SaaS contract review, redline, and disputes
I am Sergei Tokmakov, a California attorney (CA Bar #279869) who has reviewed and drafted SaaS contracts since 2011. This page covers what I do on the SaaS side: order-form negotiation, master-services-agreement redlines, indemnification and liability-cap fights, auto-renewal disputes under California law, data processing addenda, IP assignment for integration partners, and post-signature breach analysis. If you are a vendor, customer, channel partner, or investor reviewing SaaS terms before signature or after a deal goes sideways, this is the page you wanted to find.
Matters I handle in this area
- Order forms and MSA redlines. Reviewing vendor paper for asymmetric terms, then producing a clean redline with attorney commentary. Common targets: uncapped indemnities, mutual versus one-way limitation of liability, IP indemnity carve-outs, service-level credits versus refunds.
- Auto-renewal and cancellation disputes. Customers locked into multi-year terms after a missed cancellation window. California Business and Professions Code section 17602 (Automatic Renewal Law) applies to many B2C SaaS subscriptions and some B2B fact patterns.
- Data processing addenda and security exhibits. CCPA/CPRA service-provider language, GDPR Article 28 controller-to-processor terms, sub-processor flow-down, and breach-notification windows that match the customer's downstream obligations.
- Indemnification and liability cap negotiation. Carve-outs from the liability cap for IP indemnity, breach of confidentiality, data breach, gross negligence, and willful misconduct. Super-cap structures and insurance-required language.
- Integration partner and reseller agreements. Revenue share, marketplace listing terms, OEM and white-label, technology partner programs, and the IP cross-license that almost always gets drafted too narrowly.
- SaaS termination and data return. Customer offboarding, transition assistance, escrow of source code, and the data-return-or-destroy windows that routinely conflict with the customer's own retention obligations.
- Breach and dispute work. Demand letters for non-payment, wrongful termination, failure to deliver promised features, and material breach claims. Pre-arbitration or pre-litigation posture, including AAA Commercial arbitration when the contract requires it.
Anonymized case studies
Series A SaaS vendor faced an uncapped IP indemnity from a Fortune 500 customer
Facts: An early-stage analytics company was about to sign a six-figure enterprise deal but the customer's redline demanded uncapped IP indemnification and a "sole and exclusive remedy" clause that did not include refund of prepaid fees. The vendor's existing liability cap was 12 months of fees. The customer's procurement team had pushed back twice on prior redlines.
What I did: I redlined the indemnity to a super-cap at 2x annual fees, added a procurement-side carve-out for the customer's contributory infringement, and rewrote the "sole and exclusive remedy" clause so that injunction and termination-with-refund remained available for material breach. I drafted a one-page negotiation memo for the founder to send back with the redline explaining why each change tracked customary enterprise SaaS practice.
Outcome: The customer accepted the super-cap and the contributory-infringement carve-out. The "sole and exclusive remedy" language was clarified to preserve termination rights. The deal closed on the original timeline.
Customer locked into a three-year auto-renewal after a missed cancellation notice
Facts: A small business customer subscribed to a marketing-automation SaaS at roughly $24,000 per year. The original term was one year with automatic renewal for successive three-year terms unless terminated 60 days before the renewal date. The customer missed the cancellation window by three days. The vendor invoiced for the full three-year renewal up front.
What I did: I reviewed the original click-through agreement, the renewal notice the vendor claimed to have sent, and the customer's email archive. The renewal notice did not satisfy the California Automatic Renewal Law's clear-and-conspicuous disclosure requirement for the renewal terms. I sent a demand letter citing Business and Professions Code section 17602 and demanding either a release from the renewal or a converted month-to-month term.
Outcome: The vendor agreed to convert the renewal to a one-year term at a discounted rate, with a clear cancellation reminder 90 days before the next renewal. The customer cut its contested exposure by roughly $40,000.
API partner program demanded broad IP assignment for "co-developed integrations"
Facts: A boutique CRM integrator was signing a partner agreement with a large platform. The partner agreement included a clause assigning to the platform all IP in any "co-developed integration" without defining co-development and without carve-outs for the integrator's pre-existing tools and libraries.
What I did: I rewrote the assignment clause as a license-back. The integrator retained ownership of all pre-existing IP and any independently developed code. The platform got a non-exclusive, royalty-free license to use the integration within the marketplace, plus a right of first negotiation for exclusive resale. I also added a marketplace-removal cure period so the platform could not delist the integration without 30 days' notice and a stated reason.
Outcome: The platform accepted the license-back structure. The integrator preserved the right to sell similar integrations to competing platforms, which became a significant percentage of its revenue within twelve months.
