SaaS Agreement - SMB (Colorado)

Ready to Edit

SOFTWARE AS A SERVICE AGREEMENT (SMB)

STATE OF COLORADO


TABLE OF CONTENTS

  1. Parties and Recitals
  2. Definitions
  3. Access Rights and Restrictions
  4. Service Levels and Support
  5. Customer Obligations
  6. Fees and Payment
  7. Data Protection, Security, and Colorado Privacy Act Compliance
  8. Intellectual Property and Feedback
  9. Confidentiality
  10. Warranties and Disclaimers
  11. Indemnification
  12. Limitations of Liability
  13. Term, Renewal, and Termination
  14. Beta and Free Trials
  15. Compliance
  16. Governing Law and Dispute Resolution
  17. Miscellaneous
  18. Signature Blocks
  19. Attachments

1. PARTIES AND RECITALS

This Software as a Service Agreement ("Agreement") is entered into as of [__/__/____] ("Effective Date") by and between:

Provider:
Name: [________________________________]
State of Organization: [________________________________]
Principal Address: [________________________________]
Email for Notices: [________________________________]

("Provider")

AND

Customer:
Name: [________________________________]
State of Organization: [________________________________]
Principal Address: [________________________________]
Email for Notices: [________________________________]

("Customer")

Provider and Customer are each a "Party" and collectively the "Parties."

RECITALS

WHEREAS, Provider has developed and operates a cloud-based software application available on a subscription basis;

WHEREAS, Customer desires to access Provider's application for its internal business operations;

WHEREAS, Provider is willing to grant access subject to this Agreement and the applicable Order Form(s);

WHEREAS, the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) establishes personal data privacy rights for Colorado residents and imposes obligations on controllers and processors, and the Parties desire to ensure compliance with the CPA;

WHEREAS, this Agreement shall be governed by the laws of the State of Colorado;

NOW, THEREFORE, in consideration of the mutual covenants and for good and valuable consideration, the Parties agree as follows:


2. DEFINITIONS

2.1 "Affiliate" means any entity controlling, controlled by, or under common control with a Party (control = >50% voting interest).

2.2 "Acceptable Use Policy" or "AUP" means Provider's AUP in Attachment E.

2.3 "Authorized Users" means Customer's employees, contractors, and agents authorized to access the SaaS Platform, subject to Usage Limits.

2.4 "Business Day" means any day other than a Saturday, Sunday, or Colorado state holiday.

2.5 "Confidential Information" means all non-public information designated or reasonably understood as confidential, including trade secrets, business plans, financial data, technical data, source code, and Agreement terms.

2.6 "Consumer" means a Colorado resident identified or identifiable by Personal Data who is acting in an individual or household context, as defined under the CPA (C.R.S. § 6-1-1303(5)).

2.7 "Controller" means a person that, alone or jointly with others, determines the purposes and means of processing Personal Data, as defined under the CPA (C.R.S. § 6-1-1303(7)).

2.8 "Customer Data" means all electronic data, content, and information submitted to the SaaS Platform by or on behalf of Customer, including Personal Data.

2.9 "Data Processing Addendum" or "DPA" means the data processing terms in Attachment D.

2.10 "Data Protection Assessment" means an assessment required under C.R.S. § 6-1-1309 for processing that presents a heightened risk of harm to Consumers.

2.11 "Documentation" means Provider's user guides, help resources, and specifications for the SaaS Platform.

2.12 "Downtime" means any period of unavailability, excluding Scheduled Maintenance, emergency maintenance, and Force Majeure.

2.13 "Effective Date" means the date in the preamble.

2.14 "Fees" means all amounts payable by Customer under this Agreement.

2.15 "Force Majeure Event" means events beyond reasonable control, including acts of God, fire, flood, earthquake, epidemic, pandemic, war, terrorism, government action, labor dispute, internet failure, power outage, or telecommunications failure.

2.16 "Intellectual Property" or "IP" means all patents, copyrights, trademarks, trade secrets, know-how, and other IP rights.

2.17 "Malware" means any virus, worm, Trojan horse, ransomware, spyware, or malicious code.

2.18 "Order Form" means each ordering document referencing this Agreement.

2.19 "Personal Data" means information linked or reasonably linkable to an identified or identifiable individual, as defined under the CPA (C.R.S. § 6-1-1303(17)) and C.R.S. § 6-1-716.

