SaaS Agreement Negotiation Positions In The UK
| Position | Negotiation topic | Position summary | Issue type | Negotiation significance | Practical note |
|---|---|---|---|---|---|
| Supplier-friendly | Liability cap | Liability is capped at fees paid in the previous 12 months. | Legal, Financial | High | May leave the customer under-recovered for major outage or data loss. |
| Balanced | Liability cap | General cap applies, with higher caps for key risk areas. | Legal, Financial | High | Common compromise for data, confidentiality and indemnity risks. |
| Customer-friendly | Liability cap | Cap is high or uncapped for critical supplier breaches. | Legal, Financial | High | Useful where SaaS failure could cause material business loss. |
| Balanced | Uncapped liabilities | Death, personal injury, fraud and wilful misconduct remain uncapped. | Legal | High | Some liability exclusions are restricted or subject to reasonableness under UCTA. |
| Supplier-friendly | Exclusion of indirect loss | Excludes indirect, consequential and loss of profit claims. | Legal, Financial | High | Can significantly reduce recoverable losses after service failure. |
| Customer-friendly | Data loss liability | Supplier accepts enhanced liability for data loss or corruption. | Legal, Operational, Financial | High | Important where customer data is operationally critical or irreplaceable. |
| Supplier-friendly | Service availability SLA | Availability target is aspirational or heavily qualified. | Operational | High | Weak SLA may provide little leverage during recurring downtime. |
| Balanced | Service availability SLA | Availability is measured monthly with defined exclusions. | Operational | High | Gives both parties measurable performance expectations. |
| Supplier-friendly | Service credits | Service credits are the sole remedy for SLA failure. | Commercial, Legal, Financial | High | May prevent damages claims for outages exceeding credit value. |
| Customer-friendly | Service credits | Credits apply automatically and do not limit other remedies. | Commercial, Legal, Financial | Medium | Improves practical compensation for repeated performance failures. |
| Balanced | Planned maintenance | Maintenance excluded from uptime if notified in advance. | Operational | Medium | Notice windows help customers plan around service disruption. |
| Supplier-friendly | Emergency maintenance | Supplier may suspend service without notice for urgent maintenance. | Operational | Medium | Operationally necessary, but should be limited to genuine urgency. |
| Supplier-friendly | Support hours | Support is limited to UK business hours only. | Operational, Commercial | Medium | May be unsuitable for customers with 24/7 operations. |
| Balanced | Support response times | Response times vary by incident severity level. | Operational | High | Severity definitions prevent disputes over support urgency. |
| Supplier-friendly | Resolution times | Supplier commits only to commercially reasonable resolution efforts. | Operational, Legal | Medium | Avoids firm deadlines, but weakens customer escalation rights. |
| Balanced | Security standards | Supplier must maintain documented security controls aligned to recognised standards. | Operational, Legal | High | NCSC cloud principles help assess SaaS security expectations. |
| Customer-friendly | ISO 27001 certification | Supplier must maintain ISO 27001 or equivalent certification. | Operational, Legal | Medium | Provides external assurance, but scope of certification should be checked. |
| Balanced | Data processing agreement | Processor terms include Article 28 UK GDPR requirements. | Legal, Operational | High | UK GDPR requires mandatory controller-processor contract terms. |
| Customer-friendly | Personal data breach notice | Supplier must notify suspected personal data breaches promptly. | Legal, Operational | High | Controllers may need to notify the ICO within 72 hours. |
| Supplier-friendly | Subprocessors | Supplier may appoint subprocessors with general authorisation. | Legal, Operational | High | Customers may need notice and objection rights for compliance oversight. |
| Balanced | International data transfers | Restricted transfers require appropriate safeguards and transfer documentation. | Legal | High | Relevant where hosting, support or subprocessors are outside the UK. |
| Customer-friendly | Data location | Customer data must remain in the UK or approved regions. | Legal, Operational | Medium | Can simplify transfer compliance and regulated-sector procurement. |
| Supplier-friendly | Audit rights | Customer receives summary compliance reports instead of direct audits. | Operational, Legal | Medium | Reduces supplier burden but may not satisfy customer assurance needs. |
| Customer-friendly | Audit rights | Customer may audit security and data processing on notice. | Operational, Legal | Medium | Important for regulated customers and material outsourcing arrangements. |
| Balanced | Customer data ownership | Customer retains ownership of data submitted to the service. | Legal, Operational | High | Prevents disputes over business data, records and customer content. |
| Supplier-friendly | Supplier platform IP | Supplier retains all rights in the SaaS platform and software. | Legal, Commercial | High | Essential for SaaS suppliers licensing a multi-customer platform. |
| Balanced | Licence scope | Customer receives a limited subscription licence for authorised users. | Legal, Commercial | High | Defines who may use the service and for what business purposes. |
