A Warsaw-based software company had built a capable SaaS platform and signed its first enterprise clients. The contracts, drafted quickly and without specialist review, looked standard. Eighteen months later, a dispute over data residency, liability caps, and IP ownership brought the relationship to the edge of litigation – and nearly cost the company its largest client.

SaaS contracts governed by Polish law must address a specific set of mandatory and commercially critical clauses to be enforceable and commercially safe. Polish consumer and B2B protection rules, Rozporządzenie o Ochronie Danych Osobowych (General Data Protection Regulation, GDPR) as implemented in Poland, and emerging AI Act obligations all interact with standard SaaS terms. A contract that omits any of these layers exposes the provider to liability that cannot be cured after the fact.

This case study walks through the background of the matter, the legal strategy applied, the negotiation process, and the transferable lessons for any SaaS provider or enterprise buyer operating in Poland. The structure follows four stages: the commercial context, the clause-by-clause analysis, the resolution, and the practical takeaways.

What was the commercial background of this SaaS dispute?

The client – a mid-size Polish SaaS provider registered with the National Court Register (KRS) – had deployed a workforce management platform to three enterprise clients. Each contract ran to roughly 12 pages. None of them contained a data processing agreement (DPA) as a separate annex, which Polish supervisory practice under the Office for Personal Data Protection (UODO) treats as a distinct legal requirement. The liability cap clause referred to "fees paid in the preceding month" without specifying whether that meant net or gross, or which calendar month applied if the dispute arose mid-cycle.

The trigger was a data residency request. One enterprise client, itself subject to sector-specific rules enforced by the Polish Financial Supervision Authority (KNF), demanded written confirmation that all personal data remained within the European Economic Area. The SaaS provider could not produce that confirmation. Its sub-processors included a US-based infrastructure vendor whose Standard Contractual Clauses had never been countersigned by the Polish entity. The client threatened to terminate for material breach and claimed damages exceeding PLN 800,000.

Our team was engaged at that point. The first task was to assess whether the termination right was actually triggered under Polish contract law – and whether the liability cap, ambiguous as it was, could be read in the provider's favour.

Which clauses created the greatest legal exposure?

Three clauses – or rather their absence – concentrated the risk. First, the DPA gap: without a standalone data processing agreement, the provider had no documented basis for processing personal data on behalf of the client. Under GDPR enforcement practice in Poland, this is not a technical defect. It is a ground for regulatory action by UODO, with administrative fines reaching EUR 20 million or four percent of global annual turnover, whichever is higher.

Second, the liability cap ambiguity. Polish courts interpret ambiguous limitation clauses against the party that drafted them – a principle embedded in the Kodeks cywilny (Civil Code, KC). The provider had drafted the contract. That meant the court would likely read "fees paid in the preceding month" as the gross amount for the most recent full calendar month, which in this case was PLN 140,000. The client's damages claim of PLN 800,000 far exceeded that figure, but the cap – if enforceable – would have limited recovery significantly.

  • Missing or unsigned DPA annex
  • Ambiguous liability cap formula
  • No IP ownership clause covering client-specific customisations
  • Absent SLA with defined remedies for downtime

Third, IP ownership. The provider had built several custom modules at the client's request. The contract was silent on whether those modules belonged to the provider or the client. Under Polish copyright law, software is protected as a work, and the default rule does not automatically transfer rights to a commissioning party in a services context. This created a secondary dispute about whether the client could continue using those modules after termination.

We also identified a DORA compliance gap relevant to the financial-sector client. The Digital Operational Resilience Act (DORA) requires financial entities to include specific contractual provisions with ICT third-party service providers – including exit strategies, audit rights, and incident notification timelines of no more than 72 hours. None of these appeared in the contract.

How was the matter resolved?

We secured a negotiated settlement that avoided litigation and preserved the commercial relationship. The provider retained the client, avoided the PLN 800,000 damages claim, and agreed to a contract remediation programme completed within 90 days. The settlement included a retroactive DPA, a restated liability cap formula, and a confirmed IP assignment for the custom modules – in exchange for a 10 percent fee reduction for the following 12 months.

Our team obtained a written confirmation from the US sub-processor's EU entity that Standard Contractual Clauses were in place and covered all processing activities, resolving the data residency issue within 30 days. This was the fastest element to fix – and the one that mattered most to the KNF-regulated client. For further guidance on cross-border data transfer mechanisms applicable to Polish entities, see our analysis of data transfer from Poland to Cyprus – legal mechanisms.

