
Your First SaaS Contract: A Checklist for Sole In-House Counsel
There’s a particular kind of email that lands in your inbox in your first month in-house.
It’s from the CFO. There’s a 40-page PDF attached. The subject line is “Quick review please, needed by Friday.” The body says something like “can you take a look and let us know if this is fine to sign.”
You open it. It’s a Master Subscription Agreement from a SaaS vendor you’ve never heard of. You scroll. There are forty-seven defined terms. The indemnity section is two paragraphs of a single sentence. You don’t remember covering this exact thing in law school.
One general counsel described their first six months in-house this way: “It would take me days to write a contract.” Another put it more bluntly: “My first SaaS contract had me sweating bullets.”
If you’re new in-house, you’re not behind. SaaS contracts are a specific dialect, and nobody teaches it to you at a firm. What follows is the checklist you wish someone had handed you on day one.
This is the buyer-side checklist. You’re the in-house counsel for the company that is signing a vendor’s SaaS paper. If you’re on the vendor side drafting your own MSA, the angles flip, and we’ll touch on that at the end.
Before you open the contract
Read these three things first. They matter more than any clause.
- The order form (or quote, or purchase order). This is where the price, the term, and the user count live. Almost everything in the MSA is modifiable by the order form. If something is wrong here, it overrides clean MSA language.
- The customer’s own use case. What is your team actually going to do with this software? “Store regulated data” is a very different deal than “schedule meetings.” You can’t review the contract without knowing what’s flowing through it.
- The Data Processing Addendum (DPA), if there is one. For any vendor touching personal data, the DPA is the contract that actually matters. Read it before you read the MSA.
If the vendor hasn’t sent you a DPA and the tool will touch personal data, ask for one before you start redlining. Half the painful clauses below get easier when the DPA is doing its job.
The fourteen clauses that actually matter
Most in-house counsel teams of one don’t have ten hours to audit a 60-page vendor contract. They don’t need to. These are the fourteen clauses where a missed line costs money or sleep. Get them right and you can sign with confidence.
1. Term and Auto-Renewal
What to look for: How long is the initial term? Does the contract auto-renew? How many days’ notice are required to cancel (30, 60, 90)? Is the renewal price the same as the initial price, or “at the then-current rates”?
Why it matters: Auto-renewal is the single most common financial leak in SaaS. One procurement manager described finding a “5-yr autorenew that was missed because internal stakeholder signed and kept the agreement for their own personal stash.” Another found a renewal clause buried in a PowerPoint deck. The cancellation window is usually the leverage; if it’s 90 days and you find out 89 days in, you’ve already lost.
The push: Cap auto-renewals at one year. Require written notice from the vendor 60 days before renewal. Lock the renewal price, or cap the increase at 5%.
2. Fees, Payment Terms, and True-Up
What to look for: Net 30, Net 45, Net 60? Late fees? What happens if you exceed your user count or API limit mid-term? Does it true-up at a higher rate?
Why it matters: True-up clauses are how a $50k contract becomes a $90k contract. Read them. Some vendors charge retroactively to the day you exceeded the limit, others prospectively. The difference can be tens of thousands of dollars on a fast-growing team.
The push: Net 45 or Net 60 if your AP needs the time. True-up at the same per-unit price as the original tier, prospectively only. No retroactive billing.
3. Limitation of Liability
What to look for: What’s the liability cap? Usually it’s “fees paid in the prior 12 months.” Are there carve-outs (uncapped categories)? Indemnity, data breach, confidentiality, IP infringement: are these subject to the cap or excluded from it?
Why it matters: As one sales rep put it on Reddit, “limits of liability is nearly always the issue.” For good reason. If a SaaS vendor breaches their security obligations and your customer data leaks, a 1× annual fee cap means a $50k vendor can leave you with a $5M loss.
The push: For data breach, willful misconduct, and IP indemnity, push for super-cap liability (often 2x-3x annual fees, or uncapped). For everything else, 1x annual fees is reasonable. Don’t accept “the lesser of fees paid or $100,000.” Small-dollar caps are a red flag.
4. Indemnification
What to look for: Is indemnity mutual or one-way? Specifically, does the vendor indemnify you against IP infringement claims (a third party suing you because the vendor’s tool infringes their patent, copyright or trademark)?
