Legal Guide for SaaS Startups in Australia (Software as a Service)

Last updated: 22 April 2024

In Australia, individuals and businesses are embracing monthly subscription services more than ever. This trend has catapulted Software as a Service (SaaS) startups to the forefront. The appeal? A steady stream of recurring monthly income makes SaaS businesses highly desirable to entrepreneurs and investors.

However, the SaaS legal landscape is not easy. In this guide, we break down the key legal issues faced by SaaS startups and offer suggestions and advice based on our years of online business legal experience.

TLDR: Quick Summary of this Legal Guide

  • Implement robust data privacy and security measures, including a comprehensive Privacy Policy, to protect customer data and comply with Australian regulations.
  • Have a data breach response plan ready (including a pre-written statement for customers) and notify customers/authorities promptly if a breach occurs, as Australia’s Notifiable Data Breaches scheme mandates.
  • For international customers, ensure compliance with data protection regulations like GDPR (EU/UK) and CCPA (California).
  • Determine if industry-specific regulations, such as healthcare data privacy laws or financial services licensing requirements, apply to your SaaS business.
  • Use a well-drafted SaaS Agreement outlining service details, data ownership, subscription terms, and dispute resolution with your subscribers.
  • Protect your intellectual property by trademarking your SaaS business name and logo and carefully reviewing open-source software licenses before integration.


If you still have questions after reading this legal guide, get in touch. We’d love to add them to this comprehensive guide.


Definition: What Is SaaS?

SaaS, or Software as a Service, is a software delivery method where applications are delivered over the Internet through your web browser instead of being downloaded and installed on your computer. Popular SaaS businesses include:

  • Canva (for graphic design)
  • Dropbox (for document storage)
  • Google Workspace (for documents and spreadsheets)
  • Help Scout (for email support)
  • Hubspot (for inbound marketing)
  • Mailchimp (for email marketing)
  • Shopify (for eCommerce)
  • Slack (for team communication)
  • Stripe (for credit card processing)
  • Trello (for project management)
  • Xero (for accounting)
  • Zoom (for video conferencing)

SaaS Compliance and Regulations

Who regulates SaaS companies in Australia?

In Australia, SaaS businesses are regulated by the same regulators as any other Australian business. These include:

  • ACCC (Australian Competition and Consumer Commission) covers consumer protection, guarantees and misleading advertising.
  • OAIC (Office of the Australian Information Commissioner) covers privacy and data protection.
  • ASIC (Australian Securities and Investments Commission) covers financial reporting and corporate governance.
  • Industry-specific regulators such as APRA (Australian Prudential Regulation Authority) for finance sector businesses and ACMA (Australian Communications and Media Authority) for media and telecommunications businesses.

Australian SaaS businesses must adhere to various legislative and regulatory requirements, including:

  • Data Privacy: Obtaining consent to collect personal data, implementing security measures, and correcting or deleting data if asked.
  • Data Breach Notification: If you have a data breach and personal information is put at risk, notify subscribers and the government’s OAIC.
  • Australian Consumer Law: Avoid misleading advertising and unfair contract terms, and offer refunds if your services fall short of your promises.
  • Payment Processing: You must handle credit card data securely and comply with the Payment Card Industry Data Security Standard (PCI DSS).
  • Industry-specific Requirements: Applicable if you operate in the healthcare, finance or education sectors.

These requirements are discussed in more detail in the following sections.

What industry-specific regulations apply to Australian SaaS businesses?

The regulatory landscape for SaaS companies in Australia can vary significantly based on your chosen industry. For instance:

  • Healthcare: SaaS businesses must comply with the Health Records and Information Privacy Act 2002 and individual State and Territory privacy laws and record retention regulations, ensuring the strict confidentiality and security of ‘sensitive’ health information.
  • Finance: SaaS startups must follow the Australian Securities and Investments Commission’s (ASIC) regulations, which may, in some circumstances, require obtaining or maintaining a licence for ‘providing’ financial services.
  • Education: SaaS platforms must adhere to standards set for registration, curriculum, quality assurance, and student rights. These standards are set at both the State and Federal levels and regulated by a number of bodies and guidelines. These include the Tertiary Education Quality and Standards Agency (TEQSA), Australian Skills Quality Authority (ASQA), Australian Qualifications Framework (AQF), Education Services for Overseas Students (ESOS) Act 2000, etc.

