onTerms SaaS Module v1.0 — Standard Terms (England & Wales)
onterms:saas:1.0.0:EW · Status: v0.9 DRAFT · Not legal advice (requires E&W solicitor sign-off before production use).
How to read this. These Standard Terms are immutable and incorporated by reference from an Order (see spec/onterms-protocol.md). The Order is the only negotiable surface; it carries the constrained Elections below. Body text is adopt-verbatim. Defaults are the fair-middle position, benchmarked against Bonterms Cloud Terms and Common Paper CSA, with E&W overlays (UCTA 1977, CRA 2015, Contracts (Rights of Third Parties) Act 1999, Late Payment of Commercial Debts (Interest) Act 1998) hard-coded. Election names/values are stated exactly as encoded in schema/onterms-order.schema.json, which is the validated source of truth.
Capitalised terms have the meanings given in the onTerms Dictionary onterms:dict:1.0.0:EW, except as defined here.
0. Status of the parties (B2B-only)
[RT-fix] Each party warrants that it enters the Order in the course of its business and not as a consumer, and that the individual accepting has authority to bind it. These Terms are not for consumer contracts; if either party is a consumer, these Terms do not apply and the Order is outside onTerms (and ineligible for the "onTerms Verified" badge). This warranty is mirrored by the mandatory parties[].acting_in_business: true field in the Order schema, so a consumer order fails validation rather than relying on this recital alone.
1. Provision of the Service & Licence
The Provider will make the Service described in the Order available during the Subscription Term in accordance with these Terms, the Documentation and the applicable service levels. Subject to payment of the Fees and compliance with these Terms, the Provider grants the Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Service, and to permit its Authorised Users to do so, solely for the Customer's internal business purposes during the Subscription Term. The Provider may modify the Service provided it does not materially reduce the overall functionality or security of the Service during the Subscription Term. All rights not expressly granted are reserved.
Middle vs poles: "no material decrease in functionality" is the balanced lock (vendor-max: change anything; customer-max: change-freeze + prior approval). No election (scope/user count are Order line items, not knobs).
2. Customer Responsibilities & Acceptable Use
The Customer is responsible for: (a) its Authorised Users' use and compliance; (b) the accuracy, legality and its right to provide Customer Data; (c) credential confidentiality and prompt notice of unauthorised access; and (d) the equipment/networks/third-party services needed to use the Service. The Customer and its Authorised Users will not: (i) resell or provide the Service to a third party except as permitted; (ii) reverse engineer or copy the Service except where that restriction is prohibited by law; (iii) use the Service to store/transmit unlawful, infringing or malicious material or unsolicited communications; (iv) interfere with or circumvent its security, integrity or performance; or (v) use it in breach of applicable law. The Provider may issue reasonable Acceptable Use rules via the Documentation; in conflict, these Terms prevail.
3. Fees, Payment, Taxes & Price Changes
The Customer will pay the Fees in the Order. Unless the Order states otherwise, the Provider invoices in advance and the Customer pays each undisputed invoice within the elected number of days (commercial.payment_terms_days, default 30, range 7–60) in the stated currency. Fees are non-refundable except as expressly stated. Overdue undisputed amounts bear interest at 1.5% per month (or the maximum permitted by law, if lower), and the parties agree this contractual rate applies in place of the Late Payment of Commercial Debts (Interest) Act 1998 default. The Customer may withhold a good-faith disputed amount if it pays the undisputed balance and notifies the Provider promptly with reasons. Fees are exclusive of VAT and applicable taxes (excluding tax on the Provider's net income), grossed up for withholding subject to tax documentation. On each renewal the Provider may increase Fees subject to the elected renewal.renewal_uplift_cap (see clause 4).
Middle vs poles: Net 30 and 1.5%/month are balanced (vendor-max: net 14, higher interest; customer-max: net 60, no interest).
4. Term, Renewal, Termination & Suspension
The initial Subscription Term is commercial.order_term.initial_term_months (default 12, range 1–60). If renewal.auto_renew is true (default), it renews for successive periods of renewal.renewal_term_months (default 12) unless either party gives notice of non-renewal at least renewal.nonrenewal_notice_days (default 60, range 30–90) before the end of the then-current term. The price uplift on renewal is capped by renewal.renewal_uplift_cap.mode ∈ {none, fixed_pct, cpi, lower_of_cpi_or_fixed} (default lower_of_cpi_or_fixed); percent modes require fixed_pct (range 3–7%). Either party may terminate for cause on 30 days' written notice of an uncured material breach, and immediately for an incurable material breach or insolvency. If convenience_termination is true, the Customer may terminate for convenience mid-term and recover prepaid unused Fees pro rata (default false). The Provider may suspend the Service where: (a) undisputed Fees are 30+ days overdue after notice; (b) continued use poses a material security or legal risk; or (c) the Customer materially breaches Acceptable Use — limited to what is reasonably necessary and restored promptly. On expiry/termination the Customer's access ends, sums due are paid, and the data export/deletion provisions apply. Payment, confidentiality, data protection, IP, usage data, liability, indemnities, disclaimers, survival and governing law survive.
