Reviewing SaaS contracts with AI: What IT and legal teams need to know

by CASUS Team

SaaS contracts land on desks regularly in virtually every company - sometimes dozens per year. They are also far from legally straightforward: they blend elements of rental law (Art. 253 ff. CO), mandate law (Art. 394 ff. CO), and in some cases works contract law (Art. 363 ff. CO), without any single statutory framework to govern them. Anyone reviewing a SaaS contract with the help of AI needs a clear picture of what the technology can deliver today - and where it falls short.

Why SaaS contracts deserve close attention

A standard purchase agreement is self-contained. A SaaS contract is not. It governs an ongoing service relationship: availability, updates, data storage, support, termination, liability - and increasingly the vendor's own use of AI features within the product.

That creates legal review demands on several fronts at once. A missing liability cap can have serious financial consequences if service goes down. An unclear data deletion clause creates privacy exposure. And missed auto-renewal provisions can leave a company locked into a contract it intended to exit.

On top of that, many SaaS vendors are headquartered outside Switzerland or the EU. That raises questions about data sovereignty - particularly when personal data or trade secrets are involved.

What actually matters when reviewing a SaaS contract

Liability and service promises

SaaS vendors frequently write broad liability disclaimers into their terms while making performance commitments that do not hold up under scrutiny. Under Art. 100 para. 1 of the Swiss Code of Obligations (CO), any contractual exclusion of liability for intentional harm or gross negligence is void from the outset - a point that is easy to overlook when the exclusion clause is buried deep in the general terms.

A "99.9% availability" SLA sounds strong - but how is downtime defined? How is it measured? What remedies apply if the threshold is missed?

From practical review work: hyperscaler general terms routinely define "downtime" so narrowly that scheduled maintenance windows and partial regional outages fall outside it. An in-house team that reads the SLA without checking it against this definition will treat a clause as protective when it barely applies in practice.

Gaps between marketing language and contract text are among the most common negotiation points when reviewing SaaS agreements. For interpretation disputes, Art. 18 CO governs: the actual common intent of the parties controls, not the literal wording.

Data protection and data processing agreements

Anyone using a SaaS service that involves personal data needs a data processing agreement (DPA). In Switzerland, this obligation flows from Art. 9 revFADP (processing by a processor): the controller may only delegate data processing to a processor if that processor handles the data in a way the controller itself would be permitted to, and if no statutory confidentiality duty prohibits the transfer.

For transfers to countries without an adequate level of protection - such as the US - Art. 16 revFADP requires appropriate safeguards, typically Standard Contractual Clauses (SCCs) modelled on the FDPIC guidance or the EU Commission template. On the EU side, Art. 28 GDPR sets out the minimum content requirements for a DPA.

Getting a DPA from the vendor is usually straightforward. Checking whether it actually holds up is the real work: are the technical and organisational measures (TOMs) concrete enough? Are sub-processors listed transparently? What happens to the data if the vendor changes something - or if the contract ends?

A pattern observed repeatedly in practice: US-based hyperscalers consistently leave the post-termination deletion period field blank in their standard DPAs, or refer to internal "Data Retention Policies" that the customer cannot access. That is precisely where data protection risks arise during FDPIC reviews or internal audits. FDPIC (EDÖB) guidance and Art. 16 revFADP more generally make clear that blanket references to vendor documentation do not constitute adequate safeguards.

For US-based vendors, a Transfer Impact Assessment (TIA) supporting the SCCs is not optional - it is expected by Swiss and EU supervisory authorities.

Termination, auto-renewal, and data migration

Many SaaS contracts address termination but say nothing about what follows. What happens to customer data after the contract ends? In what format is it returned? How long does the vendor retain it?

A frequently missed problem: the auto-renewal clause. Swiss in-house teams consistently identify the automatic renewal trigger - typically sitting in section 12 or 13 of hyperscaler general terms - only after the cancellation window has already closed. Contracts that auto-renew for another twelve months unless cancelled 90 days before expiry are market standard - but not unquestionable. Any team that does not actively track these deadlines in its contract management system risks paying for another full year it did not intend to commit to.

Leaving the data migration questions unresolved invites lock-in that only becomes visible when switching providers.

