SaaS Customer Contract Assignment and Change-of-Control in M&A

SaaS acquisitions are fundamentally acquisitions of recurring revenue, and recurring revenue is only as durable as the contracts that underlie it. A buyer that acquires a SaaS business without systematically reviewing the assignability, change-of-control, and consent provisions in every material customer agreement may close on a portfolio of contracts that customers can exit the day after announcement. The legal analysis required to assess this risk is not complex in its individual elements, but it is granular: it requires reading every material customer agreement, mapping the specific contractual language against the transaction structure, and resolving consent obligations through a coordinated outreach process before closing conditions are satisfied.

This sub-article is part of the Tech and Software M&A Legal Guide. It addresses assignability clause analysis, change-of-control clause mechanics, the structural distinction between stock and asset deals for assignment purposes, anti-assignment defaults under state contract law, customer concentration and consent risk, most favored customer clause exposure, SLA carryover, data processing agreement novation under GDPR Article 28 and CCPA, data portability on termination, audit rights transfer, consent collection strategy and timing, closing conditions tied to customer consent thresholds, and post-closing customer communications and retention.

Acquisition Stars advises buyers, sellers, and strategic acquirers on SaaS M&A contract diligence, customer consent processes, and post-closing integration. Nothing in this article constitutes legal advice for any specific transaction.

Assignability Clause Analysis: Permitted Transfers, Affiliate Carve-Outs, and Successor Language

The assignability provision in a SaaS customer agreement governs whether the vendor's rights and obligations under the contract can be transferred to another party without the customer's consent. The baseline rule in most commercial contracts, codified in Restatement (Second) of Contracts section 317, is that contract rights are freely assignable unless assignment would materially change the duty of the obligor, materially increase the burden or risk imposed on the obligor, or impair the obligor's chance of obtaining return performance, or unless assignment is prohibited by law or by express agreement. In enterprise SaaS agreements, the express agreement typically modifies this default in one of three directions: outright prohibition of assignment without consent, permission for assignment to affiliates without consent, or permission for assignment to a successor entity in connection with a merger or sale of substantially all assets.

The affiliate carve-out is the narrowest of the permitted assignment categories. An affiliate is typically defined in the agreement as an entity controlled by, controlling, or under common control with the contracting party, where control means ownership of more than 50 percent of the voting securities. An assignment to an affiliate allows the vendor to transfer the contract to a subsidiary, a sister company, or a parent entity without triggering the consent requirement, but it does not permit assignment to the acquiring entity in a third-party acquisition unless that acquirer becomes an affiliate through the transaction. A buyer that acquires a controlling but not majority interest in the target may find that the affiliate carve-out does not apply, and that assignment to the acquirer requires customer consent even under an agreement that facially appears to permit affiliate assignments.

The successor carve-out is broader and specifically addresses M&A transactions. A well-drafted successor clause permits assignment to any entity that acquires all or substantially all of the assets or business of the assigning party, or that acquires the assigning party through a merger or consolidation. The key phrase "substantially all" introduces interpretive uncertainty: it is not a defined term in most agreements, and the threshold for what constitutes a sale of substantially all assets is a fact-specific determination that varies by jurisdiction. In a partial asset acquisition where the acquirer purchases a product line, a geographic region, or a business unit that constitutes less than all of the vendor's operations, the successor carve-out may not apply, and customer consent may be required for each agreement in the acquired portfolio. Diligence should identify not only which agreements contain successor carve-outs but how broad those carve-outs are and whether the contemplated transaction structure falls within their scope.

Change-of-Control Clauses: Deemed Assignment, Termination Rights, and Consent Requirements

A change-of-control clause is a distinct contractual mechanism from an anti-assignment provision and operates on a different legal theory. An anti-assignment clause restricts the transfer of the contract itself. A change-of-control clause restricts changes in ownership or control of the contracting party, regardless of whether any contract transfer occurs. The two clauses are often found in the same agreement and their interaction must be analyzed together, but they protect different customer interests. Anti-assignment restrictions protect the customer's right to know and approve its contractual counterparty. Change-of-control restrictions protect the customer's interest in the ownership, strategy, and competitive positioning of the company that holds and processes its data and delivers its services.

