The SaaS legal stack — built around your product, not pulled off a shelf.

The seven documents in a clean SaaS legal stack

1. Master Subscription Agreement (MSA) or Terms of Service (TOS). The primary commercial document. MSAs are usually negotiated and signed for B2B enterprise customers; TOS is unilateral click-through for self-serve and mid-market. Both should cover scope, fees, term and renewal, IP ownership, license grant, warranties, indemnification, limitation of liability, and termination.
2. Order Form / Schedule. Commercial detail (price, seats, term, specific features) attached to the MSA. The MSA controls; the order form fills in the variables.
3. Data Processing Addendum (DPA). Required when the customer is a controller and you process personal data on their behalf. GDPR Art. 28 mandates specific terms; CCPA / CPRA has analogous requirements. Includes sub-processor list, security measures, breach notification, audit rights, and data-transfer mechanisms.
4. Privacy Policy. Public-facing, required for any service that collects personal data. CCPA / CPRA requires specific California-resident disclosures. GDPR requires Article 13/14 disclosures. State laws (Virginia, Colorado, Connecticut, Utah, etc.) add overlay requirements.
5. Acceptable Use Policy (AUP). Sets the boundaries on customer use: no spamming, no illegal content, no abuse of the service or other customers. Often incorporated by reference into the TOS / MSA.
6. AI Use Addendum (where applicable). If the service uses customer data to train models, integrates third-party AI providers (OpenAI, Anthropic, Google), or generates AI output, the AI Use Addendum addresses input ownership, output ownership, training-data restrictions, and indemnification for AI-generated infringement.
7. Service Level Agreement (SLA). Defines uptime commitments, response times for support, and remedies for breach (typically service credits). Often a separate document or schedule attached to the MSA.

Six SaaS legal scenarios that often require attention

Scenario 1: Building the stack from scratch (pre-launch)

Founder is launching a SaaS and needs the full stack before going live. The right approach is to build all seven documents at once with a consistent commercial position so the MSA, TOS, DPA, Privacy, AUP, and AI Use Addendum all line up. Ad hoc piecemeal documents create internal contradictions that expose the company at audit, due diligence, or contract negotiation.

Scenario 2: Enterprise customer demands MSA with redlines

Customer's legal team sends back the MSA with extensive redlines: liability caps, IP carve-outs, audit rights, MFN clauses, source-code escrow, increased indemnification. The work is to identify which redlines are deal-breakers, which are negotiable, and which are acceptable as-is. The case-evaluation memo plus contract redline service handles this; price depends on scope.

Scenario 3: GDPR / CCPA / state privacy compliance gap

SaaS has been operating without a proper DPA, sub-processor list, breach-notification mechanism, or California-specific Privacy Policy. The risk is regulatory action plus customer-contract breach. The fix is bringing the stack up to current standards: DPA template, sub-processor list, breach response plan, updated Privacy Policy with state-by-state coverage.

Scenario 4: AI feature added to existing SaaS

The SaaS now uses customer data to train models, integrates with OpenAI / Anthropic / Google, or generates AI output. The existing MSA and TOS do not cover AI inputs, outputs, training restrictions, or AI-related indemnification. The AI Use Addendum is bolted on; the Privacy Policy and DPA need updates for AI processing.

Scenario 5: Customer disputes invoices or refuses to renew

Customer challenges fees, claims the service did not perform, or refuses to auto-renew under the MSA terms. The collection path is in the contract: notice-and-cure, late-fee provision, attorney-fee clause, accelerated balance on default. The B2B Invoice Collection hub covers this in detail.

Scenario 6: Acquisition / due diligence

Acquirer's lawyers review the SaaS legal stack and find gaps: no DPA, no AI Use Addendum, inconsistent customer terms, missing sub-processor list, weak indemnification. Closing is delayed while the gaps are remediated. The fix is pre-acquisition cleanup of the stack so the company is acquisition-ready.

First-30-days action checklist when building or fixing a SaaS legal stack

1. Inventory what you have. Pull every contract template, click-through document, and Privacy Policy currently live. Note last revision date and who drafted.
2. Identify the gaps. Compare against the seven-document standard above. Any document missing or older than 18 months is a candidate for refresh.
3. Map the data flows. What data do you collect, where is it stored, who is your processor, what cross-border transfers are happening, and where do EU / UK / California / state-resident customers come from.
4. Identify the AI exposure. Are you using customer data to train? Do you have OpenAI / Anthropic / Google in the stack? Are AI outputs delivered to customers? Each affects the AI Use Addendum and the Privacy Policy.
5. Identify the regulatory layer. Healthcare (HIPAA), financial (GLBA / state financial-privacy laws), education (FERPA), child users (COPPA) all add overlays. The stack changes if any of these apply.
6. Build the stack. MSA / TOS, DPA, Privacy, AUP, AI Use Addendum, SLA, order-form template. Consistent commercial position across all seven.
7. Train the team. Who can sign what. When to escalate. How to handle customer redlines. The legal stack is only as strong as the operational discipline around it.
8. Calendar the renewals. Privacy laws change. State coverage expands. Sub-processors get added. The stack needs review at least annually.