Your business data is one of your most valuable strategic assets. Enterprise software contracts routinely contain provisions that give vendors broad rights over that data — to use it for AI training, to retain it after termination, to export it only in proprietary formats, and to delete it before you can migrate. Negotiating strong data provisions is not optional — it is fundamental to maintaining strategic autonomy.
This article is part of our IT Contract Negotiation Strategy guide. Data rights provisions are among the most important software contract red flags to identify and address at the time of contract negotiation — they are extremely difficult to renegotiate once a vendor has established data practices under the current agreement. See also our SLA negotiation guide for the related issue of data recovery commitments (RTO/RPO).
A decade ago, data portability provisions were primarily a concern for highly regulated industries — financial services, healthcare, government — where data sovereignty, residency, and access controls were regulatory requirements. Today, every enterprise organisation faces meaningful data-related risk from their software contracts, driven by three intersecting trends.
The AI training rights expansion: SaaS vendors across every category have updated their terms of service to permit use of customer data for training AI models. The commercial value of enterprise business data as an AI training input has created powerful vendor incentives to access and use it — incentives that are now contractually embedded in standard terms if buyers do not actively push back.
The vendor lock-in intensification: As enterprise software has consolidated through acquisition and subscription-based pricing has replaced perpetual licences, vendors have systematically reduced data portability to increase switching costs. Data export in proprietary formats, short post-termination access windows, and costly "data migration" services have all become tools of commercial lock-in.
The regulatory landscape tightening: GDPR in Europe, the UK Data Protection Act, CCPA in California, and a growing number of sector-specific regulations impose obligations on organisations regarding data processing, retention, and international transfer that require corresponding provisions in vendor agreements. Organisations that sign vendor-standard data terms may be inadvertently accepting arrangements that create regulatory compliance risk.
In a 2025 review of 200 enterprise SaaS agreements, specialist IT negotiation advisors found that 68% contained no meaningful data export obligation, 74% included broad AI training rights with no opt-out, and 82% specified post-termination data deletion windows of 60 days or less — a window insufficient for most SaaS migrations.
Not all data categories require the same level of protection, and effective data clause negotiation should be calibrated to the specific categories of data held in the vendor's platform.
| Data Category | Examples | Priority Level | Key Protections Needed |
|---|---|---|---|
| Business Operational Data | Orders, transactions, workflows, records | Critical | Export in open format, extended retention, no AI training |
| Personal / Customer Data | CRM records, HR data, customer PII | Regulatory | GDPR/DPA compliance, data residency, processor terms |
| Configuration / Customisation Data | Workflows, configurations, integrations | High | Export capability, IP ownership, no vendor claim |
| Usage / Telemetry Data | Login patterns, feature usage, performance data | Medium | Anonymisation opt-out, no competitive use, no resale |
| Aggregated / Benchmarking Data | Spend patterns, process benchmarks | Medium | No disclosure of attributable data to competitors or vendors |
| AI-Generated Outputs | Copilot suggestions, AI-generated content within platform | Emerging | Ownership of AI outputs, no model improvement without consent |
Understanding where each major vendor starts on data provisions — and how far they move for enterprise customers — is essential for calibrating your negotiation positions.
| Vendor | Standard Data Export | Standard Retention Window | AI Training Default | Achievable for Enterprise |
|---|---|---|---|---|
| Salesforce | CSV/limited formats | 30 days post-termination | Opt-in to AI training | Extended export + opt-out available |
| Microsoft 365 | Multiple formats, admin export | 90–180 days | Diagnostic data used; negotiable | Strong enterprise data provisions |
| SAP S/4HANA Cloud | SAP format, some open | 90 days | Product improvement data use | Negotiable but complex |
| Workday | Proprietary XSLT export | 45 days | Broad anonymised data use rights | Extended window negotiable |
| ServiceNow | JSON/XML available | 60 days | AI training included in standard terms | Opt-out achievable for enterprise |
| Oracle SaaS | Structured export tools | 90 days | Analytics data use permitted | Strong Oracle data terms available |
A vendor who states that "customers own their data" is not necessarily providing meaningful data portability. Genuine portability requires five specific operational commitments that go beyond broad ownership statements.
Data must be exportable in standard, open formats with complete schema documentation: CSV, JSON, XML, or SQL dump with published field definitions. A data export in a proprietary format readable only by the vendor's own software — or a competing product from the vendor's ecosystem — provides no real portability. Require explicit contractual specification of the export formats and confirm they are processable by standard open-source tools.
The export must include all data categories: operational records, historical data, configuration/customisation data, audit logs, document attachments, integration metadata, and workflow definitions. Standard vendor export tools frequently omit categories of data — particularly configuration and integration data that would be required to recreate the environment on an alternative platform.
Data portability is not only a post-termination concern. Your organisation should be able to export complete data snapshots during the active contract term — without requiring vendor assistance, without extraordinary fees, and without disruption to the live service. This export capability is also essential for backup, compliance, and audit purposes.
For complex platforms, contractualise the vendor's obligation to provide migration assistance — at no additional charge or at a defined maximum cost — including data transformation services, API access for migration tooling, and dedicated technical resources for a defined period post-termination. Vendors who provide genuine migration assistance have less incentive to complicate your exit.
Enterprise SaaS migrations take time. A realistic post-termination data access window is 12–24 months, not 30–60 days. Even with a complete data export in hand, the time required to procure, configure, and validate a replacement system — and to verify data completeness and integrity — routinely exceeds six months for major platform replacements.
The inclusion of AI training rights in standard SaaS terms of service has accelerated dramatically since 2023. Vendors have strong commercial incentives to train foundation models on enterprise data — the training value of large-scale, high-quality business transaction data is substantial — and they have quietly embedded these rights in terms updates that many enterprise customers did not notice.
The language patterns to watch for include: "improve our products and services," "develop and improve AI models," "use anonymised data for service development," and "aggregate data for benchmarking purposes." Each of these phrases, in a data processing context, may authorise the use of your business data for AI training purposes.
The AI training risk has three dimensions. First, competitive intelligence risk: your transactional data, customer data, and business process data contain competitive intelligence about your pricing, customer relationships, and operational efficiency. If this data trains models available to competitors, you have a commercial problem. Second, regulatory risk: in financial services and healthcare in particular, data used for AI training may implicate regulatory requirements around data use limitation and purpose binding. Third, IP risk: AI-generated outputs trained on your proprietary data may technically be outputs of the vendor's model — creating uncertainty about IP ownership of AI-assisted work product.
Post-termination data provisions are among the most commercially consequential — and most routinely inadequate — elements of enterprise SaaS agreements. The typical vendor standard of 30–60 days creates catastrophic risk for buyers who discover a data gap after their access has expired.
A comprehensive post-termination data provision should address four elements:
Access window duration: Minimum 12 months of read-only access to the live system or a data dump equivalent, from the date of contract termination. For complex systems with multi-year historical data, 24 months is appropriate.
Data integrity commitment: The vendor must commit that all data present at termination will be maintained in its original integrity — no purging, archival, or compression — during the access window. Data that is archived to cold storage at termination may technically be "retained" but practically inaccessible within a migration timeline.
Deletion certification: Upon expiry of the access window, the vendor should provide written certification of secure deletion, including any copies in backup systems, disaster recovery replicas, and development/test environments that may hold copies of production data.
Migration assistance: During the access window, the vendor should maintain API access and provide reasonable technical cooperation for migration activities. Vendors have an incentive to obstruct migration; contractual obligations to cooperate counterbalance this.
1. Raise data provisions early and separately. Many buyers negotiate commercial terms and leave data provisions to legal review. This is a mistake — data provisions are commercial provisions with long-term strategic implications. Elevate data portability and AI training rights to the commercial negotiation stage, not just the legal review stage.
2. Use GDPR/DPA compliance requirements as the framing. Vendors are generally more responsive to regulatory compliance requirements than to commercial preferences. Framing data residency, retention, and access requirements as obligations under GDPR, UK DPA 2018, or sector-specific regulation (FCA, ICO) creates a more compelling basis for negotiation than "we prefer open formats."
3. Audit your current agreements before renewing. Renewal is the most effective time to address data provisions because you can cite actual data volumes, extract timelines, and migration complexity based on operational experience. A buyer who has been unable to complete a data export during the current term has specific, evidence-based grounds to demand stronger provisions.
4. Require specific format commitments — not just "standard formats." Vendor agreements that commit to exporting data in "standard formats" are not meaningful if the vendor defines what "standard" means. Specify the formats by name: CSV (with defined character encoding), JSON (with schema), XML (with published DTD/XSD), or SQL dump with data dictionary. Test the export capability before signing.
5. Negotiate AI training opt-outs as a package with pricing. Vendors who benefit commercially from AI training data may be willing to provide an opt-out in exchange for other commercial concessions — or to offer tiered pricing where data-permission products are priced lower than data-restriction products. Understanding this commercial structure helps you negotiate from an informed position.
6. Require a data processing addendum that reflects your negotiated positions. GDPR requires a Data Processing Agreement (DPA) or addendum from vendors who process personal data. Ensure your negotiated positions on AI training, data use restrictions, retention, and sub-processor controls are reflected in the DPA — not just in the commercial agreement — to create a coherent and regulatory-compliant framework.
7. Test data export before contract execution. Where feasible, conduct a data export test during the procurement process — using a sandbox or pilot environment — to verify that the vendor's claimed export capability actually produces usable data in the specified format. Discrepancies between claimed and actual export capability are common and are best discovered before contract signature.
8. Involve specialist advisors for AI and data-heavy platforms. Data rights negotiation for AI-enabled SaaS platforms requires legal expertise that combines commercial contracts knowledge with data protection law and AI governance — a combination not found in most standard IT legal panels. The specialist IT negotiation firms we rank typically have this capability or established relationships with the appropriate specialist lawyers.
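The pre-signature export test from points 4 and 7 can be scripted with standard open-source tooling. The Python sketch below is an added example, not part of the original article or any vendor's tooling: it checks an export taken from a pilot environment against a contract schedule of required data categories, named formats and encodings, mandatory fields, and record counts reported by the live system. The schedule, category names, field names and sample files are all constructed for illustration.

```python
import csv
import io
import json

# Hypothetical contract schedule (constructed): every data category the agreement
# names, with its agreed format, character encoding and mandatory fields.
REQUIRED = {
    "orders": {"format": "csv", "encoding": "utf-8", "fields": {"order_id", "customer_id", "total"}},
    "workflows": {"format": "json", "encoding": "utf-8", "fields": {"workflow_id", "definition"}},
    "audit_log": {"format": "csv", "encoding": "utf-8", "fields": {"event_id", "actor", "timestamp"}},
}

def parse(raw, spec):
    """Decode and parse one export file with standard-library tools only."""
    text = raw.decode(spec["encoding"])  # wrong encoding raises UnicodeDecodeError
    if spec["format"] == "csv":
        return list(csv.DictReader(io.StringIO(text)))
    rows = json.loads(text)
    if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
        raise ValueError("expected a JSON array of objects")
    return rows

def check_export(files, expected_counts):
    """Return a list of findings; an empty list means the export met the schedule."""
    findings = []
    for category, spec in REQUIRED.items():
        if category not in files:
            findings.append(f"{category}: missing from export")
            continue
        try:
            rows = parse(files[category], spec)
        except (ValueError, csv.Error) as exc:  # ValueError covers decode and JSON errors
            findings.append(f"{category}: unreadable as {spec['format']} ({type(exc).__name__})")
            continue
        absent = sorted(f for f in spec["fields"] if any(r.get(f) is None for r in rows))
        if absent:
            findings.append(f"{category}: fields absent: {', '.join(absent)}")
        if len(rows) != expected_counts.get(category):
            findings.append(f"{category}: {len(rows)} records, live system reported {expected_counts.get(category)}")
    return findings

# Constructed sample export from a pilot environment; audit_log was not delivered.
SAMPLE_FILES = {
    "orders": b"order_id,customer_id,total\n1001,C-17,249.90\n1002,C-22,80.00\n",
    "workflows": b'[{"workflow_id": "wf-1", "definition": {"steps": 3}}, {"workflow_id": "wf-2"}]',
}
SAMPLE_COUNTS = {"orders": 3, "workflows": 2, "audit_log": 5}  # counts read off the live system

if __name__ == "__main__":
    for finding in check_export(SAMPLE_FILES, SAMPLE_COUNTS):
        print(finding)
```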
Specialist IT negotiation advisors can review your current data provisions, identify gaps, and negotiate the portability, retention, and AI opt-out rights that protect your organisation's strategic data assets.