Change-of-control clauses take three principal forms in enterprise SaaS agreements. The first form deems a change of control to constitute an assignment and subjects the transaction to the same consent mechanics that govern voluntary assignments. Under this structure, if the assignment restriction requires customer consent for any assignment, the change of control triggers a consent obligation; if the assignment restriction contains a successor carve-out, the change-of-control clause may incorporate that carve-out by reference. The second form grants the customer a right to terminate upon a change of control without any obligation to provide or withhold consent. A termination right without a consent requirement means the customer cannot block the transaction, but it can exit the relationship after the transaction closes, which creates churn risk rather than closing risk. The third form requires the vendor to notify the customer of the change of control and grants the customer a defined period, typically 30 to 90 days after notice, to elect to terminate the agreement or allow it to continue. During this election period, the customer has full optionality; the agreement continues unless and until the customer exercises the termination right.

The triggering threshold in a change-of-control clause determines which transactions activate the provision. Common thresholds include: acquisition of more than 50 percent of the outstanding voting securities; any merger, consolidation, or reorganization resulting in the voting securities of the vendor immediately before the transaction representing less than 50 percent of the combined entity immediately after; and any transaction resulting in a single person or entity gaining the ability to direct the management or policies of the vendor. Buyers should resist the assumption that a change-of-control clause will be triggered by their specific transaction without reading the definition carefully, because some clauses are drafted to exclude internal reorganizations, subsidiary acquisitions, or transactions where the vendor's current shareholders retain majority control.

Stock vs. Asset Deal Impact on Assignability

The choice between a stock purchase and an asset purchase has significant but often misunderstood implications for SaaS customer contract assignability. In a stock purchase, the buyer acquires the equity of the target entity, not the assets of that entity. The target entity remains the legal counterparty to all of its customer agreements. No assignment of any contract occurs as a matter of law, because the contracting party has not changed: the same legal entity that signed the customer agreement continues to be bound by it after the transaction closes. This means that pure anti-assignment clauses, which restrict the transfer of the contract itself, are not triggered by a stock purchase, because no transfer of the contract occurs.

The practical protection afforded by the stock purchase structure is narrower than buyers sometimes expect, for two reasons. First, as discussed above, many enterprise SaaS agreements contain change-of-control clauses that operate independently of the anti-assignment provision and are triggered by a majority ownership transfer regardless of whether any contract transfer occurs. A stock purchase that results in the buyer owning more than 50 percent of the target directly triggers a change-of-control clause that grants consent or termination rights. Second, some anti-assignment clauses are drafted broadly enough to encompass a transfer of the contracting party itself, not just a transfer of the contract. Language such as "this agreement may not be assigned, directly or indirectly, by operation of law or otherwise, without prior written consent" can capture a stock purchase as an indirect assignment or an assignment by operation of law, even though no formal contract transfer occurs.

In an asset purchase, the buyer acquires the target's assets and assumed liabilities. Customer contracts are among the assets to be transferred, and each transfer constitutes an assignment of the vendor's rights under the agreement to the buyer. This means that every anti-assignment clause in every assigned customer agreement is directly triggered. The buyer must obtain customer consent for any agreement that requires consent and lacks a successor carve-out, cannot assign, or cannot cause the target to assign, any agreement that expressly prohibits assignment regardless of circumstances. In practice, most large SaaS acquisitions are structured as stock purchases or mergers precisely to minimize the scope of required customer consent, but asset purchases remain common in carve-out transactions, distressed acquisitions, and situations where tax or liability allocation considerations favor an asset structure.

Anti-Assignment Defaults Under State Contract Law

Where a SaaS customer agreement is silent on assignment, the applicable state contract law supplies the default rule. Under common law, the right to receive performance under a contract is generally freely assignable, but the duty to perform a contract that involves personal skill, discretion, or a relationship of trust is not delegable without the obligee's consent. Enterprise SaaS agreements typically do not involve personal services in the common law sense: the software is delivered algorithmically, the support is provided by a team rather than a named individual, and the performance obligations do not depend on a specific person's unique skill or discretion. For this reason, courts have generally held that SaaS and software license agreements are assignable absent an express prohibition, because the identity of the vendor is not material to the customer's performance expectations in the way it would be for a professional services or creative services agreement.

