A Buyer’s Checklist for SaaS and Software Vendor Contracts

Short answer: a software vendor contract is a procurement decision that hides inside a legal document, and the buyer who signs without checking the key terms ends up paying more, getting less, and being locked in longer than they planned. The good news is the important terms cluster in a small set of categories — pricing and renewal, data rights, security and privacy, service levels, liability, support, and exit — and the same checklist applies to most SaaS deals. Here is the full checklist our team runs before recommending you sign a software contract, structured so you can use it as a working document on the next vendor you evaluate.

Start with the order form and the master agreement together

Most SaaS contracts come in two pieces: an order form (the short document that states the price and term and is signed by both parties) and a master subscription agreement or terms of service (the long document the order form references). Important terms live in both, and they sometimes conflict. The renewal mechanics, pricing terms, and SLA may be in the order form; the data rights, liability cap, and termination terms are usually in the master agreement. If they disagree, the contract usually specifies which governs, and that is typically the order form.

Read both documents before you sign anything. Buyers regularly sign the order form thinking that is the whole deal, only to discover the binding terms were in the master agreement they never opened. Ask for both, read both, and treat the order form plus everything it incorporates as the contract.

Pricing and renewal

Confirm exactly what you are paying, when, and how it can change:

  • Is the price a per-seat, per-usage, or flat fee? Are there overage charges?
  • What is the initial term length? Month-to-month, annual, or multi-year?
  • Does the contract auto-renew? If yes, what notice is required to cancel, and how is notice delivered?
  • Can the vendor raise prices on renewal? Is there a cap on the increase?
  • Is the renewal price tied to current rates, or is it locked for any period?
  • Are there any taxes, transaction fees, or other charges not included in the listed price?

Data ownership and license

Your data is often the most valuable thing in the relationship. Confirm:

  • Does the contract clearly state you own all your data?
  • Is the license you grant the vendor narrowly scoped to providing the service, or does it extend to "improvement," "training," "research," or other purposes?
  • Can the vendor use your data to train AI models? Is there explicit language excluding training, or an opt-out?
  • How is "Customer Data" defined? Does it cover the metadata about your usage, or only the content you upload?
  • Are there limits on third-party data sharing? Who else can the vendor share your data with?

Security and privacy

For any service handling sensitive data, security commitments are core to the deal:

  • What security certifications does the vendor maintain (SOC 2, ISO 27001, HITRUST)? Can they provide reports?
  • Is there a Data Processing Addendum (DPA) covering any personal data?
  • What is the incident-notification timeline if there is a breach?
  • Where is your data hosted geographically? Does it cross borders in ways that may create regulatory issues for you?
  • Are there encryption commitments — both in transit and at rest?
  • What access controls are in place? Are there role-based permissions, audit logs, and SSO options?

Service levels (SLA)

The uptime number is the headline; the surrounding mechanics determine whether the SLA actually protects you:

  • What is the uptime commitment? (99.9% means up to 8.76 hours of downtime per year.)
  • What is excluded from uptime calculations — scheduled maintenance, force majeure, third-party failures, your own issues?
  • How are SLA remedies structured — service credits as a percentage of fees?
  • Do you have to claim credits within a defined window, or are they automatic?
  • Is there a termination right for chronic or sustained SLA failure?
  • Who measures uptime — the vendor, a third-party monitor, a public status page?

Liability and indemnification

The risk-allocation clauses are where the most damage usually hides:

  • What is the overall liability cap? (12 months of fees is more reasonable than 1 month.)
  • Is the cap mutual?
  • Are indemnification obligations capped, or do they sit outside the cap?
  • Is there a one-way or mutual indemnification for breach, third-party claims, IP infringement?
  • Are "consequential" and "indirect" damages excluded? If so, what categories of harm does that exclude?
  • Are there carve-outs from the cap for the most serious risks (data breaches, willful misconduct, IP indemnity, confidentiality)?

Support and service commitments

Beyond uptime, what response can you actually get when something is wrong?

  • What support tiers are included, and what costs extra?
  • What are the response-time commitments for different priority levels?
  • Are commitments in business hours or 24x7?
  • What channels are available — email, chat, phone, dedicated success manager?
  • Is there a defined escalation path for critical issues?

