SaaS Agreement - SMB (Connecticut)
SOFTWARE AS A SERVICE AGREEMENT (SMB)
STATE OF CONNECTICUT
TABLE OF CONTENTS
- Parties and Recitals
- Definitions
- Access Rights and Restrictions
- Service Levels and Support
- Customer Obligations
- Fees and Payment
- Data Protection, Security, and Connecticut Data Privacy Act Compliance
- Intellectual Property and Feedback
- Confidentiality
- Warranties and Disclaimers
- Indemnification
- Limitations of Liability
- Term, Renewal, and Termination
- Beta and Free Trials
- Compliance
- Governing Law and Dispute Resolution
- Miscellaneous
- Signature Blocks
- Attachments
1. PARTIES AND RECITALS
This Software as a Service Agreement ("Agreement") is entered into as of [__/__/____] ("Effective Date") by and between:
Provider:
Name: [________________________________]
State of Organization: [________________________________]
Principal Address: [________________________________]
Email for Notices: [________________________________]
("Provider")
AND
Customer:
Name: [________________________________]
State of Organization: [________________________________]
Principal Address: [________________________________]
Email for Notices: [________________________________]
("Customer")
Provider and Customer are each a "Party" and collectively the "Parties."
RECITALS
WHEREAS, Provider has developed and operates a cloud-based software application available on a subscription basis;
WHEREAS, Customer desires to access Provider's application for internal business operations;
WHEREAS, Provider is willing to grant access subject to this Agreement and the applicable Order Form(s);
WHEREAS, the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.) establishes personal data privacy rights for Connecticut residents and imposes obligations on controllers and processors, and the Parties desire to ensure compliance;
WHEREAS, this Agreement shall be governed by the laws of the State of Connecticut;
NOW, THEREFORE, in consideration of the mutual covenants and for good and valuable consideration, the Parties agree as follows:
2. DEFINITIONS
2.1 "Affiliate" means any entity controlling, controlled by, or under common control with a Party (control = >50% voting interest).
2.2 "Acceptable Use Policy" or "AUP" means Provider's AUP in Attachment E.
2.3 "Authorized Users" means Customer's employees, contractors, and agents authorized to access the SaaS Platform, subject to Usage Limits.
2.4 "Business Day" means any day other than a Saturday, Sunday, or Connecticut state holiday.
2.5 "Confidential Information" means all non-public information designated or reasonably understood as confidential, including trade secrets, business plans, financial data, technical data, source code, algorithms, and Agreement terms.
2.6 "Consumer" means a Connecticut resident acting in an individual or household context, as defined under the CTDPA (Conn. Gen. Stat. § 42-515).
2.7 "Controller" means a person that determines the purposes and means of processing Personal Data, as defined under the CTDPA.
2.8 "Customer Data" means all electronic data submitted to the SaaS Platform by or on behalf of Customer, including Personal Data.
2.9 "Data Processing Addendum" or "DPA" means the data processing terms in Attachment D.
2.10 "Data Protection Assessment" means an assessment required under the CTDPA for processing that presents a heightened risk of harm.
2.11 "Documentation" means Provider's user guides, help resources, and specifications.
2.12 "Downtime" means unavailability excluding Scheduled Maintenance, emergency maintenance, and Force Majeure.
2.13 "Effective Date" means the date in the preamble.
2.14 "Fees" means all amounts payable by Customer.
2.15 "Force Majeure Event" means events beyond reasonable control, including acts of God, fire, flood, hurricane, earthquake, epidemic, pandemic, war, terrorism, government action, labor dispute, internet failure, power outage, or telecommunications failure.
2.16 "Intellectual Property" or "IP" means all patents, copyrights, trademarks, trade secrets, know-how, and other IP rights.
2.17 "Malware" means any virus, worm, Trojan horse, ransomware, spyware, or malicious code.
2.18 "Order Form" means each ordering document referencing this Agreement.
2.19 "Personal Data" means information linked or reasonably linkable to an identified or identifiable individual, as defined under the CTDPA and Conn. Gen. Stat. § 36a-701b.
2.20 "Processor" means a person that processes Personal Data on behalf of a Controller, as defined under the CTDPA.
2.21 "SaaS Platform" or "Service" means the cloud-based application(s) identified in the Order Form.
2.22 "Scheduled Maintenance" means routine maintenance during the designated window per the SLA.
