The UAE has positioned itself as a regional technology hub, with cloud computing, artificial intelligence, and software services driving significant economic growth. For businesses providing or procuring software in this market, understanding the legal framework that governs these arrangements is essential.

Software and SaaS contracts in the UAE must navigate multiple legal layers: contract law principles under the Civil Code, intellectual property protection under the Copyright Law, data protection requirements under the PDPL, electronic transaction rules, and sector-specific regulations that impose data localization obligations. Getting any of these wrong can result in unenforceable terms, regulatory penalties, or disputes that could have been avoided with proper drafting.

This guide explains how these legal frameworks interact and provides practical guidance for structuring software licensing agreements, SaaS subscriptions, and custom development contracts that work under UAE law.

The Legal Framework for Software Contracts in the UAE

No Single "Software Law"

The UAE does not have a dedicated statute governing software licensing or SaaS arrangements. Instead, these contracts are governed by a combination of:

General contract law under Federal Law No. 5 of 1985 (the Civil Code), which establishes the rules for contract formation, performance, breach, and remedies.

Copyright protection under Federal Decree-Law No. 38 of 2021 on Copyrights and Neighboring Rights, which protects software as an intellectual work.

Data protection under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which governs how personal data may be collected, processed, stored, and transferred.

Electronic transactions under Federal Decree-Law No. 46 of 2021 on Electronic Transactions and Trust Services, which validates electronic contracts and signatures.

Consumer protection under Federal Law No. 15 of 2020, which applies to software provided to consumers and restricts certain contract terms.

For businesses operating in the Dubai International Financial Centre (DIFC) or Abu Dhabi Global Market (ADGM), separate common law frameworks apply, including their own data protection regulations.

Why This Matters for Contract Drafting

Many software providers use standard international contracts, often governed by US or English law. While parties can choose foreign governing law for commercial contracts, certain UAE law provisions cannot be contracted out of, and enforcement of foreign judgments in UAE courts can be challenging.

More practically, if your customer is a UAE entity and disputes arise, you may find yourself litigating or arbitrating in the UAE regardless of what your contract says. Understanding how UAE courts interpret key contract terms, and where UAE law imposes mandatory requirements, allows you to draft contracts that actually protect your interests.

Electronic Contracts and E-Signatures

Federal Decree-Law No. 46 of 2021: The Foundation

The Electronic Transactions and Trust Services Law, which came into force on 2 January 2022, replaced the earlier 2006 electronic transactions law and modernized the UAE's approach to digital contracting.

Key principles:

A contract does not lose its validity or enforceability simply because it was formed by electronic messages. Contracts may be concluded between automated electronic systems without personal intervention, and such contracts are valid.

Electronic signatures have legal effect equivalent to handwritten signatures, provided they meet the requirements set out in the law.

Electronic records cannot be denied legal effect solely because they are in electronic form.

Three tiers of electronic signatures:

Signature Type Requirements Legal Effect
Electronic Signature Any electronic method signifying consent (letters, numbers, symbols, voice, fingerprint, or electronic processing) Basic legal recognition; may require additional evidence of identity and intent
Advanced Electronic Signature (AES) Uniquely linked to signatory; capable of identifying signatory; created using data under signatory's sole control; linked to data in way that detects subsequent changes Higher evidentiary weight; presumption of authenticity
Qualified Electronic Signature (QES) Advanced signature supported by qualified certificate from TDRA-authorized Trust Service Provider Equivalent to handwritten signature; highest evidentiary weight

Trust Service Providers:

The Telecommunications and Digital Government Regulatory Authority (TDRA) licenses Trust Service Providers who issue digital certificates and authentication services. Platforms like DocuSign and Adobe Sign are available in the UAE, and UAEPASS (the national digital identity platform) provides QES capability for UAE residents.

Exclusions from Electronic Execution

Not all contracts can be executed electronically under UAE law. The following still require traditional paper execution:

  • Real property transactions (sale, purchase, transfer of interests)
  • Certain civil status documents (marriage, divorce, inheritance)
  • Documents requiring notarization under specific laws
  • Powers of attorney for certain purposes

Software and SaaS contracts do not fall within these exclusions and can be validly executed electronically.