| Customer-friendly | Affiliate use | Customer affiliates may use the SaaS under the same subscription. | Commercial, Legal | Medium | Useful for group companies, but affects pricing and liability allocation. |
| Supplier-friendly | Usage limits | Usage above plan limits triggers additional charges automatically. | Commercial, Financial | Medium | Can create unexpected cost if monitoring and alerts are weak. |
| Balanced | User count true-up | Additional users are charged pro rata during the subscription term. | Commercial, Financial | Medium | Avoids overcharging while allowing supplier revenue for increased use. |
| Supplier-friendly | Acceptable use policy | Customer must comply with supplier’s online acceptable use policy. | Operational, Legal | Medium | Online policies should be fixed or change-controlled for certainty. |
| Supplier-friendly | Unilateral changes to terms | Supplier may update terms or policies by website notice. | Legal, Commercial | High | Can alter risk allocation after signature without real negotiation. |
| Balanced | Change control | Material contract changes require written agreement by both parties. | Legal, Commercial, Operational | High | Protects agreed pricing, scope, security and compliance commitments. |
| Balanced | Feature changes | Supplier may improve features but not materially reduce core functionality. | Operational, Commercial | Medium | Supports product evolution while protecting customer dependency. |
| Balanced | Implementation services | Implementation milestones, responsibilities and dependencies are specified. | Operational, Commercial | High | Reduces disputes over delays, configuration and customer readiness. |
| Customer-friendly | Acceptance testing | Customer may test configured services before go-live acceptance. | Operational, Commercial | Medium | Important for configured SaaS or paid onboarding projects. |
| Supplier-friendly | Fees and invoicing | Fees are payable annually in advance and non-refundable. | Commercial, Financial | High | Improves supplier cash flow but increases customer lock-in risk. |
| Customer-friendly | Fee refunds | Prepaid fees are refunded pro rata after supplier default termination. | Financial, Legal | Medium | Avoids paying for unused service after serious supplier breach. |
| Supplier-friendly | Price increases | Supplier may increase fees on renewal at its discretion. | Commercial, Financial | High | Customer may face material cost increase after integration dependency. |
| Balanced | Price increases | Annual increases are capped by CPI or an agreed percentage. | Commercial, Financial | High | Provides budget certainty while preserving inflation adjustment. |
| Supplier-friendly | Late payment interest | Overdue sums accrue statutory or contractual interest. | Financial, Legal | Low | UK late payment rules may imply interest in business contracts. |
| Balanced | Payment dispute process | Undisputed invoices are paid while disputed amounts are investigated. | Commercial, Financial | Medium | Prevents tactical non-payment and improper service suspension. |
| Balanced | Taxes and VAT | Fees are exclusive of VAT unless stated otherwise. | Financial, Legal | Medium | Clarifies whether VAT is added to subscription charges. |
| Supplier-friendly | Suspension for non-payment | Supplier may suspend access after overdue payment notice. | Commercial, Operational, Financial | High | Customer should require notice and protection for disputed invoices. |
| Balanced | Suspension for security risk | Supplier may suspend affected access to prevent security harm. | Operational, Legal | Medium | Should be proportionate, prompt and limited to affected users or systems. |
| Supplier-friendly | Initial term | Customer commits to a fixed multi-year initial term. | Commercial, Financial | Medium | Improves revenue certainty but increases switching risk for customers. |
| Supplier-friendly | Auto-renewal | Subscription renews automatically unless cancelled before notice deadline. | Commercial, Financial, Legal | High | Missed notice dates can create unwanted renewal liabilities. |
| Balanced | Renewal notice period | Either party may prevent renewal on 30 to 90 days’ notice. | Commercial, Operational | Medium | Allows planning for migration, budgeting and renewal negotiations. |
| Supplier-friendly | Termination for convenience | Customer has no right to terminate during the committed term. | Commercial, Financial, Legal | High | Locks in revenue but limits customer flexibility if needs change. |
| Customer-friendly | Termination for convenience | Customer may terminate for convenience on notice. | Commercial, Financial | High | Often resisted unless fees, minimum term or exit charges compensate supplier. |
| Balanced | Termination for material breach | Either party may terminate for uncured material breach. | Legal, Commercial | High | Cure periods should reflect whether breaches are remediable. |
| Customer-friendly | Termination for repeated SLA failure | Customer may terminate after repeated serious service level failures. | Operational, Legal, Commercial | High | Gives a meaningful exit where service credits are insufficient. |
| Balanced | Insolvency termination | Termination rights apply on insolvency events where legally effective. | Legal, Commercial, Operational | Medium | UK insolvency rules can affect enforcement of termination clauses. |
| Customer-friendly | Exit assistance | Supplier must provide migration support after termination. | Operational, Commercial | High | Reduces business disruption and vendor lock-in at exit. |
