Your Terms of Service is the single most important document in your customer contracting stack. It governs every commercial relationship, defines your liability exposure, protects your intellectual property, and establishes the rules under which customers use your product. Every other document in your stack — your DPA, your SLA, your privacy policy — connects back to it.
Despite that, most founders either copy a template without reading it or pay a generalist attorney to draft something that doesn’t match their product. The result is a document that creates more risk than it prevents.
This post walks through the major sections a B2B SaaS Terms of Service should include, what each section does, why it matters, and how to think about the balance between protecting your business and not creating unnecessary friction in your deals.
A Note on Balance
Before diving into the sections: the goal of your Terms of Service is not to be maximally aggressive in your favor. It’s to be accurate, clear, and appropriately protective.
A terms document that overreaches on every provision will slow down enterprise deals as procurement teams redline the provisions they can’t accept. A terms document that’s too permissive leaves you exposed when something goes wrong. The right approach is balanced by default.
Definitions
The definitions section establishes the precise meaning of key terms used throughout the agreement. Ambiguity in definitions creates ambiguity everywhere those terms appear.
At minimum, your definitions should cover: “Customer” (who is bound by the agreement), “Service” (what you’re providing access to), “Customer Data” (the data the customer inputs or generates through the service), “Users” (the individuals the customer permits to access the service), “Documentation,” and “Order Form.”
The definition of Customer Data deserves particular attention. Draw a clear distinction between data the customer provides or generates (which they own) and aggregated, anonymized, or derived data that you generate from usage patterns across your customer base (which you should retain rights to). This distinction flows through your entire agreement and into your DPA and privacy policy.
Service Access and Usage Rights
This section defines what the customer is getting and how they’re permitted to use it. In a SaaS model, you’re granting access to a hosted service, not a license to software. The customer accesses your platform over the internet. You maintain control of the underlying code, infrastructure, and delivery.
Specify that access is non-exclusive, non-transferable, and limited to the customer’s internal business purposes. Reference the applicable Order Form for the specific service tier, user count, or usage limits the customer has purchased.
Acceptable Use
Acceptable use provisions define what customers can’t do with your service. The standard categories include prohibitions on illegal activity, security violations, abuse of shared resources in a multi-tenant environment, reverse engineering, and using the service to compete with you.
For SaaS products specifically, consider including provisions on API usage limits, automated data extraction, resale or redistribution of access, and — if your product includes AI features — restrictions on using outputs to train competing models.
Billing and Payment
Your billing terms need to match your actual pricing model. A template written for a subscription model won’t include the provisions needed for usage-based or hybrid pricing.
For subscription models, cover: payment frequency and timing, auto-renewal mechanics, how mid-term changes are handled, and price increase notice periods.
For usage-based models, cover: how usage is measured and who determines the authoritative count, overage calculation and invoicing, and the dispute process.
If your product includes agentic AI capabilities, address this explicitly. Autonomous agents can generate unpredictable usage patterns. Your terms should define how agent-driven usage is metered, whether customers can set spend caps, and how overage notifications work. Without these provisions, you’re setting up billing disputes where the customer is surprised by charges for actions they didn’t directly initiate.
Intellectual Property
The IP section establishes who owns what. For a pure SaaS product: you retain all ownership of the service, the underlying technology, the software, and any improvements. The customer retains all ownership of their Customer Data. Neither party acquires any rights in the other’s pre-existing intellectual property.
Your rights to aggregated, anonymized data derived from usage across your customer base should be explicitly stated here or in your definitions section.
AI-Generated Outputs
If your product includes AI or machine learning features, your terms need to address this explicitly. The key provisions to cover:
Ownership. To the extent ownable, the customer should own outputs generated from their inputs, and you retain all rights to the underlying models, algorithms, and training data. This is a developing legal area — copyright protection for AI-generated content remains unsettled — but the contractual allocation between the parties can be defined.
