All insights
Insight

Your SaaS MSA only has three real knobs

Liability cap, indemnity scope, data ownership. Everything else is decoration. Negotiate the three, give ground on the rest.

Your SaaS MSA only has three real knobs

Liability cap. Indemnity scope. Data ownership.

Everything else is mostly interior decoration.

Below is a founder-focused article that treats those knobs as a governance and enterprise-value problem, not merely a legal drafting exercise.

Opening Hook: The Nine-Week Redline Marathon

Week 1: Your sales team finally lands a verbal yes from a large enterprise customer. Procurement sends over a 40-page redline to your SaaS MSA. Fonts are changed, headings are re-ordered, definitions are re-labelled. Legal teams on both sides spend hours debating whether “best efforts” should become “commercially reasonable efforts.”

Weeks 2–7: Everyone is busy. Counsel argue over audit rights you will never use, notice periods no one will remember, and whether an SLA report should be delivered within five days or seven. The redline counter reaches version 14.

Week 8: The customer's CISO and risk team finally join the call. They ask three questions:

  • What exactly is your liability cap, and what sits outside it?

  • What indemnities do you give us, and what indemnities do you expect from us?

  • Who owns, controls, and can exploit which data, including derived and anonymised data?

Suddenly, the deal is genuinely at risk. Your board is on the call. Your investors are watching. The rest of the MSA was noise. These three clauses determine whether the contract is survivable, for both the customer relationship and your company.

That is the point of this article: your SaaS MSA only has three real knobs. Everything else is mostly decoration.

What Actually Happened: An Ordinary Founder Mistake

Most founders treat the MSA as an operational hurdle to get the deal signed. The objective becomes reaching signature rather than arriving at a risk profile that remains workable across one hundred customers.

In practice, legal teams often begin with templates, sales teams are measured on bookings rather than downside exposure, and boards focus primarily on ARR rather than contractual risk allocation. The result is that companies spend weeks negotiating visible redlines while rarely stepping back to ask a much more important question: what have we actually agreed to on the three clauses that determine whether this contract can materially damage the company?

The reason this often goes unnoticed is simple. In the early years, volumes are small and even poorly drafted provisions are rarely tested. Most customers do not sue; they renegotiate, accept commercial compromises, or quietly churn. Data incidents and indemnity claims are infrequent events. However, when they do occur, they tend to arrive as portfolio-level problems rather than isolated disputes.

The legal language sat inside the MSA for years. The risk sat on the balance sheet the entire time.

Why This Matters More Than Founders Expect

1. Compliance and Indian Regulatory Exposure- For Indian SaaS companies, the Digital Personal Data Protection Act, 2023 (DPDP Act) has significantly increased the importance of contractual risk allocation. The legislation imposes obligations relating to notice, purpose limitation, security safeguards, and breach reporting, while also creating the possibility of substantial financial penalties for non-compliance.

Against that backdrop, the MSA becomes far more than a commercial document. It determines who is responsible for implementing security safeguards, who must notify customers and users after a breach, and who ultimately bears the cost of remediation and regulatory action. If your liability cap is limited to a relatively small amount of subscription revenue while your real-world regulatory and remediation exposure is significantly larger, the difference sits with your balance sheet and, ultimately, your founders and investors.

2. Governance and Board Oversight- Boards are expected to oversee risk, not merely revenue. A portfolio of MSAs containing uncapped liability, highly asymmetric indemnities, or commercially unrealistic commitments is a governance issue. These contractual positions directly affect how investors, independent directors, and future acquirers evaluate the company's risk management framework and oversight processes.

3. Risk Management and Operational Resilience- A poorly drafted indemnity can transform an ordinary customer dispute into a serious financial event. Overly broad indemnity language may require a SaaS provider to fund third-party disputes, defend claims it did not cause, or absorb liabilities arising primarily from a customer's own conduct.

Insurance, security certifications, and strong technical controls can reduce risk. They do not repair a fundamentally flawed allocation of risk inside the contract itself.

4. Investor Confidence and Enterprise Value- Any serious investor diligence exercise will include a review of key customer contracts. Investors look for liability caps that are proportionate to revenue and insurance coverage, clear ownership of data and intellectual property, and indemnity obligations that reflect a rational allocation of risk.

When investors discover inconsistent commitments made to early customers, they often reach a simple conclusion: the company traded away too much downside risk in exchange for growth. That conclusion can affect valuation, transaction structure, and in some cases whether the investment proceeds at all.

