Legal Fundamentals of SaaS Agreements in Israel
Software-as-a-Service (SaaS) agreements form the backbone of data flow and digital operations for companies in Israel. Unlike traditional software licensing agreements, SaaS agreements create an ongoing relationship between the provider and customer, encompassing maintenance, support, and data storage.
From a legal perspective, SaaS agreements in Israel are primarily governed by the Contracts (General Part) Law, 5733-1973, and the Contracts (Remedies for Breach of Contract) Law, 5731-1970. However, the unique nature of the SaaS model creates special legal challenges that require specific attention.
One of the most significant differences between SaaS agreements and traditional licensing agreements lies in the question of data ownership and access. While in traditional software licensing the customer receives a copy of the software, in SaaS agreements access to the software and data depends on the continuation of the contractual relationship.
Unique Characteristics of SaaS Agreements
- Subscription-based access: Customer pays for access to the service, not for purchasing the software
- Technological dependence: Customer's operations depend on the provider's service availability
- Automatic updates: Provider is responsible for keeping the software up to date
- External data storage: Customer data is stored on the provider's servers
- Service levels: Definition of measurable parameters for service performance
These characteristics require a different approach to contract drafting, focusing on defining service levels, system availability, and data protection, rather than just software usage rights.
Liability Limitations in SaaS Agreements - Balancing Protection and Security
Liability limitation in SaaS agreements constitutes one of the most complex issues, due to the high level of dependence created between customer and provider. Israeli law permits liability limitation, but establishes important constraints that every SaaS company must understand.
Under the Contracts (Remedies for Breach of Contract) Law, 5731-1970, liability may be limited provided the limitation is not contrary to justice or good faith. In the context of SaaS agreements, courts tend to examine limitations more strictly, due to the inequality in bargaining power between the parties.
Common Types of Liability Limitations
- Quantitative limitation: Capping liability to a defined monetary amount - typically 12 months of payments
- Qualitative limitation: Limiting the types of damages for which liability applies
- Temporal limitation: Setting a time period for filing claims
- Causal limitation: Constraints on circumstances where liability applies
In Israeli case law, the Supreme Court held in Shapler v. Gayma Chemicals that "liability limitation must be reasonable in relation to the nature of the contract and the amount of consideration." This principle is particularly relevant to SaaS agreements, where the customer is highly dependent on the service.
Practical example: An Israeli SaaS company limited its liability to the amount of the customer's monthly payment. When a system failure caused damages of hundreds of thousands of shekels, the court ruled that the limitation was reasonable, due to the customer's express consent and its proportionality to the consideration.
Areas Where Liability Cannot Be Limited
It's important to understand that there are areas where liability limitation will not be valid:
- Fundamental breach: Breach that undermines the main purpose of the contract
- Gross negligence: Serious neglect of the provider's duties
- Fraudulent acts: Intentional deception of the customer
- Statutory violations: Such as breach of the Privacy Protection Law
Optimal drafting of liability limitation clauses requires a delicate balance between protecting the provider and maintaining customer trust and the clause's legal validity.
Data Privacy and Information Security in SaaS Agreements
Data privacy protection in SaaS agreements is a critical issue, both for legal compliance and for building customer trust. The Privacy Protection Law, 5741-1981, together with the regulations enacted under it, imposes extensive obligations on SaaS providers operating in Israel.
In SaaS agreements, the provider gains access to significant amounts of personal and business information from the customer. The legal relationship can be complex - the provider may serve as a data processor for the customer, or alternatively as an independent database owner, depending on how the information is used.
Key Legal Obligations
- Data collection notice: Detailed disclosure of data collection purposes
- Obtaining consent: Obtaining explicit consent for usage purposes
- Information security: Implementing appropriate security measures
- Limited transfer: Restrictions on transferring information to third parties
- Individual rights: Providing ability for access, correction, and deletion
The Privacy Protection Authority has published specific guidelines for cloud service providers, including requirements for drafting clear and detailed data processing agreements. Non-compliance with guidelines can result in heavy fines and reputational damage.
