standard carve-outs covering IP indemnification, confidentiality breaches, and gross negligence or wilful misconduct. Without these, the cap shields the licensor from liability for the most serious failures.

What data ownership clauses should be in a SaaS contract?

The agreement should explicitly confirm that the licensee retains ownership of its data, and that the licensor may only use it to provide the service. Silence on data ownership is a gap that should be filled. Any clause that grants the licensor ownership of customer data, or broad rights to use it for purposes beyond service delivery (including AI model training), should be revised. The agreement should also address what happens to customer data on termination, requiring the licensor to return or delete it within a defined timeframe.

From request to outcome

Learn how LEGALFLY routes, executes and governs legal work end-to-end, across every team, jurisdiction and workflow.
