A SaaS agreement defines the obligations of the vendor and the customer. But how far does the vendor’s liability actually extend? In the event of an outage, data loss or cyberattack, who bears the consequences? A poorly structured allocation of contractual risk can prove costly.

Here is what you need to know to secure your agreement.

Service outages: what should the SaaS agreement provide for?

The SaaS vendor typically guarantees a level of availability through an SLA (Service Level Agreement). This document sets out the service accessibility rate (e.g. 99.9%), response times and the remedies available if those commitments are not met. The vendor is responsible for the proper hosting of its service and must ensure that it has robust contractual guarantees with its own infrastructure provider to limit its exposure.

The following points should be verified in the agreement between the vendor and the customer.

For the customer:

  • Verify the quantified SLA commitments.
  • Check whether financial penalties or service credits are provided, and the consequences of repeated SLA breaches.
  • Assess the impact of a prolonged outage on your operations.

For the vendor:

  • Set realistic and achievable KPIs.
  • Frame your liability to avoid disproportionate compensation — it is essential to strike the right balance between SLA penalties and liability limitation provisions.
  • Include exclusions for force majeure events and customer fault.

Who bears responsibility for data loss?

Data backup is a sensitive issue. A SaaS vendor has a systematic obligation to back up customer data, given the nature of the service. The agreement should specify who is responsible for storing and recovering data in the event of an incident.

For the customer:

  • Check whether the vendor commits to regular backups.
  • Ensure that data reversibility is addressed in the agreement.
  • Maintain independent copies if the data is business-critical. The vendor should enable you to perform this backup at any time.

For the vendor:

  • Clearly state the backup frequency and retention period.
  • Limit your liability in the event of accidental deletion by the customer.
  • Provide a data restitution procedure at the end of the agreement.

Who is liable in the event of a cyberattack?

A cyberattack can result in data theft or a service interruption. The SaaS vendor has a systematic security obligation, but its scope depends on the contractual commitments. The vendor must guarantee a level of protection consistent with industry standards, and ensure the monitoring of its infrastructure, access management and the protection of customer data.

For the customer:

  • Review the security measures in place (encryption, access controls, etc.) and verify that they meet your standards.
  • Check whether a prompt notification obligation is included.
  • Verify the scope of your audit rights, particularly in emergency situations.

For the vendor:

  • If you hold a security certification (ISO 27001, SOC 2), ensure that standards are maintained throughout the term of the agreement.
  • Implement an incident response plan to minimise the impact. This document can be provided to the customer upon request.

Data breach notification obligations

Beyond contractual commitments, the GDPR imposes specific obligations in the event of a personal data breach. The data controller must notify the supervisory authority within 72 hours (Article 33 GDPR) and inform the affected individuals where the breach presents a high risk to their rights and freedoms (Article 34 GDPR). The SaaS agreement should set out the notification procedure between the vendor (processor) and the customer (controller), including the timeframe and content of the alert. For further guidance on technical documentation in SaaS, which supports transparency on security matters.

Conclusion

SaaS security does not rest on technology alone. It also depends on the quality of the contractual framework that supports it. A precise SLA, documented backup commitments and a clear incident response policy limit the consequences of an issue — and ensure that both parties know their respective roles when one arises. For an overview of the key provisions in a SaaS agreement, see the SaaS contracting guide. If you need to strengthen your security provisions, book a call.

Other posts


Blog image
SaaS Master Agreement and Order Form: How to Align Them

SaaS master agreement and order form: order of precedence, liability cap, term, pricing. The alignment pitfalls between the two, and how to avoid them.

Blog image
How Much Does It Cost to Register a Trademark in 2026? The Real Budget

What a French or EU trademark really costs: INPI and EUIPO fees, clearance searches, legal fees and renewal, by an IP lawyer.

Let's build together to grow your business