Technology Contracts in Hong Kong: SaaS, Outsourcing, and IT Service Agreements

A guide for businesses in Hong Kong entering into technology contracts including SaaS agreements, IT outsourcing arrangements, and managed service contracts, covering key terms, risk allocation, data protection, and termination rights.

Introduction

Technology contracts—whether for software-as-a-service (SaaS) platforms, IT outsourcing arrangements, or managed services—have become central to the way businesses operate in Hong Kong. Yet these agreements are often negotiated with insufficient attention to the legal risks involved: data protection obligations, service continuity, intellectual property ownership, liability for system failures, and exit rights.

This article provides a practical guide to the key legal considerations in technology contracts for businesses in Hong Kong, with a focus on SaaS agreements, IT outsourcing contracts, and managed service arrangements.

SaaS Agreements

A software-as-a-service (SaaS) agreement grants the customer the right to access and use software hosted by the supplier on a subscription basis, without the customer acquiring ownership of the software. The supplier retains ownership of the software, is responsible for hosting and maintaining it, and delivers it as a service over the internet.

Key Terms to Review

Scope of the licence: The agreement should clearly define what the customer is permitted to do with the software—the number of authorised users, permitted use cases, and any restrictions on use (e.g., prohibitions on sublicensing or using the software for third-party services).

Service levels: SaaS agreements should include a service level agreement (SLA) specifying minimum uptime commitments (e.g., 99.9% availability measured monthly), scheduled maintenance windows, response times for technical issues, and the remedies available to the customer if service levels are not met. Credits against subscription fees are a common remedy, but customers should consider whether credits are sufficient compensation for serious outages.

Data ownership and portability: Customer data uploaded to or generated through the SaaS platform should remain the property of the customer. The agreement should confirm this and provide for the export and return of data on termination in a portable, machine-readable format.

Data security and privacy: The supplier will inevitably process personal data on behalf of the customer if the SaaS platform holds customer records, employee data, or other personal information. The agreement should include a data processing agreement (DPA) that addresses the supplier's obligations as a data processor under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), including data security measures, notification of data breaches, and restrictions on sub-processors.

Intellectual property: Any customisations or configurations made to the SaaS platform may be owned by the supplier unless the agreement provides otherwise. Customers who invest in significant customisation should negotiate for ownership or a perpetual licence to those customisations.

IT Outsourcing Agreements

IT outsourcing involves transferring responsibility for managing IT systems, infrastructure, helpdesk services, or software development to a third-party service provider. Outsourcing can deliver cost savings and access to specialist expertise, but creates significant dependencies that must be carefully managed in the contract.

Key Terms to Address

Scope of services: A detailed scope of services schedule should define precisely what the supplier is responsible for, what remains the customer's responsibility, and the boundary between the parties' obligations. Ambiguity about scope is one of the most common sources of disputes in IT outsourcing arrangements.

Transition and knowledge transfer: The agreement should include a detailed transition plan covering the migration of systems, data, and processes from the customer to the supplier (and from any incumbent supplier). The transition plan should include milestones, acceptance testing criteria, and the consequences of delay.

Governance: For long-term outsourcing arrangements, a governance framework is essential—including regular service reviews, escalation procedures, change management processes, and a mechanism for updating the scope as the customer's needs evolve.

Benchmarking and continuous improvement: Long-term contracts should include benchmarking rights enabling the customer to compare the supplier's pricing and service levels against the market, and a continuous improvement obligation requiring the supplier to invest in upgrading systems and processes over the contract term.

Exit and transition assistance: The customer must be able to exit the arrangement—whether at the end of the contract term, following a breach, or for convenience. The agreement should include detailed exit provisions covering the supplier's obligations to assist the customer in transitioning to a new supplier or bringing services back in-house, the duration of transition assistance, and the cost.

Managed Service Agreements

Managed service agreements (MSAs) typically cover the ongoing management and monitoring of specific IT systems or services (such as network infrastructure, cloud environments, or cybersecurity monitoring). Key considerations include:

  • Service catalogue: A clear definition of the services included and excluded
  • Monitoring and reporting: The supplier's obligations to monitor service performance and provide regular reports
  • Incident response: Defined response and resolution times for incidents of different severities
  • Security obligations: The supplier's security obligations, including vulnerability management, access controls, and incident reporting

Liability and Risk Allocation

Technology contracts typically include significant limitations on the supplier's liability—often capping liability at the fees paid in the preceding 12 months and excluding liability for indirect or consequential loss (such as lost profits or reputational damage). Customers should carefully review these limitations and assess whether they provide adequate protection if the supplier fails to perform.

For mission-critical systems, customers should negotiate for carve-outs from liability caps for certain serious breaches, such as data breaches, wilful misconduct, and breaches of data protection obligations.

Compliance with Hong Kong Law

Technology contracts involving the processing of personal data must comply with the PDPO. Key requirements include ensuring that the customer has a lawful basis for processing personal data, that the supplier acts only on the customer's instructions, and that appropriate security measures are in place. The Privacy Commissioner for Personal Data (PCPD) has issued guidance on cloud computing and outsourcing arrangements that is directly relevant to technology contracts.

Conclusion

Technology contracts are among the most commercially significant agreements a business will enter into, yet they are frequently signed without adequate legal review. The risks—data breaches, service failures, vendor lock-in, and IP disputes—can be material. Businesses in Hong Kong should engage experienced technology lawyers to review and negotiate these agreements, ensuring that the contract reflects the commercial arrangements intended and provides adequate protection against foreseeable risks.

Alan Wong LLP advises businesses on technology contracts, IT outsourcing, SaaS agreements, and data protection compliance in Hong Kong. Contact us to discuss your technology contracting requirements.