| Balanced | Data export | Customer can export data in a usable format during and after term. | Operational, Legal | High | Essential for migration, continuity and records retention. |
| Balanced | Post-termination data deletion | Supplier deletes or returns personal data after services end. | Legal, Operational | High | Article 28 requires return or deletion at end of processing. |
| Balanced | Backup retention | Backups are retained for a defined period and securely overwritten. | Operational, Legal | Medium | Affects recovery, deletion compliance and incident response. |
| Customer-friendly | Disaster recovery | Supplier commits to defined RTO and RPO targets. | Operational | High | Critical for business continuity and acceptable data loss tolerance. |
| Customer-friendly | Business continuity testing | Supplier must test continuity plans and share summary results. | Operational | Medium | Assures customers that recovery commitments are operationally credible. |
| Balanced | Confidentiality duration | Confidentiality applies during the term and for a defined period after. | Legal | Medium | Trade secrets may need longer or indefinite protection. |
| Balanced | Confidentiality exclusions | Standard exclusions apply for public, known or independently developed information. | Legal | Low | Prevents overbroad confidentiality duties covering non-confidential material. |
| Customer-friendly | IP infringement indemnity | Supplier indemnifies customer for third-party IP infringement claims. | Legal, Financial | High | Important because supplier controls platform code and technology stack. |
| Supplier-friendly | IP indemnity exclusions | Indemnity excludes customer data, combinations and unauthorised modifications. | Legal, Financial | Medium | Prevents supplier covering risks caused outside its control. |
| Customer-friendly | Data protection indemnity | Supplier indemnifies customer for supplier-caused data protection breaches. | Legal, Financial | High | Often negotiated due to ICO exposure and data subject claims. |
| Balanced | Indemnity procedure | Indemnified party must give notice and allow defence control. | Legal | Medium | Protects indemnifier from unmanaged settlements or prejudiced defence. |
| Supplier-friendly | Warranties | Service is provided "as is" with broad warranty disclaimers. | Legal, Commercial | High | May undermine expectations about performance, security and fitness. |
| Balanced | Performance warranty | Supplier warrants material conformity with documentation. | Legal, Operational | Medium | Ties service quality to objective product documentation. |
| Customer-friendly | Malware warranty | Supplier warrants it will not knowingly introduce malicious code. | Legal, Operational | Medium | Supports security assurance, though absolute malware warranties are resisted. |
| Balanced | Compliance with laws | Each party complies with laws applicable to its obligations. | Legal | Medium | Avoids one party guaranteeing the other’s regulatory compliance. |
| Balanced | Anti-bribery compliance | Parties must comply with the Bribery Act 2010. | Legal | Low | Often required in UK corporate procurement and compliance policies. |
| Balanced | Modern slavery compliance | Supplier must comply with modern slavery policies and applicable law. | Legal, Operational | Low | Relevant for larger UK organisations with supply chain reporting duties. |
| Balanced | Sanctions compliance | Parties must not use the service in breach of UK sanctions. | Legal, Operational | Medium | Important for cross-border customers, users and payment flows. |
| Balanced | Export controls | Customer must not export or use software in breach of controls. | Legal, Operational | Medium | Relevant for encryption, defence, dual-use and international access. |
| Customer-friendly | Insurance | Supplier must maintain cyber, professional indemnity and public liability insurance. | Financial, Legal | Medium | Insurance supports recovery but does not replace contractual liability. |
| Customer-friendly | Security incident cooperation | Supplier must investigate incidents and provide reasonable cooperation. | Operational, Legal | High | Helps customers meet notification, mitigation and stakeholder obligations. |
| Customer-friendly | Penetration testing reports | Supplier shares recent penetration test summaries under confidentiality. | Operational, Legal | Medium | Useful assurance, but reports may need redaction for security. |
| Balanced | Vulnerability remediation | Supplier remediates vulnerabilities according to severity-based timescales. | Operational, Legal | High | Turns security assurance into operationally measurable obligations. |
| Balanced | Access controls | Customer manages users while supplier protects administrative access. | Operational, Legal | Medium | Allocates responsibility for account compromise and permission misuse. |
| Customer-friendly | Multi-factor authentication | MFA is required or available for administrative and user accounts. | Operational, Legal | Medium | NCSC recommends MFA to reduce account takeover risk. |
| Supplier-friendly | Customer responsibilities | Customer is responsible for users, devices, credentials and input data. | Operational, Legal | Medium | Supplier should not bear risk for customer-controlled environments. |
| Supplier-friendly | Third-party integrations | Supplier is not liable for third-party integration failures. | Operational, Legal, Commercial | Medium | Customers relying on integrations should clarify support boundaries. |
