Skip to main content

XaaS Legal implications

What to consider when transitioning to a XaaS model

Most of these challenges can be minimized with good planning and a focus on the legal considerations. We hereunder list seven legal considerations to pay attention to for companies that envisage a move to a Xaas business model.

Identify the ongoing client agreements

Clients may have already bought products from the Xaas service provider before the transition of the latter to a Xaas business model. This agreement may include additional services or maintenance provisions. Depending on the contractual clauses, the client could be entitled to receiving these services for a determined period of time and the termination clause may not allow termination for convenience at any moment in time. Applicable legislation could also foresee an obligation to provide maintenance and repair services for a certain period of time or that spare parts need to be offered. Hence, the transition to a Xaas model may take some time and most probably requires a transition period.

Contractual relationship with the client under Xaas

Next, the format and type of the new (service) agreement to be entered into with the client will need to be identified. This will often be a more complex agreement than the terms and conditions of a sales contract. For example, as the XaaS service provider will offer services instead of products, the service levels thereof must be laid down in a comprehensible manner and in measurable terms. How important is the uptime and resolution time for the specific Xaas services? What are the remedies in case of a breach of the agreed service levels?


Linked with these service levels, the Xaas service provider will likely work with subcontractors to provide services that are part of the subscription model. The contractual relationship with all subcontractors must match the contractual relationship offered to the client, for instance, with respect to liability.

Security and Data Protection

In order to ensure a continuance of the services, it is important to ensure that the appropriate security measures, such as encryption, authentication and authorization requirements, data backup, and security incident management are foreseen.

Attention must also be paid to the GDPR, as both the client and the XaaS service provider will have obligations under data protection legislation in their capacity as data controller and/or data processor.

Data ownership, localization and confidentiality

The ownership of and access to the data must also be foreseen in the contractual relationship with the client. In the context of the European Digital Strategy, several regulations such as the Data Act, Data Governance Act, Digital Services Act, etc. may have significant impact on data (access) related aspects. Xaas service providers may encounter more stringent obligations, whereas clients (users) may enjoy specific rights.

Moreover, it is also important for the client to understand where his data is stored, as well as which (data protection) legislation may apply to data stored outside of the EU. In the latter case, compliance with the provisions in the GDPR on data transfers has to be verified.

Intellectual Property Rights

Clients may have specific needs or requests, which may include the development of specific solutions or add-ons. An agreement must be reached between the XaaS service provider and the client as to who retains the intellectual property rights in these developments. While the developments may be specific to a particular client’s need, the XaaS service provider may want to use the same developments for other clients and will hence be only prepared to grant a non-exclusive license.
Contract expiration, termination and exit provisions

Since the client is no longer the owner of a product he becomes more reliant on the Xaas service provider and the continuance of his services. Therefore, it is important for the Xaas service provider to think about this, and how the agreement can be terminated in such a way that the business continuance of the client, relying on the Xaas services, is not jeopardized.

The client should in any case be given access to its own data. Ideally, the agreement will foresee provisions regarding the transition of services to another supplier and at which cost.

Did you find this useful?

Thanks for your feedback

If you would like to help improve further, please complete a 3-minute survey