
UK SaaS Subscription Agreement

Draft a UK SaaS Subscription Agreement (supplier-side terms and conditions) for a Software-as-a-Service product. Includes the full British statutory framework — Consumer Rights Act 2015 for B2C customers, Supply of Goods and Services Act 1982 + Unfair Contract Terms Act 1977 for B2B, UK GDPR + Data Protection Act 2018 Article 28 mandatory data processing terms, Computer Misuse Act 1990, NIS Regulations 2018. Free covers baseline T&Cs (term, fees, IP, customer data, UCTA 1977 limitation cap). Expert adds full Article 28 9-clause DPA, service credits matrix, ISO 27001 + SOC 2 certifications, source code escrow (NCC Group / Iron Mountain), business continuity plan with RPO/RTO targets, PI + cyber insurance, IP indemnity, and customer data indemnity.

Free to use · Instant PDF · No account required

PDF (free) + editable Word (.docx) with Expert

SAAS SUBSCRIPTION AGREEMENT
Cardinal SaaS Limited B2B · 4 June 2026
SUPPLIER
Cardinal SaaS Limited (Company No. 13456789)
Hexagon House, 6 Charles Street, London W1J 5DN
CUSTOMER
Westridge Hospitality Group Limited
Westridge House, 12 Lancaster Gate, London W2 3LH
Subscription £28,800 per annum · Term 36 months
99.9% uptime · B2B
THIS SAAS SUBSCRIPTION AGREEMENT is made on 4 June 2026 between Cardinal SaaS Limited, a company incorporated in England and Wales (Company No. 13456789), of Hexagon House, 6 Charles Street, London W1J 5DN (the "Supplier") and Westridge Hospitality Group Limited, of Westridge House, 12 Lancaster Gate, London W2 3LH (the "Customer").

The Supplier agrees to provide the Software-as-a-Service subscription described in clause 1 below to the Customer on the terms set out in this Agreement. This Agreement is a business-to-business contract governed by the Supply of Goods and Services Act 1982 and the Unfair Contract Terms Act 1977 limitation of liability reasonableness framework.
1. The Service. Cardinal SaaS Platform — a multi-tenant cloud-hosted hospitality operations management platform comprising (i) reservation and channel management, (ii) revenue management and dynamic pricing, (iii) housekeeping and maintenance workflow, (iv) guest CRM and marketing automation, (v) reporting and analytics dashboards. Hosted on AWS UK-South region with 24/7 monitoring and UK-based support.

2. Subscription term and fees. The subscription begins on the date of this Agreement and continues for an initial term of 36 months, automatically renewing for successive terms of equal length unless either party gives written notice of non-renewal at least 30 days before the end of the then-current term. The subscription fee is £28,800 per annum, payable in advance.

3. Service levels and uptime. The Supplier shall use commercially reasonable endeavours to provide the Service with availability of at least 99.9% in any calendar month, measured excluding planned maintenance (notified at least 7 days in advance) and Force Majeure events.

4. Customer data and intellectual property. The Customer retains all rights in and to Customer Data uploaded to or generated through the Service. The Supplier processes Customer Data only as instructed by the Customer and for the purposes of providing the Service. The Supplier retains all intellectual property rights in the Service, the Supplier Software, and any improvements or derivatives. The Customer is granted a non-exclusive, non-transferable, revocable licence to use the Service for the subscription term, solely for its internal business purposes.

5. Limitation of liability. Subject to clause 5.1 (which excludes liability for death or personal injury caused by negligence, fraud, fraudulent misrepresentation, or any other liability which cannot be lawfully excluded), the aggregate liability of either party arising under or in connection with this Agreement shall not exceed the total fees paid or payable by the Customer in the 12-month period preceding the event giving rise to liability. The Customer acknowledges that this limitation is reasonable for the purposes of the Unfair Contract Terms Act 1977 having regard to the subscription fees, the nature of the Service, and the availability of insurance.
6. Data processing — UK GDPR Article 28. Where the Supplier processes personal data on behalf of the Customer in providing the Service, the Supplier acts as processor and the Customer acts as controller within the meaning of the UK GDPR (UK General Data Protection Regulation, incorporated by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018.

6.1 Subject matter, duration, nature, purpose. Processing of personal data of Customer's hotel guests (names, contact details, payment card last-4, stay history, preferences) and Customer's personnel (operational user accounts).

6.2 Types of personal data and categories of data subjects. Account credentials; guest names, email, phone, address, nationality, date of birth, ID document number (passport / driver's licence) where collected; payment card token (last-4 only — full PAN not stored); booking and stay history; loyalty program data; staff user accounts and access logs.

6.3 Documented instructions. The Supplier shall process Customer personal data only on documented instructions from the Customer, including with regard to international transfers, save where required to do so by UK law.

