Why does a SaaS startup need its own legal stack?
Because a software company’s only real assets — its code, its customer data and its cap table — are each created, by default, in the wrong hands under South African law unless a document fixes it. The developer owns the copyright. The customer’s personal data triggers statutory duties. A handshake equity split leaves a departed co-founder holding a dormant stake forever. Each of these is a one-line fix today and a deal-breaking problem at diligence.
The most expensive of them is intellectual property. Under the Copyright Act, the author of a work is its first owner — so a contractor who writes your code keeps it unless they sign it over.
This guide groups the documents by the stage at which you actually need them, links each to a detailed explainer, and shows where one fixed-fee package covers the whole customer-and-data layer at once.
How to use this guide
Work through the six stages in order. Each stage opens with a one-line summary, then a table of the documents it involves: what each is, why you need it, and when — tagged Day one, Before first sale, Before fundraise, or When it applies. Where a document maps to a fixed-fee service, there is a direct link to have it reviewed or drafted. If you would rather put the core stack in place in a single engagement, the SaaS / Commercial Starter package does exactly that.
A.Formation: incorporate and set up the cap table
Before a single customer or line of code, you need a real legal person to own the intellectual property, hold the equity and sign contracts. A South African startup is a private company — a (Pty) Ltd — incorporated under the Companies Act 71 of 2008. This is Day one.
| Document | What it is | Why you need it | When |
|---|---|---|---|
| Company registration (CIPC) + customised MOI | The CoR forms that bring your (Pty) Ltd into existence, plus its binding constitution. | Contracts, IP, revenue and equity can only live in a company — and the standard MOI lacks the share classes and post-2024 buy-back machinery that vesting needs. | Day one |
| Founders' / Shareholders' Agreement | Sets the equity split, decision-making, exit and restraint between co-founders. | Co-founder fallout is the single biggest startup killer; you fix the split while the company is worth nothing. | Day one |
| Share Subscription Agreement + Securities Register | Records each valid share issue and maintains the statutory register (Companies Act s 50). | On diligence, the register must match what everyone believes they own — or the round stalls. | Day one |
| Cap table | The live, fully-diluted record of who owns what. | The first artefact every investor asks for; it must reconcile to the register and the BO filing. | Day one |
| Beneficial Ownership (BO) declaration | The CIPC filing of the natural persons who own or control 5% or more. | CIPC hard-stops your annual return without it — no good standing, and banks may freeze onboarding. | Day one |
| Founder vesting / reverse-vesting | Founders earn or keep their shares over time (commonly a one-year cliff, then monthly). | Protects the cap table if a founder leaves early; investors expect it and it fixes the tax base while shares are cheap. | Before fundraise |
| Directors' service agreements | The founder-director role, pay, duties and IP (Companies Act s 76). | Documents director pay for SARS and diligence, and ties down director IP and conflicts. | Before fundraise |
B.IP protection: own the product you sell
For a SaaS company the codebase is the company. Under South African law copyright in a work vests in its author by default — and a contractor keeps the IP they create unless they assign it to you in writing. The missing contractor assignment is the most common fatal finding in startup due diligence.
| Document | What it is | Why you need it | When |
|---|---|---|---|
| Founder IP assignment | Founders assign all code, brand and pre-incorporation work to the company. | Copyright vests in the author, not the company they happen to run — without an assignment the company does not own its own product. | Day one |
| Employee confidentiality + IP assignment | Confidentiality plus a present assignment of work product in every employment contract. | Closes the grey edges of "course of employment" and adds a POPIA security undertaking. | Day one |
| Independent-contractor agreement with written IP assignment | Assigns the deliverables of every freelancer and dev shop to the company. | Contractor IP does not auto-vest — paying the invoice gives you, at most, an implied licence. | Before first sale |
| Non-Disclosure Agreement (NDA) | Binds investors, pilots and partners to keep your information secret. | Know-how and algorithms are only legally protectable as confidential information. | Day one |
| Trade-mark application & licence | Registers the product name and licenses the brand to the operating company. | Protects the brand you are building; early CIPC filing avoids an expensive rebrand. | Before first sale |
C.Customer contracts: how you sell the software
How you sell determines your contract. Self-serve online means a clickwrap agreement; negotiated enterprise deals mean a master services agreement and order form. Electronic acceptance is fully binding in South Africa under the ECTA. The decision table below picks the right one.