UCC Article 2, which governs the sale of goods, provides a somewhat different default: a party may assign its rights under a contract unless assignment would materially change the duty of the other party, materially increase the burden or risk imposed on the other party, or materially impair the other party's chance of obtaining return performance. For SaaS agreements, the application of UCC Article 2 versus common law depends on whether the agreement is characterized as a sale of goods (software license), a service agreement, or a hybrid, and this characterization varies by jurisdiction and by the specific terms of the agreement. In states that apply common law to software agreements, the assignability default is more permissive; in states that apply UCC Article 2, the material change standard applies. In either case, diligence should not rely on default rules for material customer agreements. Any agreement without an express assignability provision that is material to the transaction should be reviewed by counsel to assess the applicable default and whether assignment in the contemplated transaction structure would be enforceable without consent.

Some states have adopted specific rules modifying the common law default for software licenses or data agreements. California, for example, applies a strong public policy against unreasonable restraints on the alienation of contract rights, which can affect the enforceability of anti-assignment clauses in agreements governed by California law. Delaware courts have generally enforced anti-assignment clauses as written but have been receptive to arguments that successor carve-outs should be construed broadly to effectuate the reasonable expectations of the parties. Buyers who face ambiguous assignment language in material customer agreements should obtain a jurisdiction-specific legal opinion on enforceability before relying on the successor carve-out or the common law default to proceed without consent.

Customer Concentration and Consent Risk

Customer concentration is a standard due diligence risk category in any acquisition, but in a SaaS transaction where material customer agreements contain consent or termination rights, customer concentration carries a specific and quantifiable legal dimension. If a customer representing 20 percent of annual recurring revenue holds a consent right under its agreement, and that customer refuses to grant consent or elects to terminate upon a change of control, the buyer loses 20 percent of the ARR it paid to acquire at closing. This revenue loss may not be recoverable through indemnification if the agreement itself contemplated and permitted the customer's election to terminate. The seller's representation that the agreement is in full force and effect does not preclude the customer from exercising a contractually granted termination right: the agreement was in full force and effect, and the termination right was part of what was in full force.

Consent risk analysis during diligence requires three parallel workstreams. First, a contract review workstream identifies every material customer agreement that contains an assignment restriction or change-of-control clause, maps the specific triggering language and consent mechanics, and determines whether the contemplated transaction structure triggers the provision. Second, a revenue concentration workstream maps the customer agreements identified in the contract review to the revenue contributed by each customer, producing a consent risk matrix that shows the ARR at risk from each agreement requiring consent. Third, a relationship intelligence workstream assesses the likelihood that each at-risk customer will grant consent, based on the strength of the vendor-customer relationship, the customer's renewal history, the customer's competitive sensitivity to the acquirer's identity, and any known concerns the customer has raised about the transaction.

The consent risk matrix produced by these three workstreams informs both the deal economics and the purchase agreement structure. If the consent risk matrix shows that customers holding agreements that require consent represent a material percentage of ARR, the buyer must decide whether to address that risk through pre-closing consent solicitation, through purchase price adjustment mechanisms, through closing condition thresholds, or through seller indemnification for post-closing customer churn attributable to the triggering event. Each of these mechanisms has different implications for deal timing, seller cooperation, and post-closing economics, and the right structure depends on the specific risk profile of the target's customer portfolio.

Most Favored Customer Clauses Triggered by Acquisition

Most favored customer clauses obligate the SaaS vendor to offer the MFC-protected customer pricing and terms no less favorable than those offered to any other customer for comparable services. In a pre-acquisition context, MFC clauses are priced and managed against the vendor's existing customer book. In an M&A context, the acquisition introduces new variables that can trigger MFC adjustments in ways that were not anticipated at the time the MFC clause was negotiated. The acquirer's existing customer relationships, the combined entity's pricing strategy, and the acquirer's practice of offering promotional terms, volume discounts, or strategic pricing to new or retained customers can all create MFC exposure if the combined entity's pricing to other customers becomes more favorable than the MFC-protected customer's existing terms.