6.4 Confidentiality. The Supplier ensures that persons authorised to process Customer personal data are subject to confidentiality obligations.

6.5 Security (Article 32 UK GDPR). The Supplier implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access controls, regular vulnerability scanning, penetration testing, and incident response procedures.

6.6 Sub-processors. The Customer grants general authorisation for the engagement of sub-processors, subject to the Supplier notifying the Customer of any intended changes (including additions or replacements) at least 30 days in advance and the Customer's right to object.

6.7 International transfers. No personal data is transferred outside the United Kingdom in the ordinary course of operations. The Supplier maintains the option to engage UK-based sub-processors only without further authorisation. Any future transfers outside the UK would be subject to the International Data Transfer Agreement (IDTA) and a Transfer Impact Assessment.

6.8 Audit rights. The Supplier shall make available to the Customer all information necessary to demonstrate compliance with this clause and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

6.9 Return / deletion at end of services. At the choice of the Customer, the Supplier shall return or delete all Customer personal data after the end of the provision of services, save to the extent that UK law requires retention.
7. Service credits. Where the Supplier fails to meet the 99.9% uptime commitment in clause 3, the following service credits apply:

Uptime 99.9% target. Service credits:

• (a) uptime 99.0%-99.89% = 5% credit of monthly fee
• (b) uptime 95.0%-98.99% = 10% credit
• (c) uptime 90.0%-94.99% = 25% credit
• (d) uptime below 90.0% = 50% credit

Credits applied against the next monthly invoice. Maximum total credits in any month: 50% of monthly fee.

Service credits are the Customer's sole and exclusive remedy for breach of the uptime commitment.
8. Security certifications. The Supplier maintains the following certifications:

• ISO 27001:2022 certified — Information Security Management System
• SOC 2 Type II report available

Certifications are renewed annually and report copies are available to the Customer on reasonable request, subject to NDA.
9. Business continuity, source code escrow, and insurance.

9.1 Source code escrow. The Supplier shall deposit the source code of the Service with a recognised UK escrow agent (typically NCC Group or Iron Mountain). The escrow agreement provides for release to the Customer on defined trigger events including Supplier insolvency, persistent failure to maintain the Service, or material breach of this Agreement.

9.2 Business continuity plan. Cardinal SaaS maintains a documented BCP with RPO (Recovery Point Objective) of 4 hours and RTO (Recovery Time Objective) of 12 hours. Backups are stored across two AWS UK regions with cross-region replication. Incident response, communication, and post-incident review procedures are tested quarterly.

9.3 Insurance. Professional indemnity insurance £5,000,000 per claim with AIG (UK) Limited. Cyber liability insurance £10,000,000 per claim with AXA XL. Public liability £5,000,000. Annual renewal cycle.
10. IP licences and indemnities.

10.1 Customer licence scope. Non-exclusive, non-transferable, revocable licence to access and use the Service for the Customer's internal business purposes, limited to up to 50 named users at any time. No right to copy, modify, reverse-engineer, decompile, or extract the underlying source code or database schema.

10.2 Supplier IP indemnity. The Supplier shall indemnify the Customer against any claim that the Customer's use of the Service in accordance with this Agreement infringes any third-party intellectual property rights, subject to the liability cap in clause 5 and to the Customer giving the Supplier prompt notice and reasonable cooperation.

10.3 Customer indemnity. The Customer shall indemnify the Supplier against any claim arising out of the Customer Data, the Customer's use of the Service outside this Agreement, or the Customer's breach of applicable law.
11. Termination and governing law. Either party may terminate this Agreement for material breach not cured within 30 days of written notice, on the insolvency of the other party, or as otherwise provided in this Agreement. On termination, the Customer may export Customer Data for a period of 30 days, after which the Supplier shall delete Customer Data in accordance with the data processing terms in clause 6.9. This Agreement is governed by the law of England and Wales and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the date indicated.
SIGNED FOR AND ON BEHALF OF THE SUPPLIER
Mr Adrian Patrick Donnelly
Chief Executive Officer · 4 June 2026
Date: ____________________
SIGNED FOR AND ON BEHALF OF THE CUSTOMER
Westridge Hospitality Group Limited
Chief Operating Officer (Mr Stephen John Westridge) · 4 June 2026
Date: ____________________

Available as a print-ready PDF or an editable Microsoft Word (.docx) file.

What Is a UK SaaS Subscription Agreement?

A UK SaaS Subscription Agreement is the supplier-side terms and conditions governing the provision of Software-as-a-Service to a UK customer. The agreement covers subscription term, fees, service levels (uptime SLA), customer data, intellectual property, limitation of liability, data processing under UK GDPR, and termination. SaaS contracts dominate British technology services — almost every UK enterprise software deployment is now delivered as a hosted subscription rather than an on-premises licence.