Practical Implications for SaaS Providers

Click-wrap and browse-wrap agreements are generally enforceable in the UAE, provided there is clear evidence of offer and acceptance. For click-wrap agreements, ensure the user must take an affirmative action (clicking "I Accept") to proceed, and that the terms are clearly accessible before acceptance.

Automated contract formation is recognized. SaaS platforms that automatically provision services upon payment or sign-up are forming valid contracts under UAE law, provided the essential elements (offer, acceptance, consideration) are present.

Record-keeping matters. Maintain records of when and how users accepted terms, including timestamps, IP addresses, and the version of terms presented. This evidence may be critical if disputes arise about contract formation.

Intellectual Property Protection for Software

Federal Decree-Law No. 38 of 2021: Copyright Protection

Software is protected as a copyrightable work under UAE law. Article 2 of the Copyright Law explicitly includes "smart applications, software and software applications, databases and similar works" in the list of protected works.

Key features of software copyright protection:

Automatic protection. Copyright arises automatically upon creation of the work. Registration with the Ministry of Economy is not required but is advisable as it provides prima facie evidence of ownership in disputes.

Duration. Economic rights in software last for 50 years from the date of first publication or, if unpublished, 50 years from the date of creation.

Scope of protection. The copyright holder has exclusive rights to reproduce, translate, adapt, distribute, rent, publicly communicate, and make the software available to the public.

Work-for-Hire and Employee-Created Software

Article 28 of the Copyright Law codifies the "work-for-hire" doctrine:

Commissioned works: If software is created for the benefit of another person (i.e., commissioned work), copyright belongs to the person who commissioned it, unless otherwise agreed.

Employee-created works: If an employee creates software during employment that is related to the employer's activities and is directly or indirectly mandated by the employer, or uses the employer's expertise, information, tools, or materials, the economic rights vest in the employer. The law notes that the "intellectual effort of the worker" should be taken into account, which may affect compensation but not ownership.

Personal projects: If an employee creates software unrelated to the employer's business and without using the employer's resources, the employee retains the copyright.

Practical drafting point: Despite the statutory position, it is advisable to include explicit IP assignment clauses in employment contracts and development agreements. The statutory language leaves room for interpretation, and clear contractual terms provide certainty.

Penalties for Software Infringement

The Copyright Law significantly increased penalties for infringement:

Violation Penalty
General copyright infringement Fine AED 10,000 to AED 100,000
Manufacturing or importing counterfeit works Imprisonment minimum 6 months and/or fine AED 100,000 to AED 700,000
Downloading or storing software without licence Imprisonment minimum 6 months and/or fine AED 100,000 to AED 700,000
Disrupting electronic rights management data Imprisonment minimum 6 months and/or fine AED 100,000 to AED 700,000
Repeat offences Higher penalties apply

The increased penalties for unlicensed software downloading are particularly relevant for enterprise software customers. Organizations should conduct regular software audits to ensure licence compliance.

Software Licensing Structures

UAE law does not prescribe specific licensing models. Common structures used in the market include:

Perpetual licences: One-time fee for indefinite use rights, often with separate maintenance and support fees.

Subscription licences: Time-limited use rights, typically annual, with ongoing fees.

Per-user/per-seat licences: Rights tied to number of authorized users.

Enterprise licences: Unlimited use within a defined organization or group.

Open-source licences: Governed by the applicable open-source licence terms (GPL, MIT, Apache, etc.), which UAE courts would generally enforce as contractual terms.

Each structure carries different implications for revenue recognition, liability exposure, and termination rights. The contract should clearly specify the licence scope, permitted uses, restrictions, and what happens to the software upon termination.

Data Protection Requirements

Federal Decree-Law No. 45 of 2021: The PDPL

The UAE Personal Data Protection Law, which came into effect on 2 January 2022, established the country's first comprehensive federal data protection framework. While Executive Regulations are still being finalized as of early 2026, businesses are expected to comply with the law's principles.

Scope: The PDPL applies to any entity that processes personal data of individuals in the UAE, regardless of whether the processing occurs inside or outside the country. It also applies to controllers and processors located in the UAE processing data of individuals anywhere.