2.23 "Sensitive Data" means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification, Personal Data of a known child, or precise geolocation data, as defined under the CTDPA.
2.24 "Service Level Agreement" or "SLA" means the commitments in Attachment B.
2.25 "Subscription Term" means the initial and renewal periods in the Order Form.
2.26 "Support" means technical support per the Support Policy (Attachment C).
2.27 "Updates" means bug fixes, patches, and releases available at no additional charge.
2.28 "Usage Limits" means the limits in the Order Form.
3. ACCESS RIGHTS AND RESTRICTIONS
3.1 License Grant
Subject to compliance and payment of Fees, Provider grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the SaaS Platform during the Subscription Term for internal business purposes, per the Documentation and Usage Limits.
3.2 Authorized Users
(a) Unique credentials per user; no sharing.
(b) Customer responsible for Authorized User actions and compliance.
(c) Prompt deactivation of former Authorized Users.
3.3 Usage Limits
Excess usage may be charged or require an amended Order Form.
3.4 Restrictions
Customer shall not:
(a) Copy, modify, adapt, or create derivative works of the SaaS Platform;
(b) Reverse engineer, except as permitted by Connecticut or federal law;
(c) Sublicense, lease, rent, sell, or transfer access;
(d) Use for third-party benefit (service bureau, outsourcing, time-sharing);
(e) Remove proprietary notices;
(f) Interfere with or disrupt the SaaS Platform;
(g) Attempt unauthorized access;
(h) Transmit Malware or violate the AUP;
(i) Store infringing, defamatory, or unlawful content;
(j) Publish benchmarking results without consent;
(k) Allow competitor access where legally permissible to restrict.
3.5 API Access
Per Documentation and API terms. Provider may impose rate limits.
3.6 Third-Party Integrations
Customer assumes all risk. Provider has no liability for third-party applications.
4. SERVICE LEVELS AND SUPPORT
4.1 Uptime Commitment
Provider shall use commercially reasonable efforts to maintain [____]% monthly uptime (the "Uptime Target"), excluding Scheduled Maintenance and Force Majeure.
4.2 Uptime Measurement
Monthly uptime = ((Total Minutes - Downtime Minutes) / Total Minutes) x 100.
4.3 SLA Credits
| Monthly Uptime Percentage | Credit (% of Monthly Fees) |
|---|---|
| Below [____]% but at or above [____]% | [____]% |
| Below [____]% but at or above [____]% | [____]% |
| Below [____]% | [____]% |
Credits requested within thirty (30) days, applied to future Fees, capped at the affected month's Fees. SLA credits are Customer's sole remedy unless chronic failure triggers termination rights.
4.4 Support Services
| Severity | Description | Response Time |
|---|---|---|
| Severity 1 - Critical | Platform unavailable or core function inoperable | [____] hours |
| Severity 2 - High | Significant impairment, no workaround | [____] hours |
| Severity 3 - Medium | Impairment with workaround | [____] Business Days |
| Severity 4 - Low | Minor issue or inquiry | [____] Business Days |
Support Hours: [________________________________]
Support Channels: [________________________________]
4.5 Scheduled Maintenance
Window: [________________________________] (e.g., Sundays 2:00 AM - 6:00 AM ET). At least [____] hours' notice. Emergency maintenance with best-efforts notice.
5. CUSTOMER OBLIGATIONS
5.1 Account Security
Credential confidentiality, MFA where available, prompt notification of unauthorized access.
5.2 Acceptable Use
Compliance with AUP and all applicable laws, including the Connecticut Unfair Trade Practices Act (Conn. Gen. Stat. § 42-110b).
5.3 Data Accuracy
Accurate, lawful data with all necessary rights and consents.
5.4 Cooperation
Timely responses, system access, and designated primary contact.
5.5 System Requirements
Maintain per Documentation requirements.
5.6 Compliance with Laws
Customer shall comply with all applicable laws, including the CTDPA to the extent Customer is a Controller.
6. FEES AND PAYMENT
6.1 Subscription Fees
Per Order Form, invoiced:
☐ Annually in advance
☐ Quarterly in advance
☐ Monthly in advance
6.2 Usage-Based Fees
Overages at Order Form rates with usage reports.
6.3 Professional Services Fees
Per statement of work or Order Form.
6.4 Invoicing and Payment
(a) Invoiced per Order Form frequency.