AI features in SaaS contracts

More and more SaaS vendors are embedding AI functionality into their products. The contractual implications are rarely spelled out clearly. Who is liable if AI-generated output is wrong? Are customer data used to train models? What disclosure obligations apply?

Since August 2025, the EU AI Act (AIA) imposes transparency obligations on providers of General-Purpose AI (GPAI) models under Art. 53 AIA. Providers must, among other things, maintain technical documentation and comply with copyright requirements. For Swiss companies using SaaS products with embedded GPAI models, the relevant question is whether the vendor meets these obligations - and whether the contract includes a corresponding warranty.

By the end of 2026, the Federal Council will publish a consultation draft on a national AI regulatory framework, focusing on transparency, data protection, non-discrimination and oversight. Until a Swiss AI framework enters into force, the practical approach is to benchmark AI-related contract clauses against the EU AIA requirements where the vendor operates in the EU or serves EU users.

These are new questions, and standard contracts rarely cover them. They should not be skipped when reviewing a SaaS agreement.

Red-flag clause library: provisions that routinely cause problems in hyperscaler terms

The following reference table draws on practical contract review experience. It lists clause types that repeatedly emerge as problematic - with the typical vendor formulation, the associated risk, and a possible counter-position.

Liability exclusion
Typical hyperscaler wording: "In no event shall Vendor be liable for any indirect, incidental or consequential damages"
Risk: Excludes consequential loss; void for intent/gross negligence under Art. 100 CO
Swiss counter-position: Cap liability at annual fees; expressly include gross negligence

SLA definition
Typical hyperscaler wording: "Downtime excludes scheduled maintenance and issues outside Vendor's reasonable control"
Risk: Practical protection close to zero; no remedy trigger
Swiss counter-position: Broaden downtime definition; credits from first outage; termination right below threshold

Auto-renewal
Typical hyperscaler wording: "Agreement auto-renews for successive 12-month periods unless cancelled 90 days prior"
Risk: Lock-in for another year if deadline missed
Swiss counter-position: Reduce notice to 30 days; require active renewal confirmation

Data use for training
Typical hyperscaler wording: "Customer data may be used to improve Vendor's services and models"
Risk: Breach of Art. 9 revFADP / Art. 28 GDPR without explicit DPA
Swiss counter-position: Explicit opt-out from model training; DPA amendment required

Post-termination deletion
Typical hyperscaler wording: "Vendor will delete Customer data within a reasonable time after termination"
Risk: "Reasonable time" undefined; data protection exposure
Swiss counter-position: Fixed deadline (max. 30 days); specify export format; require deletion certificate

Unilateral modification
Typical hyperscaler wording: "Vendor may modify these terms upon 30 days' notice"
Risk: Unilateral amendment without customer consent
Swiss counter-position: Material changes require consent; extraordinary termination right on amendment

Governing law and jurisdiction
Typical hyperscaler wording: "Exclusive jurisdiction: courts of [US State]; Governing law: [US State] law"
Risk: Swiss company must litigate in the US
Swiss counter-position: Zurich or Geneva jurisdiction; Swiss law or English law alternatively

This table is not an exhaustive checklist, but it shows where resistance in hyperscaler standard contracts is most likely to be worth the effort.

Before and after: what a clause rewrite looks like in practice

A liability clause is the most common rewrite scenario. The following shows a typical starting position and a negotiated version.

Original clause (vendor general terms):

"To the maximum extent permitted by applicable law, Vendor's total liability arising out of or related to this Agreement will not exceed the greater of (a) USD 500 or (b) the amounts paid by Customer in the three months preceding the claim."

Risk assessment: The USD 500 cap applies effectively to any significant loss event. Three months of fees are inadequate for annual contracts with material volume. Consequential losses are excluded entirely. Under Art. 100 para. 1 CO, any exclusion covering intentional harm or gross negligence is void regardless - but that has to be litigated first.

Negotiated counter-clause:

"Vendor's total aggregate liability arising out of or related to this Agreement shall not exceed the total fees paid or payable by Customer in the twelve (12) months immediately preceding the event giving rise to the claim. The foregoing limitation shall not apply to (i) Vendor's gross negligence or wilful misconduct, (ii) breaches of confidentiality obligations, or (iii) indemnification obligations under Section [X]."