Controlling California statutes and federal authority
Below are the rules I most often apply or cite in SaaS work. This is a working list, not a treatise.
- Cal. Civ. Code section 1668, voiding contractual exemptions from liability for fraud, willful injury, or violation of law.
- Cal. Civ. Code sections 1670.5 and 1671, unconscionable contracts and liquidated damages.
- Cal. Bus. and Prof. Code section 17602, the Automatic Renewal Law, applied to many SaaS subscriptions.
- Cal. Bus. and Prof. Code section 17200, Unfair Competition Law, often pled alongside breach for deceptive renewal or termination practices.
- Cal. Civ. Code section 1798.100 et seq., CCPA/CPRA, particularly the service-provider and contractor definitions in section 1798.140 and the contractual language required to qualify.
- Cal. Comm. Code Division 2, UCC Article 2 sales of goods, occasionally relevant when SaaS is bundled with hardware or licensed-and-delivered software.
- Federal Defend Trade Secrets Act, 18 U.S.C. section 1836, for misappropriation tied to SaaS access.
- CCPA/CPRA regulations issued by the California Privacy Protection Agency, including the recent automated decisionmaking and risk-assessment rules.
- GDPR Articles 28 and 32, controller-to-processor terms and security of processing, when the customer has EU data subjects.
- AAA Commercial Arbitration Rules and Mediation Procedures, when the contract requires AAA Commercial rather than Consumer rules.
- California case law: Armendariz v. Foundation Health Psychcare Servs., 24 Cal.4th 83 (2000), on arbitration unconscionability; Sanchez v. Valencia Holding Co., 61 Cal.4th 899 (2015), on the unconscionability standard for arbitration clauses after Concepcion; McGill v. Citibank, 2 Cal.5th 945 (2017), on public injunctive relief; and Discover Bank v. Superior Court, 36 Cal.4th 148 (2005) (pre-Concepcion baseline on class waivers).
I confirm citations against the current text of the controlling statutes and rules before they go into a client deliverable. Statutes and AAA fee schedules change; a citation copied from a headnote or a prior deliverable is not enough.
Sample contract issues I check on every SaaS review
This is the checklist I run on a typical vendor or customer paper review. Each item produces a concrete redline note.
- Limitation of liability: is the cap symmetric, what is the multiple of fees, and what are the carve-outs.
- Indemnification: is IP indemnity bilateral, is there a duty to defend, what are the procurement-side conditions.
- Auto-renewal: how is renewal notice delivered, what is the cancellation window, does the disclosure satisfy Business and Professions Code section 17602.
- Service levels: is uptime credit the sole remedy, is there a chronic-failure termination right, are credits stackable.
- Data processing: is the DPA incorporated by reference, are sub-processors named, what are the breach-notice windows, and do those windows run from discovery or from confirmation, leaving the customer room for its own downstream deadlines (for example the 72-hour controller notification under GDPR Article 33 where it applies).
- IP assignment versus license: who owns custom work, what survives termination, are background IP and feedback handled separately.
- Dispute resolution: which forum, which arbitration rules, which seat, is there a class-action waiver, is there a public-injunctive-relief carve-out.
- Termination for convenience and for cause: cure periods, refund of prepaid fees, transition assistance, data return or destruction.
- Confidentiality: how long does it survive, what are the carve-outs, and does the DPA, rather than the general confidentiality clause, govern personal data.
- Insurance: required policies, limits, additional-insured status, notice of cancellation.
What changes between a vendor SaaS review and a customer SaaS review
The clauses overlap. The instinct does not. On vendor paper I am usually looking for the carve-outs that protect the vendor's existing margin, and the integration-partner and reseller arrangements that allow the vendor to expand without re-papering. On customer paper I am usually looking for the cap structure, the data return mechanics on exit, and the SLA credit math that the vendor's commercial team has rounded off in its favor. A simple, recurring example: the same uptime SLA, written from the vendor side, makes service credits the sole and exclusive remedy and excludes scheduled maintenance from downtime; written from the customer side, it pairs credits with a chronic-failure termination right and tightens the maintenance-window definition. The contract is the same length; the leverage is different.
I also push customer-side reviews harder on the data processing addendum. The DPA is the document that survives the deal team's negotiation, gets signed under time pressure, and then quietly governs how your customer data is handled for the next two to four years. The DPA I see most often is the one that does not name sub-processors, does not commit the vendor to a breach-notification window the customer can pass through to its own customers, and does not align sub-processor flow-down with the underlying customer contracts.