(b) Due within [____] days of invoice date.
(c) In United States dollars.
(d) Non-refundable except as stated.
6.5 Late Payment
(a) Interest at [____]% per month (or [____]% per annum), or the maximum permitted by Connecticut law, whichever is less.
(b) Connecticut Interest Rate Provisions: Under Conn. Gen. Stat. § 37-4, the general usury limit is twelve percent (12%) per annum. However, under Conn. Gen. Stat. § 37-9, the twelve percent cap does not apply to: (i) loans made by state or federal banks or credit unions; (ii) any mortgage over $5,000; or (iii) any business loan over $10,000. For commercial SaaS agreements where the outstanding obligations exceed $10,000, the parties may agree to a higher rate. If the exemption under § 37-9 applies, the parties may contract for any lawful rate. The late payment interest rate herein shall not exceed the maximum lawful rate under Connecticut law.
(c) Reasonable collection costs, including attorneys' fees.
6.6 Taxes
(a) All Fees are exclusive of taxes. Customer is responsible for applicable taxes except taxes on Provider's net income.
(b) Connecticut SaaS Tax Note: Connecticut imposes sales tax on SaaS. The applicable rate depends on the nature of use:
- SaaS used for non-business purposes (personal, household): taxed at the standard rate of 6.35% as a digital good.
- SaaS used for business purposes: may qualify as "computer and data processing services" and be taxed at a reduced rate of 1% under Conn. Gen. Stat. § 12-407.
Customer shall inform Provider of the applicable use classification. Provider shall collect and remit the appropriate tax rate. Customer shall provide a valid exemption certificate if applicable.
(c) If Provider is required to collect taxes, they shall be included on invoices.
6.7 Price Increases
At least [____] days' notice before renewal. Increase not to exceed [____]% unless agreed.
6.8 Disputed Invoices
Disputes within [____] days. Undisputed amounts due on time. Resolution within thirty (30) days. No suspension for good-faith disputes if undisputed amounts are paid.
7. DATA PROTECTION, SECURITY, AND CONNECTICUT DATA PRIVACY ACT COMPLIANCE
7.1 Security Safeguards
Provider shall implement administrative, technical, and physical safeguards, including:
(a) Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
(b) Role-based access controls with least-privilege and MFA;
(c) Regular vulnerability assessments and penetration testing;
(d) Intrusion detection and prevention;
(e) Audit logging and monitoring;
(f) Employee background checks and security training;
(g) Physical data center security;
(h) Incident response and disaster recovery plans.
7.2 Compliance Certifications
☐ SOC 2 Type II
☐ ISO 27001
☐ Other: [________________________________]
7.3 Data Breach Notification - Connecticut Requirements
(a) Provider shall notify Customer of any confirmed Security Breach without unreasonable delay and no later than [____] hours after determination.
(b) Connecticut Data Breach Notification Law (Conn. Gen. Stat. § 36a-701b): Notice to affected Connecticut residents must be provided without unreasonable delay and no later than sixty (60) days from discovery of the breach. Notice to the Connecticut Attorney General must be provided no later than when residents are notified.
(c) Identity Theft Prevention Services: The entity that owns or licenses the data must offer each affected resident whose Personal Data was breached appropriate identity theft prevention services and, if applicable, identity theft mitigation services at no cost for a period of not less than two (2) years.
(d) Enforcement: Failure to comply constitutes a violation of the Connecticut Unfair Trade Practices Act (CUTPA) (Conn. Gen. Stat. § 42-110b), exposing the violator to CUTPA enforcement actions and remedies.
(e) Provider shall cooperate with Customer in investigating, mitigating, and complying with all notification and identity theft service obligations.
(f) Notification content shall include: (i) description of breach; (ii) types of data involved; (iii) estimated individuals affected; (iv) measures taken; and (v) contact information.
7.4 Connecticut Data Privacy Act (CTDPA) Compliance
This Section 7.4 applies to the extent the SaaS Platform processes Personal Data of Connecticut Consumers subject to the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.).
7.4.1 CTDPA Applicability
The CTDPA applies to persons conducting business in Connecticut or producing products or services targeted to Connecticut residents that: (a) during the preceding calendar year, controlled or processed Personal Data of at least 35,000 Consumers (excluding data controlled or processed solely for payment transactions); or (b) controlled or processed Personal Data of Consumers and derived revenue from the sale of Personal Data.
