SaaS Contract Negotiation Templates: 7 Copy-Paste Agreements

PRICE LOCK CLAUSE Section X.X: Pricing Stability (a) Price Freeze: During the Initial Term of this Agreement, the fees set forth in the Order Form shall not increase. Vendor waives any right to apply escalation, CPI adjustment, or any other price increase mechanism during the Initial Term. (b) Renewal Escalation Cap: In the event Customer exercises any renewal option under this Agreement, any increase in fees for the Renewal Term shall not exceed the lesser of: (i) three percent (3%) per year, or (ii) the percentage increase in the U.S. Consumer Price Index (All Urban Consumers, CPI-U) for the 12-month period ending 30 days prior to the renewal date. (c) No Price Changes Without Notice: Vendor shall provide no less than 90 days' written notice before any pricing change takes effect, including changes to usage-based fees, platform fees, or add-on module pricing. (d) Most Favored Customer: If Vendor offers equivalent services to any other customer at a lower per-unit price than Customer's current rate, Vendor shall notify Customer and extend the lower price to Customer within 30 days.

SLA LIABILITY AND SERVICE CREDIT CLAUSE Section X.X: Service Level Agreement and Remedies (a) Uptime Commitment: Vendor guarantees System Availability of 99.9% in any calendar month, excluding Scheduled Maintenance. "System Availability" means the percentage of time the core features of the Service are accessible and functional, measured monthly. (b) Scheduled Maintenance Window: Scheduled Maintenance shall not exceed 4 hours per calendar month. Vendor shall provide no less than 72 hours' advance notice for all Scheduled Maintenance. Scheduled Maintenance performed with less than 72 hours' notice shall be counted as Downtime for purposes of calculating System Availability. (c) Automatic Service Credits — No Claim Required: In the event Vendor fails to meet the Uptime Commitment in any calendar month, Vendor shall automatically apply service credits to Customer's account within 10 business days of the end of the affected calendar month. Credits shall be calculated as follows: - 99.0% – 99.9% uptime: Credit equal to 10% of monthly fees - 98.0% – 98.99% uptime: Credit equal to 25% of monthly fees - 95.0% – 97.99% uptime: Credit equal to 50% of monthly fees - Below 95.0% uptime: Credit equal to 100% of monthly fees Credits shall be applied to the following invoice. Credits are cumulative and not subject to a monthly cap. (d) Credit as Non-Exclusive Remedy: Service credits are in addition to, not in lieu of, any other remedies available to Customer at law or in equity. In the event of repeated SLA failures (3 or more months failing to meet 99.9% uptime in any rolling 12-month period), Customer may terminate this Agreement for cause without penalty and receive a pro-rated refund of prepaid fees. (e) Uptime Reporting: Vendor shall maintain a publicly accessible status page showing real-time and historical uptime data. Customer may request detailed incident reports for any Downtime event exceeding 30 minutes.

DATA EXPORT AND PORTABILITY RIGHTS Section X.X: Customer Data Ownership and Portability (a) Ownership: Customer retains full ownership of all Customer Data processed through the Service. Vendor acquires no ownership, license, or intellectual property rights in Customer Data except as strictly necessary to provide the contracted Service. (b) Export During Term — No Fees: Customer may export all Customer Data at any time during the term of this Agreement at no additional charge. Vendor shall provide export functionality in at least one machine-readable, industry-standard format (CSV, JSON, XML, or API access). API rate limits shall not unreasonably impede bulk data export. (c) Post-Termination Access Window: Upon expiration or termination of this Agreement for any reason, Customer shall have a period of not less than 90 days ("Export Window") during which Customer may continue to access the Service solely for the purpose of exporting Customer Data. Vendor shall maintain the Service in read-only mode during the Export Window at no additional charge. (d) Export Assistance: If Customer requires assistance exporting data in a specific format, Vendor shall provide such assistance at Vendor's then-current professional services rates not to exceed $150 per hour. Vendor shall provide a written estimate before commencing any paid export assistance. (e) Deletion Certification: Upon expiration of the Export Window or upon Customer's written request, Vendor shall securely delete all Customer Data (including all backup copies) within 30 days and provide written certification of deletion, specifying the deletion method used. (f) No Data Hostage Tactics: Vendor shall not condition data export or deletion on payment of outstanding invoices that are subject to a bona fide dispute between the parties.

CONSOLIDATION ADDENDUM This Addendum is incorporated into the Master Subscription Agreement between Customer and Vendor. Section X.X: Consolidated Platform Pricing (a) Platform Discount: Customer is purchasing the following Products from Vendor under this consolidated agreement: - [Product A]: [Quantity] licenses at $[X]/license/year - [Product B]: [Quantity] licenses at $[X]/license/year In recognition of Customer's consolidated commitment, Vendor agrees to apply a platform discount of [X]% to the combined annual fees for the Products listed above ("Platform Discount"). The Platform Discount shall apply throughout the Initial Term and any Renewal Terms. (b) Future Product Discount: If Customer elects to add additional Vendor products to this Agreement during the term, such additional products shall receive a discount of not less than [X]% off Vendor's then-current list price ("Expansion Discount"). The Expansion Discount reflects Customer's existing platform commitment and shall not be conditioned on minimum additional spend. (c) Unified Renewal Date: The renewal date for all Products under this Addendum shall be aligned to a single annual date of [DATE], regardless of when individual Products were added. This allows for consolidated renewal negotiations. (d) True-Up Protection: If Customer's actual usage of any Product exceeds contracted quantities, Vendor shall notify Customer in writing before charging any overage. Overages shall be charged at the platform-discounted rate, not at list price.