SaaS dispute work after the contract is signed
When a SaaS deal has already gone sideways, the playbook depends on who has stopped performing. If the customer has stopped paying and the vendor has stopped delivering, the contract usually has a sequencing problem: who breached first, and is the other side's non-performance excused by the first breach. I open dispute-side SaaS work by mapping the sequence: what was promised, what was delivered, what was paid, and what notice went out. The recurring pattern is that one side stopped working long before it told the other side, and the email record either supports that read or undermines it. I pull the email record before I draft anything.
The other recurring SaaS dispute is a feature-delivery failure where the vendor missed a critical promised feature and the customer wants a refund. The contract usually does not allow a refund; service-credit-as-sole-remedy clauses do most of the work to prevent that. The leverage comes from the implied covenant of good faith and fair dealing, from any "material breach" definition tied to the feature in the SOW or the order form, and occasionally from misrepresentation if the feature was sold in writing as already shipped. I lay out the leverage in a one-page memo before the demand letter so the client can decide whether the realistic outcome is a partial refund, a credit toward an extended term, or a termination with a structured wind-down.
Typical fee ranges
The bracket above is the menu, not a quote. Long enterprise paper, multi-jurisdictional DPAs, or aggressive procurement counterparts move the price toward a scoped quote. I will tell you which tier fits before you pay.
Indemnification language patterns I recommend or push back on
Indemnification is the clause that determines who pays when the deal goes wrong, and the recurring failure mode is asymmetric drafting that nobody reads carefully until a claim arrives. A working pattern: bilateral IP indemnity (vendor indemnifies for the service infringing third-party IP; customer indemnifies for customer-supplied data infringing third-party IP), with mutual procurement-side conditions (prompt notice, right to control defense, customer cooperation), and a defined exclusion for combinations and modifications by the customer. The defense obligation should be paired with a "settle with consent" clause that does not allow either side to settle without the other's reasonable consent if the settlement imposes a non-monetary obligation on the indemnified party.
I push back on three drafting patterns regularly. First, "sole and exclusive remedy" clauses paired with an IP indemnity, which can render the indemnity nominal if the cap is low. Second, indemnity carve-outs for "open-source components" without a defined list, which can swallow most modern SaaS stacks. Third, "duty to defend" language that imposes the cost of defense on the indemnitor but does not transfer control of the defense, creating a structural conflict that surfaces only after a claim is filed.
Frequent questions I get on SaaS engagements
Can you turn a redline around in 48 hours? On standard-length paper (under 20 pages), yes. I will tell you in the intake reply whether the timeline is realistic. Multi-document packages take longer.
Do you negotiate directly with the counterparty? I do, on request, at the hourly rate. Many clients prefer to negotiate themselves with my one-page negotiation memo in hand. Either model works.
Can you sign as outside general counsel? No. I take defined-scope engagements. If you need ongoing outside-counsel coverage, I refer to a small set of boutique firms that do that work; I will not pretend to be that firm.
What if the contract has already been signed? Then the matter is in dispute or amendment territory. I review the signed paper, identify the realistic dispute or amendment leverage, and tell you what an attorney letter or a structured amendment proposal would change about the conversation.
How do you handle privilege when I send you a copy of the contract by email? An initial intake email about a matter, sent for the purpose of seeking legal advice, is generally privileged. I do not share intake content with anyone. Once an engagement letter is in place, the privilege scope is formalized in writing.
How quickly do you respond? Same business day or next business day for intake. Engagement letter typically goes out within one business day of a clear scope. Substantive deliverables are scoped against your timeline; I tell you on the front end whether the timeline is realistic.
When to engage me, when to handle it internally, when to go to a large firm
Engage me when the deal value is in the five to mid-six figures, the paper is between five and forty pages, and you want a working redline with attorney commentary and one negotiation pass. Founders, in-house counsel, and operators who want a second set of eyes on a vendor's "standard" paper are the natural fit. Cross-border SaaS deals with US, Canadian, UK, Singapore, or Hong Kong counterparts are inside my lane.
Handle it internally when the contract is your own template, the counterparty has accepted it without redline, and there is no DPA or IP-assignment overlay. A clean template signed without redline by both sides is rarely a SaaS problem; it is a sales motion working as designed.
Go to a large firm when the deal value crosses seven figures, when the contract is part of an M&A or financing process with disclosure-schedule and rep-and-warranty exposure, or when the dispute has matured into a multi-party class action or a regulatory enforcement action. A boutique attorney is not the right operator for a Wilson Sonsini, Gunderson, or Cooley level transaction; for those, hire the firm and let me consult on the SaaS-specific clauses if you want a second view.
Send the SaaS situation summary
Email me with the agreement attached and a few lines on your role and timeline. I respond personally, usually within one business day.
What to include: the agreement file or link, whether you are vendor or customer, the deal value or contested amount, the signature or renewal deadline, and one paragraph on what you want changed or recovered.