Software-as-a-Service (“SaaS”) is a delivery model in which software features, applications and services are made available to customers via the Internet, typically hosted on a cloud platform and where customers are charged for consumption of the services on a subscription basis. This delivery model contrasts with software licence model which is delivered either in physical form or downloaded via the internet.

Over the past decade, the SaaS model has included very popular services as examples of its success, including Office 365, Dropbox, Slack, and Salesforce.

When planning to adopt the SaaS model, it will be useful to consider the following points to be addressed in the SaaS agreement or Terms of Use:


At risk of stating the obvious, the subject matter of the services or features being made available to a paying customer should be clear. Also, to which parties (single or multiple) such services will be made available, to the subscriber only, its employees, or other third party users?

Whether the SaaS are made available to business users or private consumers may determine if the local consumer protection laws, such as the Malaysian Consumer Protection Act 1999, will apply.


The agreement should address the payment obligations of the customers, i.e. when is payment due – whether time based (monthly or upfront) or consumption based (by units or usage), how payment should be made (credit card, bank transfer or through a payment portal), renewal and recurrence of the subscription, and the consequences of not making timely payment (temporary suspension, or automatic termination of the users account and data).


In a traditional software license, the licensee purchases the software and is granted a right to download, copy and/or install and use the software on their own devices. With SaaS agreements, the services are typically accessed by users through a website or platform hosted on the internet.

As such, users will not possess a copy of the software providing the service and will typically only be granted a non-exclusive, non-transferable, and revocable license to access and use the service, rather than a license for the software or application itself.

In certain situations, the users should also grant the service provider a license to use any of their user generated content necessary to provide the service. Ownership of the user generated content should also be considered.

Service Level

In a typical SaaS business, the service provider will be expected to make available the subscribed services for a minimum amount of time (eg 99.5% of the time for 365 days a year). This commitment should of course exclude:

  • scheduled downtimes for maintenance, which should be done during off-peak hours and communicated to the users in advance;
  • and general outages caused by events beyond one’s control, eg. Natural disasters and thirdp-party failures.

Another common feature in SaaS business models will be to set out how quickly the service provider will respond to troubleshoot problems that arise, and the mandated response times depending on severity levels.

Data ownership and protection

Enforcement of the Personal Data Protection Act 2010 (“PDPA”) has commenced in Malaysia (see link here). From the other side of the globe, the General Data Protection Regulations (“GDPR”) has come into force in the European Union, which may even affect businesses outside of Europe (see link here).

As such, both service providers and users will need to put in sufficient thought into the flow of personal data and data protection policies, particularly when the services might be hosted on third-party cloud platforms.

Service providers that will receive personal data from users will want to ensure that the users have obtained the consent from the relevant data subjects. Further, the data subjects should be informed of what their personal data will be used for, including:

  • if it will be shared with third parties, and if yes which third parties; and
  • if the data subjects will be subjected to targeted advertising and marketing.

The treatment and use of the data upon termination of the business relationship will also need to be considered. It is vital that personal data is not kept for longer than necessary, and the GDPR will further grant to data subjects to “right to be forgotten”, i.e. the right to request that their personal data be deleted from the data user’s database.


This article was written by Shawn Ho (Partner) & Ian Liew (Associate) from the corporate practice group of Donovan & Ho.  Feel free to contact us if you have any queries.


What is Manual Labour?
Bubble Tea Wars: Tealive Loses Again; Stay of Execution Dismissed

Latest Articles

The Cornerstone of a M&A Journey: Going Beyond the Basic Terms of a Term Sheet

by | March 13, 2024 |

LinkedIn Facebook Twitter Gmail Print Friendly The initial stages of a Merger and Acquisition (“M&A”) often involve parties trying to establish a meeting of minds on essential commercial terms, to […]

How ESG Trends and Laws Will Impact Early-Stage Fundraising for Malaysian Start-ups and SMEs

by | December 22, 2023 |

LinkedIn Facebook Twitter Gmail Print Friendly In Malaysia’s dynamic business landscape, Start-ups and Small-Medium Enterprises (SMEs) continue to be pivotal contributors to the nation’s economic growth. As responsible and sustainable […]

Proposed Amendments to Malaysia’s Companies Act 2016 – Enhancing Transparency on Beneficial Ownership 

by | December 15, 2023 |

LinkedIn Facebook Twitter Gmail Print Friendly Introduction In an effort to improve Malaysia’s corporate legal framework, a series of amendments to the Companies Act 2016 have been proposed by the […]

Share This