5. Service Levels / Uptime & Service Credits
The Provider will use commercially reasonable efforts to make the Service available at least sla_tier.uptime_pct of the time each calendar month (∈ {99.5, 99.9, 99.95, 99.99}; default 99.9), excluding scheduled/emergency maintenance, Force Majeure, Customer- or third-party-caused issues, and beta/trial features. If Monthly Uptime falls below the commitment and sla_tier.credits_sole_remedy is true (default), the Customer's sole and exclusive remedy is a service credit on the schedule in the Order/SLA addendum (default: 10% of the monthly Fee for the affected Service at 99.0–<99.9%, 25% at 95.0–<99.0%, 50% below 95%), claimed within 30 days and applied against future invoices. If sla_tier.chronic_failure_termination is true (default false), the Customer may also terminate for convenience and recover prepaid unused Fees if the commitment is missed in 3 consecutive months. Service credits are not refunds.
6. Support
During the Subscription Term the Provider will provide support through its standard channels during published business hours, using commercially reasonable efforts to meet any target response times in the Order/Documentation. (Reserved election — see "Reserved elections" below — support_tier.)
7. Data Protection & Security
To the extent the Provider processes personal data on the Customer's behalf, the parties are bound by onDPA (onterms:dpa:1.0.0:EW, incorporated by reference); where it includes the UK IDTA or EU SCCs, the parties agree to be bound by them and to populate and execute the required tables via onSign. [RT-fix] The DPA's non-derogable terms sit at the top of the precedence ladder (CORE §8 rung 6) and cannot be weakened by an Election — an Election may only make a parameter stricter. The Provider will implement appropriate technical and organisational measures consistent with data_protection.security_certification ∈ {none, cyber_essentials, cyber_essentials_plus, soc2_type2, iso27001, both} (default soc2_type2; cyber_essentials/_plus are the accessible UK-SMB baseline; a value other than none is a binding contractual commitment), maintain a subprocessor list, give notice of changes with a right to object where data_protection.subprocessor_objection_right is true (default), and remain responsible for subprocessors. The Provider will notify the Customer of a personal data breach within data_protection.breach_notice ∈ {undue_delay, 72h, 48h, 24h} (default 72h). On exit, Customer Data is deleted within data_protection.deletion_window_days ∈ {30, 60, 90} (default 60), excluding routine backups and law-required copies. data_protection.international_transfer_mechanism (UK IDTA / EU SCCs / DPF — the EU-US Data Privacy Framework and its UK Extension) is required whenever governing law is a UK/EU jurisdiction.
8. Customer Data, Feedback, Usage Data & AI Training
As between the parties, the Customer owns and retains all right, title and interest in Customer Data, and grants the Provider a non-exclusive licence to host, process, transmit, display and otherwise use it solely to provide, secure and support the Service and as permitted by these Terms and onDPA. During the Subscription Term and for the deletion window in clause 7, the Customer may export Customer Data in a standard format. The Provider may use Feedback without restriction. The Provider may collect and use Usage Data to operate, maintain, secure and improve its products, provided any external disclosure is only in de-identified, aggregated form that does not identify the Customer, any Authorised User or any individual. The Provider will not use Customer Data, inputs or outputs to train or fine-tune AI/ML models except to the limited extent necessary to provide the Service to the Customer, unless ai.training_on_customer_data is set to opt_in (default off; opt-in also requires the ai-addendum module to be incorporated and a human-in-the-loop affirmation, per the schema).
9. IP & IP Indemnity
The Provider and its licensors retain all right, title and interest in the Service, Documentation and related IP. The Provider will defend the Customer against third-party claims that the Service as authorised infringes that party's IP, and indemnify against damages/costs finally awarded or agreed; on such a claim it may (a) procure a continued-use right, (b) modify to be non-infringing, or (c) terminate the affected Service and refund prepaid unused Fees. No obligation for claims from combination with non-Provider items, unauthorised modification, use contrary to the Documentation/Terms, Customer Data, or use after notice to stop. AI-generated outputs are excluded from this indemnity by default unless ai.output_in_ip_indemnity is conditional_shield (default carved_out), which extends cover to outputs only where the Customer used unmodified generally-available features and did not disable guardrails. ai.output_ownership (∈ {customer, provider}, default customer) governs output ownership. The Customer will defend/indemnify the Provider against claims arising from Customer Data or breach of clause 2. This clause states each party's sole liability and exclusive remedy for third-party IP claims.