Recommended Privacy Protection Clauses
Sample data protection clause: "The Provider undertakes to process Customer's personal information solely for the purpose of providing the Service, and will not transfer information to third parties without explicit consent. The Provider will implement advanced encryption measures and perform encrypted backups of the information."
Cross-border data transfers require special attention. Under the Privacy Protection (Transfer of Data Abroad) Regulations, 5770-2010, examination of the protection level in the destination country is required, and in certain cases, approval from the Privacy Protection Authority is also needed.
Required Security Measures
- Encryption: Data encryption in transit and at rest
- Limited access: Tiered authorization mechanism
- Monitoring: Recording and monitoring of information access
- Backups: Creating encrypted backup copies
- Incident response: Procedures for handling data breaches
It's important to remember that privacy protection requirements evolve and change. Agreements should include mechanisms for updating requirements and adapting them to new or updated legal provisions.
Copyright and Intellectual Property Rights in SaaS Agreements
Defining intellectual property rights in SaaS agreements is particularly complex, due to the dynamic nature of software development and usage. Unlike selling a finished product, in SaaS agreements new information is created during usage, and the software itself undergoes continuous improvements and updates.
The Copyright Law, 5768-2007, protects software as a work, but does not provide clear guidance regarding rights to information generated from software usage, or to adaptations and improvements created based on specific customers' usage patterns.
Information Categories and Rights Therein
- Source code: Remains with the provider without question
- Customer data: Remains with the customer
- Metadata: Information about usage patterns - requires explicit arrangement
- Improvements: Updates resulting from experience with specific customers
- Aggregate analytics: Statistical insights from the entire customer base
One of the central challenges lies in mixed information - information created from combining customer data with the provider's algorithms and analysis tools. Who owns business insights generated from such analysis?
Practical case: An Israeli CRM company developed a sales prediction algorithm based on customer data. When the customer terminated the contract, a dispute arose over the right to use the insights generated. The agreement did not explicitly address this issue, leading to prolonged litigation.
Guiding Principles for Rights Division
- Provider rights: The code, algorithms, and general software improvements
- Customer rights: The data entered, content created, and specific configurations
- Shared rights: Metadata and insights generated from the combination
- Limited rights: Customer's right to use the software remains a usage right only
Trade Secret Protection
In addition to copyrights, SaaS agreements require trade secret protection. The Commercial Information Law, 5762-2002, protects commercially valuable information kept secret, but in SaaS agreements the boundary between exposed and protected information may be blurred.
Clear definition of what constitutes confidential information, and what types of information the provider may use for service improvement purposes, is essential for preventing disputes. Additionally, obligations at contract termination must be clearly defined - which information will be returned, which will be deleted, and which the provider may retain for archival purposes or legal obligations.
A good agreement will include a detailed appendix that establishes exactly which types of information are considered intellectual property of each party, under what circumstances they may be used, and how rights to mixed or derived information are handled.
Service Level Agreements (SLA) - Measuring and Enforcing Performance
Service Level Agreements (SLAs) constitute the heart of the contract in SaaS agreements, due to the customer's absolute dependence on service availability and performance. In Israel, there is no specific legal framework for SLAs, so they are governed by general contract law principles.
What makes the SaaS model unique is that compensation after the fact is not enough for the customer: they need consistent and reliable performance. Therefore, quality SLAs must include not only performance metrics but also monitoring mechanisms, reporting, and compensation payments for non-compliance.
Key Performance Metrics
- Availability (Uptime): Percentage of time the service is available - typically 99.5% and above
- Response times: Duration for page loading or operation execution
- Technical support: Response and resolution times for support inquiries
- Backup and recovery: Backup frequency and recovery time in emergencies
- Security: Time metrics for detecting and responding to security incidents
It's important to understand that performance measurement must be objective and independent. Many customers have fallen into the trap of measurements made by the provider themselves, without possibility of external verification.