Please contact us if you need help checking the State or industry-specific regulations that apply to your SaaS startup.

What are my obligations if my SaaS business handles personal information?

Managing your customers’ personal data carries some serious obligations and is governed by the Australian Privacy Principles (APPs). Your obligations include:

  • Only collect the personal data that you need to provide your services
  • Obtain consent from your customers when you collect that personal data
  • Store personal data securely and with restricted access
  • If you have a data breach, inform affected customers and the OAIC
  • Respond to customers’ enquiries about their personal data
  • Update and correct customers’ personal data when requested to do so
  • Protect personal data when you transfer it to vendors or overseas
  • Publish all your personal data practices in a Privacy Policy
  • Train your employees on the correct handling of personal data

How do I comply with the Notifiable Data Breaches Scheme in Australia?

The Notifiable Data Breaches (NDB) scheme applies to SaaS businesses with an annual revenue of over $3 million. You should have a plan in place just in case of a data breach, even if you do not meet the annual revenue level. If you have a data breach, you need to act quickly, assess the severity of the breach, and notify your SaaS subscribers and the Government’s OAIC. Failure to comply with the NDB scheme could result in penalties, including fines of up to $2.1 million.

SaaS Agreements

What is a SaaS Agreement?

A SaaS Agreement, or SaaS Subscription Agreement, is a legal contract between a SaaS provider and a customer. It outlines the terms and conditions under which the SaaS product is offered to the customer and includes pricing, payment terms, data privacy, usage restrictions, disclaimers, termination, etc.

Do I need a SaaS Agreement?

Yes, absolutely! A solid SaaS Agreement is your best legal defence for running a SaaS business. It sets clear expectations, outlines your responsibilities and limits your liability. Without a well-drafted SaaS Agreement, you open yourself up to payment disputes and misunderstandings with your customers, lack of protection for your IP, and problems securing startup capital from potential investors.

What is the difference between a EULA and SaaS Agreement?

A EULA, or End-User Licence Agreement, typically applies to software purchased and installed on a computer or mobile phone. It grants the customer a licence to use the software, but the customer does not own the software code. A EULA focuses on any restrictions on the use or copying of the software.

By contrast, a SaaS Agreement applies to software accessed and used over the Internet. It grants customers the right to access and use the software during their subscription and focuses on service levels, uptime guarantees, payment terms, subscription renewal, etc.

What is the difference between an MSA and SaaS Agreement?

A Master Service Agreement (MSA) is an umbrella agreement that covers the general terms and conditions between a business and its vendor partners. It usually covers a range of services (e.g. software development, maintenance, consulting, etc.) and includes payment terms, service levels, confidentiality, IP protection, etc.

A SaaS Agreement is more specific. It only covers the SaaS offering and platform and details guaranteed service levels, data protection, automatic subscription renewal, payment terms, cancellation, etc.

What terms should my SaaS Agreement include?

A typical SaaS Agreement includes the following clauses:

  • Services Provided: A description of the features and functions of the SaaS.
  • Subscription Terms: Details of pricing, payment terms and billing cycle.
  • Access and Use: How the SaaS is accessed and any usage restrictions.
  • Data Privacy and Security: How customer data is collected, used, and protected.
  • Intellectual Property: Ownership rights and licenses, including trademarks, copyrights, or patents.
  • Confidentiality: How sensitive information will be kept confidential.
  • Warranties and Disclaimers: Guarantees regarding the software’s quality, performance, availability, and liability disclaimers.
  • Term and Termination: Duration of the agreement and conditions under which either party can terminate the contract.
  • Indemnification: Liabilities of each party in case of third-party claims, damages, or losses arising from using the SaaS software.
  • Governing Law and Jurisdiction: In case of disputes between the parties.

Who owns the data in a SaaS Agreement?

Typically, a SaaS customer retains ownership of their own data. The SaaS provider acts as a custodian of the data and is responsible for securing and processing it in accordance with the SaaS Agreement.