5. Fundraising and Exits- Acquirers and late-stage investors routinely commission contract risk reviews. If a company's largest customer agreements contain uncapped liability, expansive data indemnities, or unclear rights relating to training data and derived analytics, the consequences frequently include valuation reductions, transaction-specific indemnities, escrow arrangements, and holdbacks.

The common founder reactionre"but that's just legal boilerplate", rarely survives contact with experienced M&A counsel.

The Three Knobs: How the Problem Develops

Think of each SaaS MSA as setting three dials. Over time, as more enterprise contracts are signed, those dials collectively create the company's risk profile.

Knob 1: Liability Cap

Liability caps are often compromised early in a company's growth journey. A major enterprise prospect insists on uncapped liability for data breaches or confidentiality obligations, and the founder agrees because the logo is valuable, the security posture appears strong, and the risk feels remote.

The immediate benefit is obvious: the deal closes and the customer is added to the sales deck. The hidden cost is less visible. That contract becomes a benchmark for future negotiations, contractual exposure begins growing faster than insurance coverage, and downside scenarios remain absent from financial planning.

The weakness only becomes apparent when an incident occurs. A breach involving a third-party vendor, a security event, or a significant service disruption can trigger claims from multiple enterprise customers simultaneously. At that point, the company discovers that its contractual promises are significantly larger than its ability to absorb them.

Management attention shifts from growth to settlement discussions, regulatory engagement, and damage control.

Knob 2: Indemnity Scope

Indemnity provisions often begin life as copied language from foreign SaaS templates. The clause may broadly promise to indemnify customers against any third-party claim "arising out of or relating to" the service, together with regulatory penalties, assessments, and related losses.

Initially, the clause appears harmless. Procurement teams view it favourably and the contract moves forward without prolonged debate. The problem is that broad language can create obligations extending far beyond risks the vendor can reasonably control.

Under Indian law, certain regulatory penalties may not be insurable or indemnifiable as a matter of public policy, regardless of what the contract says. More importantly, vague indemnities can pull vendors into disputes that originate from customer behaviour, inaccurate data inputs, or regulatory issues entirely outside the vendor's control.

The problem becomes visible when a regulator investigates a customer and the customer attempts to shift responsibility back to the SaaS provider on the basis that the issue somehow "arose out of" the service. Even where the vendor ultimately prevails, the cost, time, and distraction can be significant.

Knob 3: Data Ownership and Control

Many SaaS products depend heavily on customer data for analytics, benchmarking, product improvement, and machine learning initiatives. To avoid slowing down negotiations, companies sometimes grant themselves broad rights to use customer data without carefully distinguishing between raw customer data, outputs, anonymised datasets, aggregated insights, and derived analytics.

Initially, this creates flexibility for product and data teams. The company avoids another negotiation point and retains freedom to innovate.

Over time, however, the ambiguity becomes a governance problem. Indian privacy regulation increasingly focuses on purpose limitation, transparency, and lawful use of personal data. Enterprise customers, particularly those operating in regulated industries, want precise answers regarding how their data is used, where it flows, and whether it contributes to services delivered to other customers.

The issue eventually surfaces during diligence or a major customer audit. At that point, founders are expected to explain exactly which data the customer owns, which rights the company merely licenses, how anonymisation works, and what happens when a customer leaves. Inconsistent answers across customer contracts can delay investments, acquisitions, and large enterprise deals.

What Regulators, Investors, Auditors, and Diligence Teams Look For

When a company matures, the same three knobs become central diligence items.

Fundraising and M&A Due Diligence- Law firms and investors reviewing customer agreements focus on a handful of questions. Are liability caps aligned with revenue and insurance coverage? Are carve-outs reserved for genuinely catastrophic risks such as IP infringement, wilful misconduct, or major data breaches? Do indemnities reflect a rational allocation of responsibility? Is data ownership clearly documented with appropriate licences, anonymisation standards, and portability rights?

A small number of unusually aggressive customer contracts can trigger requests for special indemnities, valuation adjustments, or conditions requiring those contracts to be renegotiated before a transaction proceeds.

Internal Audits and Risk Reviews- As organisations mature, internal audit teams, risk functions, and governance advisors increasingly compare contractual promises against operational reality. They assess whether security controls, vendor management processes, and incident response procedures are capable of supporting the obligations the company has assumed.

