A SaaS agreement defines the obligations of the vendor and the customer. But how far does the vendor’s liability actually extend? In the event of an outage, data loss or cyberattack, who bears the consequences? A poorly structured allocation of contractual risk can prove costly.

Here is what you need to know to secure your agreement.

Service outages: what should the SaaS agreement provide for?

The SaaS vendor typically guarantees a level of availability through an SLA (Service Level Agreement). This document sets out the service accessibility rate (e.g. 99.9%), response times and the remedies available if those commitments are not met. The vendor is responsible for the proper hosting of its service and must ensure that it has robust contractual guarantees with its own infrastructure provider to limit its exposure.

The following points should be verified in the agreement between the vendor and the customer.

For the customer:

  • Verify the quantified SLA commitments.
  • Check whether financial penalties or service credits are provided, and the consequences of repeated SLA breaches.
  • Assess the impact of a prolonged outage on your operations.

For the vendor:

  • Set realistic and achievable KPIs.
  • Frame your liability to avoid disproportionate compensation — it is essential to strike the right balance between SLA penalties and liability limitation provisions.
  • Include exclusions for force majeure events and customer fault.

Who bears responsibility for data loss?

Data backup is a sensitive issue. A SaaS vendor has a systematic obligation to back up customer data, given the nature of the service. The agreement should specify who is responsible for storing and recovering data in the event of an incident.

For the customer:

  • Check whether the vendor commits to regular backups.
  • Ensure that data reversibility is addressed in the agreement.
  • Maintain independent copies if the data is business-critical. The vendor should enable you to perform this backup at any time.

For the vendor:

  • Clearly state the backup frequency and retention period.
  • Limit your liability in the event of accidental deletion by the customer.
  • Provide a data restitution procedure at the end of the agreement.

Who is liable in the event of a cyberattack?

A cyberattack can result in data theft or a service interruption. The SaaS vendor has a systematic security obligation, but its scope depends on the contractual commitments. The vendor must guarantee a level of protection consistent with industry standards, and ensure the monitoring of its infrastructure, access management and the protection of customer data.

For the customer:

  • Review the security measures in place (encryption, access controls, etc.) and verify that they meet your standards.
  • Check whether a prompt notification obligation is included.
  • Verify the scope of your audit rights, particularly in emergency situations.

For the vendor:

  • If you hold a security certification (ISO 27001, SOC 2), ensure that standards are maintained throughout the term of the agreement.
  • Implement an incident response plan to minimise the impact. This document can be provided to the customer upon request.

Data breach notification obligations

Beyond contractual commitments, the GDPR imposes specific obligations in the event of a personal data breach. The data controller must notify the supervisory authority within 72 hours (Article 33 GDPR) and inform the affected individuals where the breach presents a high risk to their rights and freedoms (Article 34 GDPR). The SaaS agreement should set out the notification procedure between the vendor (processor) and the customer (controller), including the timeframe and content of the alert. For further guidance, see the article on technical documentation in SaaS, which supports transparency on security matters.

Conclusion

SaaS security does not rest on technology alone. It also depends on the quality of the contractual framework that supports it. A precise SLA, documented backup commitments and a clear incident response policy limit the consequences of an issue — and ensure that both parties know their respective roles when one arises. For an overview of the key provisions in a SaaS agreement, see the SaaS contracting guide. If you need to strengthen your security provisions, book a call.