2.20 "Processor" means a person that processes Personal Data on behalf of a Controller, as defined under the CPA (C.R.S. § 6-1-1303(19)).

2.21 "SaaS Platform" or "Service" means the cloud-based application(s) identified in the Order Form.

2.22 "Scheduled Maintenance" means routine maintenance during the designated window per the SLA.

2.23 "Sensitive Data" means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sex life or sexual orientation, citizenship status, genetic or biometric data processed for identification, or Personal Data of a known child, as defined under the CPA (C.R.S. § 6-1-1303(24)).

2.24 "Service Level Agreement" or "SLA" means the commitments in Attachment B.

2.25 "Subscription Term" means the initial and renewal periods in the Order Form.

2.26 "Support" means technical support per the Support Policy (Attachment C).

2.27 "Updates" means bug fixes, patches, and releases available at no additional charge.

2.28 "Usage Limits" means the limits in the Order Form.


3. ACCESS RIGHTS AND RESTRICTIONS

3.1 License Grant

Subject to compliance and payment of Fees, Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the SaaS Platform during the Subscription Term for internal business purposes, per the Documentation and Usage Limits.

3.2 Authorized Users

(a) Unique login credentials per user; no credential sharing.

(b) Customer responsible for all Authorized User actions and compliance.

(c) Prompt deactivation of former Authorized Users.

3.3 Usage Limits

Excess usage may be charged at Provider's rates or require an amended Order Form.

3.4 Restrictions

Customer shall not:

(a) Copy, modify, adapt, or create derivative works of the SaaS Platform;

(b) Reverse engineer, except as permitted by Colorado or federal law;

(c) Sublicense, lease, rent, sell, or transfer access;

(d) Use for third-party benefit (service bureau, outsourcing, time-sharing);

(e) Remove proprietary notices;

(f) Interfere with or disrupt the SaaS Platform;

(g) Attempt unauthorized access;

(h) Transmit Malware or violate the AUP;

(i) Store infringing, defamatory, or unlawful content;

(j) Publish benchmarking results without consent;

(k) Allow competitor access where legally permissible to restrict.

3.5 API Access

Per Documentation and API terms. Provider may impose rate limits and restrictions.

3.6 Third-Party Integrations

Customer assumes all risk. Provider has no liability for third-party application issues.


4. SERVICE LEVELS AND SUPPORT

4.1 Uptime Commitment

Provider shall use commercially reasonable efforts to maintain [____]% monthly uptime (the "Uptime Target"), excluding Scheduled Maintenance and Force Majeure.

4.2 Uptime Measurement

Monthly uptime = ((Total Minutes - Downtime Minutes) / Total Minutes) x 100.

4.3 SLA Credits

Monthly Uptime Percentage Credit (% of Monthly Fees)
Below [____]% but at or above [____]% [____]%
Below [____]% but at or above [____]% [____]%
Below [____]% [____]%

Credits requested within thirty (30) days, applied to future Fees, capped at the affected month's Fees. SLA credits are Customer's sole remedy unless chronic failure triggers termination rights.

4.4 Support Services

Severity Description Response Time
Severity 1 - Critical Platform unavailable or core function inoperable [____] hours
Severity 2 - High Significant impairment, no workaround [____] hours
Severity 3 - Medium Impairment with workaround [____] Business Days
Severity 4 - Low Minor issue or inquiry [____] Business Days

Support Hours: [________________________________]
Support Channels: [________________________________]

4.5 Scheduled Maintenance

Window: [________________________________] (e.g., Sundays 1:00 AM - 5:00 AM MT). At least [____] hours' notice. Emergency maintenance with best-efforts notice.


5. CUSTOMER OBLIGATIONS

5.1 Account Security

Credential confidentiality, MFA where available, prompt notification of unauthorized access.

5.2 Acceptable Use

Compliance with AUP and all applicable laws, including the Colorado Consumer Protection Act (C.R.S. § 6-1-105).

5.3 Data Accuracy

Accurate, lawful data with all necessary rights and consents.

5.4 Cooperation

Timely responses, system access, and designated primary contact.

5.5 System Requirements

Maintain per Documentation requirements.

