A Software as a Service agreement — whether called a Master Services Agreement, Subscription Agreement, Terms of Service or End User License Agreement — is a commercial contract governed by the Indian Contract Act, 1872, the Copyright Act, 1957 and, increasingly, the Digital Personal Data Protection Act, 2023. It defines the terms on which a customer accesses a software platform and the obligations of the provider and customer during and after the subscription. Badly drafted SaaS agreements create disputes about IP ownership, data handling obligations, liability on service failure and post-termination rights. Well-drafted ones prevent those disputes entirely.

Core SaaS Agreement Provisions

  • License grant — scope, restrictions, permitted users, sub-licensing
  • IP ownership — platform IP to provider, customer data to customer
  • SLA — uptime commitment, measurement, service credits
  • Data handling — processing purpose, security, breach notification, deletion
  • DPDPA 2023 — Data Processor obligations, Data Processing Agreement
  • Confidentiality — mutual obligations, standard of care, duration
  • Liability cap — total aggregate limit, uncapped carve-outs
  • Indemnities — IP infringement, data breach, third-party claims
  • Termination — for convenience, for cause, consequences
  • Post-termination — data return, deletion timeline, survival clauses

License Grant and IP Ownership

The SaaS agreement must clearly state that the provider grants the customer a limited, non-exclusive, non-transferable license to access and use the software platform during the subscription term, for the customer's internal business purposes, for the number of permitted users specified. The license grant must not include any right to copy, modify, reverse engineer, sub-license or transfer the software. All IP in the platform — software, algorithms, databases, user interface, documentation — belongs to the provider and is licensed, not transferred. Customer data — all data uploaded by the customer and all data generated by the customer's use of the platform — belongs to the customer. The provider has no right to use customer data except as necessary to provide the service and as directed by the customer. This is not a market standard provision that can be assumed — it must be explicitly stated in the agreement.

Service Level Agreement

The SLA defines the service quality commitment and the consequences of failure. Standard SaaS SLA provisions include: a monthly uptime commitment (99.5% or 99.9%), a definition of downtime (typically unavailability of all core features for a consecutive period — commonly five or ten minutes — excluding scheduled maintenance windows), a measurement methodology, and a service credit regime. Service credits — credits against future invoices proportional to excess downtime — are the standard remedy for SLA breaches. The agreement must state that service credits are the exclusive remedy for SLA failures and that the provider has no liability for consequential losses arising from downtime. Scheduled maintenance windows must be specified — typical SaaS agreements provide for weekly or monthly scheduled maintenance during off-peak hours with advance notice.

Data Handling and DPDPA Compliance

Under the Digital Personal Data Protection Act, 2023, a SaaS provider that processes personal data on behalf of a customer is a Data Processor. The customer who determines the purpose and means of processing is a Data Fiduciary. The Act requires that the Data Fiduciary process personal data only through Data Processors bound by a valid Data Processing Agreement (DPA). The DPA must specify: the categories of personal data being processed, the purpose of processing, the instructions of the Data Fiduciary, security obligations of the Processor, the Processor's obligation to assist the Fiduciary in responding to data principal rights requests, the obligation to notify on breach, and the obligation to delete or return data at the end of the engagement. SaaS providers must review their standard agreement terms to ensure they contain a compliant DPA embedded within or annexed to the main agreement.

Liability and Indemnities

A SaaS provider's standard position is a mutual limitation of liability capping each party's total aggregate liability to the fees paid by the customer in the twelve months preceding the claim. This cap is commercially reasonable in India for standardised SaaS products where the provider serves many customers on identical terms and cannot absorb unlimited downside risk from any single customer's consequential losses. Standard uncapped carve-outs include: death or personal injury caused by negligence, fraud or wilful misconduct, breach of confidentiality, IP infringement indemnity, and obligations to pay undisputed fees. The customer will seek to carve out data breach liability — particularly significant after DPDPA notification — from the cap. The SaaS provider must evaluate the risk profile of its customer base and the data it processes to determine whether a data breach uncap is commercially acceptable.

Termination and Post-Termination

The agreement must address termination for convenience (either party terminates on notice — typically 30 to 90 days), termination for cause (termination without notice period on material uncured breach, insolvency or regulatory breach), and the consequences of each. On termination, the customer must stop using the platform. The provider must continue to make customer data available for download for a defined period — typically 30 to 60 days after termination — and thereafter delete all customer data from its systems and backups. This obligation must be explicit in the agreement: a provider that deletes customer data without the required window, or retains it beyond the required period, is in breach. Survival clauses must specify which provisions continue after termination — confidentiality, liability limitations, governing law and dispute resolution survive in all well-drafted agreements.

Frequently Asked Questions

Can a SaaS provider limit liability in an Indian contract?

Yes. Limitation of liability clauses are enforceable in Indian contracts under the Indian Contract Act, 1872, provided they are not unconscionable and are clearly brought to the customer's attention. A total aggregate cap at 12 months' fees is standard market practice and enforceable in commercial contracts between parties of equal bargaining power. Liability caps typically cannot exclude liability for death, personal injury, fraud, wilful misconduct or breach of confidentiality — these are carved out as uncapped.

Who owns customer data uploaded to a SaaS platform?

Customer data uploaded to a SaaS platform belongs to the customer. The SaaS provider processes it as a Data Processor under the DPDPA 2023, acting under the customer's instructions. The agreement must explicitly state customer ownership, the provider's processing-only purpose, and the obligation to delete or return all data on termination. IP in the platform itself belongs to the SaaS provider.

What SLA provisions are standard in Indian SaaS agreements?

Standard SLA provisions include a monthly uptime commitment (99.5% or 99.9%), a definition of downtime (consecutive unavailability of core features, excluding maintenance), a credit regime (percentage of monthly fees proportional to excess downtime), and a statement that service credits are the exclusive remedy for SLA failures. Scheduled maintenance windows are typically notified in advance and excluded from the uptime calculation.