The UK statutory framework depends on whether the customer is a business (B2B) or a consumer (B2C). For B2B, the Supply of Goods and Services Act 1982 implies a term of reasonable care and skill in the provision of the Service, and the Unfair Contract Terms Act 1977 imposes a reasonableness test on limitation of liability clauses. For B2C, the Consumer Rights Act 2015 implies stricter terms — services must be performed with reasonable care and skill (s.49), as described (s.50), and within a reasonable time (s.52); section 62 imposes a fairness test on consumer contract terms, meaning unfair terms are not binding on the consumer. Our template adapts the wording automatically based on customer type.

Where the Supplier processes personal data on behalf of the Customer in providing the Service, Article 28 UK GDPR imposes nine mandatory data processing terms: subject matter / duration / nature / purpose; types of personal data; categories of data subjects; documented instructions; confidentiality; security (Article 32); sub-processor authorisation; international transfers (IDTA / UK Addendum to SCCs); return / deletion at end of services; and audit rights. Our Expert template generates all nine sub-clauses of an Article 28-compliant DPA. The Supplier and Customer should also consider ISO 27001:2022 (Information Security Management System), SOC 2 Type II (Service Organisation Controls), source code escrow (NCC Group / Iron Mountain) for business continuity protection, and PI + cyber liability insurance.

What's Covered in This Template

Our UK SaaS Subscription Agreement template generates a supplier-side T&Cs aligned with the British statutory framework and current 2026 market practice.

B2B / B2C Customer Type

Wording adapts automatically — UCTA 1977 reasonableness for B2B; Consumer Rights Act 2015 fairness for B2C with 14-day cooling-off.

Service Description

Detailed Service definition (modules, features, hosting region, support) — limits the scope of supplier liability.

Subscription Term + Auto-Renewal

Initial term (12-36 months typical), auto-renewal with 30-day non-renewal notice (or manual renewal).

Uptime SLA + Service Credits (Expert)

Tiered service credits based on monthly uptime achieved — typically 5%-50% of monthly fee.

Customer Data Ownership

Customer retains data ownership; Supplier processes only on Customer instructions.

Supplier IP Retention

Supplier retains IP in the Service and Supplier Software; Customer granted non-exclusive licence for subscription term.

UCTA 1977 Liability Cap

12-month fee cap typical — limited by UCTA 1977 reasonableness test (B2B) or CRA 2015 fairness test (B2C).

UK GDPR Article 28 DPA (Expert)

Full 9-clause DPA — subject matter, types, instructions, confidentiality, Art.32 security, sub-processors, transfers, audit, return/deletion.

ISO 27001 + SOC 2 (Expert)

Industry-standard security certifications — increasingly required by UK enterprise customers.

Source Code Escrow (Expert)

NCC Group / Iron Mountain — protects Customer against Supplier insolvency, persistent failure, or material breach.

Business Continuity + Insurance (Expert)

RPO / RTO targets, multi-region backup, quarterly testing; PI £5m+ and cyber £10m+ insurance.

IP Indemnity + Customer Indemnity (Expert)

Supplier IP indemnity (subject to cap); Customer indemnity for Customer Data and use outside agreement.

How to Create a UK SaaS Subscription Agreement

Follow these steps to draft a UK SaaS supplier-side T&Cs.

  1. Identify the Supplier, Customer, and Customer Type

    Enter the Supplier (UK company name, Companies House number, registered office, signing director), the Customer (name, address, signatory for B2B), and select the customer type (B2B or B2C consumer). The template adapts the statutory wording automatically.

  2. Define the Service, Term, and Fees

    Describe the Service precisely (modules, features, hosting region, support). Enter the subscription fee, fee frequency (monthly / annual / one-off), initial term (typically 12-36 months), and whether auto-renewal applies. Select the governing UK jurisdiction.

  3. Set the Service Levels, Data Ownership, IP, and Liability Cap

    Enter the uptime SLA (typically 99.5%-99.9%), confirm customer data ownership, confirm Supplier retains IP in the Service, and set the liability cap (typically 12 months' fees, capped by UCTA 1977 reasonableness for B2B or CRA 2015 fairness for B2C).

  4. Add UK GDPR Article 28 DPA Detail (Expert)

    In Expert mode, confirm whether the Supplier processes personal data. If yes, set out the subject matter, duration, nature, and purpose of processing; types of personal data; categories of data subjects; sub-processor authorisation (general / specific / none); international transfers framework (IDTA / UK Addendum to SCCs).

  5. Add Security, BCP, Insurance, and Indemnities (Expert)

    In Expert mode, set out the service credits matrix (tiered by uptime achieved), ISO 27001:2022 and SOC 2 Type II certification status, source code escrow (NCC Group / Iron Mountain), business continuity plan with RPO / RTO targets, insurance coverage (PI £5m+, cyber £10m+), customer licence scope (user count, internal business purpose), and IP indemnities (Supplier indemnifies Customer for IP infringement; Customer indemnifies Supplier for Customer Data).

