Cloud Software | GDPR Compliant | SLA Guarantee | Data Processing | Multi-Jurisdictional
This Master Service Agreement (MSA) effective [Date] between [Provider/SaaS Company] (Provider) and [Customer/End User] (Customer) governs provision of cloud software-as-a-service (SaaS): [Service Name/Description]. Legal Framework: German Civil Code (BGB; German courts treat SaaS/ASP as a lease of software under §535 ff. rather than a sale under §433), GDPR 2016/679 (Data Protection), UCC §2-201 (Statute of Frauds - US), FTC Act §5, 15 U.S.C. §45 (Unfair or Deceptive Acts - US).
1.1 Service Description: Per BGB §535(1) (Provider's obligation to grant use for the term):
• Provider grants Customer non-exclusive, non-transferable license to access the SaaS Platform per [URL: ________]
• Features included: [List: Authentication, Data Storage, Analytics, API access, etc.]
• Storage: [X GB] per account per [billing period]
• Users: Up to [X] concurrent users per [subscription tier]
• Access: 24/7 via web/mobile application, subject only to the exclusions and scheduled maintenance windows in 3.1
1.2 Support & SLA Coverage: Per BGB §§280-281 (Damages for breach of duty / in lieu of performance):
• Support Level: [24/7 / Business hours (9am-5pm UTC)]
• Critical Issues (platform down): Response within [1 hour]; response time is measured from Customer's ticket or from Provider's own detection, whichever is earlier
• High Priority: Response within [4 hours]
• Normal Priority: Response within [24 hours]
2.1 Fees & Billing: Per BGB §535(2) (Customer's obligation to pay the agreed fee):
• Subscription Fee: EUR/USD [X] per [month / year]
• Billing Frequency: [Monthly / Annually] in advance
• Payment Method: [Credit card / Bank transfer / ACH]
• Overage Charges (if applicable): EUR/USD [X] per [unit: GB / user / API call]
2.2 Payment Terms & Late Fees: Per BGB §§286, 288 (Default of the debtor; default interest):
• Invoice Due: [Net 30 days] from invoice date; Customer is in default without further reminder 30 days after receipt of the invoice per BGB §286(3)
• Late Payment Interest: [1.5% / 2% monthly] per BGB §288 (statutory default interest for B2B transactions is 9 percentage points above the base rate; a higher contractual rate must not be unreasonable under §307)
• Suspension Right: Provider may suspend access after [30 days] of non-payment per BGB §320 (Right to refuse performance until counter-performance), after written warning
• Taxes: All fees exclude VAT/Sales Tax (Customer responsible for applicable taxes per UStG (German VAT))
3.1 Uptime Guarantee (BINDING COMMITMENT): Contractual availability commitment, breach of which triggers the remedies in 3.2 and 5.1:
• Target Uptime: [99.5% / 99.9%] per calendar month, calculated as (minutes in month − counted downtime) / minutes in month; downtime that falls inside an exclusion under this clause is not counted
• Measurement: Availability monitored from multiple global locations per [monitoring service]
• Exclusions: [Scheduled maintenance, Customer network, Force majeure] per BGB §275 (Impossibility)
• Scheduled Maintenance: [Sundays 2-4am UTC] (planned for during low-traffic windows)
3.2 SLA Credits (Customer Remedy): Contractual liquidated remedy (cf. BGB §536, rent reduction for defects, where tenancy law applies):
• Uptime 99.0-99.4%: 5% monthly fee credit (applies to any month below the 3.1 target down to 99.0%)
• Uptime 98.0-98.9%: 10% monthly fee credit
• Uptime <98%: 25% monthly fee credit (or termination right per BGB §323 (Right to withdraw))
• Request: Customer must request credits in writing within 30 days of the end of the affected month, with Provider's availability report or Customer's own measurements attached; credits are Customer's sole monetary remedy for missed uptime short of the <98% termination trigger
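The interaction between the exclusions in 3.1 and the credit tiers in 3.2 is where SLA disputes usually arise: an outage that partly overlaps a scheduled maintenance window is only partly counted, and that can move a month from one credit tier to another. The following calculator, added here as an illustration and not part of the agreement or any Provider tooling, applies the clause 3.1 exclusion for the [Sundays 2-4am UTC] window and the clause 3.2 tiers to a constructed month of outages. The 99.9% target, the sample dates and the treatment of the gap between 99.5% and the target (counted as the 5% tier) are assumptions.

```python
from datetime import datetime, timedelta

# Clause 3.2 tiers: (lower bound of availability %, credit % of monthly fee).
# The contract's table has no row between 99.5% and a 99.9% target; this
# calculator treats any month below the target and >= 99.0% as the 5% tier
# (an assumption, not a term of the agreement).
CREDIT_TIERS = [(99.0, 5), (98.0, 10), (0.0, 25)]


def _overlap(a_start, a_end, b_start, b_end):
    """Length of the intersection of two intervals (zero if they are disjoint)."""
    start, end = max(a_start, b_start), min(a_end, b_end)
    return max(end - start, timedelta(0))


def sunday_maintenance_windows(month_start, month_end, start_hour=2, end_hour=4):
    """Clause 3.1 scheduled window as assumed here: every Sunday 02:00-04:00 UTC."""
    windows = []
    day = month_start
    while day < month_end:
        if day.weekday() == 6:  # Monday == 0, so Sunday == 6
            windows.append((day.replace(hour=start_hour), day.replace(hour=end_hour)))
        day += timedelta(days=1)
    return windows


def counted_downtime(month_start, month_end, outages, maintenance):
    """Outage time inside the month minus any part overlapping a maintenance window.

    Assumes the maintenance windows do not overlap each other, which holds for
    the weekly schedule above; overlapping windows would be double-subtracted.
    """
    total = timedelta(0)
    for o_start, o_end in outages:
        o_start, o_end = max(o_start, month_start), min(o_end, month_end)
        if o_end <= o_start:
            continue  # outage lies entirely outside the billing month
        excluded = sum((_overlap(o_start, o_end, m_s, m_e) for m_s, m_e in maintenance),
                       timedelta(0))
        total += (o_end - o_start) - excluded
    return total


def availability_percent(month_start, month_end, downtime):
    """Clause 3.1 formula: (minutes in month - counted downtime) / minutes in month."""
    return 100.0 * (1.0 - downtime / (month_end - month_start))


def credit_percent(availability, target=99.9):
    """Map measured availability to the clause 3.2 credit; nothing owed at or above target."""
    if availability >= target:
        return 0
    for lower_bound, credit in CREDIT_TIERS:
        if availability >= lower_bound:
            return credit
    return CREDIT_TIERS[-1][1]


def june_2024_example():
    """Constructed sample month: one outage straddles a Sunday maintenance window."""
    month_start, month_end = datetime(2024, 6, 1), datetime(2024, 7, 1)  # 30 days
    outages = [
        # 90 min on Sunday 2 June; 60 of them fall inside the 02:00-04:00 window
        (datetime(2024, 6, 2, 1, 30), datetime(2024, 6, 2, 3, 0)),
        # 360 min on Saturday 15 June; nothing excluded
        (datetime(2024, 6, 15, 10, 0), datetime(2024, 6, 15, 16, 0)),
    ]
    maintenance = sunday_maintenance_windows(month_start, month_end)
    raw = counted_downtime(month_start, month_end, outages, [])
    net = counted_downtime(month_start, month_end, outages, maintenance)
    avail_raw = availability_percent(month_start, month_end, raw)
    avail_net = availability_percent(month_start, month_end, net)
    return {
        "raw_minutes": raw.total_seconds() / 60,
        "net_minutes": net.total_seconds() / 60,
        "availability_raw": avail_raw,
        "availability_net": avail_net,
        "credit_raw": credit_percent(avail_raw),
        "credit_net": credit_percent(avail_net),
    }


if __name__ == "__main__":
    print(june_2024_example())
```

In the sample month the raw downtime of 450 minutes would be a 10% credit (98.96%), but once the 60 minutes inside the Sunday window are excluded the counted downtime is 390 minutes (99.10%) and only the 5% tier applies. Both parties should therefore agree in the SLA on who records the maintenance windows and where the measurement timestamps come from, since the exclusion alone decides the tier here.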
4.1 Data Processing Agreement (MANDATORY): Per GDPR Art. 28 (Data Processor):
✓ Separate Data Processing Agreement (Schedule A) attached, incorporated herein per Art. 28(3)
✓ Provider = Data Processor (handles data on behalf of Customer = Data Controller) per Art. 28(1)
✓ Processing only per Customer instructions per Art. 28(3)(a)
✗ NO use of data for Provider's own purposes without separate consent per Art. 28(3)(a); a Provider that processes beyond Customer's documented instructions is treated as a controller for that processing per Art. 28(10), and processor-obligation infringements carry fines of up to 10M EUR or 2% of worldwide annual turnover per Art. 83(4)(a)
4.2 Security Measures (TOM - Technical & Organizational Measures): Per GDPR Art. 32 (Security):
✓ Encryption in Transit: TLS 1.2 or higher (TLS 1.3 preferred; TLS 1.0/1.1 and SSLv3 disabled) per Art. 32(1)(a) (Encryption)
✓ Encryption at Rest: AES-256 in an authenticated mode (e.g. AES-GCM) for Customer data, with keys held separately from the data and rotated on a documented schedule per Art. 32(1)(a)
✓ Access Control: Role-based access with least privilege + Multi-factor authentication (MFA) for all administrative and Customer-facing logins per Art. 32(1)(b) (Confidentiality, integrity, availability)
✓ Backup & Recovery: Daily backups, restore tested at least quarterly per Art. 32(1)(c) (Ability to restore availability) and Art. 32(1)(d) (Regular testing)
✓ Audit Logs: [90-day] retention of access and administrative-action logs, time-synchronised and protected from modification, per Art. 32; the retention period must at least cover the time Provider needs to investigate and document a breach under 4.3
4.3 Data Breach Notification (72-HOUR REQUIREMENT): Per GDPR Art. 33-34 (Breach notification to the supervisory authority and to data subjects):
• Provider (processor) notifies Customer of a personal data breach without undue delay, and in any case within [24 hours] of becoming aware of it, per Art. 33(2), including the information listed in Art. 33(3) as far as it is available
• Customer (controller) reports to the supervisory authority within 72 hours of becoming aware per Art. 33(1), and informs affected data subjects where the breach is likely to result in a high risk per Art. 34 (failure to notify carries fines of up to 10M EUR or 2% of worldwide annual turnover per Art. 83(4)(a))
5.1 Initial Term & Auto-Renewal: Per BGB §307 (Unreasonable disadvantage) and §309 No. 9 (Duration and automatic renewal of continuing obligations; directly applicable to consumer contracts, applied to B2B standard terms through §307):
• Initial Term: [1 year / month-to-month] from [Start Date]
• Automatic Renewal: Automatically renews for successive [1-year / monthly] periods unless written notice is given before the end of the current term
• Cancellation Notice: Either party may terminate with [30 days] written notice; text form per BGB §126b (email acceptable)
• Termination Right (SLA Breach): Customer may terminate for cause, without further notice period, if monthly uptime falls below 98% per BGB §314 (Termination of continuing obligations for cause) and §323 (Right to withdraw)
5.2 Data Export & Deletion (POST-TERMINATION): Per GDPR Art. 28(3)(g) (Return of data):
• Customer Data Export Window: [30 days] after termination for download per Art. 28(3)(g)
• Secure Deletion: All Customer data deleted from production systems within [60 days] of term end per Art. 28(3)(g), confirmed by a written deletion certificate from Provider that lists the systems covered
• Backup Deletion: Backup copies deleted within [90 days] per Art. 28(3)(g)
• Retention: No retention of Customer data after deletion (except legally required) per GDPR Art. 5(1)(e)
6.1 Limitation of Liability: Per BGB §307 (Unreasonable disadvantage) & UCC §2-719 (Limitation of consequential damages):
• Max Liability: Limited to [12 months of fees paid] or [EUR 100k, whichever is greater]
• EXCLUSION: NO liability for indirect, incidental, special, consequential damages (lost profits, lost data) per UCC §2-719(3)
• EXCEPTIONS (UNLIMITED): Injury to life, body or health, IP infringement, intent and gross negligence, and data breaches caused by Provider's breach of this Agreement or the DPA, per BGB §276 (Responsibility for intent and negligence) and §309 No. 7 (Liability for such injury and for gross fault cannot be excluded in standard terms)
6.2 Indemnification (Provider Protects Customer): Per BGB §280 (Liability):
• Provider indemnifies Customer for third-party claims that SaaS infringes IP rights (patent, copyright, trademark) per BGB §280
• Provider liable for security breaches caused by Provider negligence per GDPR Art. 82 (Right to compensation); under Art. 82(2) a processor is liable where it has not complied with processor-specific GDPR obligations or has acted outside or contrary to Customer's lawful instructions
Applicable Law & Jurisdiction: ☐ German (BGB) ☐ [US State] | Disputes resolved through:
☐ DIS Arbitration under the rules of the Deutsche Institution für Schiedsgerichtsbarkeit, seat of arbitration: [City]
☐ Courts: [District Courts / Courts of ____] per 28 USC §1332 (Diversity jurisdiction)
Provider: ____________ | Customer: ____________ | Effective Date: [Date]