Why it matters: If a third party sues you because your vendor’s tool infringes their IP, you do not want to be the one defending it. IP indemnity is non-negotiable for any business-critical SaaS.
The push: IP indemnity should be mutual at minimum, and the vendor’s IP indemnity should be uncapped (or super-capped). If the vendor refuses, ask for a Certificate of Insurance covering the same risk. As we’ve written elsewhere about negotiation mistakes, trading a complex legal argument for a verified insurance policy often gives more actual protection than a 10-page clause.
5. Data Ownership and Portability
What to look for: Who owns the data you upload? What happens to it when the contract ends? Can you export it? In what format? How long does the vendor keep it after termination?
Why it matters: This is the clause your CFO will care about three years from now when you’re evaluating a competing vendor. If the data is locked in a proprietary format and the vendor deletes it 30 days after termination, you don’t have a tool. You have a hostage situation.
The push: Customer owns all customer data. Vendor provides export in a standard format (CSV, JSON) on request. Vendor retains data for at least 60 days post-termination so you can complete migration, then deletes it, including from backups on a stated schedule, and certifies the deletion in writing.
6. Data Processing, Security, and Sub-Processors (DPA)
What to look for: Does the vendor have a current SOC 2 Type II report or ISO 27001 certification, and does its scope actually cover the service you’re buying? Where is the data hosted? Are sub-processors named in a public list, and do you get notice when they change? What’s the breach notification timeline, and does the clock start when the vendor becomes aware of the incident? If you object to a new sub-processor and the objection isn’t resolved, can you terminate?
Why it matters: Different jurisdictions have different rules. The Australian Notifiable Data Breach scheme requires notification as soon as practicable once you know an eligible breach has occurred, which in practice means days, not weeks. Singapore’s PDPA treats sub-processors as “data intermediaries,” and crucially, appointing a data intermediary does not relieve you of your PDPA obligations. You stay liable for their conduct, which means contractual flow-down is the only protection you have. Hong Kong’s PDPO works the same way. Neither has a statutory equivalent of GDPR Article 28, so if it isn’t in the contract, it isn’t your right.
The push: SOC 2 Type II or equivalent. Public, maintained sub-processor list. 30-day advance notice of new sub-processors, with a right to object and to terminate without penalty if a material objection isn’t resolved. Breach notification within 72 hours of the vendor becoming aware, or sooner where your local law requires it; if your own regulator gives you 72 hours (as the GDPR does), a vendor promise of 72 hours leaves you no time at all, so ask for 24 or 48. Right to audit, or to rely on the vendor’s third-party audit report.
7. Cyber Insurance and Certificate of Insurance (COI)
What to look for: Does the vendor carry cyber liability insurance? What are the policy limits? Are you a named additional insured? Will they provide a Certificate of Insurance on request, and annually thereafter?
Why it matters: A liability cap is a contractual promise. Insurance is the asset that actually pays out when the promise is called. Without proof of cover, an indemnity from a thinly-capitalized SaaS startup is a piece of paper. Insurance is also the fastest negotiation shortcut for an indemnity clause that’s stuck in week three of redlines. Trade a complex legal argument for a verified policy.
The push: Cyber liability insurance with minimums proportional to your risk. A common floor is US$5M for SMB SaaS handling personal data, scaling up for enterprise tools. Named-insured or additional-insured status where the vendor’s policy permits. COI delivered at signing and on renewal.
8. AI and GenAI: Training Data, Outputs, and Zero Retention
What to look for: Does the tool use AI? If yes, does the vendor train models on your data? Do they retain your inputs and outputs, and for how long? Can sub-processors (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI) train on your data? Does the vendor indemnify you against AI-output claims (copyright, defamation, hallucination harm)? Are outputs “as is” with no warranty?
Why it matters: This is the clause that didn’t exist three years ago and is now the most-redlined section in 2026 SaaS contracts. Many AI products’ default terms let the vendor use customer inputs to improve its models; enterprise or API tiers frequently don’t, so confirm which terms actually govern your order form rather than assuming. Many retain inputs for 30 days for “abuse monitoring.” For any organization with proprietary data, trade secrets, or regulated information, a training default is unacceptable. Once your data has been used in training, you cannot get it back. APAC in-house counsel are particularly cautious: ALITA’s 2025 survey found 77% of corporate in-house lawyers worried about AI hallucination risk, more than their law-firm peers.