Key definitions:

  • Personal data: Any data relating to an identified or identifiable natural person
  • Sensitive personal data: Data revealing racial or ethnic origin, political opinions, religious beliefs, criminal record, biometric or genetic data, or health data
  • Controller: The entity that determines the purposes and means of processing
  • Processor: The entity that processes data on behalf of the controller

Legal Bases for Processing

The PDPL makes consent the default legal basis for processing personal data, but recognizes several alternatives:

  • Performance of a contract with the data subject
  • Compliance with legal obligations
  • Protection of the data subject's vital interests
  • Performance of a task in the public interest
  • Archival, scientific, historical, or statistical purposes
  • Employment, social security, or social protection obligations
  • Medical diagnosis, treatment, or health insurance services

Consent requirements: When consent is required, it must be specific, informed, and unambiguous. The controller must be able to prove that valid consent was obtained. Data subjects must be informed of their right to withdraw consent at any time, and withdrawal must be as easy as giving consent.

Data Subject Rights

The PDPL grants individuals the following rights:

  • Right of access to their personal data
  • Right to rectification of inaccurate data
  • Right to erasure (with exceptions)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right not to be subject to automated decision-making

Controllers must respond to data subject requests within the timeframes specified in the law (generally 30 days, with possible extensions).

Data Processing Agreements

When a controller engages a processor (such as a SaaS provider), the PDPL requires:

  • The processor must provide sufficient guarantees to implement appropriate technical and organizational measures
  • Processing must be governed by a contract that sets out the subject matter, duration, nature, and purpose of processing
  • The processor must act only on the controller's documented instructions
  • The processor must ensure confidentiality commitments from personnel
  • The processor must assist the controller in responding to data subject requests
  • The processor must delete or return data at the end of the relationship
  • The processor must allow and contribute to audits

Practical implication: SaaS providers must offer Data Processing Agreements (DPAs) to UAE customers. Standard international DPAs may need modification to address PDPL-specific requirements.

Cross-Border Data Transfers

The PDPL permits transfers of personal data outside the UAE in the following circumstances:

Adequacy: The recipient jurisdiction has adequate data protection laws recognized by the UAE Data Office.

Appropriate safeguards: In the absence of adequacy, transfers may proceed with:

  • Standard contractual clauses
  • Binding corporate rules
  • Codes of conduct
  • Certification mechanisms

Derogations: Transfers are also permitted based on:

  • Explicit consent of the data subject
  • Necessity for contract performance
  • Legal claims or proceedings
  • Public interest
  • Vital interests of the data subject

As of early 2026, the UAE Data Office has not published an adequacy list or standard contractual clauses. Organizations typically rely on contractual safeguards or explicit consent for cross-border transfers.

Penalties

The PDPL provides for administrative penalties including:

  • Orders to suspend or restrict processing
  • Fines ranging from AED 50,000 to AED 5,000,000

The UAE Data Office has enforcement authority, though its capacity is still developing.

Sector-Specific Data Localization Requirements

While the PDPL does not impose general data localization requirements, sector-specific regulations require certain data to remain in the UAE.

Healthcare

Federal Law No. 2 of 2019 on the Use of Information and Communications Technology in Health Fields requires electronic health data to be stored in the UAE. This applies to healthcare providers, health authorities, and insurance providers.

Implication for SaaS: Healthcare SaaS platforms serving UAE customers must ensure health data is hosted on UAE-based infrastructure. Cross-border transfers require health authority approval.

Financial Services

The UAE Central Bank's Consumer Protection Standards (2021) require licensed financial institutions to store customer and transaction data within the UAE. Cross-border transfers may require Central Bank approval and customer consent.

The Retail Payment Services and Card Schemes Regulation (2021) requires personal and payment data to be stored and maintained in the UAE for entities providing retail payment services.

Implication for SaaS: Fintech and banking SaaS providers must offer UAE data residency options. Standard global deployments may not be compliant.

Government Data

Government entities and contractors handling government data may be subject to additional localization requirements under various regulations and tender conditions.

Free Zones: DIFC and ADGM

The DIFC and ADGM have their own data protection regimes:

DIFC Data Protection Law No. 5 of 2020: Closely aligned with GDPR. Permits transfers to jurisdictions with adequate protection or with appropriate safeguards. Notably, the DIFC does not recognize mainland UAE as having adequate data protection, meaning transfers from DIFC to mainland UAE require safeguards.

ADGM Data Protection Regulations 2021: Also GDPR-aligned. Similar transfer restrictions apply.

