Technology Law

AI-SaaS Agreements

When the SaaS product is AI, the contract gains new dimensions: training-data provenance, output IP, customer-data training prohibitions, hallucination disclaimers, and POPIA s 71 automated-decision compliance.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer

An AI-SaaS agreement is a SaaS subscription for an AI-powered product. It inherits the architecture of a standard SaaS contract — access grant, fees, SLA, IP, liability — and adds AI-specific layers: training-data warranties (the model was lawfully trained, free of third-party IP infringement), input/output IP allocation (who owns prompts, fine-tunes, outputs), customer-data training prohibition (vendor cannot use customer inputs to train the general model without consent), hallucination disclaimers, POPIA section 71 automated-decision compliance for decisions affecting natural persons, and output indemnification against third-party IP claims. The most-contested clause in modern AI contracts is output indemnification — leading vendors now offer it, but the carve-outs matter. From R15,000 for bespoke drafting.

The eight clauses that matter

1

Input / output IP

Who owns the prompts, fine-tunes, generated outputs, and any derivative datasets. Customer typically owns its inputs and outputs; vendor retains the model.

2

Training-data warranties

Provider warrants the model was trained on lawfully-obtained data, free of third-party IP infringement, and (for SA personal data) in compliance with POPIA.

3

Customer-data training prohibition

Explicit prohibition on using customer prompts, documents, or outputs to train the provider's general model — unless customer expressly consents. Critical for SA enterprise.

4

Hallucination + accuracy disclosure

Disclosure that AI outputs may be inaccurate; customer obligation to verify before relying on outputs in regulated contexts (legal, medical, financial advice).

5

Bias + fairness commitments

Provider's evaluation methodology, bias-testing programme, and notification of material findings. Increasingly required by enterprise customers.

6

POPIA automated decision-making (s 71)

Where the AI makes decisions with legal consequences for natural persons, section 71 of POPIA restricts automated decisions and requires safeguards including the data subject's right to make representations.

7

Output indemnification

Provider indemnification against third-party IP claims arising from outputs (e.g. infringement of copyrighted training material reproduced in outputs). One of the most contested clauses in modern AI contracts.

8

Model evolution + deprecation

Provider's right to update / retire models, with notice periods for breaking changes affecting integrated customer workflows.

Frequently asked

What is the difference between an AI-SaaS agreement and a regular SaaS agreement?

AI-SaaS agreements add several layers: training-data warranties (the model was lawfully trained); input/output IP allocation (who owns prompts, fine-tunes, outputs); customer-data training prohibitions (vendor cannot use customer inputs to improve the general model); hallucination and accuracy disclaimers; POPIA s 71 automated-decision compliance where the AI affects natural persons; and output indemnification against third-party IP claims arising from generated content.

Can my SA tech company be sued if an AI vendor's output infringes someone else's copyright?

Yes — and the question of who bears that risk is the most-contested clause in modern AI contracts. Best practice for SA customers: insist on a vendor indemnification against third-party IP claims arising from outputs, capped at a meaningful amount. Some leading AI vendors now offer "IP indemnification" as a feature, but the carve-outs (e.g. customer customisation, customer-specific fine-tuning) matter.

What does POPIA say about AI making decisions about natural persons?

Section 71 of POPIA prohibits a responsible party from making a decision concerning a data subject based solely on the automated processing of personal information that has legal consequences or significantly affects the data subject — unless the decision is required for a contract or authorised by law, with safeguards including the right to make representations. SA companies using AI for credit, employment, insurance, or other consequential decisions must comply.

How do I stop a vendor using my data to train its general model?

Negotiate an express clause prohibiting use of customer inputs or outputs to train the vendor's general model. Many enterprise-tier AI services offer this as standard; free or low-tier services often permit training use. Without an express prohibition, the implied licence may be broad enough to permit training, particularly if the vendor's standard T&Cs reserve broad rights.

Are AI-generated works protected by copyright in South Africa?

Unresolved. South African copyright law requires a human author. Purely AI-generated work without meaningful human creative input likely cannot attract copyright. Where a human directed the AI through detailed prompts and iteration, an argument exists for human authorship. Until SA courts or Parliament resolve this, prudent practice: document the human creative contribution to any AI-assisted output.

What is the typical cost of bespoke AI-SaaS agreement drafting?

For SA companies licensing AI capabilities to customers: from R15,000 for a single-tier AI-SaaS agreement; R20,000–R30,000 where multi-modal AI, fine-tuning rights, or output indemnification structures are involved. For SA buyers reviewing a foreign AI vendor's template: R7,500–R12,500 for a 24-hour review with redlined recommendations.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.