Example of precise drafting: "Service availability will be measured using an external monitoring tool accessible to the customer at all times. Availability below 99.8% in a month will entitle the customer to a 10% credit of the monthly payment, and availability below 99% will entitle them to a 25% credit."
Compensation and Remedy Mechanisms
Compensation for SLA non-compliance must be significant enough to create real incentive for the provider to maintain service level, but not so high as to make the business unprofitable. The most common compensation is account credit or service period extension.
- Tiered credits: Compensation corresponding to the level of service impact
- Maximum credit: Limitation on monthly or annual credit
- Breach notification: Obligation for immediate notification of significant failures
- Transparency reports: Publication of monthly availability reports
SLA Metric Exceptions
Every SLA must clearly define the exceptions under which performance metrics will not apply:
- Scheduled maintenance: Advance notice of maintenance hours
- Force majeure: Events beyond the provider's control
- Customer actions: Failures caused by the customer themselves
- Third-party services: Dependence on external providers
- Cyber attacks: DDoS and security breaches
Exceptions must be defined in a balanced way: too broad and they will empty the SLA of content, too narrow and the provider will be unfairly harmed by events beyond their control.
Contract Termination Procedures and Data Return in SaaS Agreements
Termination of SaaS agreements presents unique challenges arising from the technological and business dependence created during the contract period. Unlike traditional contracts, where termination brings cessation of mutual obligations, in SaaS agreements termination requires a planned process for data transfer, information deletion, and sometimes service transfer to an alternative provider.
Israeli contract law does not specifically address these issues, so it's crucial that the agreement explicitly regulates all aspects of termination. Lack of proper arrangement can lead to data loss, economic damages, and prolonged legal battles.
Types of Contract Termination
- Natural termination: End of contract period without renewal
- Early termination: Cancellation by one party with advance notice
- Termination for breach: Cancellation due to fundamental contract breach
- Emergency termination: Bankruptcy, change of control, or regulatory orders
Each type of termination requires different procedures and appropriate timelines. For example, in termination for breach, immediate access to data may be needed, while in natural termination a more orderly process can be planned.
Practical case: An Israeli startup relied on a CRM service without a proper data return agreement. When the provider announced service cessation with 30 days' notice, the company discovered it could not export customer data in a usable format, causing significant damage to its operations.
Data Return Process
Data return is the most complex component in SaaS agreement termination. The process must be defined in detail during original contract drafting:
- Return timeframe: Minimum period for customer access to their data after termination
- Data format: Definition of standard formats for export
- Information integrity: Guarantee that all data will be returned without damage
- Transfer costs: Who bears the costs of the return process
- Transfer verification: Checking the integrity of transferred data
Data Deletion and Privacy
After data return, the provider must delete the information from all its systems. The Privacy Protection Law imposes clear obligations in this case:
- Complete deletion: Deleting information from all copies, including backups
- Deletion certificate: Written confirmation of deletion process completion
- Timeline: Performing deletion within a defined timeframe
- Exceptions: Information the provider may retain due to legal obligations
Post-Termination Obligations
Several obligations continue to apply even after agreement termination:
- Confidentiality: Maintaining confidential information disclosed during the contract
- Liability: Responsibility for damages caused before termination
- Intellectual property: Preserving intellectual property rights
- Non-compete: Limitations on using acquired knowledge (in appropriate cases)
Meticulous planning of termination processes during contract drafting is essential for preventing problems, costs, and unexpected damages. Investing time in defining procedures may seem unnecessary at the beginning of the relationship, but it's critical for protecting both parties' interests.
Payment and Billing Terms in SaaS Agreements - Models and Challenges
Payment models in SaaS agreements differ fundamentally from one-time product payments, creating unique legal and practical challenges. Legally, recurring payment creates a renewing obligation that requires meticulous arrangement regarding payment terms, grounds for stopping charges, and service termination procedures.
Israeli contract law and the Commerce Ordinance recognize various payment models, but developments in the SaaS world create situations that have not received detailed legislative arrangement. Examples include the question of what happens when a customer changes service level mid-billing period, and how to handle overpayments and underpayments.
