This article is the third in a series on the SaaS contract. A well-structured SaaS contract is not limited to the main obligations of the parties. It is therefore important not to overlook the appendices.

It is essential to include adapted annexes so that the reader, who has not participated in the negotiation discussions, can clearly understand the object of the contract, and to minimize the risks for the parties involved. Indeed, the absence of detailed annexes can create uncertainty about everyone's commitments and responsibilities.

Here are the essential documents (a non-exhaustive list) that should be included in a SaaS contract.

1. Appendix - Description of services

This appendix specifies what the SaaS service covers:

  • Software features and scope of services (hosting, maintenance, support, updates, etc.).
  • Technical specifications and prerequisites necessary for use.
  • Pricing and billing (amount, frequency, price revision conditions).
  • Additional costs related to consumption options or overruns.

This is a very important appendix in that it will allow a third party (for example a judge in the event of a dispute) to understand the purpose of the software and its mode of operation.

2. Appendix - Service Level Agreement (SLA)

The SLA sets out the provider's performance commitments:

  • Guaranteed availability (e.g. 99.9% of the time).
  • Intervention and resolution times in case of an incident.
  • Performance indicators (KPIs) and follow-up procedures.
  • Penalties in case of non-compliance with commitments.

This document protects the customer in the event of a failure and encourages the service provider to guarantee optimal service.

3. Appendix - Personal Data Protection Clauses (DPA)

When a SaaS provider processes personal data on behalf of a customer, a Data Processing Agreement (DPA) is mandatory in order to comply with Article 28 of the GDPR. In particular, this document formalizes:

  • The purposes and categories of data processed, the persons concerned by the processing, and the nature of the operations carried out on the personal data.
  • The responsibilities of the service provider acting as a data processor.
  • Notification requirements in the event of a data breach.
  • The conditions for returning or deleting data at the end of the contract.

The model clauses proposed by the CNIL can be used as a starting point to ensure that the essential elements are included.

4. Appendix - Quality and Security Assurance Plan

This plan describes the measures the provider takes to keep its infrastructure resilient in terms of security and service quality, including continuous improvement processes and quality controls that meet market requirements:

  • Security certifications (ISO 27001, SOC 2, etc.) to be maintained for the duration of the contract.
  • Business Continuity and Recovery Plans (backups, restore tests).
  • Incident management and response protocols.
  • Infrastructure security (encryption, restricted access, system redundancy).
  • Data protection against intrusions and losses.
  • Incident management in the event of a security breach.

It can also take the form of a security policy document. I recommend that it be written by the technical or security team and reviewed by the legal team, in order to avoid any contradiction between this document and the contract.

Conclusion

It is possible to include other annexes when relevant to the project or required by the contractual policies of one of the parties (for example a code of conduct, etc.).

In general, integrating these annexes into a SaaS contract is not only a way to anticipate risks and avoid disputes; it is a crucial step, too often overlooked, that strengthens legal certainty and improves the transparency of each party's commitments. These ancillary documents are not secondary and deserve particular attention.

Whether you are a service provider or a customer, can assist you in drafting, reviewing and strengthening your SaaS contracts and their annexes, in order to verify that all the necessary elements are there and to better protect your interests.