Why Doxuno documents are different

Four things that make our templates more thorough than AI-generated drafts and more current than static template libraries.

Accurate

Country-specific legal content

Drafted with legal expertise for each jurisdiction, far more thorough than AI-generated drafts that copy generic clauses across borders.

Always current

Always current with the law

Templates carrying statute references are continuously updated as the law changes. Your document always reflects the current legal framework.

Free PDF

Print-ready PDF

Free to download. Vector text, embedded fonts, statute citations baked in. Print, sign, file. Ready for any signing flow including electronic signature.

Word · .docx

Editable Word (.docx)

Continue editing in Word after download. Add custom clauses, reuse the template for similar agreements, or share with a colleague for collaborative review.

Requires Expert one-time unlock or any paid Doxuno subscription.

Legal Considerations

UK SaaS contract drafting is a specialism — the statutory framework is distinctive and customer expectations are increasingly sophisticated.

This template is for informational purposes only and does not constitute legal advice. UK SaaS contracting is technical — consult a qualified UK technology / commercial solicitor before signing material SaaS subscription agreements, particularly for enterprise deployments, regulated industries (financial services, healthcare), or where significant personal data processing arises.

Reviewed for England & Wales technology / commercial law and UK GDPR

B2B Framework — SGSA 1982 + UCTA 1977

For B2B contracts, the Supply of Goods and Services Act 1982 implies a term of reasonable care and skill (section 13) and reasonable time (section 14). These implied terms can be limited or excluded by clear contractual wording, subject to the UCTA 1977 reasonableness test. Section 3 UCTA 1977 imposes a reasonableness test on limitation of liability in standard-form B2B contracts; section 11 + Schedule 2 set out the reasonableness factors (relative bargaining power, availability of insurance, the difficulty of the obligation, etc.). A 12-month-fee liability cap is the UK market norm and is generally considered reasonable — but the test is applied case-by-case.

B2C Framework — Consumer Rights Act 2015

For B2C contracts, the Consumer Rights Act 2015 implies stricter terms: section 49 (services must be performed with reasonable care and skill), section 50 (services must match the description), section 52 (services must be performed within a reasonable time), section 54 (price reasonable if not agreed). Section 62 imposes a fairness test — a term is unfair if "contrary to the requirement of good faith, it causes a significant imbalance in the parties' rights and obligations under the contract, to the detriment of the consumer". Unfair terms are not binding on the consumer (s.67). Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 give a 14-day cooling-off right for online consumer SaaS subscriptions.

UK GDPR Article 28 — Mandatory Data Processing Terms

Where the Supplier processes personal data on behalf of the Customer in providing the Service, Article 28 UK GDPR imposes 9 mandatory contractual terms: (a) subject matter, duration, nature, purpose of processing; (b) types of personal data; (c) categories of data subjects; (d) controller obligations and rights; (e) processor obligations including (i) process only on documented instructions, (ii) confidentiality of personnel, (iii) Article 32 security measures, (iv) sub-processor authorisation, (v) assistance with data subject rights and controller compliance, (vi) return / deletion at end of services, (vii) audit rights. Failure to comply with Article 28 is an infringement of Article 83(4) UK GDPR, attracting administrative fines up to £8.7 million or 2% of global annual turnover. The Information Commissioner's Office (ICO) has issued detailed guidance on Article 28 DPA wording.

Industry-Standard Security Certifications and Risk Allocation

UK enterprise customers increasingly require their SaaS suppliers to maintain industry-standard security certifications: ISO 27001:2022 (Information Security Management System, certified by accredited bodies under UKAS); SOC 2 Type II (Service Organisation Controls — security, availability, confidentiality, processing integrity, privacy — auditor-attested over a defined observation period, typically 6-12 months); Cyber Essentials Plus (UK Government scheme, baseline cyber hygiene). Source code escrow with a recognised UK agent (NCC Group, Iron Mountain) protects the Customer against Supplier insolvency, persistent failure, or material breach — the escrow agreement provides for source code release to the Customer on defined trigger events. Professional indemnity insurance (£5m+) and cyber liability insurance (£10m+) are now standard SaaS supplier insurance markers.

Draft Your UK SaaS Subscription Agreement Now

Use our free template to draft a UK SaaS Subscription Agreement (supplier-side T&Cs) for B2B or B2C customers. Full statutory framework — Consumer Rights Act 2015, Supply of Goods and Services Act 1982, Unfair Contract Terms Act 1977, UK GDPR Article 28. Service levels with service credits matrix, ISO 27001 + SOC 2, source code escrow, business continuity, insurance coverage, IP and customer indemnities — all in one execution-ready agreement.

Free PDF · Editable Word with Expert · No account required