A SaaS company’s legal stack rests on three documents: the Master Services Agreement (MSA), the Statement of Work (SOW), and the Data Processing Addendum (DPA). Get these three right and 90% of customer disputes never escalate.
The MSA: the master frame
Signed once per customer. Covers the things that don’t change between engagements: payment terms, IP ownership, confidentiality, warranties, indemnities, limitation of liability, dispute resolution, and termination. A good MSA is dense but readable.
The SOW: what you’re actually doing
Per-project document. Covers scope, deliverables, timeline, acceptance criteria, and the specific commercials. The SOW references the MSA. Keep it short — one page where possible.
The DPA: GDPR / DPDP compliance
Required if you process personal data on behalf of the customer. Defines categories of data, processing purposes, sub-processors, security measures, breach notification, and the customer’s right to audit. India’s Digital Personal Data Protection Act, 2023, makes a DPA effectively non-negotiable for any B2B SaaS.
Clauses that get fought over most
- Limitation of liability: SaaS vendors usually cap liability at 12 months of fees. Enterprise customers push for higher caps or carve-outs (data breaches, IP infringement).
- SLA & service credits: what uptime do you commit to, and what does the customer get when you miss it?
- IP ownership: the platform is yours, customer data is theirs, custom development is negotiable.
- Termination for convenience: can either side walk with 30 days’ notice? Annual contracts usually disallow this.
The cost of doing it wrong
Using a free MSA template is the most expensive way to save money. Indian and US case law diverges sharply on warranties and liability; a US template may be unenforceable here. Invest in proper drafting once, then reuse the framework across hundreds of customers.