The scope of the MFC comparison obligation is determined by the specific language of the clause. A broadly drafted MFC clause that requires the vendor to offer the customer pricing no less favorable than pricing offered to "any other customer" creates exposure across the entire customer portfolio of the combined entity after closing. A more narrowly drafted clause that limits the comparison to customers receiving "comparable services" or "similar volumes" creates a factual question about which customers fall within the comparison class, and whether post-closing pricing variations fall within or outside the class. Buyers should review MFC clauses not only for their existence but for the breadth of the comparison class, the frequency of the MFC check (some clauses require periodic certification of MFC compliance), and the remedy available to the customer if MFC compliance is not maintained.

Post-closing integration planning must account for MFC obligations. If the acquirer plans to offer promotional pricing to new customers as part of a post-acquisition growth strategy, or to honor existing discounts offered by the acquirer to its pre-existing customers for products that now overlap with the acquired SaaS platform, the combined entity may trigger MFC adjustments for protected customers across the target's entire portfolio. Quantifying this exposure requires modeling the acquirer's existing pricing book against the MFC-protected customers' current terms, identifying any pricing differential, and estimating the revenue impact of reducing the protected customers' fees to match the lower pricing. This analysis should be completed during diligence, not after closing, because it can affect the acquisition price and the representation and warranty framework.

Uptime and SLA Carryover

SaaS customer agreements routinely include service level agreements that specify minimum uptime commitments, response times for support incidents, resolution times for critical issues, and remedies for SLA failures, typically in the form of service credits applied to future invoices or, in enterprise agreements, the right to terminate for material breach if SLA failures persist below a defined threshold. SLA obligations are not separate from the customer agreement: they are integrated provisions that transfer with the agreement in an asset purchase or remain binding on the acquired entity in a stock purchase. A buyer that closes without assessing whether its infrastructure and operations can meet the SLA thresholds of the acquired customer portfolio may face immediate SLA failures during the integration period, triggering service credit obligations and, in the most severe cases, customer termination rights based on repeated SLA breaches.

The operational assessment of SLA carryover involves reviewing each material customer agreement's SLA terms and comparing those terms to the acquirer's existing infrastructure capabilities and planned post-closing integration timeline. If the target's uptime commitments are supported by infrastructure that will be migrated to the acquirer's platform during integration, there is a period of migration risk during which uptime guarantees may be harder to maintain. If the target's support SLAs require response times that the acquirer's support organization is not staffed to meet for the acquired customer base, the acquirer must either hire sufficient support personnel before closing or negotiate SLA transition provisions with customers as part of the consent process. In some transactions, parties agree to SLA carve-outs or modification periods during integration, either incorporated into the purchase agreement as an operational covenant or negotiated directly with individual customers as part of the consent solicitation.

A seller's compliance history with its own SLA commitments is itself a diligence item. If the target has a pattern of SLA failures prior to the acquisition, those failures represent both a potential liability (service credits that should have been issued but were not) and an indicator of operational deficiencies that may persist post-closing. Diligence should include a review of SLA credit logs, customer support ticket histories, incident reports, and any customer complaints or formal notices of SLA breach to assess the target's actual SLA compliance record against its contractual commitments.

Data Processing Agreement Novation Under GDPR Article 28 and CCPA Service Provider Terms

SaaS vendors that process personal data on behalf of their customers typically operate as data processors under GDPR and as service providers under the CCPA. In both frameworks, the processing relationship must be governed by a written agreement that satisfies specific legal requirements. GDPR Article 28 requires that processing by a processor on behalf of a controller be governed by a contract that sets out the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects; and the obligations and rights of the controller. The Article 28 contract must include specific mandatory provisions, including requirements that the processor process personal data only on documented instructions from the controller, impose confidentiality obligations on authorized persons, implement appropriate technical and organizational security measures, and assist the controller in responding to data subject rights requests.

In an M&A transaction that changes the legal identity of the data processor, the existing data processing agreement must be novated to reflect the acquiring entity as the new processor, because the original agreement was executed between the customer as controller and the target as processor. Novation is a three-party agreement that substitutes a new party for an original party, releasing the original party from its obligations and binding the new party to the same terms. Under GDPR, novation of a DPA is not merely a contractual formality: it is required to ensure that the customer as controller has a valid Article 28 contract with the entity that is actually processing its data post-closing. A gap in DPA coverage, even a brief one during the transition from target to acquirer, means that processing of personal data is occurring without a compliant legal basis, which constitutes a GDPR violation that the supervisory authority can investigate and fine regardless of whether any data breach occurs.