What changes: The cap rises to twelve months of fees. Gross negligence and intent are expressly excluded from the cap (consistent with Art. 100 CO). Confidentiality breaches and indemnification obligations remain uncapped - particularly relevant for SaaS contracts with access to sensitive data.

A concrete workflow from practice

An in-house legal team at a Zurich technology company (approximately 400 employees, regular intake of enterprise SaaS agreements) introduced CASUS for SaaS contract review. Before the change, a standard SaaS contract including DPA and order form took an average of around 2.5 hours to process in an initial review: reading through the document, checking clauses against an internal review scheme, prioritising risks, and building a negotiation point list.

Using CASUS's Risk & Quality Review and Benchmark module - calibrated against an internal SaaS playbook - the same initial check now takes 35 to 45 minutes. Structured findings on liability gaps, missing deletion periods in the DPA, and auto-renewal clauses without adequate notice periods come out prioritised by severity. What the team still does: the legal assessment in context, the negotiation strategy, the call on which points matter most. Those steps have not disappeared - they now start from a better foundation.

In a separate exercise, the AI Data Room was used in a compliance audit context to review a portfolio of 47 existing SaaS contracts. It identified missing or incomplete DPA provisions in 19 agreements - including eight where post-termination deletion periods were absent entirely. Without parallel processing, that would have been several days of manual work.

How AI changes contract review

Traditionally, reviewing a contract means reading through the document, flagging clauses, noting risks, and building a list of negotiation points. That process is time-consuming and prone to gaps, especially with long documents reviewed under time pressure.

AI-assisted review can speed up this process without removing the legal assessment. The technology handles the initial analysis: which clauses are missing, where the contract deviates from market standard, and what risks arise for which party.

What remains is the legal judgment from experienced practitioners - working from an already structured analysis rather than a raw document.

What CASUS does when reviewing SaaS contracts

CASUS is a Swiss legal AI platform that works directly inside Microsoft Word and as a web app. Hosting is in Switzerland and the EU, with no data transfer to the US - relevant for Swiss companies that need to demonstrate data protection compliance under the revFADP when selecting tools.

Risk & Quality Review

The Risk & Quality Review identifies the contract parties and analyses risks from each party's perspective - not generically. Each finding is prioritised by severity (low / medium / high) and paired with concrete drafting options. Those suggestions can be applied directly in Word, correctly formatted, without manual reformatting.

For SaaS contracts, missing liability caps, one-sided termination rights, or vague SLA definitions come out as structured findings, ordered by urgency.

Benchmark

The Benchmark module checks a document against a defined standard - for example, an internal SaaS contract playbook or established best practices. The output shows which topic areas are missing (such as data protection, termination, or liability caps), which clauses are incomplete, and what percentage match the standard achieves overall.

Teams that review SaaS contracts regularly can store their own review framework and have each new document checked against it automatically.

AI Chat and Legal Research

Through the AI Chat, targeted questions can be asked about the contract - for example: "What applies in the event of data loss?" or "Under what conditions can the vendor terminate?" Answers are linked to the relevant contract passages, so jumping directly to the source text is straightforward.

The Legal Research mode draws on legal foundations from over 660,000 cantonal and federal court decisions as well as statutory law. Relevant reasoning sections are highlighted directly in the result - no separate lookup in a case law database needed. That is particularly useful when checking a clause against Art. 100 CO or the requirements of Art. 9 and Art. 16 revFADP.

AI Data Room

For teams that need to review not just one SaaS contract but an entire portfolio - for example during a compliance check or audit preparation - the AI Data Room handles parallel analysis. Dozens or hundreds of documents are processed at once, with results delivered in a user-defined table structure. Extraction fields are set by the user: liability limits, notice periods, SLA tiers, DPA status, AI training data clauses - column by column, exportable.

Practical implications for legal teams

For IT-adjacent legal teams or in-house counsel who work with SaaS contracts regularly, AI support does not change legal responsibility - but it changes the workflow.

Three pitfalls come up consistently in practical review work. First, the combination of a narrow SLA downtime definition and a sweeping liability exclusion is often only recognised as a connected risk when both clauses are read side by side - something that is easy to miss in a clause-by-clause review. Second, standard DPAs from US vendors reliably omit the post-termination deletion period field required under Art. 9 revFADP - it is simply absent, without making the document look obviously incomplete at first glance. Third, the governing law and jurisdiction clause in many hyperscaler contracts points to a US state, which in-house teams frequently accept as boilerplate on first reading, despite the material consequences it would have in a dispute.