| Document | What it is | Why you need it | When |
|---|---|---|---|
| Cloud Services Agreement (clickwrap) | Your master customer terms, accepted online at sign-up. | Enforceable under ECTA; it is the core contract behind your subscription revenue. | Day one |
| Master Service Agreement (MSA) + order form | A negotiated framework for enterprise and B2B deals. | For bespoke commercial terms that go beyond a standard clickwrap. | Before first sale |
| End-User Licence Agreement (EULA) | A per-user licence for a consumer app or downloadable product. | For end-user licensing rather than a hosted service. | When it applies |
| Website Terms of Use | The terms governing use of your public website or app. | A site-level contract that limits liability and sets the rules; ECTA s 43 disclosures sit here. | Before first sale |
| SLA addendum | Uptime commitments, service credits and maintenance windows. | Enterprise customers will demand availability terms before they sign. | Before fundraise |
| Support addendum | Support tiers, severity levels and response targets. | Defines what "support" actually obliges you to do. | When it applies |
| Professional services / SOW addendum | Onboarding, implementation and bespoke work under a statement of work. | Paid setup work needs its own scope, acceptance and price. | When it applies |
| AI features addendum | Inputs and outputs, training-data use, and automated-decision disclosures. | Needed the moment your product ships AI or machine-learning features. | When it applies |
| Acceptable Use Policy | Bars abuse of the platform and lets you suspend bad actors. | Gives you a contractual right to act against misuse. | When it applies |
D.Data & POPIA: process personal information lawfully
The moment you process a customer’s personal information you become a "responsible party" — and where you process it for a customer, an "operator" — under the Protection of Personal Information Act 4 of 2013 (POPIA). For the full picture, see our POPIA hub; here are the operative documents.
| Document | What it is | Why you need it | When |
|---|---|---|---|
| Data Protection Addendum (operator agreement) | The POPIA s 21 operator terms you sign with customers and sub-processors. | POPIA makes the written operator agreement mandatory — it is not optional. | Day one |
| Information Officer registration | Appoint and register your Information Officer with the Regulator. | A POPIA precondition; non-compliance exposes you to fines up to R10 million. | Day one |
| Website Privacy Policy (POPIA s 18) | The public notice of what you collect and why. | POPIA s 18 requires you to notify data subjects when you collect their information. | Before first sale |
| Data-breach response procedure (s 22) | Your playbook for notifying the Regulator and affected people. | POPIA s 22 requires breach notification "as soon as reasonably possible". | Before first sale |
| PAIA manual | Your access-to-information manual. | A legally required document for most companies. | Before first sale |
| Cross-border transfer terms (s 72) | The lawful basis for hosting or sub-processing data offshore. | AWS, GCP or Azure regions outside SA need s 72 cover. | Before fundraise |
| Cookie policy | Discloses cookies and trackers on your site. | Transparency, and it interacts with the s 69 electronic-marketing rules. | When it applies |
| Aggregate & anonymised data addendum | Permits analytics and AI training on de-identified data. | Lets you re-use data lawfully once it is genuinely de-identified. | When it applies |
E.Fundraising: get raise-ready
Raising money — even a single angel cheque — turns your loose documents into a data room. Get raise-ready first: the cleaner your formation and IP files, the faster and cheaper the round.
| Document | What it is | Why you need it | When |
|---|---|---|---|
| Convertible note / SAFE | Early money now that converts to equity later. | The fast, founder-friendly instrument for a first raise. | Before fundraise |
| Share Subscription Agreement | The mechanics of a priced equity round. | The document a priced round actually runs on. | Before fundraise |
| Employee Share Scheme (ESOP) | An option pool to attract and keep the team. | Hiring leverage — and investors expect a pool to exist. | Before fundraise |
| Updated MOI + BO filing | The constitution and ownership housekeeping a term sheet requires. | These are conditions precedent to most investments. | Before fundraise |
F.People: hiring, founders and the team
Your first hire makes you an employer bound by the BCEA and the LRA. South Africa has no "at-will" employment: dismissals must follow the Code of Good Practice: Dismissal (in force 4 September 2025, replacing Schedule 8), and parental leave follows the post-Van Wyk position.