7.4.2 Roles and Obligations
(a) Where Customer determines the purposes and means of processing Personal Data, Customer is the Controller and Provider is the Processor.
(b) As a Processor, Provider shall:
- Process Personal Data only on documented instructions from Customer;
- Ensure confidentiality obligations for all persons processing data;
- Delete or return Personal Data at the end of the service period, at Customer's choice;
- Make information available to demonstrate compliance;
- Allow and cooperate with reasonable assessments by Customer or an independent assessor.
(c) Provider shall not: (i) combine Personal Data obtained from Customer with data from other sources or its own interactions with Consumers, except as directed by Customer; or (ii) process Personal Data for purposes other than performing services under this Agreement.
7.4.3 Consumer Rights Facilitation
(a) The CTDPA grants Connecticut Consumers the following rights:
- Right to Access: Confirm processing and access Personal Data;
- Right to Correction: Correct inaccuracies;
- Right to Deletion: Request deletion of Personal Data;
- Right to Data Portability: Obtain data in a portable, readily usable format;
- Right to Opt-Out of: (i) sale of Personal Data; (ii) targeted advertising; and (iii) profiling in furtherance of decisions producing legal or similarly significant effects;
- Right to Know Profiling: Consumers have the right to know whether a Controller is engaging in profiling and, if feasible, to challenge profiling results and understand the reasoning behind profiling decisions.
(b) Provider shall assist Customer in responding to Consumer rights requests in a timely manner. Provider shall implement technical and organizational measures to facilitate Customer's ability to search, export, correct, and delete Personal Data.
(c) Response Timeline: Controllers must respond to Consumer rights requests within forty-five (45) days, with one forty-five (45) day extension if reasonably necessary, with notice.
7.4.4 Universal Opt-Out Mechanism
(a) Effective January 1, 2025, all Controllers subject to the CTDPA must honor opt-out preference signals sent by Consumers, including the Global Privacy Control (GPC) signal.
(b) To the extent Provider operates consumer-facing components on behalf of Customer, Provider shall implement technical capabilities to detect and honor universal opt-out signals and communicate opt-out status to Customer.
7.4.5 Data Protection Assessments
(a) Under the CTDPA, Controllers must conduct and document Data Protection Assessments for processing activities that present a heightened risk of harm, including: (i) targeted advertising; (ii) sale of Personal Data; (iii) profiling with risk of unfair treatment, financial or physical injury, or other substantial injury; and (iv) processing Sensitive Data.
(b) Provider shall cooperate with Customer in conducting Data Protection Assessments by providing information about processing activities, safeguards, and technical measures.
(c) Provider shall inform Customer if any instruction may violate the CTDPA.
7.4.6 Sensitive Data
(a) Processing of Sensitive Data requires the Consumer's consent. Customer warrants that it has obtained such consent before instructing Provider to process Sensitive Data.
(b) Provider shall implement heightened security safeguards for Sensitive Data.
7.4.7 Minors' Data Protections
(a) Under the CTDPA, Controllers are categorically prohibited from processing minors' (under 18) Personal Data for targeted advertising or sale, regardless of whether consent is obtained.
(b) The CTDPA prohibits the use of system design features that significantly increase, sustain, or extend a minor's use of an online service, product, or feature ("dark patterns").
(c) If the SaaS Platform may process data of known minors, Provider shall implement safeguards to prevent processing of minors' data for targeted advertising or sale and shall not employ dark patterns.
7.4.8 AI and Algorithmic Decision-Making (Effective July 1, 2026)
(a) Recent amendments to the CTDPA, effective July 1, 2026, impose additional requirements on businesses deploying AI and algorithmic decision-making tools, including: (i) public disclosures regarding the use of algorithmic decision-making; (ii) data protection impact assessments for AI deployments; and (iii) enhanced profiling disclosures.
(b) To the extent the SaaS Platform incorporates AI or algorithmic decision-making features, Provider shall: (i) provide Customer with information sufficient for Customer to make required public disclosures; (ii) cooperate with Customer's data protection impact assessments for AI features; and (iii) implement mechanisms for Consumers to challenge profiling decisions as required by law.
7.4.9 CTDPA Enforcement
(a) The CTDPA is enforced exclusively by the Connecticut Attorney General. There is no private right of action.
