SaaS Subscription Agreement Template

SAAS SUBSCRIPTION AGREEMENT

Master Services Agreement — Maplewood Analytics Inc. And Northwind Logistics Inc.

THIS SAAS SUBSCRIPTION AGREEMENT (the "Agreement") is made effective 2026-07-01 between Maplewood Analytics Inc., a corporation existing under the laws of the Province of Ontario (the "Provider"), and Northwind Logistics Inc., an enterprise business-to-business customer (the "Customer"). The Provider is the developer and operator of the cloud-hosted software-as-a-service platform identified below (the "Service") and agrees to provide the Customer with subscription access to the Service on the terms set out in this Agreement. This Agreement governs the relationship between the Provider and the Customer for the entire Subscription Term and any renewal.

The Provider grants the Customer subscription access to the MapleAnalytics Enterprise service, comprising the following modules and features:

Core Analytics — predictive demand forecasting + supply-chain optimisation.
AI Forecasting Add-On — large-language-model-powered demand-pattern explanation and anomaly detection.
API Access — full REST + GraphQL APIs (rate-limited to 1,000 requests / minute / authenticated user).
Single Sign-On (SSO) — SAML 2.0 + OpenID Connect.
Audit Logging — 13-month rolling audit log with export.

Instance type: multi-tenant cloud (Canadian region — AWS Central Canada ca-central-1). The Customer is entitled to 50 named users (the "Authorised Users") for the duration of the Subscription Term.

The initial subscription term is 24 month(s) from the Effective Date (the "Initial Term"). Following the Initial Term, this Agreement will automatically renew for successive periods of equal length (each a "Renewal Term") unless either Party gives the other written notice of non-renewal at least 60 day(s) before the end of the then-current term.

Termination for cause. Either Party may terminate this Agreement on 60 days' written notice if the other Party commits a material breach of this Agreement that is not cured within 30 days of written notice from the non-breaching Party.

Effect of termination. On termination, all Customer access to the Service will cease, the Customer will pay all amounts due for the period to the termination date, and the Customer Data will be returned to the Customer in a standard machine-readable format and securely deleted from the Provider's systems within 30 days (subject to legal-retention exceptions).

The Customer shall pay subscription fees of 5,000.00 CAD monthly, payable in advance, in CAD. Invoices are due and payable within 30 days of the invoice date.

Late payment. Overdue amounts bear interest at 1.5% per month (compounded monthly), calculated from the original due date to the date of payment in full. The Provider may suspend the Customer's access to the Service after 30 days of non-payment, on 10 days' prior written notice.

Taxes. All fees are exclusive of applicable sales taxes (GST/HST, PST, QST), which are payable by the Customer. The Customer shall not deduct any withholding taxes from the fees unless required by applicable law and shall provide a withholding tax certificate where applicable.

Subject to the Customer's compliance with this Agreement and the timely payment of all fees, the Provider grants the Customer a non-exclusive, non-transferable, non-sublicensable enterprise-wide licence to access and use the Service for the Customer's internal business purposes.

Geographic scope: the licence is valid for access from Canada and the United States (the Customer's primary operating geography).

Licence restrictions. The Customer shall not (and shall not permit any third party to): (a) sublicense, resell or commercially exploit the Service to any third party (except as expressly permitted under a reseller scope); (b) reverse-engineer, decompile or disassemble the Service, except to the extent expressly permitted by applicable law; (c) use the Service to develop a competing service or product; (d) use the Service in any unlawful manner or in any manner that infringes the rights of any third party; or (e) remove or alter any proprietary notices on the Service.

Liability cap. Except for the carve-outs below, each Party's total cumulative liability arising out of or relating to this Agreement is limited to the aggregate amount of fees actually paid by the Customer to the Provider in the 12-month period immediately preceding the event giving rise to the claim.

Exclusion of indirect damages. Neither Party shall be liable to the other for any indirect, incidental, consequential, special, exemplary or punitive damages — including without limitation loss of profits, loss of business, loss of data (subject to the DPA), loss of goodwill, or loss of opportunity — even if advised of the possibility of such damages.

Carve-outs (uncapped liabilities). The liability cap and exclusion of indirect damages do NOT apply to: (a) breach of the Provider's confidentiality obligations; (b) breach of the Customer's payment obligations; (c) any indemnification obligations expressly stated in this Agreement; (d) gross negligence, wilful misconduct or fraud by either Party; and (e) breach of applicable privacy laws (including PIPEDA, Quebec Law 25 and the provincial PIPA regimes).

