California attorney · CA Bar #279869

SaaS legal package attorney

I'm Sergei Tokmakov, a California attorney. If you're selling SaaS and enterprise procurement is asking for an MSA, DPA, security addendum, AI policy, and BAA, you need the full stack delivered at once, not redrafted by counsel three times. I deliver a procurement-ready package that clears enterprise security review.

1,500+ contracts drafted
700+ Upwork reviews
14+ years in practice
100% job-success score
Cal. Civ. Code § 1798.100
Quick answer

A procurement-ready SaaS legal stack includes an MSA, TOS, Privacy Policy (aligned with the CCPA, Cal. Civ. Code § 1798.100 et seq., the CPRA, and the GDPR), a DPA with Article 28 processor terms and Standard Contractual Clauses for international transfers, a CCPA/CPRA addendum, an AI usage policy and DPIA template if generative AI is in the product, and Business Associate Agreements where Protected Health Information is in scope. Enterprise buyers in 2025-2026 read the documents before signing; templates fail at procurement. The package is interlocking by design, so each document references the others without contradiction.

MSA + DPA
Two-doc core
Privacy
CCPA / CPRA compliant
SCC + DPA
If EU customers
Flat fee
$2,500 package

What I do for SaaS companies

1

Build the MSA and DPA to match data flows.

Master Services Agreement plus Data Processing Addendum is the core. I tune both to the actual data the SaaS handles, not boilerplate.

2

Wire DPA + SCC for EU customers.

EU customer footprint triggers GDPR Article 28 and Standard Contractual Clauses. I wire the DPA + SCC so the SaaS can sign EU deals without bespoke negotiations every time.

GDPR + SCC
3

Build CCPA / CPRA disclosure correctly.

California privacy law has specific disclosure, opt-out, and contact requirements. I build the privacy policy and consumer-rights flow to actual compliance, not to a template.

Civ. § 1798.100 et seq.
4

Balance indemnity and LOL to the deal.

Indemnity caps and limitation-of-liability are where SaaS deals leak risk. I balance them to the deal economics so the SaaS is not signing unlimited downside.

Why this calls for an attorney, not a template

DIY / template

What a self-written package misses

  • Uses generic terms and a one-size privacy policy
  • Misses CCPA / CPRA-specific disclosures
  • Cannot wire DPA + SCC for EU customers
  • Leaves indemnity and LOL unbalanced
Attorney package

What the attorney-drafted package does

  • Tunes MSA, DPA, and privacy policy to actual data flows
  • Wires DPA + SCC for the EU customer footprint
  • Builds CCPA / CPRA disclosure correctly
  • Balances indemnity and LOL caps to the deal economics

A SaaS legal package is not boilerplate: the MSA, DPA, and privacy stack are tuned to the actual data flow and the customer footprint.

The controlling law

California CCPA, Cal. Civ. Code § 1798.100 et seq.

This authority gives California consumers rights to access, delete, correct, and opt out of the sale or sharing of their personal information. § 1798.140 defines "personal information" broadly. The Privacy Policy must disclose categories collected, sources, business purposes, third-party recipients, retention periods, and the rights mechanism. The California Attorney General and the California Privacy Protection Agency enforce.

California CPRA

(effective January 1, 2023) created the California Privacy Protection Agency, added sensitive personal information categories with their own treatment, added a right to correct and a right to limit use of sensitive personal information, and required a Do Not Sell or Share My Personal Information link on the website (conventionally in the footer). Service-provider and contractor contract terms became more specific; the DPA addresses each requirement.

EU GDPR Article 28

This authority requires a written contract between controller and processor specifying processing scope, duration, nature, purpose, categories of data, and processor obligations on confidentiality, security, sub-processors, breach notification, and assistance to the controller. The 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) replaced the older versions and are the default international-transfer mechanism.

EU-US Data Privacy Framework

(adequacy decision adopted July 10, 2023) restored a self-certification path for US data importers, replacing the prior Privacy Shield invalidated in Schrems II. Companies self-certify with the US Department of Commerce. SCCs remain the alternative for importers that do not certify.

HIPAA

At 45 CFR 164.504(e) requires a Business Associate Agreement between a covered entity and any business associate handling PHI. California's Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code § 56 et seq., adds state-level requirements and a private right of action.

EU AI Act

(Regulation (EU) 2024/1689) entered into force in August 2024 and applies in tiers: the prohibited-practice provisions from February 2, 2025, most remaining obligations from August 2, 2026, and some high-risk product categories later still. The Act classifies AI systems by risk (prohibited, high-risk, limited-risk, minimal-risk) and imposes obligations accordingly. SaaS providers serving EU customers in high-risk verticals (employment, education, critical infrastructure, justice administration) need to address Act obligations in the MSA and AI Addendum.