Practical implication: Contracts serving customers in DIFC or ADGM must comply with those frameworks in addition to (or instead of) the federal PDPL. Data flows between free zones and mainland UAE require careful structuring.

Contract Law Considerations Under the UAE Civil Code

Formation Requirements

Under the Civil Code, a valid contract requires:

  • Offer and acceptance: Clear offer by one party and unqualified acceptance by the other
  • Capacity: Parties must have legal capacity to contract
  • Lawful purpose: The contract's object must not be contrary to public order or morals
  • Consideration: Something of value exchanged between the parties

Software contracts typically satisfy these requirements without difficulty. However, be aware that UAE law does not require consideration in the same way common law systems do; the concept is framed more broadly as the "subject matter" of the contract.

Language Considerations

While contracts may be drafted in any language, Arabic is the official language of UAE courts. If a dispute proceeds to litigation:

  • Courts will require Arabic translations of all documents
  • In case of conflict between Arabic and English versions, the Arabic version typically prevails

Best practice: For significant contracts, prepare both Arabic and English versions with a clause specifying which prevails. Alternatively, specify that the English version governs and provide for arbitration in English.

Limitation of Liability: The Article 390 Issue

One of the most significant differences between UAE law and common law systems concerns limitation of liability clauses.

Article 390 of the Civil Code provides:

"(1) The contracting parties may fix in advance the amount of compensation either in the contract or in a subsequent agreement, subject to the provisions of the law.

(2) The judge may in all cases, upon the request of either of the parties, vary such agreement so as to make the compensation equal to the loss, and any agreement to the contrary shall be void."

What this means: Even if your contract contains a cap on liability, a UAE court may, upon request by the aggrieved party, increase the compensation to equal the actual loss suffered. The parties cannot contract out of this judicial power.

How courts have applied Article 390:

  • Courts have reduced excessive liquidated damages to reflect actual loss
  • Courts have also increased compensation beyond contractual caps where actual loss exceeded the cap
  • The application has been inconsistent, with some courts showing more deference to commercial bargains than others

Practical implications for software contracts:

  1. Liability caps are not guaranteed. Do not assume your AED 1 million liability cap will hold if actual damages are AED 10 million.
  2. Commercial Code principles may help. Some courts have held that under Commercial Code principles, liability may be excluded or limited by express agreement in commercial contracts. This creates uncertainty but provides an argument for enforceability.
  3. Structure matters. Rather than a single global cap, consider:
    • Separate caps for different types of liability
    • Insurance requirements
    • Indemnification structures
    • Exclusions for specific types of loss (which may be more enforceable than caps)
  4. Carve-outs for fraud and wilful misconduct. Liability for fraud (deceit), wilful misconduct, and gross negligence cannot be excluded under UAE law. Ensure your limitation clause expressly carves out these categories.

Exclusion of Liability for "Harmful Acts"

Article 296 of the Civil Code provides that "any agreement purporting to provide exemption from liability for a harmful act shall be void."

"Harmful acts" refer to tort-based (non-contractual) liability. This means:

  • You cannot exclude liability for negligent acts that cause harm to third parties
  • You cannot exclude liability for damage caused by defective products to persons other than the contracting party

For software providers: Product liability for software defects that cause physical harm or property damage cannot be excluded. This is particularly relevant for software controlling physical systems (IoT, industrial control, autonomous vehicles).

Force Majeure

The Civil Code recognizes force majeure (Article 273), which excuses performance when it becomes impossible due to an extraneous cause beyond the debtor's control.

COVID-19 led to significant force majeure litigation in the UAE. Courts generally required:

  • The event was genuinely unforeseeable
  • The event made performance impossible (not merely more difficult or expensive)
  • The party seeking relief did not contribute to the impossibility

For SaaS contracts: Include a detailed force majeure clause specifying:

  • What events qualify (with examples)
  • Notification requirements
  • Obligations during the force majeure period
  • Rights if force majeure extends beyond a specified period
  • That mere economic hardship does not constitute force majeure

Key Clauses for Software and SaaS Contracts

Licence Grant

The licence grant is the heart of a software contract. It should clearly specify:

Scope of rights:

  • What the licensee may do with the software (use, copy, modify, distribute)
  • Number of users, seats, or instances permitted
  • Whether the licence is exclusive or non-exclusive
  • Geographic restrictions (if any)
  • Field-of-use restrictions (if any)