Provider warranty. The Provider warrants that the Service will materially conform to its then-current published documentation during the Subscription Term and that the Service will be provided in a professional and workmanlike manner, in accordance with the security and availability standards stated in this Agreement.

EXCEPT AS EXPRESSLY SET OUT IN THIS AGREEMENT, the Service is provided "AS IS" and the Provider disclaims all other warranties, whether express or implied, including any warranty of merchantability, fitness for a particular purpose, non-infringement, and any warranty arising from a course of dealing or usage of trade. The Provider does not warrant that the Service will be uninterrupted or error-free, except to the extent of the SLA commitment in the SLA Schedule (where applicable).

The Provider commits to the following Service Level Agreement (SLA) for the duration of the Subscription Term:

Uptime commitment. The Service will be available for use by the Customer for at least 99.9% of each calendar month, measured at the Provider's edge (excluding scheduled maintenance windows and any unavailability caused by the Customer or by a force majeure event).

Service-credit ladder. If the Service's monthly availability falls below the uptime commitment, the Customer is entitled to the following service credits, applied against the next monthly invoice:
- Availability below 99.9% but at or above 99.5%: 10% service credit.
- Availability below 99.5% but at or above 99.0%: 25% service credit.
- Availability below 99.0%: 50% service credit (the maximum credit per month).

Scheduled maintenance window: Sundays 02:00 to 05:00 Eastern Time (excluded from the uptime calculation; advance notice given by email at least 48 hours in advance).

Support response times. The Provider will acknowledge and respond to Customer support tickets within the following targets:
- Priority 1 (Service down or critical functionality unavailable): 1 hour(s) initial response, 24x7.
- Priority 2 (Major functionality degraded but workaround available): 4 hours initial response, business hours.
- Priority 3 (Minor issue, no material business impact): 1 business day initial response.

Service credit as exclusive remedy. Service credits are the Customer's exclusive remedy for any breach of the SLA, except where the breach also constitutes a material breach of this Agreement (in which case the Customer's termination right applies).

The Provider and the Customer agree to the following Data Processing Addendum (DPA) under the federal Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) and Quebec's Act respecting the protection of personal information in the private sector, CQLR c. P-39.1 (as substantially amended by Law 25, fully in force since 22 September 2023), supplemented (where applicable) by Alberta's Personal Information Protection Act, S.A. 2003, c. P-6.5 and British Columbia's Personal Information Protection Act, S.B.C. 2003, c. 63.

Data controller / processor allocation. The Customer is the controller of the Customer Data and the Provider acts as the processor on the Customer's behalf, processing the Customer Data only for the purposes of providing the Service.

Data residency. Customer Data will be stored and processed in the Canadian regions of Amazon Web Services (Toronto, ca-central-1) and Microsoft Azure (Toronto, Canada Central) for redundancy. For Customer Data subject to Quebec Law 25, the Provider has completed a Privacy Impact Assessment confirming that the data-residency location provides an adequate level of protection comparable to the protection under Quebec law.

Sub-processors. The Provider may engage sub-processors to process the Customer Data, subject to: (a) a written agreement imposing on the sub-processor obligations equivalent to those in this DPA; (b) prior written notice to the Customer of any new sub-processor (Customer may object on reasonable grounds within 15 days); and (c) the Provider remaining fully liable for the acts and omissions of its sub-processors.

Breach notification. The Provider will notify the Customer without undue delay, and in any event within 72 hour(s) of becoming aware, of any personal information breach (within the meaning of section 10.1 of PIPEDA) involving the Customer Data, including a description of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to mitigate.

Data subject rights. The Provider will assist the Customer in responding to data-subject requests for access, correction, deletion, portability and consent withdrawal, within the time limits prescribed by applicable Canadian privacy law.

Return and deletion of Customer Data. On termination of this Agreement, the Provider will return all Customer Data in a standard machine-readable format and securely delete the Customer Data from the Provider's systems within 30 days, subject to legal-retention exceptions.

Penalties. The Parties acknowledge the substantial penalties under Quebec Law 25 (up to CAD 25,000,000 or 4% of global turnover, whichever is greater) and the more modest but still material penalties under PIPEDA (up to CAD 100,000 per violation under section 14, plus civil-damages exposure).

Security framework. The Provider maintains an information security program based on industry-standard frameworks, currently including: SOC 2 Type II (audited operating effectiveness over a 6-month minimum review period); and ISO/IEC 27001 certification. The Provider will provide an executive summary of the most recent attestation report on the Customer's reasonable request.

Encryption. All Customer Data is encrypted at rest using AES-256 or stronger and in transit using TLS 1.3 or stronger.