Regulatory Reviews and Sectoral Oversight- Customers operating in fintech, healthtech, education, and critical infrastructure sectors are subject to increasing regulatory scrutiny. Regulators increasingly expect clear accountability for data breaches and operational failures, together with meaningful customer rights relating to audits, logs, and data portability.

The MSA serves as the documentary evidence of how those responsibilities have been allocated.

Real-World Style Lessons (Drawing from Market Experience)- While confidential details remain confidential, certain patterns appear repeatedly in the market.

A fintech SaaS provider once agreed to effectively uncapped liability to a banking customer for losses "arising out of the services." Following an incident, the primary cause was ultimately traced to the bank's own configuration decisions. Nevertheless, settlement discussions began from an extremely high number because the contract language gave the customer substantial leverage.

Similarly, a marketing automation provider granted itself broad rights to use customer data for machine learning and commercial purposes. When a regulator later questioned cross-customer training practices, the company spent months rebuilding its data governance framework and explaining its position to prospective enterprise customers.

The lesson is straightforward: these issues do not remain academic. They emerge during fundraises, acquisitions, audits, investigations, and high-stakes customer negotiations.

Key Risks Tied to the Three Knobs

The risks created by these provisions generally fall into five categories:

  • Legal and regulatory risk arising from privacy, data protection, and sector-specific obligations.

  • Financial risk resulting from uncapped or commercially unrealistic liability exposure.

  • Contractual and operational risk caused by broad indemnities and unclear data rights.

  • Reputation and diligence risk when investors or acquirers discover inconsistent contractual positions.

  • Governance risk where boards fail to understand the exposure embedded in major customer agreements.

Red Flags Founders and Boards Should Watch For

Use this as a working checklist when reviewing existing or proposed MSAs:

  • Liability caps that are uncapped, unusually high, or tied to losses that cannot realistically be hedged.

  • Liability carve-outs so broad that the cap effectively becomes meaningless.

  • Vendor indemnities covering any claim "in connection with the services" without linking liability to specific misconduct.

  • Missing or inadequate customer indemnities.

  • Data provisions that fail to distinguish between raw customer data, outputs, aggregated data, and derived analytics.

  • Unclear obligations regarding data deletion, return, or portability upon termination.

  • Contractual commitments that exceed the company's actual insurance coverage, security controls, or incident response capabilities.

Any one of these may deserve attention. Several together should be viewed as a governance issue.

Practical Solutions: How to Fix the Three Knobs

Immediate Fixes (Next 30–60 Days)

The first step is understanding the exposure that already exists within your customer portfolio.

  • Inventory your top 10–20 customer MSAs.

  • Review liability caps, carve-outs, indemnities, and data rights.

  • Benchmark contractual commitments against insurance coverage, security posture, and financial capacity.

  • Identify and prioritise contracts that create outsized risk.

Medium-Term Improvements (Next 3–6 Months)

Once the current position is understood, standardisation becomes critical.

A strong house MSA should include a rational liability framework, narrowly defined indemnities tied to controllable risks, and clear distinctions between customer-owned data and company-owned intellectual property. Customer licences, anonymisation rights, and data portability provisions should be transparent and internally consistent.

Equally important is the creation of escalation playbooks that define which deviations can be approved by management and which require board-level review.

Long-Term Governance Measures

As the company scales, these three knobs should become part of routine governance reporting. Material customer contracts should be accompanied by a concise summary of liability, indemnity, and data positions alongside commercial metrics such as ARR.

The company's DPDP compliance programme, incident response framework, security controls, and insurance coverage should all align with contractual commitments. High-risk legacy contracts should also be periodically reviewed and renegotiated as bargaining power improves.

Proactive remediation is almost always cheaper than reactive defence.

Conclusion: The Three Knobs Discipline

SaaS founders do not need to become contract technicians. They do, however, need to become disciplined about the three provisions that determine whether their MSAs are survivable: liability caps, indemnity scope, and data ownership.

Everything else is fine-tuning. These three clauses shape exposure to regulators, courts, customers, investors, and acquirers. They influence governance, determine risk allocation, and directly affect enterprise value.

The mature operator's rule of thumb is simple: never sign an MSA where the revenue upside is clear but the three knobs remain a mystery. If you cannot explain your risk allocation to your own board in two minutes, you are not negotiating a contract, you are gambling with enterprise value.

 

Want this kind of thinking inside your business?

Start a conversation