(b) Violations constitute unfair trade practices under CUTPA (Conn. Gen. Stat. § 42-110b), subjecting violators to CUTPA remedies.
(c) The Attorney General may issue a notice of violation and provide a sixty (60) day cure period before bringing an enforcement action (note: this cure provision may be subject to legislative amendment).
7.5 Data Processing
Provider shall process Customer Data only per documented instructions and this Agreement.
7.6 Sub-Processors
(a) General authorization with: (i) current sub-processor list; (ii) [____] days' prior notice; (iii) equivalent contractual protections.
(b) Objection within [____] days; termination right if unresolved.
7.7 Data Location
Customer Data stored in the United States unless otherwise agreed.
7.8 Incident Response
Annual testing of incident response plan. Post-incident findings shared upon request.
8. INTELLECTUAL PROPERTY AND FEEDBACK
8.1 Provider Intellectual Property
Provider retains all rights in the SaaS Platform, Documentation, and related IP.
8.2 Customer Intellectual Property
Customer retains all rights in Customer Data.
8.3 Usage Data
Provider may use aggregated, anonymized Usage Data for product improvement, provided it cannot identify Customer or any individual.
8.4 Feedback
Customer grants Provider a royalty-free, perpetual, irrevocable, worldwide license to use Feedback.
8.5 No Implied Rights
No rights except as expressly stated.
9. CONFIDENTIALITY
9.1 Confidentiality Obligations
For [____] years after termination: strict confidence, no unauthorized disclosure, use only for Agreement purposes, reasonable care.
9.2 Permitted Disclosures
Employees, contractors, and advisors with need to know, bound by comparable obligations.
9.3 Exclusions
Public information, prior possession, independent development, lawful third-party receipt.
9.4 Compelled Disclosure
Prompt notice (if permitted), cooperation for protective orders, limited disclosure.
9.5 Trade Secrets - Connecticut Law
(a) The Connecticut Uniform Trade Secrets Act (Conn. Gen. Stat. § 35-50 et seq.) protects trade secrets, with an expanded definition that includes drawings, cost data, and customer lists. Connecticut does not have a criminal trade secrets statute.
(b) Confidentiality obligations for trade secrets continue as long as the information qualifies as a trade secret, regardless of the time-limited period in Section 9.1.
(c) Under Conn. Gen. Stat. § 35-53, a court may award damages for actual loss and unjust enrichment. If willful and malicious misappropriation is shown, exemplary damages not exceeding twice the award may be imposed. Attorneys' fees may be awarded under § 35-54. The statute of limitations is three (3) years from discovery.
9.6 Return or Destruction
Return or destroy upon termination or request, with certification. One archival copy for legal purposes.
10. WARRANTIES AND DISCLAIMERS
10.1 Provider Warranties
(a) Conformance: SaaS Platform materially conforms to Documentation;
(b) Professional Services: Professional and workmanlike;
(c) No Malware: Commercially reasonable efforts;
(d) Authority: Full power and authority;
(e) Non-Infringement: To Provider's knowledge, no infringement;
(f) Compliance: Provider shall comply with applicable laws including the CTDPA and Conn. Gen. Stat. § 36a-701b;
(g) CTDPA Compliance: Provider shall process Personal Data in compliance with the CTDPA as a Processor.
10.2 Customer Warranties
(a) Full power and authority;
(b) Lawful use and no infringement;
(c) All necessary consents, including CTDPA-required consents for Sensitive Data.
10.3 Warranty Remedies
Provider shall correct or provide a workaround within [____] days; if not, Customer may terminate and receive a pro-rata refund.
10.4 Disclaimer
EXCEPT AS EXPRESSLY STATED, AND TO THE MAXIMUM EXTENT PERMITTED BY CONNECTICUT LAW INCLUDING THE UCC (CONN. GEN. STAT. § 42a-2-101 ET SEQ.), THE SAAS PLATFORM IS PROVIDED "AS IS." PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
10.5 Consumer Protection Carve-Out
Nothing herein shall waive rights under the Connecticut Unfair Trade Practices Act (CUTPA) (Conn. Gen. Stat. § 42-110b) to the extent they cannot be waived by contract. CUTPA prohibits unfair methods of competition and unfair or deceptive acts or practices in trade or commerce. Connecticut courts apply a three-part test: (1) whether the practice offends public policy; (2) whether it is immoral, unethical, oppressive, or unscrupulous; and (3) whether it causes substantial injury to consumers or other businesspersons.