What enterprise procurement actually checks. Most enterprise security reviews follow a similar checklist: (1) a DPA with Article 28 terms and current SCCs, (2) a Privacy Policy aligned with the DPA processing categories, (3) a sub-processor list with a notice mechanism for changes, (4) an audit-rights provision in the MSA, (5) a breach-notification timeline (typically 48-72 hours from awareness), (6) a liability-cap structure that carves data-protection breaches out of the general cap or gives them a higher cap, (7) insurance certificates, and (8) AI provisions covering training data and model outputs. A complete stack passes review in days. An incomplete stack stalls the deal for weeks while counsel sends emails back and forth.

What clients send me

The package is built from a structured intake. Before drafting starts, I ask for the following:

  • A product description: what the SaaS does, who uses it, what data is collected, where it's stored, who else processes it
  • A list of subprocessors: cloud (AWS, GCP, Azure), email (SendGrid, Postmark), analytics (Segment, Mixpanel), CRM (Salesforce, HubSpot), AI inference (OpenAI, Anthropic), and any others
  • A customer-type breakdown: self-serve SMB, enterprise ACV deals, channel partners, resellers, and the rough percentage of each
  • The geographies you currently serve or plan to serve (US-only, EU, UK, Canada, APAC, regulated jurisdictions)
  • Whether the platform touches PHI, financial data subject to GLBA, student data subject to FERPA, or government data subject to FedRAMP or similar
  • Your current legal documents: existing TOS, Privacy Policy, MSA template, DPA template, AI policy, or BAA
  • Recent procurement redlines from enterprise customers, so I see what your buyers actually push back on
  • Insurance details: cyber, E&O, general liability limits and carriers
  • The brand voice (formal, friendly, technical) and any specific terminology your product uses
  • Your business entity, state of formation, and principal place of business

If you don't have everything, send what you have. I tell you what's missing and what affects scope before quoting.

What I send back

$349

SaaS Case Memo

  • Written legal memo scoping your stack needs
  • Customer-type and data-flow analysis
  • Recommendation on which documents to draft
  • Fixed-price quote for the next step
  • Standard turnaround 5-7 business days

For $349 (case memo):

  • A four-to-eight-page written memo scoping the legal stack your company actually needs
  • Mapping of customer types and data flows to specific document requirements
  • Recommendation on which documents to draft fresh and which existing documents to update
  • Fixed-price quote for the next-step engagement (single document, full package, or healthcare overlay)

For $2,500 (full SaaS package):

  • Master Service Agreement (MSA) tailored to your enterprise sales motion
  • Terms of Service (TOS) for self-serve users, with clickwrap enforceability provisions
  • Privacy Policy aligned with CCPA, CPRA, GDPR, and the multi-state US privacy laws
  • Data Processing Agreement (DPA) with Article 28 terms, Standard Contractual Clauses, and CCPA service-provider language
  • CCPA/CPRA addendum (when separate document is preferred)
  • AI usage policy and DPIA template (when generative AI is in scope)
  • Document handoff guide for your sales and customer-success teams
  • Two rounds of revisions based on client and procurement feedback

Healthcare BAA and EU AI Act high-risk overlays are scoped separately.

How the engagement runs

1
Send facts

Email a paragraph + key documents.

2
Scope the stack

I map your data flows and customer types to the documents you need.

3
Draft the package

MSA, DPA, privacy stack, and any addenda in scope.

4
You approve

Two revision rounds included.

5
Deliver

Final documents plus the handoff guide, by email.

6
Negotiate

Three negotiation responses included.

Choose your path

Start here if

Case memo

$349
  • You want a contract-stack audit first
  • You are deciding on a TOS or MSA approach
  • No procurement deadline yet
Start here if

Hourly review

$240/hr
  • You only need one document reviewed
  • Counterparty sent a redline you want sanity-checked
  • No-retainer hourly billing

Frequently asked questions

Q: What's in a SaaS legal package?

A: A procurement-ready SaaS legal package contains the documents a sophisticated buyer asks for during security review. The default stack: a Master Service Agreement (MSA) with the commercial terms; a Terms of Service (TOS) for self-serve users; a Privacy Policy that satisfies the CCPA, CPRA, GDPR, and the state-level privacy laws now in force; a Data Processing Agreement (DPA) with Article 28 processor terms and Standard Contractual Clauses for international transfers; a CCPA/CPRA addendum; an AI usage policy and DPIA template if the platform uses generative AI; and Business Associate Agreements (BAAs) if the platform touches Protected Health Information. The point is to deliver the whole stack at once so enterprise buyers stop emailing you for the missing piece.

Q: Why do I need a separate DPA?

A: The DPA (Data Processing Agreement) is the document enterprise procurement, GDPR auditors, and California Attorney General investigators look for to establish how customer personal data is handled. Article 28 GDPR requires a written contract between controller and processor specifying processing subject matter, duration, nature, purpose, categories of data, and obligations on confidentiality, security, sub-processors, breach notification, and assistance. The CCPA, at Civ. Code § 1798.140(ag) as amended by the CPRA, requires similar contract terms for service providers handling consumer personal information. The MSA can incorporate a DPA by reference, but the DPA itself is a discrete document. Skipping it kills enterprise deals.

