SaaS and Cloud Services

Regulatory and commercial legal support

Software, cloud and platform services now underpin almost every aspect of modern digital infrastructure. Organisations depend on SaaS, CCaaS, PaaS and cloud environments to deliver core business functions, support customer communications, manage data at scale, and deploy AI-driven capabilities. As these systems evolve, they increasingly blend software functionality, communications elements, data governance, and outsourced operational risk.

This convergence means that SaaS and cloud arrangements are rarely just “IT contracts”. They must address complex regulatory frameworks, including data protection, AI governance, telecoms regulation, security and resilience requirements, and sector-specific compliance obligations. Providers and customers must also manage issues such as multi-vendor architecture, subcontracting chains, service resilience, cross-border data flows, and cloud exit or portability.

Bratby Law advises SaaS, CCaaS, PaaS and cloud providers, enterprise customers, digital infrastructure operators and investors on the regulatory and commercial aspects of designing, procuring and scaling digital services. The firm’s experience spans product development, platform commercialisation, regulatory perimeter analysis, privacy and AI governance, risk allocation, and dispute avoidance. Our advice is grounded in deep sector expertise and aligns commercial objectives with regulatory, operational and contractual requirements.

Our experience

SaaS and cloud services transactions involve regulatory considerations that cut across data protection, telecoms and (where payment functionality is embedded) payments regulation. The UK GDPR governs the controller/processor relationship under Article 28, requiring a compliant data processing agreement. Where the service includes the conveyance of signals, it may constitute an electronic communications service under section 32 of the Communications Act 2003. Embedded payment features may trigger obligations under the PSRs 2017.

Key issues for clients

  • Structuring and contracting: drafting and negotiating agreements, service level commitments and end-user terms.
  • Data and AI compliance: ensuring solutions align with UK GDPR, Data Protection Act 2018 requirements and new AI governance obligations.
  • Regulatory and telecoms issues: identifying whether cloud or communications functionality triggers Ofcom, NIS2 or other telecoms licensing obligations.
  • Security and resilience: reviewing architecture, subcontracting models and incident-response frameworks.
  • Intellectual property: licensing models and IP ownership structures, IP warranties and indemnities in vendor and customer contracts, ownership of customisations and integrations, open source licence compliance and contamination risk, and source code escrow and business continuity arrangements.
  • Commercial and procurement strategy: aligning pricing, performance, risk allocation and contract governance with commercial and operational outcomes.

How we help

  • Drafting and negotiating cloud, SaaS and platform agreements tailored to commercial models and operational requirements.
  • Advising on regulatory perimeter questions where software services intersect with communications functionality or telecoms regulation.
  • Designing data protection and AI governance frameworks for cloud-based products and services.
  • Supporting incident-response planning, resilience obligations and supplier-management frameworks.
  • Advising on the intellectual property dimensions of SaaS and cloud transactions, including software licensing structures (perpetual vs subscription, SaaS vs on-premise), IP warranty and indemnity negotiation, ownership of customisations and integrations, open source licence compliance, and source code escrow.
  • Providing sector-specific risk analysis for investment, procurement and product rollout.

Intellectual property rights underpin the value of every SaaS business. We advise on the intellectual property dimensions of SaaS and cloud transactions, including software licensing structures, IP warranty and indemnity negotiation, ownership of customisations and integrations, open source licence compliance, and source code escrow. Our work on SaaS transactions draws on a foundation in IP licensing and software contracts. We also advise on related areas including data commercialisation and licensing.

How Bratby Law helps

SaaS and cloud agreements in the telecoms and payments sectors must address regulatory obligations under the Communications Act 2003 and, where applicable, the Payment Services Regulations 2017. We advise SaaS providers, cloud platforms, telecoms operators deploying cloud services, and enterprise customers on the regulatory, data protection, and commercial aspects of cloud and SaaS agreements.