5.6 Compliance with Laws

Customer shall comply with all applicable laws, including the Colorado Privacy Act to the extent Customer is a Controller.


6. FEES AND PAYMENT

6.1 Subscription Fees

Per Order Form, invoiced:

☐ Annually in advance
☐ Quarterly in advance
☐ Monthly in advance

6.2 Usage-Based Fees

Overages at Order Form rates with usage reports.

6.3 Professional Services Fees

Per statement of work or Order Form.

6.4 Invoicing and Payment

(a) Invoiced per Order Form frequency.

(b) Due within [____] days of invoice date.

(c) In United States dollars.

(d) Non-refundable except as stated.

6.5 Late Payment

(a) Interest at [____]% per month (or [____]% per annum), or the maximum permitted by Colorado law, whichever is less.

(b) Colorado Interest Rate Provisions: Under C.R.S. § 5-12-101, the default rate of interest is eight percent (8%) per annum, compounded annually, if no other rate is agreed. Under C.R.S. § 5-12-103, parties may stipulate in writing to a higher rate not exceeding forty-five percent (45%) per annum. Interest exceeding forty-five percent per annum constitutes criminal usury, a class 6 felony under C.R.S. § 18-15-104. The late payment rate specified herein shall not exceed the maximum lawful rate.

(c) Reasonable collection costs, including attorneys' fees.

6.6 Taxes

(a) All Fees are exclusive of taxes. Customer is responsible for applicable taxes except taxes on Provider's net income.

(b) Colorado SaaS Tax Note: Colorado does not impose state sales tax on SaaS at the state level (2.9% state rate does not apply to SaaS). However, Colorado has a "home-rule" system where cities independently determine taxability. Several home-rule cities, including Denver (approximately 5.15% local rate), Colorado Springs, and Boulder, impose local sales or use tax on SaaS. Customer is responsible for identifying and remitting any applicable local taxes. Provider shall collect and remit local taxes where it has nexus and has determined the local jurisdiction taxes SaaS. The Parties shall cooperate to determine and adjust applicable local tax obligations.

(c) If Provider is required to collect taxes, they shall be included on invoices.

6.7 Price Increases

At least [____] days' notice before renewal. Increase not to exceed [____]% unless agreed.

6.8 Disputed Invoices

Disputes within [____] days with written notice. Undisputed amounts due on time. Resolution within thirty (30) days. No suspension for good-faith disputes if undisputed amounts are paid.


7. DATA PROTECTION, SECURITY, AND COLORADO PRIVACY ACT COMPLIANCE

7.1 Security Safeguards

Provider shall implement and maintain administrative, technical, and physical safeguards, including:

(a) Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);

(b) Role-based access controls with least-privilege principles and MFA;

(c) Regular vulnerability assessments and penetration testing;

(d) Intrusion detection and prevention;

(e) Audit logging and monitoring;

(f) Employee background checks and security training;

(g) Physical data center security;

(h) Incident response and disaster recovery plans.

7.2 Compliance Certifications

☐ SOC 2 Type II
☐ ISO 27001
☐ Other: [________________________________]

7.3 Data Breach Notification - Colorado Requirements

(a) Provider shall notify Customer of any confirmed Security Breach without unreasonable delay and no later than [____] hours after determination.

(b) Colorado Data Breach Notification Law (C.R.S. § 6-1-716): Colorado imposes one of the strictest breach notification timelines in the United States. Notice to affected Colorado residents must be made in the most expedient time possible and without unreasonable delay, but not later than thirty (30) days after the date of determination that a security breach occurred. If the breach affects five hundred (500) or more Colorado residents, the covered entity must also notify the Colorado Attorney General within the same thirty (30) day period.

(c) Provider acknowledges this accelerated thirty (30) day timeline and agrees that its internal notification to Customer under Section 7.3(a) must be sufficiently prompt to allow Customer to comply with the thirty (30) day statutory deadline.

(d) Provider shall cooperate with Customer in investigating, mitigating, and preparing required notifications.

(e) Notification content shall include: (i) description of breach; (ii) types of Personal Data involved; (iii) estimated individuals affected; (iv) measures taken; and (v) Provider's security contact.

7.4 Colorado Privacy Act (CPA) Compliance

This Section 7.4 applies to the extent the SaaS Platform processes Personal Data of Colorado Consumers subject to the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) and the CPA Rules (4 CCR 904-3).