The CCPA service provider framework imposes parallel requirements. A service provider under the CCPA is a business that processes personal information on behalf of a business pursuant to a written contract that prohibits the service provider from retaining, using, or disclosing personal information for any purpose other than the specific business purpose specified in the contract, or for any commercial purpose outside the direct business relationship. If the target is a CCPA service provider to its customers, the written contract establishing that service provider relationship must identify the contracting entity. An acquisition that changes the contracting entity requires either novation of the service provider agreement or a written acknowledgment from the customer that the acquirer assumes the service provider designation and the associated use restrictions. Without this formalization, the acquirer may be processing California personal information as a third party rather than a service provider, eliminating the service provider exception to the CCPA's data sharing restrictions and creating exposure for both the acquirer and the customer.

Data Portability on Termination and Audit Rights Transfer

Enterprise SaaS agreements routinely include data portability provisions that obligate the vendor to provide the customer with its data in a usable format upon termination of the agreement. The scope of this obligation varies: some agreements specify the format in which data must be provided, the timeframe within which data must be delivered after termination, and whether data portability is available during or only upon expiration of the agreement. Under GDPR Article 20, data subjects also have an independent right to data portability that applies when processing is carried out by automated means and is based on consent or contract, which creates a regulatory overlay on the contractual data portability obligation. In an M&A context, the acquirer inherits the data portability obligations attached to every assigned or assumed customer agreement and must ensure that its post-closing systems are capable of fulfilling those obligations in the format and within the timeframe specified.

Audit rights provisions grant customers the right to audit the vendor's systems, processes, and records to verify compliance with security, data protection, and contractual obligations. These provisions are particularly common in enterprise SaaS agreements with financial services, healthcare, and government customers who have regulatory obligations to ensure that their data processors and service providers maintain adequate controls. Audit rights typically specify the frequency of audits, the notice required before an audit, the scope of systems and records subject to audit, the allocation of audit costs between the parties, and whether the customer may conduct the audit directly or must use a mutually agreed third-party auditor.

In a stock purchase, audit rights remain obligations of the acquired legal entity and transfer automatically. In an asset purchase where the customer agreement is assigned, audit rights transfer with the assigned agreement, provided the assignment is valid. Post-closing, the acquirer must be operationally prepared to fulfill audit obligations on the terms specified in each material customer agreement. This may require maintaining legacy systems or records from the target during a transition period, ensuring that the acquirer's security and compliance documentation covers the systems used to process the acquired customers' data, and training the acquirer's compliance and legal teams on the audit procedures required by each significant customer agreement. Some acquirers use the customer consent solicitation process as an opportunity to propose amendments to audit provisions, modernizing the audit scope or notice requirements to align with the acquirer's standard enterprise contract terms, in exchange for granting consent to the assignment or change of control.

Consent Collection Strategy and Timing: Pre-Signing vs. Post-Signing

The strategic question of when to solicit customer consent is one of the most consequential process decisions in a SaaS acquisition. The choice between pre-signing and post-signing consent collection involves a direct tradeoff between closing certainty and deal confidentiality, and the right approach depends on the specific characteristics of the target's customer portfolio, the concentration of revenue among customers holding consent rights, and the acquirer's risk tolerance for post-signing uncertainty.

Pre-signing consent solicitation, where the buyer and seller approach key customers on a confidential basis before the transaction is publicly announced, provides the highest level of closing certainty because the parties enter into the purchase agreement knowing that anchor customers have already granted consent or indicated their intent to do so. The primary risks of pre-signing solicitation are confidentiality and relationship disruption. Approaching a customer about a pending acquisition before the deal is signed requires disclosing the transaction to a third party whose discretion cannot be legally compelled. If the customer discloses the transaction to competitors, suppliers, or the press, the announcement sequence is disrupted and the parties lose control of the deal narrative. Some customers respond to pre-signing outreach by pausing renewal negotiations, deferring expansion discussions, or engaging competitors while they assess the pending change of control, which creates commercial disruption independent of any legal consent issue.

