Is your SaaS contract worth signing?
I draft and redline the full SaaS contract stack, from terms of service and privacy policy to DPAs, MSAs, and order forms, and I send attorney demand letters when a software deal goes wrong. One California attorney across contract drafting, contract review, and demand letters.
Describe your SaaS situation
Tell me what is happening with your software business and I will point to the contract or letter that fits. A full document review is the $240 Written Attorney Consultation, not this chat. AI-generated legal information, attorney-supervised, not legal advice.
Terms of Service or EULA
Use it when: anyone can sign up and use your product online.
Key clauses: acceptance and clickwrap, license grant and restrictions, payment and auto-renewal, disclaimers, limitation of liability, governing law and dispute resolution, termination.
Watch-point: an unsigned, browsewrap TOS is weak. Use clickwrap acceptance at sign-up and keep dated versions so you can prove what the customer agreed to.
Privacy Policy
Use it when: you collect any personal data, which is essentially always.
Key clauses: data collected, purposes, sharing and sub-processors, retention, user rights, cookies, international transfers, contact and complaints route.
Watch-point: the policy has to match what your product actually does. A copied policy that overpromises or omits a real data flow is a bigger risk than a plain accurate one.
SLA
Use it when: you make uptime or support commitments to paying customers.
Key clauses: uptime percentage and measurement, exclusions and maintenance windows, support response times, service credits as the remedy, credit caps.
Watch-point: tie the customer's remedy to capped service credits, not open-ended damages, and define how uptime is measured so a bad month does not become a liability claim.
Acceptable Use Policy
Use it when: you need clean grounds to suspend abusive or illegal use.
Key clauses: prohibited content and conduct, security and integrity rules, rate and resource limits, enforcement and suspension rights, reporting.
Watch-point: incorporate the AUP into the TOS by reference and reserve the right to suspend immediately for security or legal violations, so enforcement is contractual, not improvised.
Order Form
Use it when: you sell paid plans or enterprise deals under a master agreement.
Key clauses: product and tier, quantity and seats, price and billing term, start date and renewal, the master agreement it incorporates.
Watch-point: keep commercial terms on the order form and legal terms in the MSA, so sales can close a deal without re-opening the negotiated contract every time.
DPA
Use it when: you process personal data on a customer's behalf and they ask for one.
Key clauses: the Article 28(3) details (subject matter, duration, nature, data types, data subjects) plus the (a) to (h) obligations, sub-processor terms, transfer mechanism, deletion or return, audit cooperation.
Watch-point: a DPA that just names GDPR without the Article 28(3)(a) to (h) obligations will not survive an enterprise legal review. The obligations have to be in the text.
Sub-processor Terms
Use it when: you use vendors (hosting, email, analytics, payroll) that touch customer data.
Key clauses: authorization model (specific or general), notice of new sub-processors and the right to object, flow-down of the same data-protection obligations, a current sub-processor list.
Watch-point: Article 28(2) bars engaging a sub-processor without the controller's authorization; under general authorization you must give notice and an opportunity to object. Skipping that breaches the DPA.
Security Addendum
Use it when: customers want documented technical and organizational measures.
Key clauses: access controls, encryption in transit and at rest, logging, vulnerability management, incident response and breach notification timing, personnel and confidentiality.
Watch-point: commit to measures you actually run. Article 28(3)(c) ties the processor to Article 32 security, so an aspirational addendum you do not follow becomes a contractual gap.
BAA
Use it when: your SaaS touches protected health information for a HIPAA-covered customer.
Key clauses: permitted uses and disclosures of PHI, safeguards, subcontractor flow-down, breach notification, return or destruction at termination.
Watch-point: a BAA is a HIPAA-specific contract and does not replace a GDPR DPA or CCPA terms. If you serve health customers across regimes, you may need more than one data contract.
MSA
Use it when: you sell to enterprise customers who negotiate and sign.
Key clauses: services and order forms, fees and payment, confidentiality, IP ownership, warranties, indemnities, limitation of liability, term and termination, governing law.
Watch-point: the liability cap and indemnity are where enterprise deals are won or lost. Anchor your own paper rather than starting from the customer's redline if you can.
Subscription Agreement
Use it when: you bill on a recurring basis and need clean renewal and cancellation terms.
Key clauses: subscription term, auto-renewal and notice, fees and increases, suspension for non-payment, data on termination, refund policy.
Watch-point: auto-renewal terms are regulated. Build in the required notice and clear cancellation so a renewal does not turn into a consumer-protection complaint.