7.4.1 Roles and Obligations

(a) The Parties shall determine and document their respective roles under the CPA. Where Customer determines the purposes and means of processing Personal Data, Customer is the Controller and Provider is the Processor.

(b) As a Processor, Provider shall:

  • Process Personal Data only on behalf of and according to the documented instructions of Customer as Controller;
  • Ensure that each person processing Personal Data is subject to a duty of confidentiality;
  • Delete or return all Personal Data to Customer at the end of the service period, at Customer's choice, unless retention is required by law;
  • Make available to Customer all information necessary to demonstrate compliance with CPA obligations;
  • Allow and cooperate with reasonable assessments by Customer, or Customer's designated assessor, or arrange for an independent qualified assessor to conduct an assessment of Provider's policies and technical and organizational measures.
7.4.2 Consumer Rights Facilitation

(a) The CPA grants Colorado Consumers the following rights (C.R.S. § 6-1-1306):

  • Right to Access: Consumers may confirm whether a Controller is processing their Personal Data and access such data;
  • Right to Correction: Consumers may correct inaccuracies in their Personal Data;
  • Right to Deletion: Consumers may request deletion of their Personal Data;
  • Right to Data Portability: Consumers may obtain their Personal Data in a portable, readily usable format;
  • Right to Opt-Out: Consumers may opt out of: (i) the sale of their Personal Data; (ii) targeted advertising; and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.

(b) Provider shall assist Customer in responding to Consumer rights requests in a timely manner. Provider shall implement technical and organizational measures to facilitate Customer's ability to respond to such requests, including the ability to search, export, correct, and delete Personal Data upon Customer's instruction.

(c) Provider shall not sell Personal Data or use it for targeted advertising or profiling except as expressly instructed by Customer and in compliance with the CPA.

7.4.3 Universal Opt-Out Mechanism

(a) Under the CPA and CPA Rules (4 CCR 904-3, Rule 5.10), Controllers must recognize and honor universal opt-out mechanisms, including the Global Privacy Control (GPC) signal, as a valid consumer opt-out request for the sale of Personal Data and targeted advertising.

(b) To the extent Provider operates any consumer-facing component of the SaaS Platform on behalf of Customer, Provider shall implement technical capabilities to detect and honor universal opt-out signals, including GPC, and communicate relevant opt-out status to Customer.

7.4.4 Data Protection Assessments

(a) Under C.R.S. § 6-1-1309, Controllers must conduct Data Protection Assessments for processing activities that present a heightened risk of harm, including: (i) processing for targeted advertising; (ii) sale of Personal Data; (iii) processing for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, or other substantial injury; (iv) processing Sensitive Data; and (v) any processing that presents a heightened risk of harm.

(b) Provider shall reasonably cooperate with Customer in conducting Data Protection Assessments by providing information about Provider's processing activities, safeguards, and technical measures upon Customer's reasonable request.

(c) Provider shall promptly inform Customer if, in Provider's opinion, any instruction from Customer regarding processing of Personal Data may result in a violation of the CPA.

7.4.5 Sensitive Data

(a) If Customer instructs Provider to process Sensitive Data, Customer warrants that it has obtained the Consumer's express, affirmative consent for such processing, as required by C.R.S. § 6-1-1308(7).

(b) Provider shall implement heightened security safeguards for Sensitive Data as described in the DPA.

7.4.6 Biometric Data Protections

(a) Effective July 1, 2025, amendments to the CPA mandate affirmative consent for the collection of biometric identifiers (such as retina scans, fingerprints, voiceprints, and facial recognition data), limit retention periods, and require deletion protocols for biometric data.

(b) If the SaaS Platform collects, processes, or stores biometric identifiers, Provider shall: (i) obtain or enable Customer to obtain affirmative consent; (ii) adhere to the minimum retention periods prescribed by law; and (iii) implement deletion protocols for biometric data.

7.4.7 CPA Enforcement

(a) The CPA is enforced exclusively by the Colorado Attorney General and district attorneys. There is no private right of action under the CPA.

(b) Penalties may reach up to $2,000 per violation, not to exceed $500,000 for any related series of violations, and may also be subject to enforcement under the Colorado Consumer Protection Act (C.R.S. § 6-1-105).

