You're about to launch your SaaS product. Everything works. The pricing page is live. The signup flow is smooth.

Then an early adopter asks: "What's your SLA? Do you guarantee 99.9% uptime?"

You haven't thought about this yet.

Here's what you need to know about the three core legal documents every SaaS company needs: Terms of Service, Service Level Agreements, and Acceptable Use Policies.

The Three Documents Every SaaS Needs

Most SaaS companies need three interconnected legal documents:

  • Terms of Service (ToS): The master agreement governing how customers use your software
  • Service Level Agreement (SLA): Your commitments around uptime, performance, and support
  • Acceptable Use Policy (AUP): Rules about what users cannot do with your service

These work together to protect both you and your customers. Let's break down each one.

Terms of Service: The Foundation

Your Terms of Service is the legal agreement between you and your users. It's non-negotiable for a SaaS business.

What it covers:

  • Account creation: Who can create accounts, registration requirements
  • License grant: What rights users have to use your software
  • Payment terms: Subscription fees, billing cycles, auto-renewal, refunds
  • Cancellation: How users can cancel, what happens to their data
  • Intellectual property: Who owns what (your code, user data, user content)
  • Liability limits: What you're responsible for (and not responsible for)
  • Warranties and disclaimers: What you promise and don't promise
  • Termination: When you can suspend or terminate accounts
  • Changes to terms: How you can update the agreement

License vs. Ownership

You grant users a license to use your software, but you retain ownership. This is critical.

Common language:

"We grant you a non-exclusive, non-transferable, revocable license to access and use the Service for your internal business purposes, subject to these Terms."

This means:

  • Non-exclusive: You can grant the same license to others
  • Non-transferable: They can't resell or transfer their access
  • Revocable: You can terminate it if they violate terms

Liability Limitations

This is crucial for protecting your business from catastrophic lawsuits.

Standard protections:

  • Cap liability at the amount paid in the last 12 months (or 3 months for higher-risk services)
  • Exclude indirect damages like lost profits, data loss, business interruption
  • Disclaim warranties beyond what you explicitly promise

Example: If a customer pays $100/month and your service goes down for a day, your liability is capped at $1,200 (12 months × $100), not the millions they claim they "lost in revenue."

Note: These limitations may not be enforceable in all jurisdictions, but they're still important to include.

Data Ownership

Be crystal clear about who owns what:

  • User owns their data: Customer information they upload
  • You own the platform: Your code, infrastructure, documentation
  • Anonymized/aggregated data: Often you retain rights to use this for analytics and improvements

Don't claim ownership of user data. Customers (especially enterprise) will reject this immediately.

When You Need It

  • Before you launch your SaaS product
  • Required for accepting payments via Stripe, PayPal, etc.
  • Essential for B2B sales and enterprise customers
  • Protects you from liability claims

In other words: Day one.

Service Level Agreement (SLA): Promises You Can Keep

An SLA is your promise to customers about service quality and what happens if you don't meet it.

What it typically includes:

  • Uptime guarantee: "99.9% uptime per month"
  • Support response times: "Email support responds within 24 hours"
  • Performance benchmarks: "Page load time under 2 seconds"
  • Remedies/credits: What customers get if you fail to meet commitments
  • Exclusions: What's not covered (scheduled maintenance, force majeure, user error)

Common SLA Tiers

Tier             | Uptime | Downtime/Month | Typical For
Standard         | 99.0%  | 7.2 hours      | Free/low-tier plans
High             | 99.9%  | 43 minutes     | Standard SaaS
Enterprise       | 99.95% | 22 minutes     | Premium plans
Mission-critical | 99.99% | 4 minutes      | Enterprise+ only

99.9% uptime is standard for most SaaS products. Don't promise 99.99% unless you have the infrastructure and monitoring to back it up.

Service Credits: What Happens When You Miss Your SLA

If you miss your SLA, you typically offer service credits (not cash refunds). Common structure:

  • 99.9% to 99.0%: 10% service credit
  • 99.0% to 95.0%: 25% service credit
  • Below 95.0%: 50% service credit or right to cancel

Service credits apply to the next billing cycle, not immediate refunds. This limits your financial exposure while still compensating customers.

