Key annexes to include in a SaaS agreement

A well-structured SaaS agreement goes beyond the main obligations of the parties. The annexes deserve equal attention.

Including well-drafted annexes is essential so that any reader — including those who were not involved in the negotiation — can clearly understand the scope of the agreement. The absence of detailed schedules can create uncertainty about each party’s commitments and responsibilities.

Here are the key documents to include in a SaaS agreement.

1. Schedule — Service description

This schedule sets out what the SaaS service covers:

Software features and scope of services (hosting, maintenance, support, updates, etc.).
Technical specifications and prerequisites for use.
Pricing and billing (amount, frequency, price revision terms).
Additional costs related to options or excess consumption.

This is a critical schedule — it enables a third party (e.g. a judge in the event of a dispute) to understand the purpose of the software and how it operates.

2. Schedule — Service Level Agreement (SLA)

The SLA sets out the vendor’s performance commitments:

Guaranteed availability (e.g. 99.9% uptime).
Response and resolution times in the event of an incident.
Key performance indicators (KPIs) and monitoring procedures.
Remedies in the event of a breach.

This document protects the customer in the event of underperformance and incentivises the vendor to maintain service quality. For further detail, see my article on SLA best practices.

3. Schedule — Data Processing Agreement (DPA)

Where a SaaS vendor processes personal data on behalf of a customer, a DPA is mandatory under Article 28 of the GDPR. This document sets out:

The purposes and categories of data processed, the data subjects concerned, and the nature of the processing operations.
The vendor’s responsibilities as data processor.
Notification obligations in the event of a data breach.
The conditions for data return or deletion at the end of the agreement.

The management of subprocessors and their access to personal data should also be addressed in the DPA.

4. Schedule — Security and quality assurance plan

This document describes the vendor’s strategy for ensuring a resilient infrastructure:

Security certifications (ISO 27001, SOC 2, etc.) to be maintained throughout the term.
Business continuity and disaster recovery plans (backups, restore testing).
Incident management and response protocols.
Infrastructure security (encryption, access controls, system redundancy).

I recommend that it be drafted by the technical or security team and reviewed by legal, to avoid any inconsistency between this document and the agreement. For further guidance on security in a SaaS agreement.

5. Schedule — Data reversibility plan

A reversibility plan sets out the conditions for data export at the end of the agreement: formats, timeframes, and any vendor assistance. Since the Data Act came into force, data portability has become a strengthened right for SaaS customers. Addressing this schedule proactively avoids bottlenecks at exit and demonstrates the vendor’s transparency. For more on this topic, see the article on termination and the Data Act.

Conclusion

Other schedules may be relevant depending on the project (code of conduct, training plan, etc.). But the schedules described above form the minimum foundation of a well-structured SaaS agreement. Neglecting them creates grey areas that can turn into disputes. For an overview of the key provisions, see the SaaS contracting guide. If you need to review your agreement schedules, book a call.

‍