How Does SaaS Work? Architecture and Delivery Explained

SaaS (Software as a Service) is a software delivery model where applications are hosted by a provider and made available to customers over the internet. Unlike traditional software that you install on your own computer or server, SaaS runs entirely on the provider's infrastructure. You access it through a web browser or a thin client, and you pay a recurring subscription fee rather than a one-time license cost.

The key difference lies in ownership and responsibility. With traditional software, you buy a license, install the software on your hardware, and manage updates, security patches, and backups yourself. With SaaS, the provider handles all of that. You simply log in and use the software. This model eliminates the need for upfront hardware investment, reduces IT maintenance costs, and ensures you always have the latest version.

From a legal perspective, SaaS is governed by a subscription agreement (often called a Terms of Service or SaaS Agreement) rather than a perpetual license. Under Indian law, this is a service contract, not a sale of goods. The Indian Contract Act, 1872, and the Information Technology Act, 2000, govern these agreements. The provider retains ownership of the software, and you get a right to use it for the subscription period.

SaaS architecture is typically multi-tenant, meaning a single instance of the software serves multiple customers (tenants). Each tenant's data is logically separated, but they share the same application and infrastructure. This is what makes SaaS cost-effective for providers and affordable for customers.

The architecture usually includes these layers:

• Presentation layer: The user interface you see in your browser or app.
• Application layer: The core logic and features of the software.
• Data layer: The database where your data is stored, isolated from other tenants.

When you log in, your browser sends a request to the provider's server. The server authenticates you, identifies your tenant, and serves only your data. All processing happens on the provider's servers, not your device. This is why SaaS works even on low-powered devices like tablets or older laptops.

Under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, SaaS providers are classified as intermediaries. They must comply with data localisation requirements for certain categories of data, as specified by the Reserve Bank of India and MeitY. For example, payment data must be stored in India. Providers must also have a grievance officer and a physical contact address in India.

SaaS is delivered over the internet using standard web protocols like HTTPS. You access it through a URL, and the provider manages all the backend infrastructure—servers, storage, networking, and security. The delivery model is typically subscription-based, with pricing tiers based on features, number of users, or storage limits.

The delivery process works like this:

1. You sign up for a SaaS product (e.g., a CRM, accounting software, or project management tool).
2. The provider creates an account for your organisation and provisions a tenant environment.
3. You receive login credentials and can start using the software immediately.
4. The provider handles all updates, patches, and security fixes automatically.
5. You pay monthly or annually, and can usually scale up or down as needed.

From a compliance standpoint, SaaS delivery in India must adhere to the IT Act, 2000, and the IT Rules, 2021. If the SaaS product processes personal data, the provider must comply with the upcoming Digital Personal Data Protection Act, 2023. This includes obtaining consent, providing data access, and ensuring data security. Providers must also have a privacy policy that clearly states how data is collected, stored, and shared.

While most SaaS is public cloud-based, there are variations depending on security and compliance needs:

• Public SaaS: The most common model. The provider hosts the software on shared infrastructure (e.g., AWS, Azure, Google Cloud). Multiple tenants share the same resources, but data is isolated. This is the most cost-effective option.
• Private SaaS: The provider hosts a dedicated instance for a single customer. This is used for organisations with strict compliance requirements (e.g., banks, government agencies). It costs more but offers greater control.
• Hybrid SaaS: Some features run on the provider's cloud, while sensitive data or processes remain on the customer's on-premise servers. This is common in regulated industries like healthcare and finance.

In India, the Reserve Bank of India (RBI) mandates that certain financial data must be stored within the country. For SaaS providers serving Indian banks or NBFCs, this often means using a private or hybrid model with data centres in India. MeitY's data localisation guidelines also apply to critical personal data.

If you are a SaaS provider or a customer in India, you need to be aware of these legal aspects:

• Data localisation: As per RBI and MeitY guidelines, certain categories of data (payment data, critical personal data) must be stored in India. SaaS providers must ensure their infrastructure complies.
• Grievance redressal: Under the IT Rules, 2021, SaaS providers must appoint a grievance officer and publish their contact details. Users must have a mechanism to report violations.
• Contract terms: The SaaS agreement should clearly define service levels (uptime, support), data ownership, termination rights, and liability limits. Under Indian contract law, ambiguous terms are interpreted against the drafter.
• Intellectual property: The provider retains IP rights to the software. The customer gets a limited, non-transferable right to use it. Any customisations or integrations should be addressed in the agreement.
• Taxation: SaaS is treated as a service under GST. The provider must charge GST at 18% (or applicable rate) on subscriptions. For cross-border SaaS, reverse charge mechanisms may apply.

If you are evaluating a SaaS product for your business, review the provider's data security practices, compliance with Indian data localisation laws, and the terms of the subscription agreement. For complex requirements (e.g., handling sensitive customer data, integrating with existing systems), consult a legal professional who specialises in technology contracts and data protection.

---

This page provides preliminary information. It is not legal advice. For your matter, consult a qualified professional.