The push: Vendor will not train any model on customer data without separate written consent. Zero data retention on AI API calls, or a 30-day cap with no human review. The same restrictions flow down to every AI sub-processor by name. Output indemnity for IP claims arising from AI-generated content. Acknowledge AI outputs are probabilistic, not warranted, but require human-in-the-loop for any decision with legal effect.
9. Service Level Agreement (SLA) and Remedies
What to look for: What uptime does the vendor commit to? 99.5%? 99.9%? 99.99%? What’s the remedy if they miss (service credits, refund, termination right)?
Why it matters: 99.5% sounds great. In a 30-day month it allows about 3.6 hours of downtime; 99.9% allows about 43 minutes, and 99.99% about 4.3 minutes. For business-critical SaaS, 3.6 hours is a lot. Check how uptime is measured, too: a number measured annually, or with open-ended “scheduled maintenance” excluded, can hide a bad week. And if the only remedy is “5% service credit on next month’s invoice,” your CFO is going to ask why you’re still paying the vendor that broke your operations for half a day.
The push: 99.9% minimum for business-critical SaaS, measured monthly, with maintenance windows defined and capped rather than left open. Tiered credits (5% / 10% / 25%) for missed SLA. Right to terminate for cause if the SLA is missed in consecutive months.
10. Termination Rights
What to look for: When can either party terminate? For cause only, or for convenience? What’s the cure period for a breach? What happens to fees paid in advance?
Why it matters: Many SaaS contracts let the vendor terminate for convenience while requiring the customer to stay locked in for the full term. This is asymmetric. If you can’t get out, neither should they.
The push: Mutual termination for material breach with a 30-day cure period. Pro-rata refund of prepaid fees on termination for vendor breach. A right to terminate without penalty if the vendor materially degrades the service or is sold to an acquirer you find unacceptable.
11. Assignment and Change of Control
What to look for: Can the vendor assign the contract without your consent? What happens if they’re acquired? Can they “merge” the contract into a larger acquirer’s terms?
Why it matters: SaaS gets acquired constantly. Your friendly mid-market vendor today could be a Fortune 500 conglomerate’s loss-leader tomorrow, with worse support, worse pricing, and a unilateral change to the terms.
The push: No assignment without written consent, with a reasonable carve-out for change-of-control to a non-competitor of equal or greater financial standing.
12. Confidentiality
What to look for: Mutual or one-way? How long does it last after termination? Is there a carve-out for “residual knowledge” (information the vendor’s employees remember)?
Why it matters: Residual knowledge clauses are a quiet way for vendors to walk away with whatever they learned about your business. They sound innocuous. They’re often not.
The push: Mutual confidentiality. Five-year survival post-termination minimum. Strike or limit residual knowledge clauses. If you’re handling especially sensitive data, get a separate NDA layered on top.
13. Governing Law and Dispute Resolution
What to look for: Which jurisdiction’s law governs? Where do disputes get heard? Is there a mandatory arbitration clause? Class-action waiver?
Why it matters: If your company is based in Singapore and the contract is governed by Delaware law with mandatory arbitration in San Francisco, you’ve effectively waived your right to sue in any practical sense. The cost of bringing a claim exceeds most contract values.
The push: Governing law and venue of your home jurisdiction, or a neutral one like Singapore or the UK if you’re multi-jurisdiction. If arbitration is required, in a venue you can actually access.
14. Audit and Reporting Rights
What to look for: Can you audit the vendor’s compliance with the contract? Their security practices? Their use of your data?
Why it matters: Without an audit right, you have no way to verify the vendor is doing what they said they’d do. Most vendors won’t let you audit directly but will share their SOC 2 report or other third-party attestation. When they do, read the scope, the reporting period and the noted exceptions, not just the cover page: a report that covers a different product, or ended eighteen months ago, tells you very little.
The push: Either a direct audit right (rare, but worth asking) or a guaranteed annual SOC 2 / ISO report. Include the right to request a remediation plan if findings are material.
Honourable mentions (read, but rarely redline)
These clauses matter but rarely break a deal. Skim them. Push back only if something looks aggressively non-standard.
