Click, Scroll, Negotiate: SaaS Contracts - A Starter’s Guide
If you’ve ever opened up a SaaS contract and felt your eyes glaze over, you’re not alone. SaaS is now the backbone of modern business, and these agreements are usually drafted for the software provider’s convenience — designed to work across hundreds or even thousands of customers. The “one-size-fits-all” approach means the terms you’re handed might not align with the risks, costs or compliance obligations your business faces.
Knowing where you can (and should) push back is key. In the UK, this means balancing legislative requirements like the UK GDPR and UCTA, with market norms on liability, service levels and data security. Use the following guidance to turn the negotiation of a generic contract into a deal that protects your business and gives you more value.
1. Data Protection: GDPR & Emerging Legislation
Compliance with data privacy law is fundamental in SaaS and other software services agreements.
UK GDPR & EU GDPR Compliance: Contracts must include a Data Processing Addendum (DPA) that meets the requirements of UK and/or EU GDPR (see Article 28) where the provider is acting as a “Processor”. This addendum defines the obligations of the provider (typically the Processor) and the customer (the “Controller”).
Market Practice vs. Prescriptive Law: While the GDPR is prescriptive (e.g., requiring Controller audit rights under Article 28(3)(h)), market practice often sees suppliers, especially large ones such as Microsoft, Google and Salesforce, resist bespoke DPAs and customer audits. Instead, they offer standardised DPAs and provide audit reports (e.g., SOC 2 Type II reports, ISO 27001 certificates, penetration test summaries) as a substitute for direct audit rights. It’s advisable to push for robust, detailed reports and prompt breach notification clauses early on in negotiations.
Cross-Border Transfers: The agreement must stipulate the location of data processing and storage. Any transfer of personal data outside the UK/EU requires a valid transfer mechanism (e.g., Standard Contractual Clauses (SCCs), or the UK International Data Transfer Agreement (IDTA) or Addendum).
New EU Law: As of 12 September the EU Data Act gives customers statutory rights to switch providers or port data with only two months’ notice (even mid-contract), requires data to be exported within 30 days, and from 2027 bans most switching/egress fees. This should mean less focus on fighting lock-in clauses, and more on what really matters — pricing, service quality, security and liability.
2. Liability Limits: The Test of Reasonableness
Liability clauses are among the most heavily negotiated terms.
Unfair Contract Terms Act 1977 (UCTA): In a business-to-business context, especially where one party contracts on the other’s written standard terms of business, exclusion or limitation clauses must satisfy the test of reasonableness.
Reasonableness Factors: The court assesses reasonableness by considering factors like the parties’ relative bargaining power, whether the customer received an inducement to agree to the term (e.g., accepting a lower cap for a lower price) and the availability of other suppliers.
Negotiating Liability Caps:
General Cap: Suppliers typically seek to cap general liability at a figure such as the fees paid by the customer in the preceding 12 months.
Carve-Outs: Customers should push for higher or uncapped liability for critical breaches, such as IP infringement indemnity, fraud/wilful misconduct, and, increasingly, data/security breaches (see point 4).
3. Intellectual Property (IP) & Indemnities
Adequate IP protection and indemnities are crucial for both parties.
IP Ownership: The agreement should clearly state that the supplier retains ownership of the underlying SaaS software/IP, while the customer retains full ownership of their data uploaded to or generated within the service.
Third-Party 'Pass Through' (Supplier Due Diligence): Suppliers must ensure they have all necessary licence rights for any third-party material (proprietary or open-source) included in their solution. The licence chain must be "unbroken" to legally pass on the right to use the service to customers.
IP Indemnity: Industry standard dictates that the supplier provides an uncapped indemnity to the customer for third-party claims alleging that the customer’s use of the service infringes their IP. Suppliers may seek to limit this by territory or scope, which customers should resist where possible. The supplier usually retains responsibility for the defence of any such claim.
4. Service Scope, SLAs and Data Liability
Beyond the core legal requirements, a strong SaaS agreement must clearly define the commercial transaction.
Scope and Specification: Clarity on the nature of the rights granted (e.g., number of authorised users, geographical restrictions, internal use vs. customer-facing use, etc.) is vital. The accompanying technical specification should set out functionality clearly to give the customer recourse in the event of defective performance.
Service Levels (SLAs): While typically non-negotiable and standardised (e.g., 99.9% uptime), customers must understand the definitions (e.g., does "uptime" exclude planned maintenance periods?). Remedies for SLA breaches are often limited to service credits, which may not fully compensate for loss but are intended to incentivise improved performance.
Data and Security Liability: Data privacy and security breaches are important (and distinct) negotiation points. Customers should specifically negotiate a higher cap or a full carve-out for liability arising from breaches of the data protection and security clauses, pushing back against suppliers who attempt to bundle this into the general liability cap.
5. Term, Termination & Supplier Lock-in
The end of the contract is as important as the start.
Auto-Renewal and Lock-in: While these agreements often auto-renew, the incoming EU Data Act fundamentally changes the customer's termination rights, particularly for multi-year deals, by limiting notice periods. This shifts the commercial leverage toward the customer, forcing suppliers to rely more on continuous value delivery than on contractual lock-in for retention.
Data Recovery and Exit Plan: The agreement must ensure the customer has a clear, time-bound right to recover all data in a machine-readable format upon termination. A defined exit assistance plan should also be included to facilitate a smooth transition to a new provider or an onsite solution.
6. Sector-Specific & Regulatory Obligations
In highly regulated sectors, the supplier's standard terms may require significant amendment.
Specific Sector Rules: Customers in areas like financial services, healthcare or critical infrastructure require bespoke clauses to ensure compliance with specific regulations (e.g., the EU's Digital Operational Resilience Act (DORA)). This often mandates more stringent obligations for the supplier regarding security, resilience, and audit rights.
Other Digital Acts: The EU Digital Services Act (DSA) and Digital Markets Act (DMA) may apply to the supplier's operations, even if they are based outside the EU, if they target or serve customers within the EU. While primarily aimed at platform providers, these acts create a complex regulatory framework that may indirectly affect contract terms, transparency, and data use.
Conclusion
A clear negotiation strategy, focusing on clarifying non-negotiable terms against areas of flexibility, ensures your core objectives (be they maximum uptime, rigorous data security or specific liability coverage) are never compromised.
By also taking into account the provider’s priorities, an agreement that provides both parties with certainty whilst securing the best possible terms for your business can be achieved.
Don't navigate the complex legal landscape of SaaS contract negotiation and review alone.
Contact Jurisprudence Legal today for a confidential review of your current or prospective SaaS agreement. Let our expert team help you establish clear, protective boundaries and secure the terms essential to your business continuity and growth.