| Document | What it is | Why you need it | When |
|---|---|---|---|
| Employment agreement (s 29 particulars) | A written employment contract with the BCEA-mandated particulars. | Required by the BCEA, and the place you secure IP and confidentiality. | Before first sale |
| Workplace policies pack | Disciplinary, grievance, leave, harassment and POPIA-at-work policies. | Aligns to the 2025 Dismissal Code and is what makes discipline defensible at the CCMA. | Before first sale |
| Restraint of trade | Post-employment limits on competing and soliciting. | Enforceable in South Africa if reasonable (Magna Alloys v Ellis). | Before first sale |
| Independent contractor agreement | A genuine contractor engagement with IP assignment. | Avoids a disguised-employment finding under LRA s 200A. | When it applies |
Which customer contract should a SaaS company use?
How you sell decides the contract. Pick the row that matches your motion.
| If you sell… | Use | Why |
|---|---|---|
| Self-serve, online, standard terms | Cloud Services Agreement (clickwrap) | Accepted electronically at sign-up; ECTA-enforceable; no negotiation. |
| Negotiated enterprise / B2B deals | MSA + order form | Bespoke, signed commercial terms; the addenda hang off it. |
| Consumer app / per-user licence | EULA (clickwrap) | An end-user licence rather than a hosted-service contract. |
| Resellers / channel partners | Reseller & distribution agreement | Governs onward sale of your product and the sublicence granted. |
| Early access / unpaid trials | Beta & pilot agreement | Limits liability and protects IP during testing. |
| Any of the above + personal data | + Data Protection Addendum | Layers POPIA s 21 operator terms on top of the contract. |
| Any of the above + an uptime promise | + SLA addendum | Adds availability commitments and service credits. |
Which documents come first?
If you do nothing else, get the Day-one column in place before you write a line of production code or sign a customer.
| Stage | Must-have Day one | Before first sale | Before fundraise |
|---|---|---|---|
| Formation | Incorporation, customised MOI, founders’ agreement, subscription + register, cap table, BO filing | — | Vesting, directors’ service agreements |
| IP | Founder IP assignment, employee confidentiality + IP, NDA | Contractor IP assignment, trade mark | — |
| Customers | Cloud Services Agreement (clickwrap) | MSA, Website Terms | SLA addendum |
| Data / POPIA | DPA, Information Officer | Privacy policy, breach procedure, PAIA manual | Cross-border transfer terms |
| Fundraising | — | — | SAFE/convertible, subscription, ESOP, updated MOI/BO |
| People | — | Employment agreement, policies pack, restraint | — |
Common founder mistakes & myths
“We paid the freelancer, so we own the code.”
No. Under the Copyright Act the contractor is the author and first owner; ownership transfers only by a written, signed assignment (s 22(3)). Payment gives, at most, an implied licence.
“US ‘work made for hire’ covers us.”
That doctrine is not South African law. Only true employees auto-vest IP (s 21(1)(d)), and even then side-projects can fall outside the “course of employment”.
“Our shareholders’ agreement handles vesting and buy-backs.”
A shareholders’ agreement term that conflicts with the MOI or the Act is void (Companies Act s 15(7)). A company buy-back of unvested shares must be executable under the amended s 48 (special resolution since 27 December 2024) and pass the s 4 solvency-and-liquidity test.
“Beneficial-ownership filing is for big companies.”
There is no startup exemption. CIPC hard-stops your annual return without a BO filing, and you lose good standing.
“A standard CIPC MOI is fine.”
It has one share class and lacks current buy-back machinery, so vesting and investor rights become unenforceable — forcing a rushed amendment on a financing’s critical path.
“POPIA only matters once we’re big.”
POPIA applies from your first customer record. You need an operator agreement (s 21), a privacy notice (s 18) and a breach procedure (s 22) — and an Information Officer — regardless of size.
“Free downloaded contracts are good enough.”
Template terms, privacy policies and employment contracts routinely miss POPIA s 21, ECTA acceptance mechanics, the 2025 Dismissal Code, and the post-Van Wyk parental-leave position.
“We’ll sign the founders’ agreement once we’re bigger.”
