The terms of service and subscription agreement are the most important legal documents a SaaS business will produce, and most companies treat them as a box-ticking exercise. A terms document copied from a competitor or generated from a generic template doesn't reflect your actual product, your actual data practices, or the liability profile of your specific business. When something goes wrong — a data breach, a disputed refund, an enterprise customer claiming damages — your terms are the first document anyone looks at.
Subscription terms vs terms of service: what's the difference?
Terms of service govern the general use of your platform — acceptable use, account registration, prohibited conduct, and the general relationship between the user and the product. A subscription agreement governs the commercial relationship — plan pricing, billing cycles, cancellation, refunds, and enterprise-specific commitments.
Consumer-facing SaaS products typically combine both into a single terms of service document. B2B SaaS products, particularly those with enterprise or custom pricing, often maintain separate documents — public terms of service for standard accounts and a master subscription agreement (MSA) for enterprise customers.
The key is that both documents exist and are accessible. A terms of service buried in a footer link satisfies the legal requirement for notice, but it won't hold up as strongly in a dispute as one that was actively presented and accepted at account creation.
Data processing and privacy obligations
If your SaaS product processes personal data — which includes email addresses, usage analytics, payment information, and any data that can identify an individual — your terms must address how that data is collected, used, stored, and shared.
For Australian-based businesses, the Privacy Act 1988 and the Australian Privacy Principles (APPs) set the baseline obligations. If you have users in the European Union, GDPR applies to those users regardless of where your company is incorporated. If you handle health data, financial data, or children's data, additional sector-specific obligations apply.
Your terms should reference your privacy policy and, if you process data on behalf of enterprise customers, include a data processing addendum (DPA) that describes your processing activities, sub-processors, data retention practices, and security measures. Enterprise buyers increasingly require a DPA as a condition of procurement.
Uptime SLAs and service credits
Enterprise and mid-market customers will ask about your uptime commitment. An SLA (service level agreement) specifies the minimum level of service you commit to — typically expressed as a percentage of monthly uptime (99.9% is common; 99.99% is ambitious but sometimes required for critical infrastructure).
SLAs should define how uptime is calculated, what constitutes scheduled versus unscheduled downtime, the process for customers to claim service credits when the SLA is breached, and the remedies available (typically a credit against future invoices, not a refund).
Match the SLA you commit to against the infrastructure you have actually built to support it. An SLA that you regularly breach — even if you're providing service credits — creates churn risk and reputational damage. Only commit to the level of service you can reliably deliver.
Fair use and acceptable use policies
Unlimited plans are never truly unlimited. A fair use policy or acceptable use clause defines the baseline level of usage that's included in each plan tier and gives you the right to charge for or restrict excessive usage.
Without this clause, a customer on a $99/month plan who sends ten million emails or makes ten thousand API calls per day can claim they're within their agreement. With it, you have a contractual basis for usage-based billing, throttling, or plan upgrades.
Acceptable use policies should also prohibit specific harmful uses — spam, phishing, generating illegal content, reverse engineering, and any use that violates applicable law. These clauses protect both your platform and your other users.
Liability limitations and indemnification
Limitation of liability is the most commercially important clause in your subscription terms. It caps your total liability to a customer — typically at the amount of fees paid in the twelve months prior to the claim — and excludes liability for indirect and consequential losses.
Without this clause, a customer who claims your platform caused them a business loss could seek damages that dwarf your annual revenue from that account. With it, your maximum exposure is defined and manageable.
The indemnification clause should specify that customers indemnify you against claims arising from their use of the platform, their content, and their violations of the terms. This is standard and reflects the reality that you cannot control how customers use your product.
Your terms of service are your primary legal protection in every customer relationship. Treat them as a living document — reviewed annually and updated when your product, your data practices, or the law changes.