DATA PROCESSING AGREEMENT (ABBREVIATED) This Data Processing Agreement ("DPA") is entered into between Customer ("Controller") and Vendor ("Processor") and is incorporated into the Master Subscription Agreement. 1. SUBJECT MATTER AND PURPOSE Processor shall process Personal Data only on behalf of Controller, only for the purposes specified in Schedule 1 (Description of Processing), and only in accordance with Controller's documented instructions. 2. DATA LOCATION AND TRANSFER (a) All Personal Data shall be stored within [EU/EEA / United States / specify region]. (b) Any transfer of Personal Data outside the EEA shall be subject to the Standard Contractual Clauses (EU Commission Decision 2021/914, Controller-to-Processor, Module 2), which are hereby incorporated by reference. (c) Processor shall not transfer Personal Data to a new jurisdiction without prior written consent from Controller. 3. SUB-PROCESSORS (a) Controller authorizes Processor to engage the sub-processors listed in Schedule 2 as of the DPA effective date. (b) Processor shall notify Controller at least 30 days in advance before engaging any new sub-processor or making material changes to existing sub-processors. (c) Controller may object to a new sub-processor within 15 days of notice. If the parties cannot resolve the objection, Controller may terminate the Agreement without penalty. 4. BREACH NOTIFICATION (a) Processor shall notify Controller without undue delay, and no later than 24 hours after becoming aware of a Personal Data Breach. (b) Notification shall include: nature of the breach, categories and approximate number of data subjects affected, and measures taken or proposed to address the breach. 5. DATA SUBJECT RIGHTS Processor shall assist Controller in responding to data subject requests (access, deletion, portability, correction) within 5 business days of Controller's request. 6. SECURITY MEASURES Processor implements and maintains the technical and organizational measures described in Schedule 3, including at minimum: AES-256 encryption at rest, TLS 1.2+ in transit, access controls with audit logging, annual penetration testing. 7. RETENTION AND DELETION Upon termination or expiration of the Agreement, Processor shall delete all Personal Data within 30 days and provide written certification of deletion. SCHEDULE 1: Subject matter: [describe service]. Purpose: [describe]. Duration: Term of Agreement. Data types: [list]. Data subject categories: [list]. SCHEDULE 2: Sub-processors: [list current sub-processors with location]. SCHEDULE 3: Security measures: [reference SOC 2 Type II report or list specific controls].

SECURITY AND COMPLIANCE ADDENDUM Section 1: Baseline Security Requirements Vendor shall maintain, throughout the term, the following minimum security controls: (a) Certification: SOC 2 Type II certification, with Security as a covered Trust Service Criterion. Vendor shall provide Customer with the current SOC 2 Type II report annually under mutual NDA. (b) Encryption: AES-256 encryption for data at rest. TLS 1.2 or higher for data in transit. Encryption keys managed by Vendor with documented key rotation schedule (minimum annual rotation). (c) Access Controls: Role-based access control limiting employee access to minimum necessary. Multi-factor authentication required for all vendor employee access to production systems. Access logs retained for minimum 12 months. (d) Vulnerability Management: Annual penetration test by qualified independent third party. Critical and high-severity findings remediated within 30 days and 90 days respectively. Bug bounty program or equivalent active vulnerability disclosure process maintained. (e) Incident Response: Written incident response plan maintained and tested annually. Dedicated security team or equivalent function with on-call coverage. Section 2: Audit Rights (a) Documentation: Upon written request no more than once per year, Vendor shall provide: (i) most recent SOC 2 Type II report, (ii) summary of annual penetration test findings and remediation status, (iii) summary of security incidents in the prior 12 months, (iv) list of sub-processors with locations. (b) Right to Audit: In the event of a material security incident involving Customer Data, Customer may, with 30 days' written notice, engage a qualified third-party auditor to assess Vendor's security controls. Customer shall bear the cost of such audit unless the audit reveals material non-compliance with this Addendum. Section 3: Enhanced Liability for Security Failures (a) The limitation of liability provisions in the Master Agreement shall not apply to: (i) Vendor's breach of this Security Addendum, (ii) unauthorized disclosure of Customer's confidential information or Personal Data, (iii) Vendor's gross negligence or willful misconduct. (b) In the event of a confirmed data breach attributable to Vendor's failure to maintain the controls in Section 1, Vendor shall reimburse Customer for: (i) reasonable costs of breach notification to affected individuals, (ii) reasonable costs of credit monitoring services required by applicable law, (iii) regulatory fines directly attributable to Vendor's non-compliance.

TERMINATION FOR CONVENIENCE Section X.X: Customer's Right to Terminate for Convenience (a) Termination Right: Customer may terminate this Agreement for any reason or no reason upon 30 days' prior written notice to Vendor ("Termination Notice"). (b) No Early Termination Fee: Upon termination for convenience, Customer shall pay all fees accrued through the effective date of termination. No early termination fee, breakage fee, or remaining contract value shall be owed by Customer. (c) Pro-Rated Refund: If Customer has prepaid any fees for the period beyond the effective date of termination, Vendor shall refund the pro-rated unused portion within 30 days of the termination effective date. (d) Data Return: Vendor shall comply with all data return and deletion obligations in Section [Data Portability] regardless of the reason for termination. (e) Transition Assistance: Upon request made prior to or within 30 days of the Termination Notice, Vendor shall provide reasonable transition assistance, including: (i) data export in machine-readable format, (ii) API access for data migration, (iii) up to 10 hours of technical support for data migration questions, at no additional charge. (f) Vendor's Termination Right: Vendor may terminate this Agreement for convenience upon 90 days' prior written notice to Customer. In such event, Vendor shall refund all prepaid unused fees and provide a 90-day continuation of service at no charge to facilitate Customer's transition.