What to Exclude from Your SLA

Your SLA should explicitly exclude:

  • Scheduled maintenance: "Planned maintenance windows announced 48 hours in advance"
  • Force majeure: Natural disasters, war, pandemics, internet outages beyond your control
  • User-caused issues: Misconfiguration, exceeding usage limits, DDoS attacks targeting the user
  • Third-party failures: AWS outages, DNS provider failures (unless you guarantee multi-region redundancy)

The SLA Paradox

Don't promise an SLA you can't meet. It's better to have no SLA and over-deliver than promise 99.9% uptime and consistently miss it. Enterprise customers will forgive occasional outages if you're transparent. They won't forgive broken promises.

When You Need an SLA

  • When enterprise customers ask for it (and they will)
  • When you're confident in your infrastructure reliability
  • When you want to differentiate on reliability
  • When your service is mission-critical for customers

Early-stage startups can skip SLAs initially. But have one ready before your first enterprise sales call.

Acceptable Use Policy (AUP): Setting Boundaries

An AUP defines what users cannot do with your service. It protects you from abuse.

Common prohibitions:

  • Illegal activity: Phishing, malware distribution, piracy, fraud
  • Spam: Sending unsolicited commercial email
  • Abuse: Harassment, hate speech, violent content
  • Resource abuse: Excessive API calls, DDoS attacks, crypto mining
  • Circumvention: Reverse engineering, bypassing usage limits
  • Reselling: Unauthorized resale of your service

Your AUP gives you clear grounds to suspend or terminate accounts that violate these rules.

Enforcement

Your AUP should explain:

  • How you monitor: "We monitor for unusual activity and abuse"
  • What happens on violation: "First warning, then suspension, then termination"
  • Appeals process: "Contact [email protected] to appeal"

When You Need It

  • If users can send emails or messages through your platform
  • If you offer API access
  • If resource abuse could impact other users
  • If you need clear grounds to ban abusive users

Most SaaS companies include an AUP either as a standalone document or as a section within their Terms of Service.

How These Documents Work Together

Terms of Service: The master legal agreement
SLA: Your specific performance commitments (referenced by ToS)
AUP: The rules of the road (also referenced by ToS)

Typical structure:

  • Terms of Service references both the SLA and AUP
  • Violating the AUP is a breach of Terms of Service
  • Failing to meet the SLA triggers remedies defined in Terms of Service

Common Mistakes to Avoid

Copying Another Company's Terms Without Customization
Your terms must reflect your actual business model. If you promise features you don't offer or exclude things you actually do, it's unenforceable.

Promising an SLA You Can't Meet
If you promise 99.9% uptime but your infrastructure can't deliver it, you're exposing yourself to constant service credit claims.

Making Terms Too Restrictive
Don't scare away customers with overly aggressive terms. Balance protection with customer-friendliness.

Not Updating Terms as You Scale
Your early-stage ToS won't work when you're serving enterprise customers. Review and update annually.

Hiding Important Terms in Fine Print
Critical terms (auto-renewal, cancellation policies, refunds) should be clear and prominent, not buried in legalese.

Quick Implementation Checklist

Before Launch:

  • Create Terms of Service
  • Add Privacy Policy
  • Consider a basic AUP (or include it in ToS)

When You Have Paying Customers:

  • Formalize your refund and cancellation policies in ToS
  • Document support expectations
  • Monitor actual uptime to prepare for SLA commitments

Before First Enterprise Deal:

  • Create a formal SLA
  • Prepare a DPA (Data Processing Agreement)
  • Have security documentation ready
  • Get legal review for enterprise terms

Where to Display These Documents

  • Website footer: Link to all legal documents on every page
  • Signup flow: "By signing up, you agree to our Terms of Service"
  • Pricing page: Link to SLA (especially for higher-tier plans)
  • Dashboard: Make legal docs accessible from user account settings
  • Sales materials: Include SLA commitments in enterprise proposals

The Bottom Line

Legal documents aren't just checkbox compliance items. They're trust signals.

Professional, clear terms show customers you're a legitimate business. An honest SLA shows you're confident in your infrastructure. A fair AUP shows you're thoughtful about platform governance.

Start with solid Terms of Service. Add an SLA when you're confident in your reliability. Include an AUP if users can create content or abuse resources.

And remember: these documents evolve with your business. Review them annually, update them as you add features, and don't be afraid to improve them based on real customer feedback.