- Warranties and disclaimers. Vendors usually disclaim implied warranties of merchantability and fitness for purpose. That’s standard. What’s not standard: disclaiming the express warranties they made in the security exhibit. Make sure the disclaimer doesn’t swallow the security commitments.
- Publicity and logo use. Almost every vendor MSA includes a right to use your logo as a customer reference. If your brand is sensitive (regulated industry, stealth-mode startup, recent acquisition), strike it or require prior written consent per use.
- Force majeure. No longer boilerplate. Check which events are listed (pandemic, supply-chain failure, cyberattack) and how they’re defined. Be careful with cyberattack in particular: it should not excuse the vendor from its own security commitments, so a security incident the vendor’s contracted controls should have prevented must not count as force majeure. Make sure SLA credits and the right to terminate after extended force majeure (typically 30+ days) survive.
- Order of precedence. State explicitly which document wins in a conflict. Usually the Order Form, then the DPA, then the MSA. Without this clause, conflicts get resolved by whoever has the better lawyer.
- Anti-bribery, sanctions, and export controls. Especially material for APAC counterparties. Singapore’s Prevention of Corruption Act, Australia’s anti-bribery regime, and US FCPA exposure all flow through standard reps. The clause is usually fine; just confirm it exists.
- Acceptable use. Can the vendor suspend service mid-term for an alleged AUP violation? Push for prior written notice and a cure period before suspension. Exempt good-faith disputes from immediate cut-off.
- Notices and amendment formality. Notices in writing, via email to a specified address. No oral amendments. No unilateral “click-through” updates to material terms.
These won’t make the partners proud, but they catch the surprises.
Before you send your redlines
Three things to do before you hit send.
One. Re-read the order form. Make sure your MSA redlines don’t contradict it. If they do, decide which document should win (usually the more specific one), and state it explicitly.
Two. Pick your battles. If you redline all fourteen clauses you’ll get pushback on all fourteen. Pick the three or four where the risk is real and the language is genuinely bad. As one lean-legal team put it: “success isn’t about out-working the other side; it’s about having the focus to ignore the academic noise and zero in on the three or four ‘landmine’ clauses that actually carry risk.”
Three. Capture your decisions. Whatever you redline, save the reasoning somewhere your future self can find it. The second time you see this vendor’s MSA, or a similar one from another vendor, the answers should already be there. This is the start of your own contract playbook, and it compounds fast.
After signature
The work doesn’t end at signature. Three things will save you pain later.
- Store it somewhere findable. One in-house counsel quoted on Legal.io put it this way: “I’m calling former employees to see if they have copies of agreements we signed.” Don’t be that person. Store the executed PDF, the order form, and the DPA together, and tag the renewal date.
- Set the renewal alert at signature. Tie it to the contract’s notice period: the alert must land before the cancellation window closes, so set it at the notice period plus at least 30 days (90 days before renewal for a 60-day notice clause; 120 is better). Whoever owns the renewal decision (usually the team using the tool) needs to know before the window closes.
- Note the obligations. Auto-renewal notice deadlines. Audit rights. SLA monitoring requirements. Any “must notify within 30 days” clauses. These get forgotten. They’re how a 9% chunk of contract value leaks out of most companies.
A note on the vendor side
If you’re not the buyer here, if your company is the SaaS vendor and you are the one drafting the MSA your customers will redline, the angles invert. You want the auto-renewal, the broad indemnity carve-outs, the assignment freedom, the 1× liability cap. Your playbook job is the opposite: how much can you concede on each of these fourteen clauses before the deal economics break? We’ve written separately about MSA mistakes on the vendor side and the clauses every MSA needs.
The good news: the fourteen clauses are the same. Whichever side you’re on, this is the negotiation playbook for SaaS.
Closing thoughts
Your first SaaS contract feels like a lot because nobody trained you on the dialect. But the dialect is finite. Fourteen clauses, plus a handful of honourable mentions. A predictable set of moves. After your tenth contract, you’ll see them coming.
The job isn’t to redline every line. It’s to know which lines matter and to spend your hours there.
When you’re ready, a CLM purpose-built for in-house teams of one can carry the rest: the playbook, the renewal alerts, the searchable repository, the audit trail your CFO will thank you for. Until then, this checklist will do.
You’ve got this. Stop sweating bullets. Start checking boxes.