  • Drafting and negotiating SaaS subscription agreements, cloud services contracts, and platform terms
  • Data protection compliance for cloud deployments, including international transfer mechanisms and UK GDPR Article 28 processor agreements
  • Advising on the interaction between telecoms regulation and cloud services where operators provide bundled offerings
  • Service level agreements, uptime commitments, and liability frameworks for mission-critical cloud services
  • Exit and migration provisions, data portability, and vendor lock-in protections
  • Regulatory due diligence on SaaS and cloud acquisitions
  • FCA and PRA outsourcing requirements for regulated firms using cloud infrastructure

Representative experience

Recent and representative matters include:

  • Drafted and negotiated enterprise SaaS agreements for a telecoms software provider, including data processing terms compliant with Article 28 and service level commitments aligned with the customer’s regulatory obligations.
  • Advised a cloud communications platform on the regulatory classification of its services, confirming that certain hosted PBX and UCaaS offerings constituted ECS under the Communications Act 2003.
  • Structured the data protection and commercial terms for a multi-tenant cloud platform processing financial services data, including sub-processor controls, international transfer mechanisms and exit provisions.
  • Advised on the regulatory implications of embedding payment initiation services within a SaaS platform, assessing whether the activity required FCA authorisation under the PSRs 2017.
  • Negotiated cloud infrastructure agreements for a regulated telecoms provider, addressing TSA security obligations, data residency requirements and Ofcom information access provisions.

Frequently asked questions

What legal frameworks apply to SaaS and cloud services in the UK?

SaaS and cloud arrangements are governed primarily by contract law, but they are shaped by several regulatory frameworks: UK GDPR, the Data Protection Act 2018, sector-specific regulatory requirements, the Online Safety Act (where platforms are in scope), telecoms regulation where communications functionality is offered, and security requirements informed by NCSC guidance. Cross-border services may also trigger EU GDPR, the EU AI Act and ENISA cloud certification considerations.

Do SaaS providers ever fall within telecoms regulation?

Yes. Where a SaaS or CCaaS platform includes or underpins electronic communications functionality, elements may fall within Ofcom’s regulatory perimeter. This includes services that allocate numbers, route calls, or provide messaging or communications features at scale. Proper analysis of the General Conditions and related guidance is essential to avoid inadvertent non-compliance.

What are the key contractual risks in SaaS and cloud agreements?

Key issues include service definition, uptime and availability, support models, subcontracting and supply-chain transparency, security and resilience commitments, data-processing terms, limitation of liability, exit and portability, and disaster-recovery provisions. The balance between commercial flexibility and regulatory accountability is often central to negotiation.

What should organisations consider when transferring personal data into the cloud?

Organisations must ensure UK GDPR and DPA 2018 compliance, including a clear legal basis, controller-processor allocation, data-processing terms, security measures, records of processing and, where relevant, international transfer mechanisms. Continuous monitoring and supplier governance are required where processing is ongoing, dynamic or high-risk.

How do AI governance obligations interact with SaaS and cloud deployments?

Cloud environments frequently support AI models, inference services or automated decision-making. Providers and customers should assess how model development, data inputs, transparency, testing, bias mitigation, and monitoring obligations interact with cloud architecture. Recent UK guidance and the EU AI Act impose additional governance expectations on providers and deployers of AI systems.

What due diligence should customers undertake when procuring SaaS or cloud solutions?

Typical assessments include regulatory perimeter checks, data-protection compliance, security controls aligned to NCSC and ISO/IEC 27000-series standards, operational resilience, supplier financial stability, service architecture, service levels, roadmap and end-of-life policies, and exit or transition planning.

Do cloud providers need to support data portability and exit?

Yes. Portability, data extraction, transition assistance and clear exit pathways are essential, both legally and commercially. In some cases, these are mandated by regulatory frameworks (e.g. EU free flow of non-personal data). Even where not required by law, exit clarity is a key risk-management concern for customers.

How can Bratby Law help?

Who owns customisations and integrations built on a SaaS platform?

Ownership depends on the contractual terms. The default position under the Copyright, Designs and Patents Act 1988 is that copyright vests in the author (or employer). SaaS agreements should specify whether customisations, integrations and derivative works are owned by the vendor, the customer, or jointly, and what licence rights each party retains on termination.