The Common Paper

2022 Benchmark Report


Contracting can be difficult, especially without a baseline for creating your agreement.

What is a normal, or market, position to take on any given term? How do you increase the chances your customer will sign your contract with minimal redlines?

To help answer these questions, we’ve put together the Common Paper Benchmark Report. We used two sources to create this report. First, we analyzed data from the contracts from more than 150 US-based B2B SaaS companies, managed through the Common Paper platform. We coupled that with the experience of the Common Paper Committee, which is made up of over 35 attorneys from large enterprises, startups, big law firms, and boutique specialists.

We’ve published insights below about the terms within the Mutual NDA and Cloud Service Agreement (CSA). Note that the CSA is also often referred to as an MSA, and regardless of the name, we’re talking about contracts covering the sale and use of a SaaS or cloud product.

The NDA and CSA are two of the most commonly signed agreements by SaaS companies, and we’re looking forward to covering additional contract types in future reports.

Mutual NDA

A mutual non-disclosure agreement allows for the exchange of confidential information between two parties. In the case of SaaS companies, NDAs are often signed early on in the conversations between a vendor and prospective customer or between potential partners. They might be needed in order to share security information, a SOC 2 audit report, or a product roadmap.

Some of the most commonly varying terms in NDAs have to do with locations and lengths of time.


There are two concepts that use location in an NDA: governing law and chosen courts (also known as jurisdiction).

Each state (or province, country, etc.) has different laws. Setting the governing law clarifies the set of laws under which the contract will be interpreted. Chosen courts specify where a lawsuit related to the contract can be filed in the event of a dispute. 

More than 96% of NDAs choose the same state for both governing law and chosen courts. The most commonly chosen states are:

  • Delaware: 46%  
  • California: 22%
  • New York: 12%


There are two terms related to time in an NDA: NDA term (also known as agreement term) and term of confidentiality.

NDA term is the length of time for which the contract is valid. Practically, this is the time period for sharing confidential information under the NDA. The most common NDA term lengths are: 

  • 1-year: 51%
  • 2-year: 17%
  • 3-year: 8%

About 25% of NDAs have no fixed expiration but may be terminated at any time.

Term of confidentiality refers to how long the parties are subject to confidentiality obligations and must protect confidential information.

68% of NDAs have the same NDA term and term of confidentiality, 52% of NDAs have a 1-year confidentiality period, and 15% have no expiration period, so the confidentiality obligations last forever.

There is a downside to proposing NDAs with indefinite terms of confidentiality. Agreements proposed with a finite term of confidentiality are 15% more likely to get signed.

Beyond the Benchmark Data

We often hear questions from founders about terms that don’t appear in Common Paper agreements, or about why certain terms were set the way they are. Here’s the committee’s point of view on a few of these terms:

Residuals in NDAs can be a contentious topic. As mentioned above, NDAs are about safely sharing confidential information. The agreement typically prevents each party from using the information shared by the other for other purposes. A residuals clause is an exception, which allows one or both parties to use information they happen to remember, despite the restrictions in the NDA that would otherwise prevent them from using that information. After much discussion, the Common Paper Committee decided to omit the concept of residuals from the standard terms. Although some large companies and most VCs insist on having them, the committee agreed they are not common for day-to-day NDAs for B2B SaaS companies.

Conversely, the Common Paper NDA Standard Terms allow companies to keep confidential information in record retention and backup systems. This reflects consensus among the committee about the reality modern companies face when they must return or destroy confidential information while also maintaining necessary system redundancies.

Cloud Service Agreement

A cloud service agreement is a contract used to sell cloud services or SaaS in a vendor-customer relationship. The CSA includes the business terms of the sale, like the product and fees, as well as the legal terms that govern the relationship between the vendor and the customer.

Subscription details

Subscription period is the length of the contract, and it relates to whether there is an automatic renewal. 95% of CSAs use a 1-year subscription period. 90% of CSAs include automatic renewal, and 21% include an automatic fee increase upon renewal (most commonly 7-8%).

In 95% of auto-renewed contracts, customers agree to a 30-day non-renewal notice period, which sets the date before which customers must let the vendor know that they are churning. The non-renewal notice period is calculated backward from the renewal date.


Payment period defines how long a customer has to pay the vendor. You might also hear this called Net30 (a 30-day payment period), Net60, etc. Larger companies with more complex finance processes often require longer payment periods to account for internal processing, and this also gives them the benefit of better cash flow by paying later. Smaller companies have less leverage and tend to be more agile, and often accept shorter payment periods.

Users choose “30 days from customer’s receipt of invoice” most often in Common Paper, accounting for 62% of signed CSAs.