Q: Does the AI Addendum matter if I just use OpenAI behind the scenes?

A: Yes. Enterprise buyers in 2025-2026 are asking pointed questions about how customer data flows to underlying AI models, what training rights you have over customer inputs, what data retention happens at the model layer, and how outputs are governed (hallucinations, IP infringement, defamation). An AI Addendum (or AI-specific provisions in the MSA) addresses these questions in writing. The EU AI Act adds another layer for European customers depending on the risk classification of your use case. The AI usage policy is also where you commit to (or carve out of) using customer data to train models, which is a binary procurement gate at most enterprises.

Q: What if I'm in healthcare?

A: Healthcare adds a Business Associate Agreement (BAA) on top of the standard stack. HIPAA at 45 CFR 164.504(e) requires a BAA between a covered entity and any business associate that handles Protected Health Information (PHI). If your SaaS touches PHI, you cannot accept the data without a BAA in place. California adds its own layer through the Confidentiality of Medical Information Act (CMIA), Civ. Code § 56 et seq. The healthcare SaaS package includes the BAA and the CMIA-specific provisions, with separate pricing because the regulatory work is significantly more involved.

Q: What's the difference between TOS and MSA?

A: TOS (Terms of Service) is a unilateral, click-through agreement for self-serve users who sign up online; it is drafted with enforceability concerns front of mind (clickwrap, conspicuous notice, prominent acceptance). MSA (Master Service Agreement) is a negotiated, mutually signed contract for enterprise customers who go through procurement; it tends to have negotiated indemnity, liability caps, audit rights, SLAs, and termination clauses. Most SaaS companies need both: TOS governs the free tier and self-serve plans; MSA governs annual contract value (ACV) deals.

Q: How does CCPA/CPRA affect a SaaS Privacy Policy?

A: The CCPA (Cal. Civ. Code § 1798.100 et seq.) and CPRA add disclosure requirements that go beyond a generic privacy policy. The policy must list categories of personal information collected, sources, business and commercial purposes, third parties shared with, retention periods, and user rights (access, delete, correct, opt out of sale and sharing). The CPRA added sensitive personal information categories with their own treatment. The website must carry a Do Not Sell or Share My Personal Information link (in the specified format), conventionally in the footer. California Attorney General enforcement has produced penalties in settlements with companies whose privacy policies did not match their actual data practices, so the policy needs to align with how data actually flows in the product.

Q: What about international customers?

A: The GDPR applies to processing of EU residents' personal data regardless of where the SaaS is hosted. The DPA needs Article 28 processor terms, and international transfers (any data flow from the EU to the US) need either Standard Contractual Clauses (SCCs) from the European Commission's 2021 update or an adequacy decision (the EU-US Data Privacy Framework, which restored a self-certification path for US importers in July 2023, is the current mechanism for certified companies). The UK has its own International Data Transfer Agreement (IDTA). Switzerland has its own SCC variant. The DPA in the package handles each of these as separate exhibits so the customer's data-protection team has what it needs.

Q: Can I just use a template I found online?

A: Templates work for the cocktail-napkin version of a SaaS launch but fail at enterprise procurement. Buyers in 2025-2026 read the contract before signing, ask for redlines, and refuse to commit ACV unless the documents reflect the actual product and the actual data flow. A template DPA that lists processing categories the platform does not actually perform, or that fails to include the SCCs required for EU transfers, gets rejected and stalls the deal. The attorney-drafted package is built around your specific product, your specific data flows, and your specific target customers, which means procurement teams sign instead of redlining.

Q: How long does the SaaS package take to deliver?

A: Two to four weeks for the standard $2,500 package, depending on intake responsiveness. Week one is intake and information gathering (product walkthrough, data-flow mapping, customer-type analysis). Week two is drafting. Week three is the first revision round based on client feedback. Week four is the second revision round and final delivery. Healthcare and EU AI Act overlays add another one to two weeks. I do not push the package out faster because rushed legal documents fail at procurement; the timeline is what produces documents that close enterprise deals.

Q: What if I just need one document?

A: Single-document work is available at $349 for a written memo or $599+ for a focused review/revision of a single agreement. The $2,500 package is usually the better value once a SaaS company is selling to enterprise because the documents are interlocking (the MSA references the DPA, the DPA references the SCCs, and the Privacy Policy aligns with the DPA processing categories). If you have a one-off TOS or Privacy Policy that needs a check, start with the $349 memo and we can scope from there.

Need the full SaaS stack? Let me deliver it.

Email me a short paragraph about your product, customers, and what enterprise procurement is asking for. I'll respond same day with a scoped flat-fee quote.

Email owner@terms.law