Commercial SLA
Use it when: an enterprise customer wants a contractual uptime and support commitment.
Key clauses: tiered uptime, escalation paths, named support contacts, credit schedule, chronic-failure termination right.
Watch-point: enterprise SLAs often add a termination right for repeated misses. Cap that exposure and define measurement so credits stay the primary remedy.
Reseller or Partner Agreement
Use it when: another company sells, bundles, or refers your product.
Key clauses: appointment and territory, pricing and margin, who owns the customer relationship and data, marketing rules, term and termination, post-termination handling.
Watch-point: be explicit about who contracts with the end customer and who carries the DPA obligations, or a data request can land on the wrong party.
API Terms
Use it when: you expose an API or developer platform to third parties.
Key clauses: license scope, rate limits and quotas, acceptable use, data handling and user-data restrictions, deprecation and change rights, branding rules.
Watch-point: reserve a clear right to change, throttle, or deprecate the API, and restrict what developers may do with end-user data they pull through it.
Beta Agreement
Use it when: you give early access to pre-release features.
Key clauses: as-is disclaimer, feedback license, confidentiality, no-SLA and no-warranty terms, right to discontinue, data handling during the trial.
Watch-point: keep beta strictly as-is with no SLA, and take a license to feedback, so an experimental feature does not create production-grade obligations.
Success-fee or Contingent SaaS
Use it when: your pricing is a percentage of a recovery, refund, or tax credit you help find.
Key clauses: precise fee trigger and base, what counts as a success, refund and clawback if a credit is reversed, scope of the service, disclaimers about who is and is not giving tax advice.
Watch-point: percentage-of-credit pricing sits in a heightened-scrutiny enforcement area. Circular 230 limits contingent fees for matters before the IRS, and the success-fee structure should be reviewed before launch, not assumed permissible.
GDPR Article 28: the processor contract
What a DPA must contain when you process personal data on a customer's behalf
- Process only on the controller's documented instructions, including for international transfers. (Art. 28(3)(a))
- Ensure people authorized to process the data are under confidentiality. (Art. 28(3)(b))
- Take all security measures required under Article 32. (Art. 28(3)(c))
- Respect the sub-processor authorization and flow-down conditions in Article 28(2) and (4). (Art. 28(3)(d))
- Assist the controller in responding to data-subject rights requests. (Art. 28(3)(e))
- Assist with the obligations in Articles 32 to 36 (security, breach notice, DPIAs, prior consultation). (Art. 28(3)(f))
- Delete or return all personal data at the end of services, at the controller's choice. (Art. 28(3)(g))
- Make available the information needed to demonstrate compliance and allow for and contribute to audits, including inspections. (Art. 28(3)(h))
CCPA / CPRA: service-provider and contractor contracts
What a California service-provider contract has to say
- A service provider (Civ. Code 1798.140(ag)) must be under a written contract that prohibits selling or sharing the personal information, prohibits using or disclosing it beyond the specified business purposes or outside the direct business relationship, and prohibits combining it with information from other sources, subject to enumerated regulatory exceptions.
- A contractor (Civ. Code 1798.140(j)) is subject to the same prohibitions plus a certification that it understands and will comply with the restrictions.
Success-fee and contingent pricing: the federal backdrop
Why percentage-of-recovery SaaS pricing needs a closer look
- Circular 230 (31 CFR 10.27(b)) generally prohibits a practitioner from charging a contingent fee for services in connection with a matter before the IRS, with three narrow exceptions, and 10.27(c)(1) defines a contingent fee to include a percentage of the refund or tax saved.
- On September 14, 2023, the IRS announced a moratorium on processing new Employee Retention Credit claims, citing aggressive ERC marketing and a surge of questionable claims, and said some honest businesses were misled by promoters who oversimplified eligibility.
- 2025 federal enforcement provisions (the One, Big, Beautiful Bill) strengthened ERC enforcement, including barring allowance or refund of Q3 and Q4 2021 ERCs for claims filed after January 31, 2024, and imposing due-diligence penalties on certain promoters.
What it costs to work with me
Flat fees, no hourly surprises on the defined scope. Drafting and redline is one ladder; demand letters and escalation are another. Overflow on unusually large matters bills at $240 per hour.
Create or Redline a SaaS Contract
I draft or redline one SaaS agreement (TOS, privacy policy, DPA, MSA, subscription, order form, SLA, AUP, API terms, reseller). Up to three rounds of email revisions. Brief written comments on the key issues. Overflow at $240 per hour.