Exit: termination, data export, deletion

How you leave is as important as how you join:

  • Can you terminate for cause, and what counts as cause? Is there a cure period?
  • Can you terminate for convenience? With what notice and what cost?
  • On termination, how long do you have to export your data?
  • In what formats is data export available? Is bulk export possible?
  • When will the vendor delete your data, and what carve-outs apply (legal retention, backups)?
  • Are there transition-assistance obligations to help you move to a successor system?

Modification and continued-use clauses

Can the vendor change the deal on you?

  • Does the contract require mutual written agreement to amend?
  • If there is a continued-use-is-acceptance clause, what notice is required for changes?
  • Do you have a right to terminate without penalty if the vendor materially modifies the terms?
  • Is "material change" defined, or left to the vendor’s discretion?

Vendor stability and continuity

A few terms address what happens if the vendor changes, struggles, or is acquired:

  • Do your protections survive a change of control or assignment?
  • Is there a source-code escrow option for mission-critical software?
  • What happens if the vendor enters bankruptcy or ceases operations?
  • How long has the vendor been in business? What is their financial profile?

Practical implementation details

Beyond the legal terms, a few operational items can quietly shape your experience:

  • What is the implementation timeline and any required setup fees?
  • What training is included, and what is extra?
  • How are user provisioning and SSO configured?
  • What integrations are available, and do they cost extra?
  • How is API access priced and rate-limited?

Negotiation strategy — pick three priorities

The checklist will surface more issues than you can reasonably negotiate. The mistake is to try to fix everything at once; the result is usually that nothing gets fixed because the vendor tunes out a buyer treating the contract as forty equal battles. Instead, pick the two or three items that matter most for your specific situation, frame them as reasonable requests, and concentrate there. For most buyers the highest-leverage items are some combination of: a price-increase cap on renewal, a meaningful termination right tied to SLA failures, narrowed data-use rights including no AI training, and a workable liability structure that does not exclude the risks that matter most to you.

Vendors expect negotiation on a small set of items and tune out broad rewrites; a focused, professional list usually produces real movement. The items you do not raise will sit in the default position, so make sure the ones you raise are the ones whose default position would actually hurt you.

Red flags that should slow you down

A handful of patterns deserve a hard look before you sign, even if everything else looks fine:

  • A vendor that refuses to provide a copy of the master agreement before signing the order form.
  • A vendor that refuses a DPA for any personal data you will be sharing.
  • A liability cap set at one month of fees, paired with broad indemnity obligations for you.
  • An auto-renewal with a notice window longer than 60 days and no reminder.
  • A right to modify terms unilaterally with continued use treated as acceptance.
  • A complete absence of any termination right outside the renewal date.
  • A vendor that promises capabilities verbally and refuses to put them in the contract.

How to use this checklist

You do not need to fully resolve every item on this list before you sign — for ordinary purchases, knowing the answers to the most important ones is enough. But the checklist serves three roles: it makes sure you have read the contract end to end, it surfaces the items that are negotiable and worth pushing on, and it gives you a record of what you understood you were buying. For larger or more strategic vendor relationships, use it as a working document — fill in the answers, flag the gaps, and use the gaps as your negotiation list before you commit.

If you would rather have the checklist run for you on a specific vendor contract, ClauseAudit reviews software agreements in about a minute and reports on every category above — pricing and renewal, data rights, security, SLA, liability, support, exit, and the rest — with plain-English explanations of where the contract stands on each. It turns a long, dense document into a structured decision you can actually make.

The bottom line

A software vendor contract is a procurement decision dressed up in legal language. The same clusters of terms — pricing and renewal, data rights, security, service levels, liability, support, and exit — decide most of the value and most of the risk in nearly every SaaS deal. Work through them deliberately before you sign, and you will buy software that fits your business rather than software that traps it. If you want help running the checklist on a specific contract, ClauseAudit reviews vendor agreements in about a minute and produces a clean report of where each category stands — so you commit budget and data with confidence rather than crossed fingers.

This guide is general information from ClauseAudit, not legal advice. Laws vary by state and change — consult a qualified attorney for your situation.