Common Payment Models
- Fixed subscription: Monthly or annual fixed payment regardless of usage volume
- Tiered pricing: Variable price based on number of users or usage volume
- Usage-based payment: Billing based on actual activity
- Hybrid model: Fixed basic payment plus variable payment
- Freemium model: Free basic service with paid add-ons
Each model requires different legal arrangement. In usage-based payment, for example, detailed definition of measurement units and reporting processes is needed. In the tiered model, it's crucial to arrange what happens when the customer moves between levels during the billing period.
Practical example: A digital marketing service provider offered tiered pricing based on number of campaigns. A customer who increased activity mid-month was surprised by retroactive billing for the entire month at the higher price level. Lack of clear arrangement in the contract led to dispute and customer compensation.
Collection Procedures and Service Suspension
One of the most sensitive aspects in SaaS agreements is handling non-payment. Unlike product sales, where non-payment prevents delivery, in SaaS agreements the service has already been provided and the customer is already dependent on it.
- Reminder notices: Advance notice before service suspension
- Grace period: Additional time for payment after due date
- Graduated suspension: Activity limitation before complete termination
- Collection costs: Right to collect collection expenses and late fees
- Service restoration: Procedures for reactivation after payment
Taxation and Reporting
SaaS agreements in Israel are subject to VAT at the standard rate, but there are more complex situations:
- Foreign customers: VAT exemption under certain conditions
- Mixed services: Combination of software and consulting services
- International payments: Income tax reporting on transfers
- Foreign currency: Exchange rate arrangements and VAT calculation
Consumer Protection in SaaS Agreements
When the customer is a consumer (not a business), the Consumer Protection Law, 5741-1981, applies, imposing additional restrictions:
- Right of cancellation: Right to cancel up to 14 days from service start
- Lenient terms: Prohibition on unfair terms
- Price transparency: Full disclosure of all costs in advance
- Automatic renewal: Limitations on automatic subscription renewals
Proper arrangement of payment and billing terms is essential for preventing disputes and building a healthy business relationship. The arrangement should be detailed yet clear, and address all expected situations during the contract period.
International Aspects and Foreign Legislation Compliance
Israeli SaaS companies operating in the global market must deal with a complex system of international laws and criteria. The need to adapt agreements to requirements of multiple jurisdictions simultaneously creates significant legal and technological challenges, from data privacy to financial regulation.
The problem is particularly complex because in SaaS agreements, unlike physical products, the service is provided simultaneously in multiple countries. Every data pull from the server in Israel by a customer in Europe may be considered an international data transfer subject to GDPR.
Key Legislative Areas
- Data privacy: GDPR in Europe, CCPA in California, PIPEDA in Canada
- Cybersecurity: NIS Directive in Europe, sectoral security laws
- Financial regulation: PCI-DSS for credit cards, SOX for public companies
- Commercial contracting: Local contract laws, consumer protection regulations
- Digital taxation: VAT on digital services in various countries
GDPR (General Data Protection Regulation) constitutes the most prominent challenge for Israeli SaaS providers. The European regulation applies to all data processing of EU citizens, regardless of server or company location. Fines can reach 4% of annual turnover or 20 million euros - whichever is higher.
Example case: An Israeli SaaS company received a demand from a European regulator to investigate a GDPR breach after a customer in Italy claimed they did not receive access to their personal data within 30 days. The company was required to appoint a local representative in Europe and pay tens of thousands of euros in fines.
Foreign Legislation Compliance Strategies
- Market analysis: Mapping relevant legislation in each target country
- Modular agreements: Specific appendices for each jurisdiction
- Global infrastructure: Adapting technological systems to local requirements
- Legal representation: Local attorneys in key markets
Choice of Law and Jurisdiction
One of the most complex clauses in international SaaS agreements is choice of governing law and competent jurisdiction. Choosing Israeli law and Israeli courts is convenient for the Israeli provider, but may deter international customers.