Platform data, such as system logs, usage statistics, and aggregated customer data, is typically owned by the SaaS provider. Your SaaS Agreement should clearly state who owns what and how long the data is stored after the termination of any services.

Do I need to inform subscribers of changes to my SaaS Agreement?

Definitely! If you’re tweaking the terms of your SaaS Agreement, give your users a heads-up. It’s not just about being polite; it’s about trust and transparency. If the changes to your SaaS Agreement are material, you may, in some instances, need to have subscribers agree to your terms again. Plus, it often helps to keep things smooth and avoid any misunderstandings down the line.

Website Legals

Do I need Website Terms and Conditions?

Yes. Website Terms and Conditions are for your website visitors and outline how visitors can use your website, what’s allowed, and what’s off-limits. By contrast, your SaaS Subscription Agreement is for your SaaS customers and applies after customers have signed up. You will need both for your SaaS startup.

Do I need a Privacy Policy?

Yes. A Privacy Policy is necessary if you collect personal information on your website, such as names and email addresses. It’s not just about ticking a box; it’s about being open with your visitors. Tell them what information you’re collecting, why you need it, and how to keep it safe. It builds trust and shows you’re serious about protecting their privacy.

Do I need a EULA?

It depends. Many SaaS applications are just accessed through a web browser and don’t involve downloading any software or code – just HTML, CSS, and JavaScript. In this case, a EULA is not required. In fact, a EULA is discouraged – you don’t want to give your subscribers licensing rights to the software itself.

However, if your SaaS application requires software or code snippets to be downloaded to your subscribers’ computers or mobile phones to run correctly, then you will need them to agree to your EULA. In this case, your code is downloaded to their devices, and you need to protect yourself from having your code copied or misused.

Do I need a Cookie Policy?

Probably. A Cookie Policy isn’t legally required for Australian websites and SaaS applications. But it is required for UK, EU, and Californian customers – and many jurisdictions may soon follow suit. If your website and SaaS application use cookies, then it’s an easy fix to add a Cookie Policy notice and make things transparent for your customers.

International SaaS

If you’re offering a SaaS product to international customers, you might have to comply with personal data protection laws and cross-border data transfer regulations in their jurisdiction. For example, for customers in the UK and EU, you must comply with GDPR (General Data Protection Regulation); for customers in California, you must comply with CCPA (California Consumer Privacy Act).


45% of IT spending will be on cloud-based solutions by 2024

Globally, large enterprises increasingly use SaaS solutions to streamline their operations. A report by Gartner indicates that by 2024, more than 45% of IT spending on system infrastructure, infrastructure software, application software, and business process outsourcing will shift from traditional solutions to cloud-based offerings.

Do I need to comply with GDPR in the EU and CCPA in California?

Yes, if you have customers or are marketing in the UK, EU, or California, then GDPR and CCPA regulations will apply to you.

The General Data Protection Regulation (GDPR), which applies regardless of where your business is located, focuses on giving EU and UK residents control over their personal data. The California Consumer Privacy Act (CCPA) similarly safeguards Californians’ privacy rights. Both sets of regulations establish stringent data protection standards and impose significant penalties for non-compliance.

Is a SaaS provider a data processor under GDPR in the UK?

Under GDPR, if you collect, store and ‘process’ personal data on behalf of a customer (like an email marketing list), you may be seen as a data processor. You then have different responsibilities over and above just keeping personal data safe. These include helping your SaaS users meet GDPR obligations, not transferring data outside the UK or EU without appropriate safeguards, providing data breach notifications, etc.

How do I handle legal disputes with international customers?

Handling legal disputes across borders can be tricky. The key is to have clear terms in your agreements about how disputes will be managed. This means specifying which country’s laws will apply and where disagreements will be resolved. A Governing Law clause in your SaaS Subscription Agreement is the best way to achieve this.

How to Start a SaaS Business

What business structure should I use for my SaaS business?