11. INDEMNIFICATION
11.1 Provider IP Indemnity
Provider shall indemnify Customer Indemnitees from third-party IP infringement Claims and pay damages, costs, and reasonable attorneys' fees.
11.2 Exclusions
No obligation for Claims from: (a) Customer Data; (b) unauthorized modifications; (c) combination with non-Provider products; (d) superseded versions; or (e) Agreement violations.
11.3 Remedies
Provider may: (a) procure continued use rights; (b) modify to non-infringing; or (c) terminate and refund.
11.4 Customer Indemnification
Customer indemnifies Provider Indemnitees from Claims arising from Customer Data, AUP violations, breach, or law violations.
11.5 Procedure
Prompt notice, sole defense control, cooperation, no settlement without consent.
11.6 Sole Remedy
Exclusive remedy for described Claims.
12. LIMITATIONS OF LIABILITY
12.1 Liability Cap
EACH PARTY'S AGGREGATE LIABILITY SHALL NOT EXCEED THE FEES PAID OR PAYABLE DURING THE [____]-MONTH PERIOD PRECEDING THE EVENT (EXCEPT CARVE-OUTS).
12.2 Consequential Damages Exclusion
NO INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, REVENUE, GOODWILL, OR DATA (EXCEPT CARVE-OUTS).
12.3 Carve-Outs
(a) Indemnification (Section 11);
(b) Confidentiality breach (Section 9);
(c) Willful misconduct or gross negligence;
(d) Payment obligations;
(e) Data security and breach obligations, including identity theft services under Conn. Gen. Stat. § 36a-701b;
(f) CTDPA violations to the extent liability cannot be limited;
(g) Any liability that cannot be limited under Connecticut law.
12.4 Essential Purpose
Limitations apply even if a remedy fails. They reflect a fair allocation of risk.
12.5 Connecticut Law
Applied to the fullest extent permitted by Connecticut law.
13. TERM, RENEWAL, AND TERMINATION
13.1 Agreement Term
Commences on the Effective Date and continues until all Order Forms expire or terminate.
13.2 Renewal
Auto-renewal for equal periods unless [____] days' written non-renewal notice.
13.3 Termination for Convenience
[____] days' notice. Customer pays accrued Fees.
13.4 Termination for Cause
(a) Material breach uncured within [____] days ([____] for payment);
(b) Bankruptcy not dismissed within sixty (60) days;
(c) Cessation of business.
13.5 Suspension
Upon [____] days' notice for: (i) non-payment; (ii) AUP violation or security risk; (iii) legal requirement. Limited in scope; restored upon cure.
13.6 Effect of Termination
(a) Access ceases; (b) Accrued Fees payable; (c) Confidential Information returned or destroyed; (d) Customer Data export for [____] days, then deletion per DPA and CTDPA requirements.
13.7 Survival
Sections 2, 6 (accrued), 7.3, 7.4, 8, 9, 10.4, 11, 12, 13.6, 13.7, 16, and 17 survive.
14. BETA AND FREE TRIALS
14.1 Trial Access
Trial Services for evaluation only.
14.2 Trial Terms
"AS IS" without warranty, SLA, indemnity, or support. May be discontinued at any time.
14.3 Data Handling
Trial data may be deleted unless converted to paid subscription. CTDPA data deletion obligations apply regardless.
14.4 Feedback
Subject to Section 8.4.
15. COMPLIANCE
15.1 AUP
Compliance with Attachment E.
15.2 Export Controls and Sanctions
Compliance with EAR and ITAR. No access from sanctioned countries or by restricted parties.
15.3 Anti-Corruption
FCPA compliance. No facilitation payments. Accurate records.
15.4 Accessibility
Commercially reasonable efforts for Section 508 and WCAG 2.1 Level AA compliance.
15.5 Connecticut Regulatory Requirements
Customer is responsible for Connecticut industry-specific regulatory requirements. Provider shall cooperate with any Connecticut regulatory audit or inquiry to the extent required by law.
16. GOVERNING LAW AND DISPUTE RESOLUTION
16.1 Governing Law
Laws of the State of Connecticut, without conflicts of law principles.
16.2 Venue
State courts of Hartford County, Connecticut, or the United States District Court for the District of Connecticut (Hartford). Each Party consents to jurisdiction and venue.
