SaaS Agreement Red Flags: What to Check Before You Sign

SaaS / MSA · 6 min read · Published 2026-05-29

SaaS agreements are designed by vendor legal teams to favor the vendor. Most people click through them without reading. That's fine for a $10/month subscription — but for a $50,000/year enterprise tool, it can mean unexpected renewal commitments, no exit path for your data, and zero recourse when the software goes down during your most critical period. Here's what to look for.

1. Auto-renewal with a short cancellation window

The most costly SaaS contract provision for most buyers. The pattern: the contract automatically renews for another full term (often a year) unless you provide written notice of cancellation within a narrow window — typically 30–90 days before the renewal date.

Miss the window by a day, and you're locked into another year at the current price.

What to look for:
• **Notice period**: How many days of advance notice do you need to cancel before auto-renewal? 90 days is long. Push for 30.
• **Who must receive the notice**: Is email sufficient, or does cancellation require written notice via certified mail to a specific legal address? Unreasonable notice requirements can trap you even if you try to cancel on time.
• **Price escalation on renewal**: Does the vendor have the right to increase pricing on renewal? By how much? "At vendor's then-current rates" with no cap is a risk.
• **Calendar the date**: Whatever the notice period, calendar it the moment you sign. The most common auto-renewal trap is simply forgetting.

2. Liability caps that don't protect you

SaaS agreements almost always include a limitation of liability clause that caps the vendor's financial exposure to you. The typical cap: the fees you paid in the last 12 months.

This sounds reasonable until you consider the asymmetry: if the vendor's downtime costs your business $500,000 in lost productivity, and you paid them $20,000 that year, the cap means you can only recover $20,000.

What to negotiate for high-value tools:
• **Higher cap for data breach scenarios**: Many agreements exclude data breaches from liability caps. Push to make this standard.
• **Consequential damages**: Some agreements also exclude consequential damages (lost profits, lost business). For mission-critical software, this is a significant risk.
• **Mutual caps**: Ensure the liability cap is mutual — it should apply to both parties, not just the vendor.

For most small SaaS tools, the default cap is acceptable. For enterprise agreements that represent a material operational dependency, negotiate the cap up and carve out data security incidents.

3. Vague or hollow SLA commitments

Service Level Agreements (SLAs) promise a certain level of uptime and performance. But many SaaS SLAs are designed to look impressive while providing minimal actual protection.

Common SLA tricks:
• **"Commercially reasonable efforts"** to maintain uptime is not a binding commitment — it's an aspiration.
• **Scheduled maintenance exclusions** that aren't bounded: if the vendor can take the service down for maintenance at any time, the "99.9% uptime" guarantee is hollow.
• **Service credits as the sole remedy**: SLA breaches trigger a credit toward future service — not a refund and not a right to terminate. If the service has been down for a week, a credit doesn't compensate for the business disruption.
• **Complex claim procedures**: You must submit a credit claim within X days of the incident, with specific documentation. Many customers never collect credits they're owed because the process is too burdensome.

A meaningful SLA specifies uptime percentage, an explicit methodology for calculating downtime, what maintenance is excluded and when it can occur, specific credit percentages for specific downtime thresholds, and a termination right if SLA failures exceed a certain threshold in a contract period.

4. Data portability and exit rights

What happens to your data when you cancel? For many SaaS tools, the answer is: it disappears. Your CRM history, your processed documents, your customer data — all of it hosted on vendor infrastructure that you no longer have access to.

What to check:
• **Data export**: Does the contract guarantee you can export your data in a standard, machine-readable format (not a proprietary format that requires the vendor's software to read)?
• **Export window**: How long after cancellation do you have to export your data before it's deleted? 30 days is standard.
• **Deletion timeline**: When does the vendor delete your data after cancellation? Confirm this is in writing, especially if you're subject to GDPR, CCPA, or other privacy regulations.
• **Data ownership**: The contract should explicitly state that you own your data. Most do — but verify.

For tools holding sensitive data, negotiate an explicit data return and deletion schedule as a contractual obligation, not just a policy statement in the privacy policy.

5. Broad license grants and data use permissions

SaaS agreements require you to grant the vendor a license to host and process your data in order to provide the service. That's expected. What's not expected — but increasingly common — is language that allows the vendor to use your data for their own purposes.

Watch for:
• **AI training clauses**: "Vendor may use aggregated, de-identified data to improve its services and AI models." If you're uploading sensitive business documents, you may not want them in the training set.
• **Sharing with third parties**: Can the vendor share your data with their "service providers" or "partners" without specifically naming them?
• **"Derivative works"**: Some agreements grant the vendor rights to create derivative works from your data — an extremely broad clause.

What's reasonable: a license limited to providing, maintaining, and improving the specific services you've contracted for, with explicit prohibitions on selling or sharing data for unrelated purposes.

6. No termination for cause right

Most SaaS contracts give the vendor the right to terminate the agreement immediately for your breach. They rarely give you the same right.

What you should have:
• **Right to terminate for material vendor breach**: If the vendor persistently fails to meet SLA commitments, has a data breach, or fails to deliver material functionality, you should have the right to terminate and receive a pro-rated refund.
• **Notice and cure period**: Before either party terminates for breach, there should be a notice requirement (e.g., 30 days) and a cure period — time for the breaching party to fix the problem before termination takes effect.
• **Termination for convenience**: For agreements over 1 year, negotiate the right to terminate for convenience with reasonable notice (60–90 days) and a pro-rated refund for unused service.

Without termination rights, you can be locked into a contract with a vendor who has failed to deliver, with no exit path until the term expires.