Search legal guides

Search MJ Kotze Inc legal guides and articles

Technology Law

AI-SaaS Agreements

When the SaaS product is AI, the contract gains new dimensions: training-data provenance, output IP, customer-data training prohibitions, hallucination disclaimers, and POPIA s 71 automated-decision compliance.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Last reviewed:

Quick answer

The eight clauses that matter

1

Input / output IP

Who owns the prompts, fine-tunes, generated outputs, and any derivative datasets. Customer typically owns its inputs and outputs; vendor retains the model.

2

Training-data warranties

Provider warrants the model was trained on lawfully-obtained data, free of third-party IP infringement, and (for SA personal data) in compliance with POPIA.

3

Customer-data training prohibition

Explicit prohibition on using customer prompts, documents, or outputs to train the provider's general model — unless customer expressly consents. Critical for SA enterprise.

4

Hallucination + accuracy disclosure

Disclosure that AI outputs may be inaccurate; customer obligation to verify before relying on outputs in regulated contexts (legal, medical, financial advice).

5

Bias + fairness commitments

Provider's evaluation methodology, bias-testing programme, and notification of material findings. Increasingly required by enterprise customers.

6

POPIA automated decision-making (s 71)

Where the AI makes decisions with legal consequences for natural persons, section 71 of POPIA restricts automated decisions and requires safeguards including the data subject's right to make representations.

7

Output indemnification

Provider indemnification against third-party IP claims arising from outputs (e.g. infringement of copyrighted training material reproduced in outputs). One of the most contested clauses in modern AI contracts.

8

Model evolution + deprecation

Provider's right to update / retire models, with notice periods for breaking changes affecting integrated customer workflows.

Frequently asked

What is the difference between an AI-SaaS agreement and a regular SaaS agreement?

AI-SaaS agreements add several layers: training-data warranties (the model was lawfully trained); input/output IP allocation (who owns prompts, fine-tunes, outputs); customer-data training prohibitions (vendor cannot use customer inputs to improve the general model); hallucination and accuracy disclaimers; POPIA s 71 automated-decision compliance where the AI affects natural persons; and output indemnification against third-party IP claims arising from generated content.

Can my SA tech company be sued if an AI vendor's output infringes someone else's copyright?

Yes — and the question of who bears that risk is the most-contested clause in modern AI contracts. Best practice for SA customers: insist on a vendor indemnification against third-party IP claims arising from outputs, capped at a meaningful amount. Some leading AI vendors now offer "IP indemnification" as a feature, but the carve-outs (e.g. customer customisation, customer-specific fine-tuning) matter.

What does POPIA say about AI making decisions about natural persons?

Section 71 of POPIA prohibits a responsible party from making a decision concerning a data subject based solely on the automated processing of personal information that has legal consequences or significantly affects the data subject — unless the decision is required for a contract or authorised by law, with safeguards including the right to make representations. SA companies using AI for credit, employment, insurance, or other consequential decisions must comply.

How do I stop a vendor using my data to train its general model?

Negotiate an express clause prohibiting use of customer inputs or outputs to train the vendor's general model. Many enterprise-tier AI services offer this as standard; free or low-tier services often permit training use. Without an express prohibition, the implied licence may be broad enough to permit training, particularly if the vendor's standard T&Cs reserve broad rights.

Are AI-generated works protected by copyright in South Africa?

Often, yes. Since the 1992 amendment, the Copyright Act 98 of 1978 has expressly catered for computer-generated works: the author of a computer-generated literary or artistic work is the person who undertook the arrangements necessary for its creation, and the author of a computer program is the person who exercised control over its making. So an author can usually be identified for AI-assisted output. The genuinely open questions are whether a purely AI-generated work with no meaningful human input satisfies the originality requirement, and how much human direction is enough — no SA court has decided that yet. Prudent practice: document the human creative contribution to any AI-assisted output.

Full guide: AI-generated software & copyright

What is the typical cost of bespoke AI-SaaS agreement drafting?

For SA companies licensing AI capabilities to customers: from R15,000 for a single-tier AI-SaaS agreement; R20,000–R30,000 where multi-modal AI, fine-tuning rights, or output indemnification structures are involved. For SA buyers reviewing a foreign AI vendor's SaaS agreement: R12,300 for a review with redlined recommendations, delivered within 48 hours.

For the businesses we act for

The Keystone Workspace

The attorney-designed platform the businesses we act for use to run their contracts, e-signatures and company secretarial work in one place.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration 17444.

This guide is general information, not legal advice for your specific matter.