- International arbitration: Compromise acceptable to both parties
- Local jurisdiction: Customer remains in familiar jurisdiction
- Mixed law: Israeli law for technical matters, local law for regulatory matters
- Subject-based choice: Different laws for different topics
Data Transfer Arrangements
Cross-border data transfer requires special legal arrangement. The European Union recognizes the adequacy of Israeli data protection, but this doesn't solve all problems:
- Standard Contractual Clauses (SCCs): Standard data processing agreements
- Binding Corporate Rules: Internal rules for corporate groups
- Additional safeguards: Technical and organizational security measures
- Impact assessment: Risk assessment for certain transfers
International Digital Taxation
The global digital taxation trend requires consideration within agreements:
- Digital VAT: VAT registration in destination countries
- Digital tax: New taxes on digital services
- Automatic reporting: Reporting obligations to foreign tax authorities
- Incentive eligibility: Utilizing double taxation treaties
Dealing with international challenges requires a strategic approach and professional consultation. Many companies find that investment in preliminary adaptation to international legislation creates significant long-term savings in costs and risks.
Best Practices and Implementation Recommendations for SaaS Companies in Israel
Implementing quality SaaS agreements requires deep understanding not only of legal issues but also of their business and technological implications. Successful technology companies adopt a holistic approach that integrates legal, operational, and business considerations.
The most common mistake Israeli SaaS companies make is treating the agreement as a static document written once and remaining unchanged. SaaS agreements are living, breathing documents - they need to be updated with changes in technology, legislation, and the company's business model.
SaaS Agreement Development Process
- Business analysis: Understanding the business model, target audience, and unique risks
- Legislative mapping: Identifying all relevant laws and regulations
- Competitive review: Examining competitor agreements and industry standards
- Framework building: Creating the basic agreement template
- Specific customization: Designing appendices for special customers
- Review and update: Periodic review and adaptation to changes
It's important to remember that a good agreement is a balanced agreement - it protects the provider's interests without deterring potential customers. Overly convoluted legal language may cause customers to choose competitors with simpler agreements.
Golden rule from practice: "If the customer's technology manager doesn't understand the agreement after first reading, it's probably too complicated. Perfect is the enemy of good."
Checklist for SaaS Companies
Every SaaS company should ensure their agreements include the following components:
- Clear definitions: Technical and business terms explained in detail
- Service description: Precise specification of what the customer receives
- Measurable SLA: Concrete performance metrics with enforcement mechanisms
- Privacy policy: Detailed approach to data protection
- Liability limitation: Reasonable protection without harming customer trust
- Termination procedures: Orderly process for data return and deletion
- Intellectual property: Ensuring customer doesn't lose rights to their data
- Updates: Arrangement of changes in software and agreement
Legal Risk Management
A proactive approach to legal risk management includes:
- Professional liability insurance: Coverage for cyber damages and product liability
- Incident response procedures: Fast notification and repair processes
- Activity documentation: Detailed recording of system performance
- Employee training: Instruction on security and privacy issues
- Periodic audits: Examining agreement and procedure validity
Recommendations for Startups
Companies in early stages face special challenges:
- Start simple: A basic but comprehensive agreement is better than a complex agreement with gaps
- Invest in a template: A good agreement saves future legal work
- Prepare for growth: An agreement that can handle larger customers
- Learn from mistakes: Every customer complaint is an improvement opportunity
- Maintain flexibility: Ability to customize for strategic customers
Indicators for Choosing Legal Counsel
Choosing the right legal advice is critical for success:
- Technology experience: Knowledge of SaaS world and its challenges
- International competence: Ability to handle multi-jurisdictional legislation
- Business approach: Understanding legal implications on daily operations
- Availability: Ability to provide quick response on urgent matters
Proper investment in quality SaaS agreements is a foundation for establishing the company over the long term. Good agreements not only protect against legal risks but also enable rapid and efficient growth, without needing to stop and deal with legal problems down the road.
The information contained in this article is general in nature and does not constitute legal advice. For advice tailored to the specific circumstances of your company, we invite you to contact our firm.