AI and SaaS Vendor Agreement Red Flags

SaaS & Tech · 8 min read · Published 2026-05-29

Signing a SaaS or AI vendor agreement feels routine — click accept, enter credit card, get access. But buried in those terms are provisions that can lock you in, expose your data, limit your recourse, and leave you with no exit when things go wrong. Whether you're evaluating a $50/month tool or a $500,000 enterprise contract, these are the red flags to look for before you commit.

1. Broad rights to use your data for model training

AI vendors increasingly want the right to use customer data — including the data you input, the outputs you generate, and your usage patterns — to train and improve their models. For most customers, this is unacceptable.

What to look for in the contract:
• Does the vendor claim a license to use your input data for any purpose beyond providing the contracted service?
• Does the agreement allow the vendor to use "anonymized" or "aggregated" data for model training? "Anonymized" is not a guaranteed protection — re-identification is often possible.
• For AI services specifically: does the vendor claim ownership or a license to the outputs you generate using their platform?

What to push for:
• An explicit prohibition on using your data for model training or improving services for other customers
• A data processing agreement (DPA) under GDPR or applicable privacy law
• Clarity on who owns the outputs — you should own them

This issue is particularly critical for law firms, healthcare providers, and companies handling confidential business information. A broad training data license is not a minor footnote — it's a material risk.

2. Auto-renewal and price escalation clauses

SaaS contracts almost universally auto-renew, often with 30–90 day advance notice requirements to cancel. The combination of auto-renewal and annual price increases is one of the most common sources of unexpected SaaS spend.

Red flags:
• Auto-renewal with a notice period longer than 30 days (90-day notice windows for monthly products are predatory)
• Price escalation tied to "list price at time of renewal" rather than a defined cap (typically 3–5%)
• No right to terminate for convenience during the subscription term
• Evergreen clauses that extend the term indefinitely if not actively cancelled

What to negotiate:
• A written cancellation right with no more than 30 days' notice
• A price cap on annual increases (e.g., CPI or 5%, whichever is lower)
• A right to terminate for convenience with 30 days' notice and pro-rata refund of prepaid fees

For multi-year enterprise contracts, negotiate a price schedule for all years at signing — don't let the vendor hold renewal pricing hostage.

3. Unilateral right to modify terms

Many SaaS contracts include language allowing the vendor to modify the agreement — including pricing, features, acceptable use policies, and data terms — at any time, with notice posted to a website or sent by email.

This is a fundamental risk: you sign an agreement today, and the vendor can change material terms tomorrow.

What to look for:
• "We may update these terms at any time" without a right to object or exit
• Notice provisions that consider terms updated when posted to a URL (not when you receive and acknowledge the notice)
• No right to terminate if you object to a material change

What to push for in enterprise agreements:
• Any material change to pricing, data rights, or SLA requires mutual written amendment
• If the vendor unilaterally changes terms over your objection, you have the right to terminate with a pro-rata refund
• A defined "current terms" document that governs your specific subscription (not a constantly changing web page)

4. SLA that's all metrics and no remedies

Service level agreements (SLAs) define uptime commitments — typically 99.9% ("three nines") or better. But uptime percentages are meaningless without service credits or termination rights when the vendor fails to meet them.

The typical vendor SLA playbook:
• Promise 99.9% uptime (which allows 8.7 hours of downtime per year)
• Define "downtime" narrowly to exclude scheduled maintenance, "partial" outages, and third-party dependencies
• Cap service credits at 10% of monthly fees for any given month
• Make credits the "sole and exclusive remedy" for SLA failures

What a meaningful SLA looks like:
• Uptime calculated on a monthly basis, not annual (hiding one bad month across a good year is common)
• Service credits that scale with severity: 10% for 99.9–99.5%, 25% for below 99.5%, 50% for below 99%
• A termination right if the vendor misses SLA targets for two or more consecutive months
• No cap on the "sole and exclusive remedy" language — SLA failure shouldn't preclude other breach claims

If the vendor's SLA has remedies limited to 10% of monthly fees with no termination right, it's not really a service level commitment — it's a liability cap dressed up as a service commitment.

5. No right to export your data at termination

Vendor lock-in often doesn't reveal itself until you try to leave. SaaS contracts that don't address data portability leave customers stuck — unable to migrate to a competitor without significant cost or data loss.

What to look for:
• Is there an explicit right to export your data at any time, in a standard format?
• What happens to your data after termination — is there a grace period to export before deletion?
• What format will your data be provided in? CSV is often the minimum. For complex systems, you may need APIs or specific schemas.

What to require:
• A contractual right to export all your data at any time during the subscription, in machine-readable format
• A post-termination data retention period of at least 30 days (60–90 is better) during which you can export
• An explicit commitment to delete your data after the retention period (and a certificate of deletion on request)

For AI platforms specifically: ensure you can export not just your input data but also model configurations, fine-tuning datasets, and generated outputs that you want to retain.

6. Liability cap set below the value of the contract

Almost every SaaS agreement caps the vendor's liability at 12 months of fees paid — or sometimes just 3 months. For a $50/month tool, this cap is trivial. For a $100,000/year enterprise contract, this means the most you can recover if the vendor destroys your data, breaches your confidentiality, or causes business disruption is $100,000 — regardless of your actual damages.

Combined with a mutual exclusion of consequential damages (which typically covers lost revenue, lost profits, and business interruption), the net effect is that SaaS vendors have almost zero financial exposure for catastrophic failures.

What to negotiate:
• A liability cap at 12 months of fees is reasonable for general claims, but for data breaches and IP infringement, push for a carve-out with a higher cap (2–3x annual fees)
• Exclude your own consequential damages waiver for data breaches and gross negligence
• For sensitive use cases (healthcare, financial services, legal), require the vendor to carry adequate cyber insurance and name you as an additional insured

This is more negotiable than vendors let on in enterprise deals. The standard click-through terms are the starting point, not the final answer.

7. Acceptable use policy that can trigger immediate termination

SaaS contracts include acceptable use policies (AUPs) that define prohibited uses — typically illegal activity, abuse, and security violations. That's reasonable. The red flag is AUPs that are broad, vague, and enforce termination with no notice and no cure period.

Watch for:
• AUP violations defined broadly enough to cover ordinary business use ("excessive API calls," "automated access," "commercial purposes" without a clear definition)
• Termination rights triggered by AUP violations without prior notice or a cure period
• No obligation to restore service or provide a data export if the vendor terminates for AUP violation
• The vendor's right to determine, in its sole discretion, whether a violation has occurred

What to require:
• A specific, exhaustive list of prohibited activities (not open-ended catch-all language)
• Prior written notice and a 10–15 day cure period before termination for AUP violations
• A right to export your data even if the vendor terminates for an AUP violation
• A dispute mechanism if you believe the vendor's termination decision was incorrect

For AI-specific products, pay particular attention to "output restrictions" — some AI vendors prohibit using their services to generate content that competes with their own products or that they unilaterally deem harmful. Understand what this means for your use case before signing.