Do SaaS terms also need a separate DPA?

If the SaaS processes personal data on behalf of customers, a data processing agreement is usually expected. Many providers ship the DPA as an addendum referenced from the terms.

Should the terms reference the AUP?

Yes. The acceptable use policy is the main basis for taking action against abusive accounts and should be cross-referenced from the terms.

SaaS terms of service checklist

A practical checklist for SaaS terms of service covering the service definition, account rules, subscriptions, data handling, support, suspension, and termination.

Service definition

Define the service in concrete terms. List the features included in each plan, the integrations the service supports, and the documented limitations. Avoid sales copy here; a customer reading the document expects a workable description.

Accounts and access

Describe how accounts are created, who can create them, how multiple users join an account, and how administrative roles work. State what a customer is responsible for at the account level, including credentials and authorized use.

Subscriptions and billing

Cover the subscription term, the renewal model, billing currency, taxes, and any usage-based fees. The payment workstream is currently being selected, so this article does not name a payment provider; the SaaS terms should state the chosen provider and the supported payment methods at the time of signing.

Customer data and ownership

Confirm that customer data remains owned by the customer. Describe the license the operator needs to run the service: store, transmit, back up, and process data as needed for the contract. Reference the privacy policy and any DPA.

Service level and availability

If the SaaS commits to availability targets, describe the targets, the measurement window, the exclusions (planned maintenance, force majeure, customer-side outages), and the remedies. Many small SaaS products start without a contractual SLA but still describe target availability for transparency.

Support

State the channels (email, in-app), the supported hours, and the typical response times. Distinguish between standard support included in the subscription and any premium support tiers.

Suspension and termination

Describe the conditions under which the operator can suspend or terminate the account: non-payment, breach of the AUP, regulatory orders, force majeure. Cover the customer's right to terminate, including any wind-down period and data export.

Data export and deletion

Explain how the customer can export data at any time during the subscription and after termination. State the retention window after termination and the path for permanent deletion. The SaaS should also explain how a customer can delete their own user account.

Confidentiality

Mark customer data and operator confidential information; describe the parties' obligations to protect each other's confidential information. A short clause is usually sufficient.

Limitation of liability and indemnity

State the limit on direct damages, exclude indirect damages where allowed, and describe any indemnity covering third-party IP claims. Be honest about local rules that may restrict the limits.

Governing law and dispute resolution

Pick a governing law and a forum. Many SaaS providers use arbitration with a small-claims carve-out. The terms should be consistent with the operator's actual ability to defend a claim in the chosen forum.

Cross-links

The SaaS terms reference the privacy policy, the DPA, the AUP, the refund policy, and any region-specific addendum (for example, an EU online-platforms addendum or a US data-transfer addendum).

Maintenance

Review the terms at least once a year, after any pricing change, after any change in the third-party stack, and after any new region the SaaS sells into.