(c) Prior to enforcement, the Attorney General must issue a notice of violation, and if a cure is deemed possible, the controller has sixty (60) days to cure (note: this cure period is subject to legislative amendment and should be confirmed).

7.5 Data Processing

Provider shall process Customer Data only per Customer's documented instructions and this Agreement.

7.6 Sub-Processors

(a) General authorization with: (i) current sub-processor list; (ii) [____] days' prior notice; (iii) equivalent contractual protections.

(b) Objection within [____] days; termination right if unresolved.

7.7 Data Location

Customer Data stored in the United States unless otherwise agreed.

7.8 Incident Response

Annual testing of incident response plan. Post-incident findings shared upon request.


8. INTELLECTUAL PROPERTY AND FEEDBACK

8.1 Provider Intellectual Property

Provider retains all rights in the SaaS Platform, Documentation, and related IP.

8.2 Customer Intellectual Property

Customer retains all rights in Customer Data.

8.3 Usage Data

Provider may use aggregated, anonymized Usage Data for product improvement, provided it cannot identify Customer or any individual.

8.4 Feedback

Customer grants Provider a royalty-free, perpetual, irrevocable, worldwide license to use Feedback.

8.5 No Implied Rights

No rights or licenses except as expressly stated.


9. CONFIDENTIALITY

9.1 Confidentiality Obligations

For [____] years after termination: strict confidence, no unauthorized disclosure, use only for Agreement purposes, and reasonable care.

9.2 Permitted Disclosures

To employees, contractors, and advisors with need to know, bound by comparable obligations.

9.3 Exclusions

Public information, prior possession, independent development, lawful third-party receipt.

9.4 Compelled Disclosure

Prompt notice (if permitted), cooperation for protective orders, disclosure limited to legal requirements.

9.5 Trade Secrets - Colorado Law

(a) The Colorado Uniform Trade Secrets Act (C.R.S. § 7-74-101 et seq.) defines "trade secret" broadly to include any scientific or technical information, design, process, procedure, formula, improvement, confidential business or financial information, or other information relating to any business which is secret and of value and for which the owner has taken measures to prevent disclosure.

(b) Confidentiality obligations for trade secrets continue as long as the information qualifies as a trade secret, regardless of the time-limited period in Section 9.1.

(c) Under C.R.S. § 7-74-104, a court may award damages for actual loss and unjust enrichment, and exemplary damages not exceeding twice any award if willful and malicious misappropriation is established. The statute of limitations is three (3) years from discovery.

9.6 Return or Destruction

Return or destroy upon termination or request, with certification. One archival copy permitted for legal purposes.


10. WARRANTIES AND DISCLAIMERS

10.1 Provider Warranties

(a) Conformance: SaaS Platform materially conforms to Documentation;

(b) Professional Services: Professional and workmanlike;

(c) No Malware: Commercially reasonable efforts;

(d) Authority: Full power and authority;

(e) Non-Infringement: To Provider's knowledge, no third-party IP infringement;

(f) Compliance: Compliance with applicable laws including the CPA and C.R.S. § 6-1-716;

(g) CPA Compliance: Provider shall process Personal Data in accordance with the CPA and CPA Rules to the extent applicable to Provider as a Processor.

10.2 Customer Warranties

(a) Full power and authority;

(b) Lawful use and no infringement;

(c) All necessary consents, including CPA-required consents for Sensitive Data.

10.3 Warranty Remedies

Provider shall correct or provide a workaround within [____] days; if not, Customer may terminate and receive a pro-rata refund.

10.4 Disclaimer

EXCEPT AS EXPRESSLY STATED, AND TO THE MAXIMUM EXTENT PERMITTED BY COLORADO LAW INCLUDING THE UCC (C.R.S. § 4-2-101 ET SEQ.), THE SAAS PLATFORM IS PROVIDED "AS IS." PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

10.5 Consumer Protection Carve-Out

Nothing herein shall waive rights under the Colorado Consumer Protection Act (C.R.S. § 6-1-105) to the extent they cannot be waived by contract. A person engages in deceptive trade practice when they knowingly or recklessly engage in any unfair, unconscionable, deceptive, or fraudulent act or practice. Damages may include the greater of actual damages, $500, or treble damages.