Restrictions:

  • Prohibited uses (reverse engineering, competitive purposes, illegal activities)
  • Restrictions on modification or derivative works
  • Restrictions on transfer or sublicensing

Example clause:

"Licensor grants Licensee a non-exclusive, non-transferable licence to use the Software solely for Licensee's internal business purposes, subject to the user limits specified in the Order Form. Licensee shall not: (a) sublicense, sell, or transfer the Software to any third party; (b) modify, adapt, or create derivative works based on the Software; (c) reverse engineer, decompile, or disassemble the Software except to the extent expressly permitted by applicable law; or (d) use the Software for the benefit of any third party or for service bureau purposes."

Service Level Agreements (SLAs)

For SaaS contracts, SLAs define the provider's performance commitments:

Availability commitments:

  • Uptime percentage (e.g., 99.9%)
  • Measurement methodology (monthly, excluding scheduled maintenance)
  • What constitutes "downtime"

Remedies for failure:

  • Service credits (the standard remedy)
  • Right to terminate if SLA failures are persistent
  • Whether service credits are the exclusive remedy

Support commitments:

  • Response times for different severity levels
  • Resolution time targets
  • Support hours and channels

UAE-specific consideration: Unlike limitation of liability clauses, service credit provisions are generally enforceable as they represent a price adjustment rather than a limitation on damages.

Data Protection Clauses

Given PDPL requirements, SaaS contracts should include:

Roles and responsibilities:

  • Identification of controller and processor
  • Scope of processing authorized

Security obligations:

  • Technical measures (encryption, access controls)
  • Organizational measures (personnel training, incident response)
  • Compliance certifications (ISO 27001, SOC 2)

Sub-processing:

  • Whether sub-processors are permitted
  • Notification requirements for new sub-processors
  • Liability for sub-processor acts

Data subject rights:

  • Provider's obligations to assist with requests
  • Response timeframes
  • Cost allocation

Data breach notification:

  • Notification timeframes (PDPL requires immediate notification to the Data Office)
  • Content of notification
  • Cooperation obligations

Data location:

  • Where data will be processed and stored
  • Restrictions on cross-border transfers
  • Compliance with sector-specific localization requirements

End of contract:

  • Data return or deletion obligations
  • Transition assistance
  • Certification of deletion

Intellectual Property Ownership

For standard software licences:

"Licensor retains all right, title, and interest in and to the Software, including all intellectual property rights therein. Nothing in this Agreement transfers any ownership rights to Licensee. Licensee acknowledges that the Software contains valuable trade secrets and proprietary information of Licensor."

For custom development:

Specify whether:

  • The customer owns all IP in the deliverables
  • The developer retains ownership and grants a licence
  • The developer retains rights to pre-existing materials and tools
  • The developer may reuse general knowledge, skills, and non-confidential techniques

UAE-specific consideration: Given Article 28 of the Copyright Law (work-for-hire), explicitly state the intended ownership outcome rather than relying on the statutory default.

Warranties and Disclaimers

Common warranties in software contracts:

  • The software will perform substantially in accordance with documentation
  • The software will not infringe third-party intellectual property rights
  • The provider has the right to grant the licence
  • Services will be performed with reasonable skill and care

Disclaimers:

Standard international disclaimers of implied warranties (merchantability, fitness for purpose) may not have the same effect under UAE law, which does not recognize these common law concepts in the same way.

Under the Civil Code, a seller generally warrants that goods are free from defects. Article 544 provides that the seller is liable for latent defects that diminish the value of goods or make them unfit for their intended purpose.