10. Warranties & Disclaimers
The Provider warrants that during the Subscription Term the Service will perform materially in accordance with the Documentation, and that any professional services will be performed in a professional and workmanlike manner. For non-conformity notified within 30 days of discovery, the Provider will use commercially reasonable efforts to correct it or provide a workaround within 30 days, failing which the Customer may terminate the affected Service and receive a refund of prepaid unused Fees — the Customer's exclusive warranty remedies. Except as expressly stated, and to the fullest extent permitted by law, the Service is provided "as is" and the Provider disclaims all other warranties, express, implied or statutory, including satisfactory quality, fitness for a particular purpose, title and non-infringement. Nothing excludes terms that cannot lawfully be excluded.
11. Limitation of Liability
Nothing in these Terms limits or excludes either party's liability for: death or personal injury caused by negligence; fraud or fraudulent misrepresentation; the Customer's obligation to pay Fees; or any liability that cannot be limited or excluded by law. Subject to that, and to the fullest extent permitted by law, neither party is liable for loss of profits, revenue, anticipated savings, goodwill or business, or for indirect, consequential, special, incidental, exemplary or punitive loss.
Subject to the foregoing, each party's total aggregate liability is limited to the greater of (a) liability.general_cap_multiple × the Fees paid or payable in the 12 months before the event (multiple ∈ {1, 1.5, 2, 3}; default 1) and (b) liability.general_cap_floor (the "General Cap"). For Enhanced Claims — claims within liability.super_cap_triggers (∈ {security_breach, data_protection, confidentiality}; default [security_breach, data_protection]) — each party's aggregate liability is limited to liability.super_cap_multiple × the General Cap (multiple ∈ {0, 2, 3, 5}; default 3; 0 means no separate super-cap). The General Cap and Super-Cap do not apply to the uncapped matters above, or to the Provider's IP indemnity, breach of confidentiality, or either party's breach of the AI-training restriction in clause 8.
[RT-fix] UCTA reasonableness (no self-serving recital). The parties acknowledge these limits were available for negotiation, are reasonable under the Unfair Contract Terms Act 1977 having regard to: the parties' equal bargaining power as businesses; the availability of the Provider's insurance (clause 13); the price paid for the Service; the mirror application of the caps to each party; and the real monetary floor at the General Cap. Badge rule: an Order with general_cap_floor absent or 0 on a sub-threshold ACV — i.e. a cap that could collapse to a derisory sum on a low-usage first year (cf. St Albans v ICL, Goodlife v Hall) — is badge-ineligible; the recommended floor is ≥ £25,000 or ≥ 50% of annual Fees.
12. Confidentiality
Confidentiality is governed by CORE §7 (core-1.0-ew.md), incorporated by reference — protection standard, Permitted Recipients, required-by-law disclosure, return/destruction, and remedies. [round-3 de-dup] This module no longer restates confidentiality (removing the drift risk of two copies). Two consequences follow from CORE §7: (a) the survival tail runs from the date of disclosure (CORE §7.5), not from the end of the Subscription Term — so an onNDA→Order journey shares one clock and never resets; the tail length is confidentiality.confidentiality_tail_years (∈ {2, 3, 5}; default 3), perpetual for trade secrets and Personal Data; and (b) any prior onNDA/onEval pinned in confidentiality.prior_instruments[] is brought forward and preserved under CORE §7.8 (relation-back; the entire-agreement clause cannot extinguish it; tail from the later of disclosure/termination).
13. Insurance
During the Subscription Term the Provider will maintain, with reputable insurers, insurance appropriate to the Service, including professional indemnity / technology E&O and cyber liability cover, and Employers' Liability cover meeting the statutory minimum where it has UK employees, and will provide a certificate on reasonable written request (no more than annually). (Reserved elections — cyber_eo_limit_gbp, additional_insured — see below.)
14. Force Majeure
Neither party is liable for delay/failure to perform (other than payment) caused by an event beyond its reasonable control (acts of God, war, terrorism, civil unrest, pandemic, strikes, utility/network/internet failure). The affected party will mitigate and notify. If the event continues for more than 30 consecutive days, either party may terminate the affected Service on notice. (Reserved election — fm_termination_days.)
