
Legal Guide to SaaS Statements of Work 

Navigating Software-as-a-Service (SaaS) agreements can be complex, particularly when it comes to drafting a Statement of Work (SOW) that protects your business interests whilst ensuring regulatory compliance.

With 45% of IT spending shifting to cloud-based solutions by 2024 and major privacy law reforms modernising Australian privacy compliance to align with international frameworks like GDPR, understanding the legal landscape for SaaS SOWs has never been more critical. 

Whether you’re a technology company offering SaaS services or a business purchasing cloud-based software solutions, this comprehensive guide will help you understand the essential legal components needed for effective SaaS Statements of Work under Australian law.

For businesses requiring legal assistance with commercial agreements, our Software and SaaS Lawyers can provide tailored solutions for your specific requirements. 

Key Takeaways

  • SaaS SOWs must comply with Australian Consumer Law, including consumer guarantees and unfair contract terms provisions that expanded significantly in November 2023
  • Privacy obligations under the Privacy Act 1988 and the recent Privacy and Other Legislation Amendment Act 2024 require specific data handling, breach notification, and cross-border transfer provisions
  • Security requirements should align with Australian standards including Essential Eight frameworks, ISM controls, and industry-specific requirements like APRA CPS 234
  • Liability limitations and service level agreements must balance commercial risk whilst avoiding unfair contract terms issues in standard form contracts
  • Government procurement requires compliance with additional frameworks including the Hosting Certification Framework and Protective Security Policy Framework

Understanding the Legal Framework for SaaS SOWs

1. Australian Consumer Law Compliance

The Australian Consumer Law (ACL) forms the foundation of SaaS contract obligations in Australia. The ACL is part of the Competition and Consumer Act 2010 (Cth) and stipulates certain guarantees which all Australian consumers are entitled to, including services provided through SaaS platforms and certain B2B transactions. 

It is illegal for businesses to exclude or modify these guarantees. Where a SaaS product is offered broadly to customers, the Terms of Use will often be considered a standard form contract, which is particularly relevant given recent reforms to the unfair contract terms regime.

2. Unfair Contract Law Compliance

The unfair contract term (UCT) provisions have been significantly strengthened, expanding the circumstances in which a term may be considered unfair and increasing penalties for non-compliance.

From November 2023, small business coverage expanded to include businesses with fewer than 100 employees or less than $10 million turnover, capturing many more SaaS providers and customers. 

Key considerations include:

  • Avoiding unilateral variation clauses without corresponding termination rights.
  • Ensuring liability caps are reasonable and do not exclude essential legal guarantees.
  • Ensuring service credits are not the only available remedy, as this may breach UCT rules.

Learn more about the UCT regime in our detailed guide.

3. Privacy Law Revolution

Australia’s privacy landscape has transformed dramatically with the passage of the Privacy and Other Legislation Amendment Act 2024 (Amendment Act).

The Amendment Act aims to give consumers more control over their personal data and force organisations to improve transparency, security, and accountability, affecting tech startups, e-commerce businesses, healthcare providers, and small businesses collecting customer information. 

Key changes that directly impact SaaS SOWs include stricter consent requirements, new data deletion rights (“right to be forgotten”), and significantly higher penalties reaching up to $50 million for serious breaches.

Separately from the ACL and UCT reforms, Australia’s Notifiable Data Breaches scheme requires organisations to promptly notify affected individuals and the OAIC when an eligible data breach occurs. SaaS providers must have clear processes in place to detect, assess, and report data breaches in compliance with these obligations.

The Amendment Act received Royal Assent on 10 December 2024 and most provisions are now in effect, with some provisions having grace periods.

Need help drafting or reviewing your SaaS agreements? Our experienced SaaS lawyers can ensure your contracts are compliant, commercially sound, and tailored to your business needs. 


Essential Components of SaaS Statements of Work

Service Definition and Scope

Your SaaS SOW must clearly define the software services being provided, including specific modules, environments (production and non-production), API access, and usage metrics. It should state which software your customer has access to and how they may use it (for example, cloud-based access), with the supporting services, such as technical support, hosting, and updates, specified in more detail in your SLA. 

The distinction between configuration and customisation should be explicitly addressed, as this affects intellectual property ownership and ongoing maintenance obligations. Avoid committing to bespoke code development unless it’s governed by robust change control processes and clear IP allocation terms. 

Data Privacy and Security Obligations

Given the enhanced privacy law requirements, your SOW must include comprehensive data handling provisions. Businesses must implement robust data privacy and security measures, including comprehensive Privacy Policies, and have data breach response plans ready with prompt customer and authority notification. 

For a deeper dive into how SMEs can proactively embed privacy-by-design into their operations, read our article: Privacy by Design for SMEs.

Cross-border data transfer provisions are particularly critical. If you’re offering SaaS products to international customers, you might need to comply with personal data protection laws and cross-border data transfer regulations in their jurisdiction, including GDPR for UK and EU customers and CCPA for California customers. 