Disaster recovery commitments. The Provider commits to a Recovery Time Objective (RTO) of 4 hour(s) and a Recovery Point Objective (RPO) of 1 hour(s) in the event of a major disaster affecting the primary hosting environment. The Provider maintains a documented business continuity plan and performs disaster-recovery testing at least annually.

Acceptable Use Policy. The Customer and the Authorised Users shall not use the Service to: (a) violate any applicable law (including Canada's Anti-Spam Legislation — CASL, S.C. 2010, c. 23 — for any commercial electronic message sent using the Service); (b) infringe any third-party intellectual property right; (c) transmit any malware, viruses or harmful code; (d) attempt to gain unauthorised access to the Service or to other customers' data; (e) conduct any penetration testing without prior written authorisation; or (f) use the Service in a manner that materially degrades the experience of other Provider customers.

Where the Service incorporates artificial-intelligence or machine-learning features (the "AI Features"), the following terms apply:

No training on Customer Data. The Provider will NOT use the Customer Data to train, fine-tune or improve any AI model — either the Provider's own models or any third-party model used by the Service — unless the Customer affirmatively opts in by separate written consent. Customer Data is processed only for the purposes of providing the Service to the Customer.

Output ownership. As between the Parties, the Customer owns all outputs generated by the AI Features in response to the Customer's inputs (the "Outputs"). The Provider hereby assigns to the Customer all right, title and interest in and to the Outputs (subject to the Provider's underlying intellectual property in the Service itself).

Accuracy disclaimer. AI Outputs are generated automatically and may contain inaccuracies, biases or hallucinations. The Customer is solely responsible for reviewing and validating the Outputs before relying on them for any business, legal, medical, financial or other consequential purpose.

Canadian AI regulatory status. The Parties acknowledge that, as at the Effective Date of this Agreement, Canada has no enacted federal Artificial Intelligence statute (Bill C-27, which contained the proposed Artificial Intelligence and Data Act — AIDA, died on the Order Paper in January 2025 on the prorogation of Parliament). AI Features are governed by PIPEDA principles, the Office of the Privacy Commissioner of Canada's voluntary AI guidance, any applicable sectoral codes (financial-services OSFI, healthcare PIPEDA, etc.), and the provincial human-rights codes (including any high-impact-employment-decision restrictions).

High-impact AI disclosure. Where the AI Features are used by the Customer to make decisions affecting employment, credit, insurance, healthcare, criminal justice or other high-impact areas, the Provider will provide the Customer with a plain-language description of the AI logic, the inputs used, the principal factors considered, the limitations of the system, and the Customer's options for human review of the AI Output. This is intended to satisfy emerging Canadian and international expectations for high-impact AI transparency.

Each Party (the "Receiving Party") shall hold in confidence all non-public information disclosed to it by the other Party (the "Disclosing Party") under or in connection with this Agreement (the "Confidential Information"), and shall: (a) use the Confidential Information only for the purposes of performing its obligations or exercising its rights under this Agreement; (b) protect the Confidential Information with at least the same degree of care it uses to protect its own confidential information of similar sensitivity (and in no event less than a commercially reasonable degree of care); (c) disclose the Confidential Information only to its officers, employees, agents and professional advisors who have a reasonable need to know and who are bound by equivalent confidentiality obligations; and (d) return or securely destroy the Confidential Information on the Disclosing Party's request at the end of the Subscription Term. The confidentiality obligation does not apply to information that is (i) publicly available through no fault of the Receiving Party, (ii) independently developed by the Receiving Party without use of the Confidential Information, (iii) lawfully received from a third party without confidentiality obligations, or (iv) required to be disclosed by applicable law or by a court order (in which case the Receiving Party shall give the Disclosing Party prompt notice and cooperate in seeking protective measures).

This Agreement shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein. The Parties attorn to the exclusive jurisdiction of the courts of Ontario for all disputes arising out of or in connection with this Agreement, except that either Party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property or confidential information.

This Agreement (together with any Schedules, Statements of Work, Data Processing Addendum, and Order Forms referenced or attached) constitutes the entire agreement between the Parties with respect to the Service and supersedes all prior negotiations, representations and agreements between them on that subject. No amendment is effective unless made in writing and signed by both Parties (or, in the case of online click-through acceptance of updated Provider documentation, in accordance with the Provider's then-current change-management process, provided that no material adverse change to the Customer's rights takes effect without 60 days' prior written notice). This Agreement may be signed in counterparts, including by electronic signature, each of which is deemed an original.

IN WITNESS WHEREOF, the parties have executed this Agreement as of the date indicated.