Invoice period is how frequently a vendor will send invoices to the customer. 76% of CSAs use annual invoices, which mirrors the most common 1-year subscription period.

Dispute resolution

Governing law refers to which state’s laws a court will apply to resolve a dispute about the contract, while chosen courts represent where a lawsuit related to the contract can be filed. The concept of chosen courts is also called jurisdiction or venue. These terms are also present in the NDAs discussed above and many other types of contracts.

CSAs usually use the same state for both governing law and chosen courts. 73% of contracts choose Delaware for governing law, while 82% choose Delaware for chosen courts. The next most common state for both terms is California.

The general cap amount, or limitation of liability, describes the maximum amount of damages a vendor or customer can receive as the result of a lawsuit. 95% of CSAs use a cap equal to the fees paid by the customer in one year under the contract.

Increased and unlimited claims deal with breaches of certain contract terms that can result in damages for more than the general cap. Typically, these might be related to privacy, security, confidentiality, gross negligence, or willful misconduct. Only 14% of CSAs include increased claims.

Risk mitigation

Also known as indemnity, covered claims are a contractual promise by one company to pay for certain kinds of losses experienced by the other company that result from a lawsuit by a third party. When drafting the CSA, the Common Paper Committee decided to include default covered claims for providers and customers:

  • The provider will pay for the customer’s losses caused by a lawsuit about the product violating a third party’s intellectual property rights.
  • The customer will pay for the provider’s losses caused by:
    • A lawsuit about the content they upload to the product violating a third party’s intellectual property rights.
    • A lawsuit about the customer breaching the restrictions of using the product, such as using it for an illegal purpose.

78% of CSAs included these default positions on covered claims.

Insurance minimums are a commitment to hold corporate insurance, often requested by customers as a way to mitigate risk. In signed Common Paper CSAs:

  • 100% of contracts include commercial general liability insurance
  • 72% include cyber insurance
  • 72% include errors and omissions insurance

For startups, policies with $1M minimums are most common across all types. Commercial general liability policies may include higher aggregate coverage amounts, like $2M or higher.


A service level agreement or SLA defines the level of service expected from a vendor, lays out the metrics by which service is measured, and the penalties if agreed-on service levels are not achieved. SLAs are common in SaaS agreements: 64% of CSAs include one.

Some Cloud Service Agreements include acceptable use policies, which can govern things like how a vendor or customer handles user-generated content. As an example, a video collaboration app would likely have an acceptable use policy, and it would be less common for a data infrastructure product. 14% of Common Paper CSAs include an acceptable use policy.

Including a security policy isn’t always necessary for early-stage companies; security policies become more common when companies start to scale or sell into larger enterprises. 23% of CSAs include a security policy. It’s also likely that some of the companies that do not include a security policy in their contract provide their security policies to customers separately.

Publicity rights give a vendor the right to talk about a company as a customer. This could be limited to certain types of publicity (like reference calls) or more wide-ranging (like featuring a customer’s logo on the vendor’s website). 59% of signed CSAs include some form of publicity rights.

Beyond the Benchmark Data

We often hear questions from founders about terms that don’t appear in Common Paper agreements, or about why certain terms were set the way they are. Here’s the committee’s point of view on a few of these terms:

Late payment penalties

Late payment penalties can appear in software contracts as a vendor’s way to ensure timely payment. After much discussion, the Common Paper Committee decided to omit the concept of late payment penalties from the CSA Standard Terms. Although many off-the-shelf contracts include this, few companies actually enforce a late payment penalty. These penalties are often a contentious item in initial negotiations, elongating negotiations over a term that is very rarely used.

Based on the experience of the committee, non-payment was most commonly an oversight, and their clients reached a quicker and cheaper resolution by handling late payment as a business matter rather than a penalty enforcement. Additionally, in the context of SaaS, and under the terms of the CSA, vendors have the option to disable access if a customer doesn’t pay their bill.

Representations and warranties

The CSA Standard Terms include a few baseline representations and warranties from both vendor and customer. These include being a properly organized and registered company and complying with applicable laws. In addition, vendors make baseline warranties about their products or services, and customers make a baseline warranty about any content they upload to a product. These reflect what the committee felt was most common for a cloud service or SaaS sale. Although the CSA can accommodate additional warranties, this option is very rarely used.

Termination for convenience

The right to terminate for convenience allows one or both parties to terminate a contract at any time for any reason or no reason at all. The committee agreed that, on balance, the CSA Standard Terms shouldn’t include a right to terminate for convenience. Although companies regularly request this, not having termination for convenience offers many benefits to both sides. For example, a customer preserves access to a product or service, and vendors simplify revenue processes.