Choosing the proper business structure for your SaaS venture is crucial. You have three options in Australia: sole trader, partnership, or Pty Ltd company. Each has its own legal and tax implications. A sole trader setup is straightforward but doesn’t offer liability protection for your personal assets. A partnership is excellent for collaboration, but you share the liability and are responsible for your partners’ debts. While more expensive to maintain, a Pty Ltd company structure offers personal liability protection and can boost your professional credibility.

Check out our feature article, ‘How to Choose the Right Business Structure’ for more details.

How can I protect my IP in Australia?

You enjoy automatic copyright protection if you create or write software code and publish it on your SaaS website. If your software has novel or unique features, consider patenting them, but this process can be time-consuming and expensive. At the very least, you should trademark your SaaS business name, logo, and original visual features or designs.

Also, consider having Confidentiality Agreements (or NDAs) with your employees, subcontractors, consultants and potential investors. Ideas, before being turned into functioning SaaS products, are difficult to protect – but you should take this step seriously and not skip over it.

Should I trademark my SaaS business name?

Yes. You should trademark your SaaS business name and logo. This protects you from copycats and is an essential step in the long-term defence of your brand. We have lost count of the number of online business owners who have come to us after their online brand was copied and they failed or forgot to trademark it as soon as they got up and running.

Check out our feature article, ‘How to Trademark Your Business Name’ for more details.

Can I use open-source software in my SaaS app?

Yes, but you must understand the conditions under which you can use certain open-source code. Open-source licences vary considerably – some are pretty relaxed, while others have strict conditions requiring you to release your code publicly. Violating these terms can lead to legal troubles, so seek legal advice or opt for open software code with clear terms if in doubt.

Should I register my SaaS business for GST?

If your business generates more than $75,000 annually in Australia, you must register for GST. Registering for GST means adding 10% GST to your prices, but it also allows you to claim GST credits for many of your business purchases. In general, published prices for B2C consumers must include GST, but published prices for B2B customers do not have to include GST. And remember, you don’t add GST to sales made to non-Australian consumers or businesses.

SaaS Legal Checklist

Here’s a checklist of legal agreements and notices you’ll need to run your SaaS business successfully:

  1. Choose an optimal business structure (Sole Trader, Partnership, Pty Ltd Company)
  2. Determine if any industry-specific regulations apply (e.g. healthcare, finance, education)
  3. Draft a comprehensive SaaS Agreement covering service details, data ownership, terms, etc.
  4. Specify governing law and jurisdiction for legal disputes in the SaaS Agreement
  5. Draft Website Terms & Conditions and Privacy Policy
  6. Add a EULA if software/code is downloaded to user devices
  7. Make legal agreements easily accessible on your website
  8. Implement robust data privacy and security measures per Australian Privacy Principles
  9. Have a data breach response plan ready per the Notifiable Data Breaches scheme
  10. For international customers, have a Cookie notice and ensure compliance with GDPR (EU/UK) and CCPA (California)
  11. Use Confidentiality Agreements with subcontractors and employees to protect trade secrets
  12. Trademark your SaaS business name and logo
  13. Register for GST if annual Australian revenue exceeds $75,000
  14. As your business evolves, inform subscribers of any changes to the SaaS Agreement terms, etc.

Ticking these boxes doesn’t just keep the legal eagles at bay; it builds trust with your users and lays a solid foundation for your SaaS business. Keep this checklist handy, and your SaaS journey will be as smooth as your software!

We hope you found this Legal Guide for SaaS Startups in Australia helpful.


About the Author: Vanessa Emilio

Vanessa Emilio (BA Hons, LLB, ACIS, AGIA) is the Founder and CEO of Legal123.com.au and Practice Director of Legal123 Pty Ltd. Vanessa is a qualified Australian lawyer with 20+ years’ experience in corporate, banking and trust law. Click for her full bio or follow her on LinkedIn.

Disclaimer: We hope you found this article helpful, but please be aware that any information, comments or recommendations are general in nature, do not constitute legal advice and may not be suitable for your specific circumstances. Whilst we try our best to ensure that the information is accurate, sometimes there may be errors or new information that has yet to be included. Any decisions you take based on information on this website are made at your own risk and we cannot be held liable for any losses you suffer. Contact us directly before relying on any of this information.