15. Boilerplate (SaaS-specific deltas)
Governing law & jurisdiction: these Terms and any non-contractual obligations are governed by the law of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales — unless a different governing_law pack is elected (see spec/ §4). Third-party rights: no person other than a party has rights under the Contracts (Rights of Third Parties) Act 1999, except the Provider's Affiliates and indemnified persons may enforce clauses for their benefit. Assignment: no assignment without consent, except to a successor in a merger/acquisition/sale of substantially all assets on notice; other purported assignment is void. Subcontracting: permitted, Provider remains responsible. Notices: in writing; routine notices by email; breach/termination/legal notices also by post or courier. Entire agreement: these Terms, the Order and incorporated documents, save that nothing excludes liability for fraudulent misrepresentation. Variation: only in writing signed by both parties (no oral modification — Rock Advertising v MWB). Severance / waiver / counterparts / e-signature: standard. Dispute resolution: if onterms:dispute:1.0.0:EW is incorporated, the tiered ladder in that module applies before/alongside the elected forum (see modules/dispute-resolution.md).
Consolidated Elections — encoded in the Order schema
These align exactly with schema/onterms-order.schema.json elections (+ two commercial knobs). The schema enforces ranges, enums and conditionals.
| Path | Type | Allowed | Default |
|---|---|---|---|
| commercial.payment_terms_days | int | 7–60 | 30 |
| commercial.order_term.initial_term_months | int | 1–60 | 12 |
| governing_law | enum | EW, US-NY, US-DE, IE, NL, FR, DE, SC, NI | EW |
| dispute_resolution.mode | enum | courts, arbitration | courts |
| liability.general_cap_multiple | num | 1, 1.5, 2, 3 | 1 |
| liability.general_cap_floor | money | — (badge: ≥ £25k / 50% ACV) | 25000 |
| liability.super_cap_multiple | num | 0, 2, 3, 5 (0 = none) | 3 |
| liability.super_cap_triggers | multi | security_breach, data_protection, confidentiality | [security_breach, data_protection] |
| renewal.auto_renew | bool | — | true |
| renewal.renewal_term_months | int | 1–36 | 12 |
| renewal.nonrenewal_notice_days | int | 30–90 | 60 |
| renewal.renewal_uplift_cap.mode | enum | none, fixed_pct, cpi, lower_of_cpi_or_fixed | lower_of_cpi_or_fixed |
| renewal.renewal_uplift_cap.fixed_pct | num | 3–7 | — |
| sla_tier.uptime_pct | num | 99.5, 99.9, 99.95, 99.99 | 99.9 |
| sla_tier.credits_sole_remedy | bool | — | true |
| sla_tier.chronic_failure_termination | bool | — | false |
| data_protection.breach_notice | enum | undue_delay, 72h, 48h, 24h | 72h |
| data_protection.security_certification | enum | none, cyber_essentials, cyber_essentials_plus, soc2_type2, iso27001, both | soc2_type2 |
| data_protection.deletion_window_days | int | 30, 60, 90 | 60 |
| data_protection.subprocessor_objection_right | bool | — | true |
| data_protection.international_transfer_mechanism | enum | uk_idta, eu_sccs, uk_idta_and_eu_sccs, dpf, not_applicable | — (required for UK/EU law) |
| ai.training_on_customer_data | enum | off, opt_in | off |
| ai.output_ownership | enum | customer, provider | customer |
| ai.output_in_ip_indemnity | enum | carved_out, conditional_shield | carved_out |
| ai.human_in_the_loop_required | bool | — | true |
| confidentiality_tail_years | int | 2, 3, 5 | 3 |
| convenience_termination | bool | — | false |
Hard-coded E&W overlays (not elections): governing law E&W; CRTPA 1999 excluded (carve-back for Affiliates/indemnified persons); death/PI and fraud never excluded; UCTA-reasonable caps, mirrored, with a real floor; contractual late-payment interest displaces the 1998 Act default; onDPA incorporated with the non-derogable floors riding above Elections.
Reserved elections (per-module schema roadmap). The following are defined by this module but not yet in the v0.x envelope schema; they will be added to the per-module elections schema (onterms:saas MINOR bump) without breaking existing Orders (see spec/ §3.4): support_tier {standard_business_hours, priority, 24x7}; cyber_eo_limit_gbp {1m, 2m, 5m}; additional_insured bool; fm_termination_days {15, 30}; high_risk_data_permitted bool; audit_mechanism {report_only, audit_on_notice}.