Practical approach:

  • Provide express warranties covering what the software will do
  • Disclaim warranties for matters outside your control (customer modifications, third-party systems)
  • Set time limits for warranty claims
  • Define exclusive remedies for warranty breach (repair, replacement, refund)

Indemnification

Indemnification clauses allocate risk for third-party claims:

Provider indemnities (typical):

  • IP infringement claims
  • Breach of data protection obligations
  • Personal injury or property damage caused by gross negligence

Customer indemnities (typical):

  • Claims arising from customer data or content
  • Claims arising from customer's use of software in violation of the agreement
  • Claims arising from customer's products or services built using the software

UAE-specific considerations:

  • Indemnities for third-party claims are generally enforceable
  • Indemnities cannot extend to matters that would otherwise be prohibited exclusions (fraud, wilful misconduct, harmful acts)
  • Ensure indemnification procedures (notice, control of defence, cooperation) are clearly specified

Term and Termination

Term provisions:

  • Initial term duration
  • Renewal (automatic or manual)
  • Notice periods for non-renewal

Termination rights:

  • Termination for material breach (with cure period)
  • Termination for insolvency
  • Termination for convenience (if permitted, with notice period)
  • Immediate termination for specific events (data breach, regulatory violation)

Post-termination obligations:

  • Cessation of use
  • Data return or deletion
  • Payment of outstanding fees
  • Survival of certain provisions (confidentiality, liability, dispute resolution)

Wind-down period: For critical SaaS systems, consider a mandatory transition period during which the provider must continue service to allow the customer to migrate.

Governing Law and Dispute Resolution

Governing law options:

  1. UAE federal law: Appropriate when both parties are UAE entities or the contract will primarily be performed in the UAE. Provides certainty if disputes go to UAE courts.
  2. DIFC or ADGM law: Common law frameworks that may be more familiar to international parties. Requires connection to the relevant free zone.
  3. Foreign law (English, New York, etc.): Permissible for commercial contracts but enforcement in UAE courts may be challenging. Works best combined with international arbitration.

Dispute resolution options:

  1. UAE courts: Proceedings in Arabic, Civil Code applies, may be slower for complex technical disputes.
  2. DIFC or ADGM courts: English-language common law courts, experienced with commercial disputes, but jurisdiction must be established.
  3. Arbitration: Often preferred for technology contracts. Common choices include:
    • Dubai International Arbitration Centre (DIAC)
    • Abu Dhabi Commercial Conciliation and Arbitration Centre (ADCCAC)
    • DIFC-LCIA Arbitration Centre
    • ICC International Court of Arbitration

Recommended approach for significant contracts:

"This Agreement shall be governed by and construed in accordance with the laws of the United Arab Emirates. Any dispute arising out of or in connection with this Agreement shall be finally resolved by arbitration under the Rules of the Dubai International Arbitration Centre. The tribunal shall consist of one arbitrator appointed in accordance with the Rules. The seat of arbitration shall be Dubai. The language of arbitration shall be English."

Practical Compliance Checklist

For SaaS Providers Entering the UAE Market

Legal structure:

Data protection:

  • Assess PDPL compliance obligations
  • Determine if sector-specific data localization applies
  • Establish UAE data hosting capability if required
  • Prepare Data Processing Agreement for UAE customers
  • Update privacy policy to address PDPL requirements
  • Implement processes for data subject rights requests

Contract documentation:

  • Review standard terms for UAE law compatibility
  • Address Article 390 limitation of liability concerns
  • Ensure electronic contract formation is properly documented
  • Prepare Arabic translations for key contracts
  • Include appropriate governing law and dispute resolution clauses

Intellectual property:

  • Register copyrights with the Ministry of Economy (optional but advisable)
  • Ensure employee and contractor agreements include IP assignments
  • Review open-source licence compliance

For UAE Businesses Procuring Software/SaaS

Due diligence:

  • Verify provider's legal status and financial stability
  • Review provider's security certifications and audit reports
  • Confirm data hosting location and transfer practices
  • Assess provider's PDPL compliance

Contract negotiation:

  • Negotiate appropriate SLAs with meaningful remedies
  • Ensure data protection terms meet regulatory requirements
  • Secure audit rights for data security and compliance
  • Negotiate appropriate liability protections
  • Include clear exit provisions and transition assistance

Implementation:

  • Conduct privacy impact assessment if processing sensitive data
  • Train staff on data handling requirements
  • Establish vendor management and monitoring processes
  • Maintain records of processing activities

Common Pitfalls and How to Avoid Them

Pitfall 1: Assuming International Terms Work in the UAE

Many software providers use US or UK-style contracts without modification. These contracts may include:

  • Warranties and disclaimers based on common law concepts that don't exist under UAE law
  • Limitation of liability clauses that may be unenforceable under Article 390
  • Jurisdiction clauses that are impractical for UAE disputes

Solution: Have your standard terms reviewed by UAE counsel. Understand which provisions may not be enforceable and adjust expectations accordingly.

