What legal documents does a SaaS company typically need?

Many SaaS companies use Terms of Service, a Privacy Policy, and an Acceptable Use Policy. For customers who require signature, they often use an MSA plus Order Forms. Some businesses also use a DPA and a Security Addendum.

Do SaaS companies need Terms of Service?

Most self-serve SaaS products rely on Terms of Service accepted online to govern customer access and use of the service, including billing terms, acceptable use, and liability limitations.

What is an Acceptable Use Policy (AUP) for SaaS?

An AUP defines prohibited uses of the service, such as abuse, illegal activity, security attacks, or spamming. It is often incorporated into the Terms of Service or MSA.

When do you need a Data Processing Addendum (DPA)?

A DPA is commonly used when you process personal data on behalf of customers and need contractual terms addressing privacy law requirements (for example GDPR-related provisions).

Explainer

What legal documents does a SaaS company need?

Software companies typically rely on a small set of core agreements to govern how customers access and use their services.

The short answer

Most SaaS companies operate using a combination of the following documents:

Terms of Service
Privacy Policy
Acceptable Use Policy
Master Subscription Agreement (MSA)
Order Form
Data Processing Addendum (DPA)
Security Addendum

Not every company uses all of these documents in every situation, but these are the most common components of a SaaS contract framework.

Terms of Service

They typically address topics such as:

permitted use of the service
subscription and billing terms
intellectual property rights
limitations of liability

For many self-serve products, customers accept the Terms of Service online during signup or checkout.

If you're unfamiliar with this structure, see:

Do I need a contract to charge for software?

Privacy Policy

A Privacy Policy explains how a company collects, uses, and shares personal information.

This document is typically required for any service that collects user data.

Privacy policies often address:

what personal information is collected
how the information is used
how long data is retained
user rights related to their data

Acceptable Use Policy (AUP)

An Acceptable Use Policy defines prohibited uses of the service.

This document helps prevent misuse of the platform by restricting activities such as:

illegal activity
security attacks
spamming or abuse
intellectual property violations

Many SaaS companies incorporate their AUP into their Terms of Service or MSA.

Master Subscription Agreement (MSA)

An MSA is typically used when customers require a signed contract.

The MSA establishes the legal framework for the relationship between the software vendor and the customer.

It often includes provisions addressing:

confidentiality
liability limitations
intellectual property
data protection

For a deeper explanation, see:

Order Forms

An Order Form contains the commercial details of a specific subscription.

These typically include:

pricing
subscription term
usage limits
billing structure

The Order Form usually incorporates the MSA by reference and applies it to a particular purchase.

For more detail, see:

What is a SaaS Order Form?

Data Processing Addendum (DPA)

A DPA governs how a vendor processes personal data on behalf of customers.

DPAs are commonly used when SaaS providers process customer data that may be subject to privacy laws such as GDPR.

They typically describe:

roles of controller and processor
data security obligations
subprocessor use
international data transfers

Security Addendum

A Security Addendum describes the vendor’s security practices for protecting customer data.

These documents often provide high-level information about topics such as:

access controls
encryption
incident response
infrastructure security

A common SaaS contract framework

Many software companies combine these documents into a structured system:

Terms of Service for self-serve users
MSA for customers who require a signed agreement
Order Forms for individual subscriptions
Privacy and security policies referenced by the agreements

This approach allows the same legal framework to support different sales motions while keeping contracts consistent.

Prefer a ready-to-use contract pack?

Baseline Terms provides a standardized bundle of SaaS contracts designed for founders who want consistent, non-negotiable legal terms.

The bundle includes all of the core documents described above, along with a short implementation guide explaining how they work together.

Get the Pack — $179