SaaS Terms of Service Red Flags: What to Check Before You Sign Up

8 min read · Updated April 2026

Every SaaS product you sign up for comes with a terms of service agreement. Most people click “I agree” without reading a word — and most of the time, that's fine. But some SaaS agreements contain clauses that can lock you into long contracts, give vendors rights over your data, or leave you with no recourse when things go wrong.

If you're a startup or small business evaluating software that will touch your customer data, financial information, or core operations, it's worth a 10-minute review. Here's exactly what to look for.

8 SaaS ToS red flags to check

01. Auto-renewal with short cancellation windows (severity: High)

Many SaaS contracts auto-renew annually unless cancelled within a specific window (often 30-90 days before renewal). Miss the window and you're locked in for another year. Look for: 'unless either party provides written notice of non-renewal at least [X] days prior to the end of the then-current term.'

What to do: Set a calendar reminder the moment you sign. Push for a 30-day cancellation window and month-to-month options.

02. Unilateral price change rights (severity: High)

Some ToS allow the vendor to change pricing with as little as 30 days' notice — and your only recourse is to cancel. For annual contracts where you've already paid, this is particularly problematic. Look for: 'Provider reserves the right to modify pricing at any time with notice.'

What to do: Negotiate price lock guarantees for the contract term. At minimum, require 90 days' notice and the right to terminate if price increases exceed a set percentage.

03. Data portability and exit clauses (severity: High)

What happens to your data when you leave? Some vendors provide data exports for a limited window post-termination (30-90 days), then delete everything. Others charge for exports. If the vendor shuts down, what happens to your data? Look for: deletion timelines, export formats, and whether exports are included in your plan.

What to do: Negotiate a minimum 90-day export window post-termination, data export included in your plan, and a data destruction certificate on request.

04. Broad data usage rights (severity: High)

Some SaaS agreements grant vendors broad rights to use your data — for product improvement, benchmarking, or even training AI models. This is especially concerning for confidential business data, customer information, or proprietary content. Look for: 'You grant Provider a license to use Customer Data to improve our services.'

What to do: Require explicit opt-out rights for AI training data use, and ensure customer data is excluded from any aggregated benchmarking.

05. Liability caps that exclude consequential damages (severity: Medium)

Most SaaS ToS limit vendor liability to fees paid in the last 12 months — meaning if an outage costs you $500K in lost business, the vendor owes you only their $200/month fee. Exclusions of consequential and indirect damages are standard, but the cap amount matters.

What to do: For business-critical software, negotiate a higher liability cap (e.g., 3x annual fees) and carve-outs for data breaches caused by vendor negligence.

06. Mandatory arbitration with inconvenient venue (severity: Medium)

If things go wrong, arbitration clauses prevent you from suing in court. Many SaaS agreements require arbitration in the vendor's home city — which makes it impractical to pursue small claims. Look for: 'Any disputes shall be resolved by binding arbitration in [Vendor's City], [State].'

What to do: Negotiate for remote arbitration or arbitration in your jurisdiction. For low-value disputes, push for the right to use small claims court.

07. Unilateral right to modify the ToS (severity: Medium)

Most SaaS terms include a clause allowing the vendor to change the agreement at any time with notice. This is common and largely unavoidable — but the notice period and what 'continued use' means both matter. Some ToS treat continued use after 30 days as acceptance of new terms.

What to do: Look for at least 30 days' notice for material changes, and the right to terminate without penalty if you don't agree to the new terms.

08. Subprocessor disclosure gaps (severity: Medium)

Your SaaS vendor likely uses subprocessors — third-party services that access your data (cloud providers, analytics tools, support platforms). Under GDPR and CCPA, you have rights to know who these are. Some vendors list subprocessors only in a separate, frequently updated document — meaning new subprocessors can be added without notice.

What to do: Require notification of new subprocessors before they're added (not after). For EU data, ensure all subprocessors have appropriate SCCs or adequacy decisions.

When SaaS ToS actually matter most

For a $9/month productivity tool, these clauses matter less. But if your SaaS vendor handles any of the following, review carefully:

  • Customer personal data (names, emails, payment info)
  • Proprietary business data (financials, product plans, contracts)
  • Core business operations (if it goes down, you can't work)
  • Annual contracts over $5,000
  • Data subject to GDPR, HIPAA, SOC2, or other compliance requirements

Bottom line

Most SaaS terms are written by vendors to protect vendors. That doesn't make them predatory — it just means you need to know what you're agreeing to, especially for business-critical software. Focus your review on data rights, exit terms, liability caps, and renewal clauses. Everything else is usually boilerplate.

Not legal advice — always consult a licensed attorney for high-stakes matters.