Pitfall 2: Ignoring Sector-Specific Data Requirements

A global SaaS provider offers healthcare software to a UAE hospital, assuming PDPL compliance is sufficient. The hospital later discovers that health data must be stored in the UAE under Federal Law No. 2 of 2019.

Solution: Identify the customer's industry and applicable sectoral regulations before finalizing data handling arrangements. Offer UAE data residency options for regulated sectors.

Pitfall 3: Unclear IP Ownership in Development Contracts

A UAE company commissions custom software development but relies on the statutory work-for-hire rules without explicit contractual terms. Disputes arise about who owns specific components.

Solution: Include explicit IP assignment clauses specifying ownership of all deliverables, pre-existing materials, and derivative works.

Pitfall 4: Inadequate Exit Provisions

A customer's SaaS provider is acquired or goes out of business. The contract lacks provisions for data return, transition assistance, or source code escrow.

Solution: Negotiate detailed exit provisions including:

  • Data export in standard formats
  • Transition assistance period
  • Source code escrow for critical applications
  • Termination rights upon change of control

Pitfall 5: Overlooking DIFC/ADGM Complexity

A mainland UAE company contracts with a DIFC-based SaaS provider, assuming UAE federal law applies. The provider later asserts DIFC jurisdiction and DIFC data protection requirements.

Solution: Clarify which legal regime applies and ensure compliance with both if necessary. Understand that DIFC and mainland UAE are effectively different jurisdictions.

Frequently Asked Questions

Are click-wrap software licence agreements enforceable in the UAE?

Yes, click-wrap agreements are generally enforceable under the Electronic Transactions Law, provided there is clear evidence of offer and acceptance. The user should be required to take an affirmative action (such as clicking "I Accept") and the terms should be accessible before acceptance. Maintain records of when users accepted terms and which version they accepted.

Can I exclude all liability in a UAE software contract?

No. Liability for fraud, wilful misconduct, and gross negligence cannot be excluded. Liability for "harmful acts" (tort-based claims) cannot be excluded. Furthermore, under Article 390 of the Civil Code, a court may increase compensation to equal actual loss even if the contract contains a liability cap. Structure your liability provisions with these limitations in mind.

Do I need to store customer data in the UAE for my SaaS product?

For general commercial use, no. The PDPL permits cross-border transfers with appropriate safeguards. However, sector-specific requirements mandate UAE data storage for healthcare data, financial services data, and certain government data. Identify your customers' industries and applicable regulations.

Is software automatically protected by copyright in the UAE?

Yes. Under Federal Decree-Law No. 38 of 2021, copyright protection arises automatically upon creation. Registration with the Ministry of Economy is not required but is advisable as it provides strong evidence of ownership in disputes. Penalties for software piracy were significantly increased in 2021.

Can I use English as the contract language?

Yes, contracts may be drafted in English. However, if disputes proceed to UAE courts (excluding DIFC and ADGM), all documents must be translated into Arabic, and the Arabic version may prevail in case of conflict. For significant contracts, consider preparing dual-language versions with a clause specifying which prevails, or specify arbitration in English.

What happens to customer data when a SaaS contract terminates?

The PDPL requires processors to delete or return data at the controller's choice when processing ends. Your contract should specify data return or deletion procedures, timelines, certification requirements, and any transition assistance obligations. The customer should have the right to export their data in a standard format.

How do DIFC and ADGM data protection laws interact with federal UAE law?

DIFC and ADGM have their own data protection regimes that apply to entities operating within those free zones. These laws are more closely aligned with GDPR than the federal PDPL. Importantly, neither DIFC nor ADGM recognizes mainland UAE as having adequate data protection, meaning data transfers between free zones and mainland UAE require safeguards such as standard contractual clauses.

Should I include a source code escrow arrangement?

For mission-critical software, source code escrow provides protection if the provider becomes insolvent, ceases operations, or materially breaches the agreement. The escrow agreement typically allows release of source code to the customer upon specified trigger events. This is particularly important for on-premise software or SaaS applications where the customer has limited alternatives.

Related Resources

Let’s talk

Your success starts with the right guidance.

Whether it’s business or personal, our team provides the insight and guidance you need to succeed.

contact us