| Balanced | APIs | API access is provided subject to rate limits and documentation. | Operational, Commercial | Medium | API reliability and limits matter where SaaS is integrated into workflows. |
| Balanced | Open source software | Supplier manages open source use and licence compliance. | Legal, Operational | Medium | Reduces risk from copyleft obligations and unpatched components. |
| Supplier-friendly | Feedback rights | Supplier may freely use customer feedback to improve the platform. | Legal, Commercial | Low | Customers may restrict use of confidential or competitive ideas. |
| Supplier-friendly | Aggregated analytics | Supplier may use anonymised aggregated usage data for analytics. | Legal, Commercial | Medium | Should exclude personal data and customer-identifiable confidential data. |
| Customer-friendly | AI training use | Customer data cannot be used to train AI models without consent. | Legal, Commercial | High | Increasingly important for confidentiality, data protection and IP control. |
| Balanced | Generated outputs | Customer owns outputs generated from its inputs, subject to platform IP. | Legal, Commercial | High | Relevant for AI-enabled SaaS and content generation tools. |
| Supplier-friendly | Benchmarking restriction | Customer may not publish performance benchmarks without approval. | Commercial, Legal | Low | Protects supplier reputation but may limit transparency for customers. |
| Supplier-friendly | Publicity rights | Supplier may name customer as a client in marketing materials. | Commercial, Legal | Low | Customers may require prior written approval for brand use. |
| Balanced | Assignment | Assignment requires consent, except for group restructuring or sale. | Legal, Commercial | Medium | Protects customer from unknown suppliers while enabling corporate transactions. |
| Balanced | Subcontracting | Supplier may subcontract but remains responsible for subcontractor acts. | Legal, Operational | Medium | Preserves delivery flexibility without diluting accountability. |
| Balanced | Force majeure | Neither party is liable for events beyond reasonable control. | Legal, Operational | Medium | Should not excuse payment obligations or avoidable continuity failures. |
| Balanced | Governing law | Agreement is governed by English law. | Legal | High | Usually preferred for UK-facing SaaS contracts and enforcement certainty. |
| Balanced | Jurisdiction | English courts have exclusive jurisdiction over disputes. | Legal | High | Avoids parallel proceedings and uncertainty over dispute forum. |
| Balanced | Dispute escalation | Operational disputes escalate to senior representatives before litigation. | Operational, Legal | Medium | Can resolve service issues quickly without formal proceedings. |
| Balanced | Notices | Formal notices must be sent to specified legal notice addresses. | Legal, Operational | Low | Important for termination, breach notices and renewal deadlines. |
| Balanced | Order of precedence | Negotiated order forms override standard online terms if inconsistent. | Legal, Commercial | High | Prevents standard terms undermining bespoke negotiated protections. |
| Balanced | Entire agreement | Contract excludes reliance on pre-contract statements except fraud. | Legal | Medium | Customers should ensure sales promises are written into the agreement. |
| Balanced | No waiver | Delay in enforcing rights does not waive them. | Legal | Low | Standard protection where parties tolerate minor breaches temporarily. |
| Balanced | Severance | Invalid provisions may be severed without invalidating the contract. | Legal | Low | Helps preserve the agreement if a clause is unenforceable. |
| Balanced | Third party rights | Third party enforcement rights are excluded unless expressly granted. | Legal | Low | Controls rights under the Contracts (Rights of Third Parties) Act 1999. |
What SaaS Agreement Terms Are Usually Most Negotiated In The UK?
Liability caps, data protection, service levels, termination rights and IP ownership are usually the highest-impact negotiation points. They determine the customer’s practical remedy if the service fails, the supplier’s maximum exposure, and whether the customer can exit or recover data if the relationship breaks down.
How Should UK SaaS Customers Approach Supplier-Friendly Terms?
Customers should pay particular attention to clauses that exclude indirect loss, cap liability at fees paid, disclaim service continuity, allow unilateral changes, or limit audit and security commitments. These provisions can be commercially acceptable, but only if the customer has assessed dependency on the SaaS, regulatory exposure and business continuity risk.
What UK Legal Issues Should Not Be Treated As Boilerplate?
- Data protection: UK GDPR and Data Protection Act 2018 obligations often require detailed processor clauses, security commitments and subprocessor controls.
- Unfair terms and reasonableness: exclusions and limitations may need to be reasonable under the Unfair Contract Terms Act 1977 in business contracts.
- IP and confidentiality: ownership of customer data, supplier software, feedback and generated outputs should be express to avoid disputes.
- Financial controls: price increases, auto-renewal, payment suspension and tax provisions can materially alter lifetime contract cost.
What Is A Balanced SaaS Negotiation Position?
A balanced SaaS agreement usually protects the supplier’s reusable platform and commercial model while giving the customer clear service commitments, workable data protection protections, transparent pricing, defined exit rights, and remedies proportionate to business impact.