By then a departed co-founder keeps a dormant stake forever and the cap table is un-investable. It is cheapest to fix on Day one.
Frequently asked questions
What legal documents does a SaaS startup in South Africa need first?
On Day one: company incorporation (a (Pty) Ltd under the Companies Act 71 of 2008), a customised MOI, a founders’/shareholders’ agreement, founder IP assignments under the Copyright Act 98 of 1978, a CIPC beneficial-ownership filing, and a clickwrap customer agreement. Everything else stacks on top, stage by stage.
Who owns the code if a contractor builds my MVP?
The contractor does, by default. The Copyright Act 98 of 1978 makes the author the first owner of copyright, and an assignment is only effective if it is in writing and signed (s 22(3)). Without a signed assignment, your company is selling software it does not legally own.
Is a clickwrap "I agree" SaaS contract legally binding in South Africa?
Yes. The Electronic Communications and Transactions Act 25 of 2002 (ECTA) recognises electronic agreements; section 22 confirms a contract is not without legal force merely because it was concluded electronically, provided the terms were accessible and the customer assented.
Do I need a data processing agreement for my SaaS?
Yes. If you process personal information on a customer’s behalf you are an "operator", and POPIA section 21 requires a written operator (data-processing) agreement. You also need a privacy notice (s 18) and a breach-response procedure (s 22).
What is the CIPC beneficial-ownership filing, and does my startup have to do it?
It identifies the natural persons who ultimately own or control 5% or more of the company. Every company must file it, and CIPC blocks your annual return without it — so there is no startup exemption.
How should founder vesting be structured in South Africa?
Usually as reverse vesting: shares are issued up front, but the company or co-founders can buy back the unvested portion if a founder leaves early. A buy-back by the company is a Companies Act s 48 repurchase — generally requiring a special resolution since 27 December 2024 — and must pass the section 4 solvency-and-liquidity test, which is why many deals route the repurchase to the co-founders instead.
Is a restraint of trade enforceable against a departing co-founder or employee?
Yes, if it is reasonable. South African courts treat restraints as prima facie enforceable (Magna Alloys & Research v Ellis 1984 (4) SA 874 (A)), with the person resisting bearing the onus, weighing the protectable interest against the right to work.
When does hiring my first developer trigger employment law?
Immediately. The BCEA requires written particulars (s 29), dismissals must follow the Code of Good Practice: Dismissal (in force 4 September 2025), parental leave follows the post-Van Wyk v Minister of Employment and Labour [2025] ZACC 20 position, and you become a POPIA responsible party for employee data.
Can a US SaaS template just be adapted for South Africa?
Not safely. US templates miss POPIA s 21 operator terms and breach rules, ECTA acceptance mechanics, the CPA limits on liability clauses, and SA-specific IP assignment (s 22(3)) and employment law. "Work made for hire" is not South African law. The structure usually needs to be rebuilt, not translated.
Can I put the whole stack in place in one engagement?
Yes. The SaaS / Commercial Starter package bundles the core customer and data documents — a clickwrap cloud services agreement plus the data-protection, anonymised-data, AI-features, SLA, support and professional-services addenda, with your website terms and privacy policy — as one fixed-fee engagement.
Sources & authorities
- 1.Companies Act 71 of 2008 (ss 4, 40, 48, 50, 76)
- 2.Companies Amendment Act 16 of 2024 (s 48 share buy-backs, in force 27 December 2024)
- 3.Copyright Act 98 of 1978 (ss 1, 21, 22(3))
- 4.Protection of Personal Information Act 4 of 2013 (ss 18, 19, 21, 22, 69, 72)
- 5.Electronic Communications and Transactions Act 25 of 2002 (ss 11, 22, 43, 44)
- 6.Consumer Protection Act 68 of 2008 (ss 48–54)
- 7.Basic Conditions of Employment Act 75 of 1997 (s 29)
- 8.Labour Relations Act 66 of 1995
- 9.Code of Good Practice: Dismissal, Government Gazette 53294 (in force 4 September 2025)
- 10.Van Wyk v Minister of Employment and Labour [2025] ZACC 20 (parental leave)
Every authority above was checked against its primary source in June 2026. This page is general information about South African law, not legal advice.