11. INDEMNIFICATION

11.1 Provider IP Indemnity

Provider shall indemnify Customer Indemnitees from third-party IP infringement Claims and pay damages, costs, and reasonable attorneys' fees.

11.2 Exclusions

No obligation for Claims from: (a) Customer Data; (b) unauthorized modifications; (c) combination with non-Provider products; (d) superseded versions; or (e) Agreement violations.

11.3 Remedies

Provider may: (a) procure continued use rights; (b) modify to non-infringing; or (c) terminate and refund.

11.4 Customer Indemnification

Customer indemnifies Provider Indemnitees from Claims arising from Customer Data, AUP violations, breach, or law violations.

11.5 Procedure

Prompt notice, sole defense control, cooperation, no settlement without consent.

11.6 Sole Remedy

Exclusive remedy for described Claims.


12. LIMITATIONS OF LIABILITY

12.1 Liability Cap

EACH PARTY'S AGGREGATE LIABILITY SHALL NOT EXCEED THE FEES PAID OR PAYABLE DURING THE [____]-MONTH PERIOD PRECEDING THE EVENT (EXCEPT CARVE-OUTS).

12.2 Consequential Damages Exclusion

NO INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, REVENUE, GOODWILL, OR DATA (EXCEPT CARVE-OUTS).

12.3 Carve-Outs

(a) Indemnification (Section 11);

(b) Confidentiality breach (Section 9);

(c) Willful misconduct or gross negligence;

(d) Payment obligations;

(e) Data security and breach obligations;

(f) CPA violations to the extent liability cannot be limited;

(g) Any liability that cannot be limited under Colorado law.

12.4 Essential Purpose

Limitations apply even if a remedy fails of its essential purpose. They reflect a fair allocation of risk.

12.5 Colorado Law

Applied to the fullest extent permitted by Colorado law.


13. TERM, RENEWAL, AND TERMINATION

13.1 Agreement Term

Commences on the Effective Date and continues until all Order Forms expire or terminate.

13.2 Renewal

Auto-renewal for equal periods unless [____] days' written non-renewal notice.

13.3 Termination for Convenience

[____] days' notice. Customer pays accrued Fees.

13.4 Termination for Cause

(a) Material breach uncured within [____] days ([____] for payment);

(b) Bankruptcy not dismissed within sixty (60) days;

(c) Cessation of business.

13.5 Suspension

Upon [____] days' notice for: (i) non-payment; (ii) AUP violation or security risk; (iii) legal requirement. Limited in scope; restored upon cure.

13.6 Effect of Termination

(a) Access ceases; (b) Accrued Fees payable; (c) Confidential Information returned or destroyed; (d) Customer Data export for [____] days, then deletion per DPA and CPA requirements.

13.7 Survival

Sections 2, 6 (accrued), 7.3, 7.4, 8, 9, 10.4, 11, 12, 13.6, 13.7, 16, and 17 survive.


14. BETA AND FREE TRIALS

14.1 Trial Access

Trial Services for evaluation only.

14.2 Trial Terms

"AS IS" without warranty, SLA, indemnity, or support. May be discontinued at any time.

14.3 Data Handling

Trial data may be deleted unless converted to paid subscription. CPA data deletion obligations apply regardless.

14.4 Feedback

Subject to Section 8.4.


15. COMPLIANCE

15.1 AUP

Compliance with Attachment E.

15.2 Export Controls and Sanctions

Compliance with EAR and ITAR. No access from sanctioned countries or by restricted parties.

15.3 Anti-Corruption

FCPA compliance. No facilitation payments. Accurate records.

15.4 Accessibility

Commercially reasonable efforts for Section 508 and WCAG 2.1 Level AA compliance.

15.5 Colorado Regulatory Requirements

Customer is responsible for Colorado industry-specific requirements. Provider shall cooperate with any Colorado regulatory audit or inquiry affecting the SaaS Platform to the extent required by law.


16. GOVERNING LAW AND DISPUTE RESOLUTION

16.1 Governing Law

Laws of the State of Colorado, without conflicts of law principles.

16.2 Venue

State courts of Denver County, Colorado, or the United States District Court for the District of Colorado (Denver). Each Party consents to jurisdiction and venue.

16.3 Escalation

(a) Operational contacts meet within ten (10) Business Days;

(b) Executive escalation if unresolved within twenty (20) Business Days;

(c) Optional mediation in Denver, Colorado, with shared costs.