The IP dispute was resolved by agreeing that the provider retained ownership of all modules but granted the client a perpetual, royalty-free licence for internal use. This preserved the provider's ability to commercialise the same functionality for other clients – a result worth considerably more than any short-term concession on fees. We also assisted in drafting a DORA-compliant addendum, including a 72-hour incident notification clause and a documented exit strategy with a 6-month transition period.

We had handled a comparable contract remediation for a SaaS provider in the Mazowieckie region (autumn 2025), where ambiguous IP clauses had similarly created a dispute with an enterprise client. In that matter, we restructured the IP ownership framework and avoided a threatened claim exceeding PLN 500,000. The pattern repeats: standard templates drafted without Polish-law review consistently fail on the same three or four clauses.

What are the transferable lessons for SaaS contracts in Poland?

The lessons from this matter are directly applicable to any SaaS provider or enterprise buyer operating under Polish law. The most important is structural: a SaaS contract is not a single document. It is a bundle – master services agreement, DPA, SLA, acceptable use policy, and (where relevant) a DORA addendum. Missing any element forfeits the legal protection that element was meant to provide.

For providers building an IP protection strategy alongside their SaaS offering, the interaction between software copyright, trademark registration, and contract terms is worth reviewing early. Our article on IP protection strategy for Luxembourg tech companies in Poland covers the structural choices relevant to any tech company entering or operating in the Polish market.

Liability caps deserve particular attention. A well-drafted cap should specify the calculation period (rolling 12 months is market standard), the measurement basis (net fees), and the carve-outs – typically for data protection breaches, IP infringement, and fraud. A cap that omits carve-outs may be read as limiting liability even for GDPR violations, which Polish courts and UODO are unlikely to accept.

  • Treat the DPA as a mandatory annex, not an optional add-on
  • Define liability caps with explicit carve-outs for GDPR and IP claims
  • Resolve IP ownership for custom work before delivery, not after
  • Include DORA-compliant clauses if any client is a financial entity
  • Review sub-processor chains for SCCs before signing enterprise deals

For SaaS companies that also offer equity or incentive arrangements to their development teams, the contractual structure interacts with employment and IP assignment obligations. Our guide on ESOP structuring for Polish startups and tech companies addresses how to align IP ownership, vesting, and employment contracts. Getting this right at the outset prevents the same kind of post-dispute remediation this case required.

The AI Act dimension in Poland is emerging but real. SaaS platforms that incorporate AI-driven decision-making – particularly in HR, credit, or access-control contexts – will need contract terms that reflect AI Act obligations, including transparency requirements and human oversight clauses. Providers who address this now, before enforcement begins, avoid the contract remediation cycle entirely.

A specific situation involving your SaaS contracts requires individual assessment. Ambiguous clauses and missing annexes create irreversible consequences once a dispute is triggered – retroactive fixes are always more expensive and less certain than upfront drafting.

To receive an expert assessment of your SaaS contract structure under Polish law, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does a SaaS contract in Poland always need a separate data processing agreement?

A: Yes, where the provider processes personal data on behalf of the client, a standalone data processing agreement is required under GDPR as implemented in Poland. UODO treats its absence as a breach of the controller-processor relationship, regardless of whether the main contract contains some data protection language. The DPA must specify the subject matter, duration, nature, and purpose of processing, as well as the categories of data and data subjects involved.

Q: How should a liability cap be structured to be enforceable under Polish law?

A: A liability cap should specify the calculation period (typically 12 rolling months), the fee basis (net, excluding VAT), and explicit carve-outs for GDPR violations, IP infringement, wilful misconduct, and fraud. Polish courts apply the Civil Code rule that ambiguous limitation clauses are read against the drafter. A cap without carve-outs risks being interpreted as covering even intentional harm, which Polish law does not permit parties to exclude in advance.

Q: When does DORA apply to a SaaS contract in Poland?

A: DORA applies when a SaaS provider qualifies as an ICT third-party service provider to a financial entity regulated in Poland – including banks, insurers, investment firms, and payment institutions supervised by KNF. The financial entity must ensure the contract includes provisions on service levels, audit rights, incident notification within 72 hours, and a documented exit strategy covering at least a 6-month transition period. Providers who serve even one KNF-regulated client should review their standard terms for DORA compliance now.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology contracts, IP protection, and digital compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