Written Attorney Consultation
Send your question, a short factual summary, and the key documents. I send back a written attorney response on the main legal issues, risks, leverage points, and next steps. The $400 1-Hour Zoom Strategy Session is the live option.
Attorney Demand Letter
One attorney letter on firm letterhead for a SaaS dispute, USPS certified plus email, up to two client revision rounds, review of the first response, and a narrow counter-response where strategic. The $1,200 Litigation-Leverage Demand Package adds a court-ready draft complaint or arbitration demand.
Larger matters: the $1,200 Litigation-Leverage Demand Package and the $1,500 Pre-Litigation Negotiation Phase are described in the escalation section. Filing or appearing as counsel of record in California is a separate, quoted engagement.
If you received one of my demand letters and you are reading this to judge whether I follow through: I do. A demand letter is the first move, not the only move. When a demand is ignored or no settlement is reached, I escalate where the facts and economics support it.
What is the difference between a TOS, an EULA, and an MSA for my SaaS?
A terms of service (TOS) governs an online, self-serve relationship and is usually accepted by clickwrap at sign-up. An EULA is a software license, more common when you ship installable software or an app rather than a hosted service. A master service agreement (MSA) is a negotiated, signed contract used for enterprise or higher-value customers, with order forms and statements of work hanging off it. Many SaaS companies use a clickwrap TOS for self-serve customers and an MSA for enterprise. I draft and redline all three.
Do I need a DPA, and what has to be in it?
If you process personal data of EU or UK individuals on a customer's behalf, GDPR Article 28(3) requires a written contract (a DPA) that sets out the subject matter, duration, nature and purpose of processing, the type of personal data, and the categories of data subjects, and that imposes the specific processor obligations in Article 28(3)(a) through (h): documented instructions, confidentiality, Article 32 security, sub-processor controls, assistance with data-subject rights, assistance with Articles 32 to 36, deletion or return of data at the end, and audit cooperation. For California consumers, the CCPA requires service-provider contract terms under Civil Code 1798.140(ag). I draft DPAs that track these requirements; the exact terms depend on whether you are a processor, a sub-processor, or a controller.
Enterprise customers are demanding audit rights and a DPA before signing. How do I respond?
This is normal enterprise procurement. GDPR Article 28(3)(h) requires a processor to make available the information needed to demonstrate compliance and to allow for and contribute to audits, including inspections, by the controller or an auditor it mandates. Most SaaS vendors satisfy this through a DPA that offers a security questionnaire, third-party audit reports such as SOC 2, and audit rights scoped to reasonable notice, frequency, and confidentiality rather than open-ended on-site inspection. I redline customer DPAs and audit clauses so they meet the legal standard without exposing your operations to unbounded inspection.
Can I charge a percentage success fee on tax credits I find for SaaS customers?
This is a heightened-scrutiny area. Circular 230 (31 CFR 10.27) generally prohibits a practitioner from charging a contingent fee for services rendered in connection with a matter before the IRS, with narrow exceptions, and the IRS has publicly criticized aggressive contingent-fee promoter marketing around the Employee Retention Credit. Whether a software-only platform that merely surfaces potential credits is a practitioner caught by that rule, and whether percentage-of-credit pricing for a discovery tool is itself prohibited, are matter-specific questions I do not resolve without a Circular 230 and practitioner-status analysis. State contingent-fee and consumer-protection exposure is separate. If your model includes success-fee pricing, treat the fee structure as a legal-review item, not a settled assumption.
Which SaaS contracts should I prioritize first?
For a self-serve SaaS launching to the public, the first priority is a clickwrap TOS and a privacy policy, because those govern every sign-up and your data practices. If you handle personal data on behalf of customers, a DPA comes next, since customers will require one before signing. An order form and an SLA matter once you sell paid plans or make uptime commitments. An MSA, reseller terms, and API terms come in as you move upmarket or open a partner channel. I can sequence this with you in a written consultation.
What happens if the other side ignores a demand letter you send for my SaaS dispute?
I do not stop at the letter. When a demand is ignored or no settlement is reached, I tell you honestly whether the economics support escalation. The demand letter and the $1,500 Pre-Litigation Negotiation Phase are the pre-litigation steps. Filing a complaint, initiating arbitration, and appearing as counsel of record are a separate, separately quoted engagement, not an automatic add-on. I file complaints and represent clients when the matter calls for it, and the California-only limit applies to appearing as counsel of record.