Accuracy disclaimers. AI outputs are probabilistic, not deterministic. Your terms should clearly disclaim any warranty that AI-generated content is accurate, complete, error-free, or suitable for any particular purpose. Without this disclaimer, you’re implicitly warranting the accuracy of every output your AI produces.
Training and model improvement. Address directly whether customer data is used to train or improve your AI models. Enterprise procurement and security teams ask this first. Your terms should answer it clearly — and consistently with your DPA and privacy policy.
Third-party AI providers. If your AI features are powered by third-party models, your terms should acknowledge this and your subprocessor list should reflect it.
Confidentiality
Standard provisions include: a definition of what constitutes confidential information, the obligation to protect it using reasonable care, permitted disclosures, and the duration of the obligation.
One drafting trap: think carefully about whether your definition of Confidential Information includes Customer Data. If it does, and your limitation of liability section carves out breaches of confidentiality from the general cap, you’ve created an unintended liability exposure. Every data incident becomes a confidentiality breach that sits outside your cap. The cleaner approach is to exclude Customer Data from the definition of Confidential Information and govern it through the DPA instead.
Limitation of Liability
This is arguably the highest-stakes section in your entire agreement. It defines the maximum financial exposure either party faces if something goes wrong.
The typical structure: a flat cap on aggregate liability set at twelve months of fees, with carve-outs for willful misconduct and fraud. What’s evolved in the market, particularly with enterprise customers, is a three-tiered structure:
- General cap: twelve months of fees, covering the majority of obligations
- Supercap: two to three times the general cap, for elevated-risk obligations like data security incidents and confidentiality breaches
- Full carve-outs: for willful misconduct, fraud, and IP infringement
The section should also include a mutual exclusion of consequential, incidental, and indirect damages. Without it, a single service disruption could expose you to claims for every downstream loss your customer experiences.
One drafting requirement founders often miss: in many US jurisdictions, limitation of liability language must be set in all caps or otherwise made conspicuous in the agreement to be enforceable. If this section is in the same font as the rest of your agreement, it may not hold up when you need it most.
Indemnification
Indemnification provisions define when one party agrees to defend and hold the other harmless against specific categories of claims. In most B2B SaaS agreements, this covers third-party claims — not first-party losses.
Watch for enterprise customers who try to expand indemnification beyond third-party claims to include first-party losses. First-party indemnification effectively turns the obligation into a separate damages recovery mechanism that can operate outside your limitation of liability framework.
Scope the indemnification obligations carefully, and make sure they’re subject to your limitation of liability.
Term and Termination
Cover the initial term, renewal mechanics (auto-renewal is standard), termination for cause with a cure period, and termination for convenience if offered.
One provision most templates miss: annual price increases on renewal. If you’re entering multi-year relationships with auto-renewal, you need a contractual mechanism to increase pricing over time or your margins erode. Include a provision allowing price increases on renewal at the greater of a fixed percentage (3–5%) or CPI growth. Build this in from the start — introducing price escalation into an existing customer relationship without a contractual basis creates friction.
Governing Law and Dispute Resolution
Specify your home state as the governing law and venue. Consider including a mandatory arbitration clause and a class action waiver. Both provide meaningful protection: arbitration is generally faster, less expensive, and confidential; class action waivers prevent aggregated claims.
Like limitation of liability language, jury trial waivers typically need to be conspicuous (all caps) to be enforceable.
Bringing It Together
The sections above aren’t independent provisions. They form an integrated framework where each section references and reinforces the others. Your billing terms connect to your termination provisions. Your limitation of liability connects to your indemnification obligations. Your definitions of Customer Data flow through to your confidentiality section, your DPA, and your privacy policy.
When reviewing or drafting your Terms of Service, read them as a system, not as a collection of standalone clauses. The strength of the document comes from the consistency across sections, not from any individual provision.
No Boiler provides self-service legal document generation and educational content. This material is general in nature and is not a substitute for legal advice. Please have a qualified attorney review any documents before relying on them.