What should B2B SaaS terms of service include?
By SuLe · Updated 7 June 2026
Solid B2B SaaS terms cover nine things: the subscription and licence, acceptable use, service levels and support, fees and payment, data protection, IP ownership, confidentiality, liability limits, and term, suspension and termination — under a stated governing law. They are the contract that decides who bears the risk when something goes wrong, so vague or borrowed terms tend to fail exactly when you need them.
Key facts
- Core B2B SaaS terms cover the licence, acceptable use, service levels, fees, data, IP, confidentiality, liability and termination.
- Liability caps are common — often set at around 12 months' fees — but must be reasonable under the Unfair Contract Terms Act 1977.
- You can never exclude liability for death or personal injury from negligence, or for fraud.
- If you process personal data for the customer, UK GDPR Article 28 requires a data processing agreement, usually attached as a schedule.
- The standard IP split: you keep the platform, the customer keeps their data.
What are the essential clauses in SaaS terms?
They fall into a familiar set. The subscription and licence grant define what the customer is buying — access to the hosted service, not the software itself — and the acceptable use policy sets the limits on how they use it.
Service levels and support say what uptime and help the customer can expect; fees and payment cover price, billing and late payment. Data protection, IP and confidentiality then allocate the sensitive stuff.
Finally, liability caps limit your exposure, and the term, suspension and termination clauses decide how the relationship ends. Governing law and jurisdiction — normally England and Wales — close it out.
How should I handle data and IP in the contract?
With a clear split and, where personal data is involved, a proper data processing agreement. The market-standard IP position is that you retain ownership of your platform and the customer retains ownership of the data they put in.
Say that expressly, and grant yourself only the licence you genuinely need to operate and improve the service. Set out what happens to customer data on exit — typically an export window followed by deletion.
If you process personal data on the customer's behalf, you are their processor, and UK GDPR Article 28 requires a written data processing agreement. Attach it as a schedule so the commercial terms and the DPA are signed together, not left as a loose end.
How far can I limit my liability?
Further than in a consumer contract, but not without limits. A common commercial approach is to cap total liability at around 12 months' fees, and to exclude indirect or consequential loss.
The constraint is the Unfair Contract Terms Act 1977. In B2B contracts, exclusion and limitation clauses only bite if they pass its reasonableness test, so an aggressive, one-sided cap can be struck down — leaving you with more exposure than a fair one would have.
Two things can never be excluded: liability for death or personal injury caused by negligence, and liability for fraud. A clause that pretends otherwise is void to that extent and undermines confidence in the rest.
| Clause | What it does | Startup watch-out |
|---|---|---|
| Licence & acceptable use | Grants access, sets limits | Licence the service, not the code |
| Service levels & support | Sets uptime and response promises | Don't promise SLAs you can't meet |
| Fees & payment | Price, billing, late payment | Include suspension for non-payment |
| Data protection | Governs personal data | Attach a UK GDPR Article 28 DPA |
| IP ownership | Splits platform vs customer data | State it expressly both ways |
| Liability cap | Limits exposure | Keep it reasonable under UCTA 1977 |
| Term & termination | Ends the relationship | Define data export and deletion |
When should terms be negotiated versus click-through?
It depends on your buyer. For self-serve and smaller customers, click-through terms accepted at sign-up are efficient and enforceable if presented clearly before use.
Enterprise customers will redline your terms and push on liability caps, security commitments and the DPA. Expect to negotiate, and know your walk-away positions in advance.
Keep one master set of terms as your baseline so every negotiation starts from your paper. Signing each big customer's bespoke contract is how a small SaaS ends up with inconsistent obligations.
Worked example
Priyanka runs Shiftmesh, a workforce-scheduling SaaS, selling to mid-size hospitality groups. Her terms grant a subscription licence, attach an acceptable use policy, and promise a realistic uptime target she can actually hit.
She keeps ownership of the Shiftmesh platform and confirms customers own their rota and staff data. Because that staff data is personal data she processes for them, she attaches an Article 28 DPA as a schedule. Liability is capped at the last 12 months' fees, with the unexcludable carve-outs preserved.
A national chain redlines the cap upward and demands a tighter security schedule. Priyanka negotiates from her master terms and signs — without letting the chain's paper become her new default.
Where founders go wrong
Copying a US SaaS template.
US terms lean on US law and consumer regimes that do not map onto UCTA 1977 or UK GDPR.Over-aggressive liability caps.
A cap that fails the reasonableness test can be struck down, leaving you more exposed than a fair one.Forgetting the DPA.
If you touch personal data for the customer, Article 28 makes the processing agreement mandatory, not optional.Signing every customer's bespoke terms.
Without a master set, your obligations fragment into contradictions that surface at renewal or exit.
Related questions
Can I cap my liability in B2B SaaS terms?
Yes, and you should — a common approach is to cap liability at around 12 months' fees. But in B2B contracts any exclusion or limitation must pass the reasonableness test of the Unfair Contract Terms Act 1977, and you can never exclude liability for death or personal injury from negligence, or for fraud. Overreaching caps risk being struck down entirely.
Do I need a separate data processing agreement with my SaaS terms?
Usually yes. If you process personal data on your customer's behalf you are their processor, and UK GDPR Article 28 requires a written data processing agreement. It is normally attached to the terms as a schedule rather than left out, so the customer signs the commercial terms and the DPA together.
Who owns the data and IP in a SaaS contract?
The standard split is that you keep ownership of your platform and its IP, and the customer keeps ownership of the data they put in. Good terms say this expressly, grant you only the licence you need to run the service, and set out what happens to customer data on termination — typically export then deletion.
What is an acceptable use policy?
An acceptable use policy lists what customers and their users may not do with your service — no illegal content, no reverse engineering, no overloading the system, no reselling without permission. It lets you suspend or terminate abusers without arguing about it later, and it is usually built into or attached to the main terms. [More: What is a master services agreement (MSA)?]
SaaS terms look boilerplate until a customer disputes a bill, a deal dies over your liability cap, or an enterprise buyer rejects your DPA — then every clause earns its keep. A SuLe solicitor can build you a master set of terms that hold up in negotiation and in court. Book a free compliance check call and stop selling on borrowed paper.
Keep reading: What is a master services agreement (MSA)? · What is a data processing agreement (DPA) and when do I need one? · Do I need terms and conditions and a privacy policy for my startup? · Are e-signatures legally valid in the UK? · What does UK GDPR require from an early-stage startup? · What should an AI product's terms of service cover?
Primary sources: GOV.UK — Data protection · Unfair Contract Terms Act 1977