16.3 Escalation
(a) Operational contacts meet within ten (10) Business Days;
(b) Executive escalation if unresolved within twenty (20) Business Days;
(c) Optional mediation in Hartford, Connecticut, with shared costs.
16.4 Jury Waiver
Connecticut courts have held that express commercial contractual jury trial waivers entered into prior to litigation are presumptively enforceable, in accordance with public policy favoring freedom of contract and efficient dispute resolution. The party seeking to avoid the waiver bears the burden of showing it clearly did not intend to waive. Connecticut courts consider: (1) conspicuousness of the waiver; (2) whether parties were represented by counsel; (3) gross disparity in bargaining power; (4) business experience of the opposing party; and (5) opportunity to negotiate terms.
TO THE FULLEST EXTENT PERMITTED BY CONNECTICUT LAW, EACH PARTY KNOWINGLY, VOLUNTARILY, AND IRREVOCABLY WAIVES ANY RIGHT TO JURY TRIAL IN ANY ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT. EACH PARTY CONFIRMS THAT THIS WAIVER IS CONSPICUOUSLY SET FORTH, EACH PARTY HAS HAD THE OPPORTUNITY TO CONSULT COUNSEL, AND EACH PARTY MAKES THIS WAIVER FREELY AND WITH FULL UNDERSTANDING.
16.5 Attorneys' Fees
Prevailing Party recovers reasonable attorneys' fees and costs.
16.6 Injunctive Relief
Either Party may seek injunctive relief to prevent irreparable harm or enforce Sections 3, 8, or 9, without bond or proof of actual damages.
17. MISCELLANEOUS
17.1 Assignment
No assignment without consent (not unreasonably withheld); permitted to Affiliates or successors. Void if in violation.
17.2 Subcontracting
Permitted; Provider remains responsible.
17.3 Notices
Written, deemed given: (a) upon personal delivery; (b) one (1) Business Day after overnight courier; (c) three (3) Business Days after certified mail; or (d) upon confirmed email receipt.
17.4 Force Majeure
No liability for delay due to Force Majeure (except payment). Prompt notice, mitigation, and resumption. Termination if exceeding [____] days.
17.5 Order of Precedence
(highest to lowest): (a) DPA / Security Addendum; (b) Main Agreement; (c) Order Form; (d) SLA; (e) Support Policy; (f) AUP.
17.6 Severability
Invalid provisions modified to minimum extent; remainder continues.
17.7 Amendments
Written, signed by both Parties.
17.8 Waiver
Failure to enforce is not a waiver.
17.9 Entire Agreement
This Agreement and all attachments supersede all prior agreements.
17.10 Counterparts
May be executed in counterparts.
17.11 Electronic Signatures
Valid under the Connecticut Uniform Electronic Transactions Act (Conn. Gen. Stat. § 1-266 et seq.), effective since October 1, 2002, and the federal E-SIGN Act (15 U.S.C. § 7001 et seq.). Under Conn. Gen. Stat. § 1-272, a record or signature shall not be denied legal effect solely because it is in electronic form.
17.12 Headings
For convenience only.
17.13 Third-Party Beneficiaries
None.
17.14 Relationship of the Parties
Independent contractors. No partnership, joint venture, agency, or employment.
17.15 Publicity
No use without consent; Provider may include Customer in customer list.
17.16 Construction
Fair construction, not against drafter. "Including" means "including, without limitation."
18. SIGNATURE BLOCKS
IN WITNESS WHEREOF, the Parties execute this Agreement as of the Effective Date.