Post-signing consent solicitation, which is more common in practice, preserves confidentiality through signing and allows the parties to control the public announcement. The transaction is signed with a closing condition tied to obtaining consent from customers above a defined revenue threshold, and consent solicitation begins immediately after public announcement. This approach transfers the consent risk to the period between signing and closing: if key customers refuse consent or elect to terminate during this period, the parties face a choice between renegotiating the closing condition threshold, extending the timeline to allow further consent efforts, or invoking the failure of the closing condition to walk away from the transaction. Post-signing consent solicitation also creates an opportunity for key customers to use the consent process as negotiating leverage to extract better pricing, expanded rights, or contractual modifications from the vendor before granting consent.

Closing Conditions Tied to Customer Consent Thresholds

Where customer consent is required for a meaningful portion of the target's ARR, the purchase agreement should include a closing condition that addresses the consent risk explicitly. The structure of this condition varies based on the customer portfolio's characteristics. In a transaction where revenue is highly concentrated in a small number of customers, the closing condition may specify consent from each customer above a defined annual contract value, or from a list of specifically named anchor customers, as a condition to closing. This structure gives the buyer a binary right to decline to close if any named customer withholds consent, regardless of the aggregate revenue percentage affected.

In a transaction with a more diversified customer base, the closing condition is typically framed as a percentage of total ARR or total annual contract value held by customers who have granted valid consent. The threshold is negotiated based on the buyer's assessment of how much post-closing churn from non-consenting customers it can absorb while still achieving the acquisition's financial objectives. A threshold set at 80 percent of ARR means the buyer will close if customers representing at least 80 percent of the target's ARR have granted consent, accepting the risk that some of the remaining 20 percent may exit post-closing. The threshold should be set at a level that reflects the buyer's actual economics, not a number negotiated for its optics, because the buyer's obligation to close at the threshold is unconditional once the condition is satisfied.

The purchase agreement should also address what constitutes "valid consent" for purposes of the closing condition. Consent that is conditioned on the vendor accepting material contract modifications, such as price reductions, SLA improvements, or expanded termination rights, may or may not satisfy the closing condition depending on how the agreement defines consent. A buyer who closes relying on consents that are conditioned on future concessions it has not yet agreed to grant may find that the post-closing consent process results in renegotiated terms that alter the economics of the acquired customer relationships. The definition of valid consent in the closing condition should specify that consent must be unconditional or should enumerate the categories of conditions that will be deemed acceptable.

Post-Closing Customer Communications and Retention

Post-closing customer communications are as important to the success of a SaaS acquisition as the legal consent process that precedes them. Customers who granted consent did so based on representations about how the acquirer will operate the product, support the customer base, and maintain the service levels they rely on. Customers who held termination rights and chose not to exercise them made that choice based on their assessment of the acquirer's intentions. Both groups are evaluating whether to remain customers through the first renewal cycle, and the post-closing communication program is the primary mechanism through which the acquirer shapes that evaluation.

The post-closing communication plan should be developed before closing and executed immediately upon announcement. Key messages should address product continuity (the product roadmap, the team responsible for it, and the commitment to continued development), support continuity (the support organization, response times, and escalation paths), integration timeline (when and how the product may be integrated with the acquirer's platform, and what that means for existing customers), and executive accountability (the specific person at the acquiring organization who is responsible for the acquired customer relationships). Communication should be delivered through the channel most meaningful to each customer segment: large enterprise customers warrant personal outreach from senior executives; mid-market customers may be addressed through a combination of direct outreach and organized webinar communications; smaller customers may be reached through email and in-product notifications.

Customer retention programs should be designed and resourced before closing. At-risk customers, identified during diligence based on consent resistance, renewal timing, or relationship quality indicators, should receive dedicated retention attention from the acquirer's customer success organization in the first 90 days post-closing. Contractual levers for retention, such as multi-year renewal incentives, usage expansion rights, or product enhancements requested by key customers, should be evaluated and deployed strategically for customers where the relationship is salvageable but at risk. Customers whose contracts are up for renewal within six months of closing are the highest-priority retention category, because the renewal cycle represents the natural decision point at which customers will evaluate whether to continue the relationship under the new ownership. A disciplined retention program in the first post-closing renewal cycle is the clearest indicator of whether the acquisition will deliver the ARR durability that supported its valuation.

Frequently Asked Questions