Selling and Customer Contracts
in South Africa

A Master Service Agreement is the framework contract that governs every engagement between a supplier and a customer over time. Rather than negotiating every commercial term afresh for each project, the MSA sets the liability regime, intellectual-property ownership rules, confidentiality, payment mechanics, warranty and indemnity architecture, governing law, and dispute-resolution pathway once. Each individual engagement is then captured in a short Statement of Work that incorporates the MSA by reference and simply adds a scope, deliverables, timeline, and price.

In South Africa, the MSA must be drafted against three statutes simultaneously. Where the customer is a consumer or a juristic person with an annual turnover below the R2 million CPA threshold, section 48 of the Consumer Protection Act prohibits unfair, unreasonable or unjust contract terms; section 51 voids blanket exclusions of supplier liability for gross negligence. Where personal information passes between the parties, POPIA section 21 requires a written operator provision. Where the services are delivered electronically, the Electronic Communications and Transactions Act section 22 confirms the contract is valid despite being signed by electronic means.

The well-drafted MSA caps aggregate liability at a multiple of fees paid (commonly 12 months), excludes consequential loss, preserves statutory rights where they cannot lawfully be excluded, and contains a clean IP-assignment clause where the supplier is creating deliverables for the customer. It should also nominate a forum — arbitration under AFSA rules is the modern default for commercial deals above R1 million — and carve out urgent relief for the courts.

POPIA creates two categories of party whenever personal information is in motion: the responsible party, which determines the purpose and means of processing, and the operator, which processes personal information for the responsible party under a mandate. Section 21 of the Act is the operative provision — a responsible party may only engage an operator in terms of a written contract that requires the operator to treat the information as confidential and to maintain the section 19 security safeguards.

Section 19 in turn requires the operator to identify reasonably foreseeable internal and external risks to the information, establish and maintain appropriate safeguards, regularly verify the effectiveness of those safeguards, and update them in response to new risks. In practice this means encryption in transit and at rest, access controls, breach detection, and documented incident-response procedures. The Data Processing Agreement annexed to an MSA or SaaS ToS must flow these duties down to every sub-processor the operator uses.

Cross-border transfers engage section 72, which prohibits sending personal information outside South Africa unless the recipient is subject to a law, binding corporate rules, or a binding agreement providing an adequate level of protection. For cloud-hosted SaaS where servers sit in AWS Cape Town, the analysis is straightforward. For products hosted in the EU or the United States, the DPA must contain contractual equivalents — often the EU SCCs plus South African addenda — to satisfy section 72(1)(a). A mandatory breach-notification clause under section 22 completes the operator stack.

The Electronic Communications and Transactions Act 25 of 2002 regulates the formation of contracts concluded electronically. Section 22 is foundational — an agreement is not without legal force and effect merely because it was concluded wholly or partly by means of data messages. This is the provision that makes clickwrap, browsewrap, and e-signature-driven SaaS enrolments enforceable in South Africa, provided the assent to the terms is unambiguous.

Section 43 imposes affirmative disclosure duties on every supplier offering goods or services to consumers through an electronic transaction — the supplier must make its legal name, physical address, contact details, manner of payment, security mechanisms, and terms and conditions available on the website before the transaction is concluded. Section 43(5) goes further: where a supplier fails to comply, the consumer may cancel the transaction within 14 days of receiving the goods or services and obtain a full refund. This is distinct from the section 44 cooling-off right.

Section 44 grants a consumer the right, without reason or penalty, to cancel an electronic transaction for the supply of goods or services within seven days of delivery or conclusion. The right is limited — it does not apply to auctions, perishables, newspapers, audio or video recordings that have been unsealed, or services that have begun with the consumer's express consent. Crucially, section 44 applies only to natural-person consumers, not to business customers. B2B SaaS vendors should make this distinction explicit in their terms.

Sections 55 and 56 of the Consumer Protection Act impose a statutory implied warranty of quality on every transaction within the Act's scope. Goods must be reasonably suitable for the purposes for which they are generally intended, of good quality, in good working order, free of defects, usable and durable for a reasonable period. If they are not, the consumer may within six months of delivery return them for repair, replacement, or refund at the consumer's election. This warranty cannot be contracted out of. Attempts to cap remedies, disclaim durability, or shift the cost of defective goods onto the consumer are void under section 51.

Section 14 applies to fixed-term agreements with natural-person consumers. It limits the term to a maximum period (currently 24 months for most deals), allows the consumer to cancel at any time on 20 business days' written notice subject to a reasonable cancellation penalty, and forces the supplier to notify the consumer between 40 and 80 business days before expiry of the fact that the contract will renew on a month-to-month basis unless cancelled. A SaaS contract that auto-renews annually without this notice is unenforceable against a consumer.

Sections 40 and 48 round out the picture. Section 40 prohibits unfair, unreasonable, or unjust marketing; section 48 prohibits unfair, unreasonable, or unjust terms. The Tribunal has repeatedly struck down clauses that reverse the burden of proof, purport to waive statutory rights, or impose penalties disproportionate to the supplier's actual loss. Every commercial template should be pressure-tested against section 48 before it is signed.

Section 21 of the Copyright Act 98 of 1978 is the default rule that catches every developer who fails to contract properly. Where a work is made by an author in the course of employment under a contract of service, copyright vests in the employer. Where a work is commissioned and the commissioner pays, copyright in photographs, portraits, cinematograph films, or sound recordings vests in the commissioner — but for computer programs the default is the opposite. Custom software commissioned by a customer from an independent agency remains the property of the agency unless expressly assigned.

This is the single most common source of IP disputes in South African SaaS and custom-development engagements. The Professional Services Agreement or Statement of Work must contain an express present-tense assignment of all right, title, and interest in the deliverables to the customer on payment — typically drafted as a "hereby assigns" clause rather than an "agrees to assign" clause, which under South African law creates only a contractual obligation and not an effective transfer.

Where the supplier wishes to retain rights in its pre-existing code libraries, the correct pattern is to distinguish between "Background IP" (owned by supplier, licensed to customer for use in the deliverables) and "Foreground IP" (created for this engagement, assigned to customer on payment). A residual licence allowing the supplier to re-use generic patterns and know-how — but not customer-specific code — is standard. Open-source components must be catalogued with their licences disclosed and indemnities limited accordingly, particularly where copyleft licences such as GPL could infect the customer's proprietary stack.