PROVIDER:
| Signature | _________________________________ |
| Printed Name | _________________________________ |
| Title | _________________________________ |
| Date | [__/__/____] |
| _________________________________ |
CUSTOMER:
| Signature | _________________________________ |
| Printed Name | _________________________________ |
| Title | _________________________________ |
| Date | [__/__/____] |
| _________________________________ |
19. ATTACHMENTS
- Attachment A: Order Form
- Attachment B: Service Level Agreement (SLA)
- Attachment C: Support Policy
- Attachment D: Data Processing Addendum (DPA) / Security Addendum
- Attachment E: Acceptable Use Policy (AUP)
ATTACHMENT A: ORDER FORM (TEMPLATE)
| Field | Details |
|---|---|
| Order Form Number | [________________________________] |
| Effective Date | [__/__/____] |
| SaaS Platform / Product | [________________________________] |
| Subscription Term | [________________________________] |
| Auto-Renewal | ☐ Yes ☐ No |
| Renewal Term Length | [________________________________] |
| Non-Renewal Notice Period | [____] days |
| Number of Authorized Users | [____] |
| Storage Limit | [________________________________] |
| API Call Limit | [________________________________] |
| Subscription Fees | $[____] per [________________________________] |
| Usage-Based Fee Rate | $[____] per [________________________________] |
| Billing Frequency | ☐ Annual ☐ Quarterly ☐ Monthly |
| Payment Terms | Net [____] days |
| SaaS Use Classification | ☐ Business Use (1% tax) ☐ Non-Business Use (6.35% tax) |
| Provider Notice Address | [________________________________] |
| Customer Notice Address | [________________________________] |
| Customer Primary Contact | [________________________________] |
| CTDPA Controller/Processor Roles | ☐ Customer is Controller / Provider is Processor |
| Special Terms | [________________________________] |
ATTACHMENT B: SERVICE LEVEL AGREEMENT (TEMPLATE)
1. Uptime Target: [____]%
2. Measurement Period: Calendar month
3. Exclusions: Scheduled Maintenance, Force Majeure, Customer-caused outages
4. SLA Credit Table:
| Monthly Uptime | Credit |
|---|---|
| [____]% - [____]% | [____]% of monthly Fees |
| [____]% - [____]% | [____]% of monthly Fees |
| Below [____]% | [____]% of monthly Fees |
5. Credit Request: Written within 30 days
6. Maximum Credit: 100% of monthly Fees
7. Chronic Failure: Below [____]% for [____] months triggers termination
ATTACHMENT C: SUPPORT POLICY (OUTLINE)
1. Support Hours: [________________________________]
2. Support Channels: [________________________________]
3. Severity and Response: (See Section 4.4)
4. Escalation: Levels 1-4
5. Maintenance: [________________________________]
ATTACHMENT D: DATA PROCESSING ADDENDUM (SUMMARY)
1. Scope: Processing of Personal Data by Provider (Processor) on behalf of Customer (Controller)
2. CTDPA Roles: Customer = Controller; Provider = Processor
3. Processing Instructions: Per Agreement and documented instructions
4. Security: Section 7.1
5. Sub-Processors: Section 7.6
6. Breach Notification: Section 7.3 (60-day CT timeline; 2-year identity theft services)
7. Consumer Rights: Provider shall assist Customer per Section 7.4.3
8. Data Protection Assessments: Provider shall cooperate per Section 7.4.5
9. Data Deletion/Return: Section 13.6
10. Universal Opt-Out: Section 7.4.4 (GPC compliance)
11. Minors' Data: Section 7.4.7 (no targeted advertising or sale of minors' data)
12. AI and Algorithmic Decision-Making: Section 7.4.8 (effective July 1, 2026)
13. CTDPA Compliance: Conn. Gen. Stat. § 42-515 et seq.
ATTACHMENT E: ACCEPTABLE USE POLICY (OUTLINE)
1. Prohibited Activities:
- Unauthorized access or interference
- Malware distribution
- Unsolicited communications
- Law violations
- Third-party rights infringement
2. Content Standards:
- No unlawful, defamatory, obscene, or harmful content
- No IP-infringing content
- No privacy violations
- No dark patterns targeting minors
3. Resource Usage:
- No excessive consumption
- No unauthorized data extraction
4. Enforcement:
- Suspension with notice and cure
- Repeated violations may result in termination
This template is provided for informational purposes only and does not constitute legal advice. Legal counsel licensed in Connecticut should review and customize this Agreement before execution. The CTDPA is subject to ongoing legislative amendments (including July 1, 2026 AI provisions) -- verify all provisions and citations are current before use.
About This Template
A contract is a written record of what two or more parties agreed to and what happens if someone does not follow through. Clear language, defined terms, and clean signature blocks keep disputes small and enforceable. The most common mistakes in contracts come from vague promises, missing details about timing or payment, and skipping standard protective clauses like governing law and dispute resolution.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: July 2026
Get your SaaS Agreement - SMB (Connecticut), done and ready to use
Fill it in for your situation, adjust it for your state, and download the finished Word and PDF. Let the AI do it in about 5 minutes, or finish it yourself in the editor. $99 one time, or go Pro for access to every document and every Ezel app.