16.4 Jury Waiver

Colorado courts enforce contractual jury trial waivers in commercial contracts between parties of relatively equal bargaining power where the waiver is knowing, voluntary, expressed in clear and unambiguous language, and the contract is fairly entered into. Courts apply a four-factor test considering: (1) the existence or nonexistence of a duty to the public; (2) the nature of the service; (3) whether the contract was fairly entered into; and (4) whether the intention is expressed in clear and unambiguous language.

TO THE FULLEST EXTENT PERMITTED BY COLORADO LAW, EACH PARTY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ANY RIGHT TO JURY TRIAL IN ANY ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT. EACH PARTY CONFIRMS THAT THIS WAIVER IS MADE FREELY, WITH FULL UNDERSTANDING OF ITS IMPLICATIONS, AND THAT EACH PARTY HAS HAD THE OPPORTUNITY TO CONSULT LEGAL COUNSEL.

16.5 Attorneys' Fees

Prevailing Party recovers reasonable attorneys' fees and costs.

16.6 Injunctive Relief

Either Party may seek injunctive relief to prevent irreparable harm or enforce Sections 3, 8, or 9, without bond or proof of actual damages.


17. MISCELLANEOUS

17.1 Assignment

No assignment without consent (not unreasonably withheld); permitted to Affiliates or successors. Void if in violation.

17.2 Subcontracting

Permitted; Provider remains responsible.

17.3 Notices

Written, deemed given: (a) upon personal delivery; (b) one (1) Business Day after overnight courier; (c) three (3) Business Days after certified mail; or (d) upon confirmed email receipt.

17.4 Force Majeure

No liability for delay due to Force Majeure (except payment). Prompt notice, mitigation, and resumption. Termination if exceeding [____] days.

17.5 Order of Precedence

(highest to lowest): (a) DPA / Security Addendum; (b) Main Agreement; (c) Order Form; (d) SLA; (e) Support Policy; (f) AUP.

17.6 Severability

Invalid provisions modified to minimum extent; remainder continues.

17.7 Amendments

Written, signed by both Parties.

17.8 Waiver

Failure to enforce is not a waiver.

17.9 Entire Agreement

This Agreement and all attachments supersede all prior agreements.

17.10 Counterparts

May be executed in counterparts.

17.11 Electronic Signatures

Valid under the Colorado Uniform Electronic Transactions Act (C.R.S. § 24-71.3-101 et seq.) and the federal E-SIGN Act (15 U.S.C. § 7001 et seq.).

17.12 Headings

For convenience only.

17.13 Third-Party Beneficiaries

None.

17.14 Relationship of the Parties

Independent contractors.

17.15 Publicity

No use without consent; Provider may include Customer in customer list.

17.16 Construction

Fair construction, not against drafter. "Including" means "including, without limitation."


18. SIGNATURE BLOCKS

IN WITNESS WHEREOF, the Parties execute this Agreement as of the Effective Date.

PROVIDER:

Signature _________________________________
Printed Name _________________________________
Title _________________________________
Date [__/__/____]
Email _________________________________

CUSTOMER:

Signature _________________________________
Printed Name _________________________________
Title _________________________________
Date [__/__/____]
Email _________________________________

19. ATTACHMENTS

  • Attachment A: Order Form
  • Attachment B: Service Level Agreement (SLA)
  • Attachment C: Support Policy
  • Attachment D: Data Processing Addendum (DPA) / Security Addendum
  • Attachment E: Acceptable Use Policy (AUP)

ATTACHMENT A: ORDER FORM (TEMPLATE)

Field Details
Order Form Number [________________________________]
Effective Date [__/__/____]
SaaS Platform / Product [________________________________]
Subscription Term [________________________________]
Auto-Renewal ☐ Yes ☐ No
Renewal Term Length [________________________________]
Non-Renewal Notice Period [____] days
Number of Authorized Users [____]
Storage Limit [________________________________]
API Call Limit [________________________________]
Subscription Fees $[____] per [________________________________]
Usage-Based Fee Rate $[____] per [________________________________]
Billing Frequency ☐ Annual ☐ Quarterly ☐ Monthly
Payment Terms Net [____] days
Provider Notice Address [________________________________]
Customer Notice Address [________________________________]
Customer Primary Contact [________________________________]
CPA Controller/Processor Roles ☐ Customer is Controller / Provider is Processor
Special Terms [________________________________]