Teams using AI tools in legal work should have clear processes for how outputs are used - and who holds final legal responsibility. AI output does not replace legal review, but it can prepare and structure it.

Try CASUS

Teams that review SaaS contracts regularly and want to speed up the initial check can try CASUS directly. The platform runs in Microsoft Word and as a web app, with data hosted in Switzerland and the EU. Technical security details are at /security. A free trial is available at app.getcasus.com/signup.

FAQ

What is most important when reviewing a SaaS contract?

When reviewing a SaaS contract, particular attention should go to liability caps (including consistency with Art. 100 CO), SLA definitions, data protection and DPA terms under Art. 9 revFADP, notice periods, auto-renewal clauses, and post-termination data handling. Contracts that include AI features also raise questions about data use for model training and liability for AI-generated output - and since August 2025, transparency obligations for GPAI providers under Art. 53 EU AI Act.

How can AI help with reviewing SaaS contracts?

AI tools analyse contracts in a structured way: they identify missing clauses, prioritise risks by severity, and flag deviations from a standard. In practice, an initial review of a standard SaaS contract including DPA can be completed in 35 to 45 minutes with AI support, compared to 2 to 3 hours manually.

Does AI replace the legal review of a SaaS contract?

No. AI delivers source-based, structured analysis - not final legal advice. The legal judgment in the context of a specific organisation and any negotiation strategy remain the responsibility of qualified lawyers. AI changes how the review starts, not who makes the final call.

What must a data processing agreement (DPA) for SaaS cover?

Under Art. 9 revFADP, the DPA must ensure the processor handles data only in ways the controller itself would be permitted to. In terms of content, it needs: processing purpose, data categories, technical and organisational measures (TOMs), a list of sub-processors, and provisions on deletion, data subject rights, and audit. For vendors outside Switzerland and the EU, Art. 16 revFADP requires appropriate safeguards - typically SCCs.

What does the auto-renewal clause actually mean in practice?

Most hyperscaler contracts auto-renew for twelve months unless cancelled 60 to 90 days before expiry. This clause typically sits in a later section of the general terms and is missed in initial review. Any team without active calendar reminders for these deadlines risks committing to another full year unintentionally. In negotiation, it is worth pushing for a 30-day notice period and an active renewal confirmation requirement.

What risks arise from SaaS contracts that include AI features?

Contracts that do not clearly address the vendor's AI functionality leave open: who is liable for incorrect AI output, whether customer data are used for model training, and which disclosure obligations apply. Since August 2025, Art. 53 of the EU AI Act imposes transparency obligations on providers of GPAI models. Swiss companies should check whether their SaaS vendor meets these obligations and whether the contract includes a corresponding warranty.

How does a SaaS contract differ legally from a traditional software purchase?

A software purchase transfers ownership or a permanent licence. A SaaS contract is time-limited and typically combines elements of rental law (Art. 253 ff. CO), mandate law (Art. 394 ff. CO), and in some cases works contract law (Art. 363 ff. CO). That has implications for warranties, termination rights, and what happens to data after the contract ends - with no single statutory framework governing the mix.

Can AI analyse many SaaS contracts at the same time?

Yes. Platforms like CASUS offer an AI Data Room for this purpose: dozens or hundreds of documents are processed in parallel, and results are delivered in a configurable table structure. This suits compliance reviews, portfolio assessments, or audit preparation - for example to identify missing DPA provisions or absent deletion periods across an entire contract portfolio.

What data protection requirements apply to AI tools used for contract review?

It depends on what data are fed into the tool. Personal data are governed by Art. 9 and Art. 16 revFADP (Switzerland) and Art. 28 and Art. 32 GDPR (EU). Key factors are the hosting location, zero data retention policy, and whether data are transferred to third countries. CASUS hosts in Switzerland and the EU, does not transfer data to the US, and retains no data after processing. Technical details are at /security.

Contracts on autopilot. With CASUS.

CASUS Technologies AG

Uraniastrasse 31

8001 Zurich

Switzerland

Copyright ©2025 CASUS Technologies AG — All rights reserved.