The SOW should specify data storage locations, sub-processor arrangements, and the customer approval process for new overseas sub-processors. Include vendor obligations to provide breach notifications within 24-72 hours to enable customer compliance with the 30-day assessment requirement under the Notifiable Data Breaches scheme. 

Security Controls and Compliance

Modern SaaS SOWs should reference appropriate security baselines, including Essential Eight maturity levels and ISM-aligned controls covering encryption, identity management, vulnerability management, and backup procedures. Industry-specific regulations such as healthcare data privacy laws or financial services licensing requirements may apply to your SaaS business. 

For APRA-regulated entities, ensure contractual alignment with CPS 234 requirements for information security capability and third-party controls. Government customers may require compliance with the Hosting Certification Framework and Protective Security Policy Framework for sensitive or protected data. 

Legal Tip: Get peace of mind with guidance from an experienced software lawyer. Our team includes dedicated software licensing lawyers who can assist with licensing terms, data security obligations, and risk management for your SaaS product.

Service Levels and Performance Management

Availability and Support Commitments

Define specific uptime percentages, maintenance windows, support tiers, and response times. However, avoid making service credits the exclusive remedy for all breaches, as this may create unfair contract terms issues in standard form contracts.

It’s important to disclaim liability for risks outside your control, such as third-party hosting faults, and to limit liability more generally. You should also state expressly that you do not guarantee the software’s suitability for specific user requirements. 

Liability and Risk Allocation

Balance liability caps with appropriate limitation of liability carve-outs for data breaches, intellectual property infringement, and fraud. There are tangible commercial risks associated with providing SaaS products, particularly for B2B software where businesses rely on your product for their commercial endeavours, and it’s important to consider legislative guarantees you are required to uphold. 

Ensure professional indemnity, cyber, and public liability insurance requirements are commensurate with the risk profile and sector expectations. For regulated industries like financial services, insurance requirements should align with prudential standards. 


Practical Checklist for SaaS SOW Development

When developing your SaaS Statement of Work, ensure you address: 

  • Technical Specifications: Clear service definitions, API documentation, integration requirements, and performance metrics with measurable acceptance criteria for any onboarding or migration deliverables 
  • Commercial Terms: Transparent pricing metrics, indexation mechanisms, overage calculations, and audit procedures, ensuring any price variation clauses include corresponding termination rights to avoid UCT issues 
  • Legal Compliance: Consumer guarantee acknowledgements, privacy law compliance statements, security control requirements, and appropriate warranty disclaimers that comply with Australian Consumer Law 
  • Operational Management: Change control processes, release management procedures, incident response protocols, and termination procedures including comprehensive exit assistance and data return processes 
  • Risk Management: Balanced liability provisions, appropriate insurance requirements, intellectual property protections, and dispute resolution mechanisms suitable for cross-jurisdictional operations 

Frequently Asked Questions

What are the key privacy law changes affecting SaaS contracts in 2024?

The updated Privacy Act introduces stricter consent rules, new data rights, and significantly higher penalties, and businesses must now allow consumers to request data deletion. These changes modernise the Privacy Act to align more closely with international frameworks like GDPR.

These changes affect how SaaS providers collect, store, and process personal information, requiring updated privacy policies and enhanced security measures. Most existing privacy policies will need revision to reflect new consumer rights and obligations. 

How do unfair contract terms provisions affect SaaS agreements?

The expanded unfair contract terms regime now covers businesses with fewer than 100 employees or less than $10 million turnover.

For SaaS agreements offered on a standard form basis, avoid unilateral variation clauses without corresponding termination rights, ensure liability caps are reasonable with proportionate carve-outs, and make service credits proportionate rather than the exclusive remedy for all breaches. Transparency and fairness in automatic renewals are also crucial. 

What security standards should be referenced in SaaS SOWs?

SaaS SOWs should reference Essential Eight target maturity levels, ISM-aligned controls including encryption at rest and in transit, multi-factor authentication, logging and retention requirements, vulnerability management, and backup with defined recovery point and time objectives.

For government customers, alignment with the Hosting Certification Framework and PSPF may be required. Regular assurance artefacts such as penetration test summaries and IRAP assessments should be specified. 

Are there specific requirements for cross-border data transfers?

Yes, under APP 8 of the Privacy Act, cross-border disclosure requires reasonable steps to ensure overseas recipients handle personal information in accordance with Australian Privacy Principles.

Your SOW should specify data storage locations, require customer approval for new overseas sub-processors, and include contractual safeguards for international transfers.

What should be included in SaaS termination and exit provisions?

Comprehensive exit provisions should include termination rights for convenience with fair notice periods, termination for breach with reasonable cure periods, detailed data export requirements specifying formats and timeframes, cut-over cooperation obligations, secure deletion procedures, and certificates of destruction.

For critical infrastructure or government contexts, ensure alignment with any incident response and cooperation obligations under the Security of Critical Infrastructure Act. 

Reach out to Prosper Law’s experienced SaaS lawyers today to find out more.

About the Author

Farrah Motley
Director of Prosper Law. Farrah founded Prosper online law firm in 2021. She wanted to create a better way of doing legal work and a better experience for customers of legal services.