ATTACHMENT B: SERVICE LEVEL AGREEMENT (TEMPLATE)

1. Uptime Target: [____]%

2. Measurement Period: Calendar month

3. Exclusions: Scheduled Maintenance, Force Majeure, Customer-caused outages

4. SLA Credit Table:

Monthly Uptime Credit
[____]% - [____]% [____]% of monthly Fees
[____]% - [____]% [____]% of monthly Fees
Below [____]% [____]% of monthly Fees

5. Credit Request: Written within 30 days

6. Maximum Credit: 100% of monthly Fees

7. Chronic Failure: Below [____]% for [____] months triggers termination


ATTACHMENT C: SUPPORT POLICY (OUTLINE)

1. Support Hours: [________________________________]

2. Support Channels: [________________________________]

3. Severity and Response: (See Section 4.4)

4. Escalation: Levels 1-4

5. Maintenance: [________________________________]


ATTACHMENT D: DATA PROCESSING ADDENDUM (SUMMARY)

1. Scope: Processing of Personal Data by Provider (Processor) on behalf of Customer (Controller)

2. CPA Roles: Customer = Controller; Provider = Processor (C.R.S. § 6-1-1305)

3. Processing Instructions: Per Agreement and documented instructions

4. Security: Section 7.1

5. Sub-Processors: Section 7.6

6. Breach Notification: Section 7.3 (30-day Colorado timeline)

7. Consumer Rights: Provider shall assist Customer per Section 7.4.2

8. Data Protection Assessments: Provider shall cooperate per Section 7.4.4

9. Data Deletion/Return: Section 13.6

10. Universal Opt-Out: Section 7.4.3

11. CPA Compliance: C.R.S. § 6-1-1301 et seq. and 4 CCR 904-3


ATTACHMENT E: ACCEPTABLE USE POLICY (OUTLINE)

1. Prohibited Activities:

  • Unauthorized access or interference
  • Malware distribution
  • Unsolicited communications
  • Law violations
  • Third-party rights infringement

2. Content Standards:

  • No unlawful, defamatory, obscene, or harmful content
  • No IP-infringing content
  • No privacy violations

3. Resource Usage:

  • No excessive consumption
  • No unauthorized data extraction

4. Enforcement:

  • Suspension with notice and cure
  • Repeated violations may result in termination

This template is provided for informational purposes only and does not constitute legal advice. Legal counsel licensed in Colorado should review and customize this Agreement before execution. The Colorado Privacy Act and its regulations are subject to ongoing rulemaking — verify all provisions and citations are current before use.

Ezel AI
Hi! Want this done for you? Tell me your situation and I'll fill in every section and tailor it to your state.
You get the finished Word & PDF in about 5 minutes. $99 one time for this document, or $249/mo for access to every document and every Ezel app. Want me to start?
AI Legal Assistant
Ezel AI
Hi! Want this done for you? Tell me your situation and I'll fill in every section and tailor it to your state.
You get the finished Word & PDF in about 5 minutes. $99 one time for this document, or $249/mo for access to every document and every Ezel app. Want me to start?

Insert Image

Insert Table

Watch Ezel in action (sample case)

All changes saved
Save
Export
Export as DOCX
Export as PDF
Generating PDF...
saas_agreement_smb_co.pdf
Ready to export as PDF or Word
AI is editing...
Chat
Review

Get your finished document

Filled in for your situation. Drafting from scratch takes hours; finish yours in about 5 minutes for $99 one time.

  • Deep Legal Knowledge
    Understands case law, statutes, and legal doctrine specific to Colorado.
  • Court-Ready Formatting
    Proper captions and local-rule compliance.
  • AI-Powered Editing
    Tailor every section to your case.
  • Export as PDF & Word
    Ready to file or send.
Secure checkout via Stripe
Need to customize this document?

About This Template

A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: July 2026

Get your SaaS Agreement - SMB (Colorado), done and ready to use

Fill it in for your situation, adjust it for your state, and download the finished Word and PDF. Let the AI do it in about 5 minutes, or finish it yourself in the editor. $99 one time, or go Pro for access to every document and every Ezel app.