01 The SaaS Subscription Agreement vs ToS vs EULA
Three documents commonly get confused by founders, and the distinction matters for what you are actually contracting about.
The Terms of Service (or Terms of Use) is the public-facing document that governs the relationship between your company and any visitor to your website or app. It is displayed at sign-up and accepted by clicking a checkbox or by continued use (browsewrap). It addresses the generic rules: acceptable use, account responsibilities, IP ownership of content, dispute resolution, governing law. A ToS is written for the widest possible audience because you do not know who will be accepting it.
The End User License Agreement (EULA) is the license that governs on-device software. If a customer downloads your mobile app or your desktop agent, the EULA addresses the license grant, installation rights, reverse-engineering prohibitions, and software-specific warranty disclaimers. A EULA is about a piece of code the customer has possession of.
The SaaS Subscription Agreement is the paid-customer contract that governs the ongoing delivery of a hosted software service. It addresses three things the other two documents cannot: subscription mechanics (term, renewal, pricing, usage), service performance (SLA), and the commercial and data-processing relationship (invoicing, taxes, DPA incorporation). A SaaS customer who signs both a ToS and a Subscription Agreement is contracting under both, with the Subscription Agreement typically prevailing for anything the two address in conflict.
The practical implication: if you are running a SaaS that charges money and processes customer data, a public ToS alone is insufficient. The ToS does not address your SLA, does not structure your auto-renewal, does not carry your DPA by reference, and does not allocate your liability cap against paying customers in a way that a court will reliably enforce. The Subscription Agreement is the contract that does all of that, and in 2026 it is the contract that state Attorneys General read when they evaluate whether your auto-renewal program is deceptive.
02 Choosing Among the 8 Templates
“SaaS” covers a remarkably wide commercial surface area. A $9/month consumer photo editor and a $2M/year enterprise data platform are both SaaS, but almost nothing about their subscription agreements is the same. Eight templates cover the mainstream commercial patterns.
B2C consumer subscription. Individual consumers buying monthly or annual access. This is where state auto-renewal laws hit hardest — California CARL, New York GBL § 527-A, Massachusetts 940 CMR 38.00 all apply. Agreement is accepted via clickwrap at checkout with no negotiation. Credit card on file, auto-charge each period. SLA usually omitted or heavily disclaimed. Liability cap at fees paid or 12 months’ fees.
B2B SaaS (standard). Mid-market business customers, usually with an annual term. Most state ARLs exempt B2B so the compliance surface is lighter, but ROSCA still applies and Colorado’s 2026 amendment extends CARL-like rules to B2B in that state. Invoice or credit card. SLA typically 99.9%. DPA incorporated by reference. Liability cap at 12 months’ fees with standard uncapped carveouts.
Enterprise (MSA + Order Form). Large customers with negotiated commercial terms, often multi-year, almost always with a legal team on the other side. Structure is a Master Subscription Agreement (reusable general terms) plus one or more Order Forms (deal-specific commercial terms). SLA usually 99.95%, sometimes 99.99%. Enhanced liability cap (often 2x 12 months). Detailed DPA, often with supplementary measures and audit rights. Net-30 or Net-60 invoicing. See Section 3 for why the MSA+OF structure matters.
Per-seat licensing. Named-user pricing. The agreement needs to address seat provisioning (who counts as a user, when a seat is active, how seat additions are prorated, how seat reductions take effect at renewal). Common in collaboration and productivity SaaS. 14-day trial typical.
Usage-based (metered). API calls, gigabytes, compute units, tokens. The agreement defines the metering unit, the rate per unit, the billing cadence (usually monthly), and overage rates above any included allowance. Provider’s measurement records are conclusive absent manifest error. Critical for AI SaaS, observability tooling, and infrastructure.
Freemium with free-to-pay conversion. Free tier that converts to paid, or time-limited free trial that auto-charges at trial end. California AB 2863 explicitly covers free-to-pay conversions as of July 1, 2025; New York requires 3-to-21 days’ advance notice for trials longer than one month; Massachusetts requires calendar-date disclosure. The trial-conversion workflow is where consumer-SaaS compliance fails most frequently.
Marketplace / platform. Two-sided marketplace where the platform takes transaction fees from proceeds. Terms differ fundamentally from a seat or usage subscription: no subscription at all, just platform fees deducted at transaction time. SLA matters because marketplace downtime directly prevents sellers from earning revenue.
Prosumer / solo-operator. Individual freelancers and creators who behave commercially but are legally consumers. Treated as a consumer for ARL purposes (CA, NY, MA apply), but the commercial expectations are higher — the customer wants a proper SLA, not just a disclaimer, even though the price point is consumer.
The generator pre-fills sensible defaults for each template (which ARL jurisdictions apply, whether SLA is on by default, whether DPA is required, which liability-cap structure is standard) so the starting point matches the commercial reality of the template.
03 The MSA + Order Form Structure
Enterprise SaaS uses two documents where SMB SaaS uses one. Understanding why is the most important commercial-drafting insight in the enterprise segment.
The Master Subscription Agreement contains the reusable terms that do not change deal to deal: definitions, service description framework, IP ownership, warranty, indemnity, liability cap, confidentiality, term, termination, DPA incorporation, governing law. An MSA is signed once between the parties and then survives across multiple transactions.
The Order Form contains the deal-specific commercial terms: the specific Services subscribed to, the subscription term (typically 1 or 3 years), the number of seats or usage allowances, the price, payment terms, the applicable SLA tier, and any non-standard commercial terms unique to that deal. An Order Form is signed each time the customer buys additional services or renews — so customers who expand over time accumulate Order Forms under a single MSA.
Two advantages of the structure. First, negotiation velocity: once the MSA is agreed, subsequent Order Forms can close quickly because only commercial terms need review. Second, internal clarity: the legal team owns the MSA and gets involved sparingly on renewals; the sales and finance teams own the Order Forms and process them as commercial documents. A single-document approach collapses this and forces legal review of every renewal, which does not scale.
The conflict-order clause matters: “In the event of any conflict between this Agreement and an Order Form, the Order Form controls as to the matters it specifically addresses.” This permits deal-specific overrides of general MSA terms (higher liability cap for this customer, longer notice period, specific security commitments) without needing to amend the MSA.
A drafting trap: Order Forms that do not recite the MSA by reference. An Order Form standing alone is not a subscription agreement; it is a purchase order referencing commercial terms. The enforceability flows from the MSA, so every Order Form should open with a recital like “This Order Form is entered into under the Master Subscription Agreement between Provider and Customer dated [date] and is governed by its terms.”
The generator’s Enterprise template builds both in a single output: the MSA as the main document and the Order Form as Schedule 1 at the end, reciting the MSA by reference and tabulating the commercial terms.
04 The FTC Click-to-Cancel Vacatur and What It Means
On July 8, 2025, a three-judge panel of the Eighth Circuit vacated the Federal Trade Commission’s Rule Concerning Subscriptions and Other Negative Option Plans — universally known as the Click-to-Cancel Rule — in its entirety, on procedural grounds. The case is Custom Communications, Inc. v. Federal Trade Commission, No. 24-3137, 2025 WL 1873489 (8th Cir. July 8, 2025).
The procedural defect was specific and narrow. Section 22 of the FTC Act, 15 U.S.C. § 57b-3, requires the FTC to conduct a preliminary regulatory analysis of proposed rules with an estimated annual economic impact of $100 million or more. The FTC’s initial economic estimate for the Click-to-Cancel Rule was under that threshold, and no preliminary analysis was conducted. During informal hearing proceedings before an Administrative Law Judge, the ALJ found that the actual economic burden would exceed $100 million — and at that point, the Eighth Circuit held, the FTC was required to conduct the preliminary analysis and put it out for comment. It did not, proceeding instead directly to final rulemaking. That procedural shortcut, the court ruled, was a fatal error that deprived petitioners of the opportunity to engage with the FTC on alternatives to the rule. Despite the rule’s severability clause, the court vacated it in its entirety.
The rule was scheduled to take full effect on July 14, 2025 — the compliance deadline having been extended from the original May 14, 2025 date to give businesses time to come into compliance. It did not take effect. As a formal legal matter, the rule is no longer law.
On January 30, 2026, the FTC submitted a draft Advance Notice of Proposed Rulemaking to the Office of Information and Regulatory Affairs, signaling intent to restart the Click-to-Cancel rulemaking process with proper procedural compliance. Both FTC Commissioners unanimously approved the submission. The ANPRM will trigger a 60-to-90 day public comment period, followed by a Notice of Proposed Rulemaking with its own comment window, followed by the FTC’s synthesis of comments and eventual final rule. The prior Click-to-Cancel rulemaking took about three years. The new one will take at least as long, and will face fresh legal challenge once final. A realistic operational expectation is that federal click-to-cancel requirements will remain in limbo through the end of 2027 at earliest.
The consequence for SaaS drafting in 2026: the federal floor has dropped, but the state ceiling has risen substantially. California, New York, Massachusetts, and Colorado have each enacted or amended auto-renewal laws since 2024, and enforcement activity at the state level has increased. The next three sections cover what each requires.
05 California CARL (AB 2863): The Most Rigorous State Regime
California’s Automatic Renewal Law, codified at California Business and Professions Code §§ 17600-17606 and originally enacted in 2010, was substantially amended by Assembly Bill 2863, signed by Governor Newsom on September 24, 2024. The amendments apply to any contract entered into, amended, or extended on or after July 1, 2025 — which means by April 2026, essentially every active subscription touching California consumers is within scope.
Five categories of obligation.
Scope expanded to free-to-pay conversions. The prior version of CARL covered automatic renewals and continuous service offers. AB 2863 expanded the definition to include “free-to-pay conversions” — arrangements where a consumer initially receives the service for free and is charged if they do not cancel within a specified period. The classic 14-day or 30-day free trial that converts to a paid monthly subscription is now explicitly within CARL. Freemium models that include a paid upgrade triggered by default action (rather than by affirmative purchase decision) are similarly in scope.
Express affirmative consent to the renewal, separate from contract consent. The old statute required affirmative consent to the agreement containing the auto-renewal terms. The new statute requires “express affirmative consent to the automatic renewal or continuous service offer terms” — standalone consent to the renewal provision specifically. In practice, this means a dedicated checkbox or equivalent affirmative act clearly tied to the renewal (not buried in a general acceptance of terms), collected before any charge. The statute further requires that businesses maintain verification of this consent for three years or one year after contract termination, whichever is longer. A clause that makes consent-recording the customer’s responsibility is not compliant; the vendor bears the retention obligation.
Annual reminders and price-change notice. The prior CARL required annual reminders only for subscriptions with terms of one year or more. The amendment requires annual reminders regardless of the term — meaning a monthly subscription running for more than a year triggers the annual-reminder obligation. Material price changes require advance notice through the medium the consumer used to sign up or is accustomed to interacting with the business.
Cancellation in the same medium as sign-up. Online sign-up must permit online cancellation. Phone sign-up must permit phone cancellation via a toll-free number prominently disclosed. Phone cancellation channels must be answered promptly during normal business hours and voicemails must be processed or returned within one business day. The California AG has been specific about this: automated phone trees that make cancellation functionally impossible violate the statute.
Click-to-cancel adjacent to save offers. Businesses may offer discounts or alternative plans during cancellation (“save offers”), but must display a prominent click-to-cancel button adjacent to any such offer. The click-to-cancel button must result in “prompt” cancellation — the statute does not define prompt, but dark-pattern save flows that require additional clicks after the customer declines the save are unlikely to satisfy the requirement.
Enforcement is by the California Attorney General, district attorneys, and private plaintiffs. California has an active plaintiffs’ bar that files CARL class actions, and because CARL is a private-right-of-action statute, settlements and individual awards can be substantial. The enforcement posture makes California the de facto national minimum for consumer SaaS auto-renewal compliance — many vendors simply build to CARL and apply the same workflow nationwide.
06 New York’s November 2025 Amendments: The Price-Change Innovation
Amendments to New York General Business Law §§ 527 and 527-A were signed by Governor Hochul on May 9, 2025 as part of the state budget bill (Part W of the 2025-2026 fiscal budget legislation). They took effect on November 5, 2025, 180 days after signing.
The baseline requirements mirror California: clear-and-conspicuous disclosure of material terms before requesting consent or billing information, express affirmative consent, simple cancellation. But two New York provisions are distinctively stricter than California, and both matter for SaaS drafting.
Cancellation through every medium by which consent can be given. California requires cancellation in the same medium as sign-up. New York requires cancellation in that medium and in every medium by which consent could have been given. If a consumer could have signed up online or by phone, they must be able to cancel online and by phone — regardless of which they actually used. The practical implication: if you offer multiple sign-up channels, you must maintain multiple cancellation channels.
Price-increase consent or 14-day refund. This is the genuine innovation. When a business raises the price on an existing subscription, it must either (a) obtain the consumer’s affirmative consent to the increase before charging the higher price, or (b) allow the consumer to cancel within 14 days after the first charge at the new price and provide a pro-rata refund of the unused portion. No other US state auto-renewal law has this structure. California requires notice but not consent-or-refund. Massachusetts requires notice and specific disclosures. New York is alone in the consent-or-refund choice.
For SaaS pricing, this has a subtle but important implication. A vendor that raises the annual subscription price from $100 to $120 on renewal cannot rely solely on a 30-day advance notice. It must either collect affirmative consent from the customer before the $120 charge posts (which will annoy customers and generate churn) or accept that for the 14 days following the first $120 charge, the customer has an unconditional right to cancel and receive a pro-rated refund. Most vendors will choose the second — but it needs to be in the contract explicitly and operationalised in the cancellation flow.
Free-trial notice. For free trials longer than one month, New York requires notice to the consumer between 3 and 21 days before the first chargeable period, through the medium the consumer selected, with clear cancellation instructions. This aligns with California and Massachusetts but the specific notice window and medium-selection requirement are New York-specific.
Enforcement is by the New York Attorney General under the General Business Law’s deceptive-practices provisions. The NY AG has been active: in June 2025, Attorney General Letitia James announced a $600,000 settlement with Equinox over subscription-cancellation practices, a signal that this enforcement will continue under the amended statute.
07 Massachusetts 940 CMR 38.00: The Monthly-Subscription Trap
The Massachusetts Attorney General’s regulation 940 CMR 38.00 took effect on September 2, 2025. It is not a statute — it is a regulation promulgated by AG Andrea Joy Campbell under the Massachusetts Consumer Protection Act (Chapter 93A), which treats violations as unfair or deceptive acts subject to UDAP remedies including treble damages and attorneys’ fees.
Most of 940 CMR 38.00 is a reasonable adaptation of the ROSCA framework: clear and conspicuous material-terms disclosure, affirmative consent, simple cancellation. One provision is strikingly different from any other US state auto-renewal law, and it is the rule that every SaaS vendor selling monthly-billed subscriptions into Massachusetts needs to internalize.
For subscriptions with renewal terms longer than one month: A reminder notice must be sent 5 to 30 days before the cancellation deadline for the next renewal. The notice must disclose the charge amount, how to cancel, and the calendar date by which cancellation must occur. The notice medium must be “substantially similar” to the medium used for sign-up or a commonly-used medium affirmatively chosen by the subscriber. This tracks the CA/NY pattern.
For subscriptions with renewal terms of 31 days or less — the common monthly-subscription case for most SaaS — the regulation imposes one of two alternative obligations. The business must either (a) provide the same reminder notice 5 to 30 days before each cancellation deadline, or (b) send a receipt after every renewal that discloses the charge amount, the cancellation mechanism, and the calendar date by which cancellation must occur to avoid the next charge.
This is the monthly-subscription trap. Most SaaS auto-renewal flows are built around monthly billing. Most state auto-renewal laws impose negligible obligations on monthly subscriptions (the logic being that the consumer sees the charge every month and can cancel any time). Massachusetts alone requires either a pre-renewal reminder or a post-charge receipt for every single monthly billing cycle. Operationally, most vendors choose option (b) — sending a receipt after each renewal — because it integrates naturally with the existing billing-and-receipts workflow and is simpler than the calendar-based reminder logic.
The receipt must include three elements. The charge amount (routine). The cancellation mechanism (how to cancel — typically a link and instructions). The calendar date by which cancellation must occur to avoid the next charge (this is the non-trivial piece — if the customer is on a rolling monthly subscription, the date is one day before the next renewal date). A receipt that says “you were charged $10, cancel in account settings” is non-compliant; it needs to say “to avoid the next charge on [next renewal date], cancel by [next renewal date minus 1 day]” or equivalent.
As of early 2026, Massachusetts is the tightest state for monthly-billed SaaS products. Connecticut’s SB3 (effective July 2026) and Tennessee’s pending legislation may tighten further, but 940 CMR 38.00 is currently the ceiling that defines monthly-subscription compliance in the United States.
08 SLA Tiers, Service Credits, and the Realism Test
A Service Level Agreement converts engineering capability into contractual commitment. Four tiers are conventional in commercial SaaS, and the choice should track your actual infrastructure, not your marketing copy.
| Tier | Monthly downtime budget | Typical target | Credit schedule pattern |
|---|---|---|---|
| 99.5% | ~3.6 hours | SMB / non-critical tools | 10% credit at 99.0%, 25% at 95.0%, 50% at 90.0% |
| 99.9% | ~43 minutes | Mid-market business SaaS | 10% at 99.5%, 25% at 99.0%, 50% at 95.0%, 100% at 90.0% |
| 99.95% | ~22 minutes | Enterprise contracts | 10% at 99.9%, 25% at 99.5%, 50% at 99.0%, 100% at 95.0% |
| 99.99% | ~4 minutes | Mission-critical, negotiated | 10% at 99.95%, 25% at 99.9%, 50% at 99.5%, 100% at 99.0% |
The realism test. Commit to the tier your infrastructure can reliably meet in its worst months, not its average. A single quarter-long outage (AWS us-east-1 regional failure; Cloudflare routing issue; database migration gone wrong) can blow past a 99.9% monthly commitment and trigger maximum service credits across every customer simultaneously. 99.95% and 99.99% commitments require multi-region active-active architecture, not just “we mostly stay up.” Over-commitment is the most common SLA drafting mistake and it is very expensive: if you commit to 99.99% and deliver 99.9%, you owe maximum credits to every enterprise customer for every month you miss.
Exclusions. Standard SLA drafting excludes three categories from the uptime calculation: (1) scheduled maintenance announced at least 48 hours in advance; (2) force majeure events beyond the vendor’s reasonable control; (3) downtime caused by customer systems, networks, or misuse. Also usually excluded: beta or preview features, third-party service failures outside the vendor’s control, and internet backbone or ISP issues. The broader the exclusion, the less the SLA commits — sophisticated customers negotiate the maintenance exclusion down to a specific maintenance window (e.g., “Sunday 2-6am Eastern”) and require maintenance in excess of 4 hours per month to count against uptime.
Sole remedy. Vendor-favorable, market-standard drafting makes service credits the customer’s sole and exclusive remedy for any SLA failure. This caps vendor exposure to the fees paid. Customer-favorable drafting removes the sole-remedy clause or adds a termination-for-chronic-failure provision: if the vendor misses the SLA in X out of Y months (typically 3 of 12 or 2 of 6 consecutive), the customer may terminate for cause without penalty. Enterprise customers will always negotiate for chronic-failure termination.
Credit request mechanics. Customer must submit a written request within a specified window (typically 30 days from the end of the month in which the miss occurred), specifying the affected dates and times. Credits apply to the next invoice or to the customer’s account for future use; they are not redeemable for cash. The 30-day request window is important because without it, years of missed SLAs can accumulate into a large liability.
Support is part of the SLA. Uptime is one dimension; support response is the other. Standard tiers: Sev 1 (service unavailable) 1 hour; Sev 2 (major impairment) 4 business hours; Sev 3 (minor impairment) 1 business day; Sev 4 (non-urgent) 3 business days. Support hours (business-hours, extended, 24/7) are a separate negotiation and often differ by customer tier — SMB gets business-hours, enterprise gets 24/7.
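The uptime arithmetic, exclusions, credit schedule, chronic-failure trigger and credit-request window described in this section, carried through as a worked example. This is added code, not part of the original page or any vendor's contract, and the function names are mine. It assumes a 30-day billing month (43,200 minutes), reads the credit table above literally (a credit of X% applies once measured uptime falls below Y%, and the largest applicable credit wins), treats the chronic-failure test as "at least X misses in any rolling window of Y months", and applies the three standard exclusions (maintenance announced at least 48 hours ahead, force majeure, customer-caused downtime). The incidents are constructed sample data.

```python
"""Monthly SLA uptime, service-credit and chronic-failure calculator.

Added worked example (not from the page or any vendor's contract). It assumes
a 30-day billing month (43,200 minutes), the four tiers and credit schedules
from the table above read literally (credit X% applies once measured uptime
is below Y%; the largest applicable credit wins), and the standard exclusions:
maintenance announced at least 48 hours ahead, force majeure, and
customer-caused downtime. All incidents below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200 minutes in a 30-day month

# (uptime threshold %, credit % of monthly fee), taken from the page's table.
CREDIT_SCHEDULES = {
    "99.5":  [(99.0, 10), (95.0, 25), (90.0, 50)],
    "99.9":  [(99.5, 10), (99.0, 25), (95.0, 50), (90.0, 100)],
    "99.95": [(99.9, 10), (99.5, 25), (99.0, 50), (95.0, 100)],
    "99.99": [(99.95, 10), (99.9, 25), (99.5, 50), (99.0, 100)],
}


@dataclass
class Incident:
    start: datetime
    end: datetime
    cause: str                    # "provider", "maintenance", "force_majeure" or "customer"
    announced_hours: float = 0.0  # advance notice given for a maintenance window

    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


def counted_downtime(incidents, maintenance_allowance_min=None):
    """Downtime minutes that count against uptime after the exclusions.
    Incidents are assumed not to overlap. Maintenance is excluded only when
    announced >= 48h ahead; if the customer negotiated a monthly maintenance
    allowance, announced maintenance beyond that allowance counts as well."""
    counted = 0.0
    excluded_maintenance = 0.0
    for inc in incidents:
        if inc.cause in ("force_majeure", "customer"):
            continue                      # outside the vendor's control: excluded
        if inc.cause == "maintenance" and inc.announced_hours >= 48:
            excluded_maintenance += inc.minutes()
        else:
            counted += inc.minutes()      # provider fault or unannounced maintenance
    if maintenance_allowance_min is not None:
        counted += max(0.0, excluded_maintenance - maintenance_allowance_min)
    return counted


def monthly_uptime_pct(incidents, maintenance_allowance_min=None):
    down = counted_downtime(incidents, maintenance_allowance_min)
    return 100.0 * (1 - down / MINUTES_PER_MONTH)


def downtime_budget_minutes(tier):
    """Counted minutes a tier tolerates per 30-day month (the table's second column)."""
    return MINUTES_PER_MONTH * (100 - float(tier)) / 100


def service_credit_pct(tier, uptime_pct):
    """Credit owed for the month under the literal schedule; 0 when the commitment is met."""
    if uptime_pct >= float(tier):
        return 0
    return max([pct for threshold, pct in CREDIT_SCHEDULES[tier] if uptime_pct < threshold], default=0)


def chronic_failure(miss_history, x=3, y=12):
    """True if any rolling window of y months holds at least x SLA misses
    (the 'X of Y months' termination-for-chronic-failure trigger)."""
    return any(sum(miss_history[i:i + y]) >= x for i in range(len(miss_history)))


def credit_request_in_window(month_end: date, request_date: date, window_days=30):
    """A written credit request must arrive within window_days of the month end."""
    return month_end <= request_date <= month_end + timedelta(days=window_days)


# Constructed sample month: one bad provider outage plus routine maintenance.
SAMPLE_MONTH = [
    Incident(datetime(2026, 3, 3, 2, 0), datetime(2026, 3, 3, 7, 0), "maintenance", announced_hours=72),   # 300 min, excluded
    Incident(datetime(2026, 3, 10, 14, 0), datetime(2026, 3, 10, 19, 0), "provider"),                       # 300 min, counts
    Incident(datetime(2026, 3, 15, 9, 0), datetime(2026, 3, 15, 9, 30), "customer"),                        # 30 min, excluded
    Incident(datetime(2026, 3, 20, 0, 0), datetime(2026, 3, 20, 1, 0), "maintenance", announced_hours=12),  # 60 min, counts
]


def realism_report(incidents, maintenance_allowance_min=240):
    """What the same month costs at each tier: the realism test in numbers."""
    uptime = monthly_uptime_pct(incidents, maintenance_allowance_min)
    return {tier: service_credit_pct(tier, uptime) for tier in CREDIT_SCHEDULES}


if __name__ == "__main__":
    up = monthly_uptime_pct(SAMPLE_MONTH, maintenance_allowance_min=240)
    print(f"measured uptime: {up:.3f}%")
    for tier, credit in realism_report(SAMPLE_MONTH).items():
        print(f"tier {tier}: budget {downtime_budget_minutes(tier):.1f} min, credit {credit}%")
```

The sample month measures about 99.03% uptime once the excess maintenance over a negotiated 240-minute allowance is counted. The same month owes nothing at 99.5%, 10% at 99.9%, 25% at 99.95% and 50% at 99.99%, which is the over-commitment cost the realism test warns about. Note also the 99.5% row: the commitment is missed but no listed threshold is crossed, so a literal reading of the schedule yields no credit. That gap is a drafting point: state credit bands as explicit ranges beginning at the committed level rather than as a list of trigger points.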
09 DPA Incorporation: When and How
If your SaaS processes personal data of EU, UK, or Swiss individuals on behalf of your customers, GDPR Article 28(3) requires a written data-processing contract. There is no de minimis exception — a $50/month SaaS with a single European customer needs it as much as a $2M/year enterprise deal.
The question is not whether but where. Two structures.
Separate DPA incorporated by reference. Market-standard structure. The DPA is a standalone document (often living at a URL like /dpa/ or /legal/dpa, or attached to the customer’s account) that is incorporated into the Subscription Agreement by reference: “the parties’ Data Processing Agreement, executed between the parties or available at [URL] and incorporated herein by this reference, forms an integral part of this Agreement.” Advantage: the DPA can be updated independently as GDPR, Schrems II, or successor regulations evolve, without amending the commercial subscription terms.
DPA as Schedule. Less common. The DPA is attached as Schedule A or Annex to the Subscription Agreement. Advantage: single document for execution. Disadvantage: updating the DPA requires amending the Subscription Agreement, which is operationally expensive at scale.
Either way, one clause is non-negotiable: a conflict-order provision confirming that where the DPA and the Subscription Agreement conflict with respect to the processing of personal data, the DPA prevails. This matters because the Subscription Agreement’s general terms (liability cap, indemnification, termination) may not align with the DPA’s specific data-protection terms, and Article 28’s mandatory clauses cannot be overridden by inconsistent general terms.
What the DPA itself needs. The DPA is a full subject of its own. In summary: Article 28(3)’s eight mandatory clauses (documented instructions, confidentiality, Article 32 security, sub-processors, data-subject-rights assistance, compliance assistance, deletion or return, audit rights); SCC Module 2 (controller-to-processor) or Module 3 (processor-to-processor) for transfers outside the EEA; UK Addendum or IDTA for UK transfers; Transfer Impact Assessment for non-adequacy destinations; Annex I (parties and processing), Annex II (technical and organisational measures), Annex III (sub-processors). The GDPR DPA guide covers all of this in detail, and the DPA Generator builds the DPA itself.
US-only SaaS. GDPR does not apply, but most US state privacy laws do — California CPRA, Virginia CDPA, Colorado CPA, and the 12-plus successor state privacy statutes that adopted the CPRA service-provider model. Each requires a written contract between the business (controller) and the service provider (processor) that limits use of personal information to the specified purposes and flows service-provider obligations through. A DPA satisfies all of these simultaneously, which is why sophisticated US-only SaaS vendors build and execute DPAs even absent European exposure. It is a single document that satisfies a patchwork of state obligations.
10 IP, Aggregated Data, and the 2026 AI-Training Question
Three IP allocations define most SaaS agreements: who owns the Services, who owns Customer Data, and what the vendor may do with usage data.
Provider IP. The Services, the underlying software, the Documentation, and all intellectual property rights in them remain with the Provider. The customer receives a limited, non-exclusive, non-transferable right to access and use the Services during the Subscription Term — a license, not a transfer. This is uncontroversial and standard.
Customer Data. Customer retains all right, title, and interest in Customer Data (any data, content, or information the customer submits to or stores in the Services, including end-user data). Provider gets a limited license to process Customer Data solely to provide the Services. This is the critical allocation: without a clear Customer-owns-Customer-Data clause, the default legal position under copyright and data-ownership law is ambiguous, and Providers sometimes attempt to claim broader rights.
Feedback license. Suggestions, comments, and feedback from the customer are licensed to the Provider on a perpetual, irrevocable, worldwide, royalty-free, sublicensable basis, without attribution or compensation. This is market-standard and important: without it, a customer who suggests a feature and the Provider implements it could later claim IP in the feature.
Aggregated data. Provider may create and use aggregated, de-identified, or statistical data derived from the customer’s use of the Services for product improvement, benchmarking, analytics, and marketing, provided such aggregated data cannot reasonably be used to identify the customer or any individual. This is how vendors publish benchmarks (“the average customer sees a 35% lift”) and improve their products without compromising customer-specific confidentiality.
The 2026 AI-training question. Since late 2023, and increasingly through 2024-2026, enterprise customers have been negotiating explicit AI-training opt-outs into SaaS agreements. The concern: customer data — particularly for AI-adjacent SaaS (coding assistants, productivity tools, support software) — may be used to train generally-available machine-learning models that subsequently serve other customers or third parties. The 2026 best-practice drafting is a clause along the lines of: “Provider will not use Customer Data to train generally available machine-learning or AI models without Customer’s prior written consent. This restriction does not apply to models trained exclusively on Aggregated Data, or to security and abuse-detection models that operate only on metadata.”
Three things to notice. The clause carves out aggregated-data models (so the Provider can still train benchmarking and recommendation models on data that has been de-identified). It carves out security and abuse-detection models (so Provider can train spam, fraud, and intrusion-detection models on metadata). It addresses “generally available” models specifically (so Provider can still train customer-specific models for that customer’s own benefit). Customers who care about this will negotiate harder specificity; vendors who want to preserve future flexibility will resist.
As of 2026, this clause is not universal, but it is increasingly expected in enterprise SaaS. Consumer and SMB SaaS contracts often omit it, which creates a competitive angle for vendors who include it proactively.
11 Liability Caps and the Uncapped Carveouts
The limitation-of-liability clause is the most negotiated section of every commercial SaaS agreement because it is where the risk actually lives.
The exclusion. The first move is to exclude categories of damage regardless of cap: “In no event shall either party be liable for any indirect, incidental, special, consequential, or punitive damages, or for lost profits, lost revenue, lost data, or cost of substitute services, even if advised of the possibility.” This keeps vendor exposure bounded to direct damages, which are already limited by causation and foreseeability. The exclusion should itself carve out the uncapped tier (see below), so fraud or IP-infringement claims can still recover consequential damages.
The cap. Three structures dominate.
- 12-month-fees cap (market standard). Aggregate liability capped at fees paid or payable by Customer in the 12 months preceding the event giving rise to the claim. Aligns vendor exposure with revenue from the customer. Acceptable to most SMB and mid-market customers. Often unacceptable to enterprise customers for data-breach scenarios where the 12-month fees may be a trivial fraction of the real exposure.
- 2x 12-month-fees (customer-favorable). Cap doubled across the board. Common in negotiated enterprise deals. The customer trades negotiation time for the higher cap.
- Tiered cap (enterprise compromise). 2x 12-month fees for claims arising from breach of data-protection or confidentiality obligations; 1x 12-month fees for all other claims. This structure has become increasingly common in enterprise SaaS over 2024-2026 because it recognizes that data-breach exposure is qualitatively different from normal commercial disputes, without doubling the cap for every claim.
Uncapped carveouts. Certain categories should be outside the cap regardless of structure:
- Indemnification obligations. The IP indemnity is a direct liability to a third party; it cannot be capped without making the indemnity meaningless.
- Gross negligence and wilful misconduct. Contractual caps on fraud or wilful misconduct are unenforceable in most jurisdictions; the carveout just makes that explicit.
- Amounts owed. Customer’s payment obligations under the Agreement are not capped — the cap would let the customer walk away from a fully-performed service without paying.
- Breach of confidentiality. Often carved out in enterprise deals where confidential information disclosure is a serious risk. Vendor-side drafting resists this; customer-side drafting insists on it.
The carveouts matter more than the cap. A 12-month cap with broad uncapped carveouts protects the customer more than a 2x cap with no carveouts, because the uncapped tier is where the worst-case scenarios live. In enterprise negotiation, sophisticated customers focus on expanding the carveouts even when they accept the standard cap.
IP indemnification. Vendor indemnifies customer against third-party claims that the Services infringe IP rights. Standard carveouts: claims arising from customer data, customer modifications, combinations with non-Provider items, or use not in accordance with the Documentation. Vendor’s remedies on an IP claim: procure the right to continue using, modify to be non-infringing, or terminate and refund. This is the standard “procure, modify, or terminate” clause and is market-uniform.
Customer usually provides a reciprocal indemnity against claims arising from Customer Data and Customer’s misuse of the Services. This is less sophisticated — it is just the flip-side of the IP indemnity for the Customer-controlled risks.
12. 2026 Outlook: ANPRM, Colorado B2B, EU DSA
Three developments are worth tracking through 2026 and into 2027.
FTC ANPRM and the new Negative Option Rule timeline. As covered in Section 4, the FTC submitted a draft ANPRM to OIRA on January 30, 2026, signalling revived rulemaking. A realistic timeline: ANPRM published mid-2026, 60-90 day public comment period, NPRM published late 2026 or early 2027, further comment period, final rule late 2027 or early 2028, legal challenge, effective date late 2028 at earliest if the FTC avoids procedural defects this time. Operational planning should assume federal click-to-cancel rules remain in limbo through 2027.
Colorado SB25-145 extending to B2B. Effective February 16, 2026, Colorado’s auto-renewal law extends to business-to-business subscriptions. This is notable because every other state ARL in force in 2026 exempts B2B. Colorado’s expansion is an early indication of a trend — B2B subscription practices have attracted enforcement attention (dark-pattern cancellation flows are as common in B2B SaaS as in consumer SaaS), and other states may follow. SaaS vendors selling into Colorado in 2026 need to apply CARL-analogous rules to B2B customers, not just consumers.
EU Digital Services Act and consumer SaaS. The DSA came into full force February 17, 2024, and has been enforced increasingly through 2025-2026. For SaaS offerings that meet the DSA’s online platform definition (hosting and disseminating user content), particularly the Very Large Online Platform tier (45 million EU users), the DSA imposes distinct obligations including transparency reporting, content-moderation due diligence, risk assessment, and algorithmic accountability. Most conventional B2B SaaS is outside scope, but consumer-facing SaaS with user-generated content or marketplace dynamics should audit against the DSA obligations separately from auto-renewal compliance.
One broader trend worth naming: the auto-renewal enforcement environment has intensified from 2023 through 2026, and will continue to intensify regardless of what happens to federal rulemaking. State AGs have consumer-protection authority, active plaintiffs’ bars, and well-documented patterns of harm. The safe operational posture is to build to the strictest applicable state standard (Massachusetts for monthly, California for annual, New York for price changes) and apply it nationally, rather than to gamble on state-by-state variation.
13. Practical Workflow
What actually works, in order.
Step 1. Classify your business. Which of the 8 templates fits? B2C, B2B, enterprise, per-seat, usage-based, freemium, marketplace, prosumer. The template determines the default ARL coverage, SLA tier, DPA requirement, and liability structure.
Step 2. Map your customer geography. Which of the ARL jurisdictions apply? California (almost always for consumer SaaS), New York, Massachusetts, Colorado, Connecticut, Minnesota, plus ROSCA baseline. If you sell to US consumers broadly, assume at least CA + NY + MA apply. If you sell into Colorado post-Feb 2026, B2B applies too.
Step 3. Audit your billing flow. Monthly billing with MA customers? You need either reminders or post-renewal receipts. Annual billing into California with free trials that convert? You need AB 2863 consent collection and 3-year retention. Price increases? You need NY’s consent-or-14-day-refund workflow.
Step 4. Set the SLA tier honestly. What does your actual infrastructure reliably deliver in its worst month, not its average? Commit one tier below that. 99.9% is right for most mid-market SaaS; 99.99% almost never is.
Step 5. DPA by reference or not. If you process personal data of EU/UK/Swiss individuals, you need a DPA. Separate document incorporated by reference is the better architecture for long-term maintenance.
Step 6. Liability cap and carveouts. 12-month cap for SMB, 2x or tiered for enterprise. Carveouts should always include indemnification, gross negligence, wilful misconduct, and payment amounts. Breach of confidentiality carveout is enterprise-negotiated.
Step 7. Use the tool. The SaaS Subscription Agreement Generator builds all of this in 15 minutes. It ships with the 8 templates pre-configured, the ARL jurisdictions with effective-date accurate citations, SLA tiers with realistic service-credit schedules, and a compliance scorecard that flags what supervisory authorities and state AGs actually audit. For high-value subscriptions, high-risk industries, or non-standard commercial structures, have a qualified attorney review the output before signing — but the structured output dramatically shortens the attorney review.