IT

IT & Technology

System development contracts, SaaS and cloud, AI development and cyber-incident response—preventive lawyering that translates technical uncertainty into sound contract structures.

Introduction

Legal work in the IT field is an area where a deep understanding of both technology and law is indispensable. Even a single set of SaaS terms of use interweaves multiple issues: (1) governing law and jurisdiction; (2) limitation of liability and indemnity; (3) data ownership and deletion obligations; (4) service level agreements (SLAs); and (5) termination and data migration.

Our firm provides seamless support from the upstream of system development (requirements definition and choice of contract form), through the operational phase (incident response and contract amendments), and on to disputes and litigation. Our clients include SaaS providers, contract development companies, the IT departments of operating companies, and startups building data-driven businesses.

Especially important is the ability to legally organize the "ambiguity" that is characteristic of IT contracts. Situations in which development proceeds before requirements are fixed, specification changes are made orally, or the allocation of responsibility is technically unclear are breeding grounds for disputes. Our firm's strength lies in preventive lawyering that translates such technical uncertainty into contract structures and heads off future disputes.

In recent years, demand has surged in new areas such as AI development contracts (rights in training data, liability for outputs, and warranties of model accuracy) and cyber-incident response (ransomware damage and response to supply-chain attacks), and we handle these as well.

Areas of Practice

1. System Development Contracts - Choosing between a contract for work (ukeoi) and a quasi-mandate (jun-inin), and designing the contract structure - Contract models suited to agile development (a master agreement plus individual sprint orders) - The scope and duration of defect liability (liability for nonconformity) - Designing acceptance clauses, additional orders, and specification-change management - Ownership of development deliverables (copyright, know-how, and third-party OSS)

2. SaaS / Cloud Services - Drafting and reviewing SaaS terms of use and privacy policies - Designing MSA (Master Service Agreement) templates for B2B SaaS - Drafting data processing agreements (DPAs) and SCCs (Standard Contractual Clauses) - SLA design, uptime guarantees, and service credits - Data return and deletion obligations on termination, and avoiding vendor lock-in

3. Data Breach and Cyber-Incident Response - Immediate response upon discovery of a breach (evidence preservation and coordinating forensic investigation) - Reporting to the Personal Information Protection Commission and notifying data subjects - Ransomware response (including the legal issues surrounding ransom payment) - Explanations to business partners and customers, and damages negotiations - Formulating measures to prevent recurrence and revising internal rules

4. AI Development and Use Contracts - Licensing of training data and data provision agreements - Ownership of AI-generated works and allocation of liability - The scope of warranties for model accuracy and limitation of liability - Formulating corporate guidelines for generative AI use - Responding to AI regulatory trends (the EU AI Act and Japan's AI Business Operator Guidelines)

5. IT Services Generally - APPI and GDPR compliance (see the "Data Protection" practice area for details) - Compliance with the Telecommunications Business Act, the Act on Specified Commercial Transactions, and the Act against Unjustifiable Premiums and Misleading Representations - Stealth-marketing regulation compliance and the legal issues of operating UGC platforms - API terms of use and developer TOS - M&A and due diligence of IT assets and IP

Representative Matters (Illustrative Examples)

Example 1: Building Global Contract Templates for a B2B SaaS Provider

A Series B–stage B2B SaaS startup transitioned from bespoke contracts for mid-sized domestic companies to standardized MSA operations for the global market. Until then, it had drafted each contract from scratch for every deal, and challenges had become apparent in both sales efficiency and legal risk.

Our firm provided integrated support: (1) creating industry-standard MSA, DPA, and SLA templates (bilingual Japanese/English); (2) building an internal matrix of negotiation fall-back positions; (3) delivering contract-negotiation training for sales and customer success; and (4) setting policy for the choice of governing law and jurisdiction across the major jurisdictions (the U.S., EU, U.K., and Singapore). As a result, we cut the average contract-execution lead time by 60% and reduced legal review hours by 50%.

Example 2: Settlement of a Large-Scale System Development Dispute

At a mid-sized operating company, a dispute arose with a vendor over unmet requirements and delivery delays in a core-system renewal project. As the customer, the company faced the challenge of reconciling contract termination and damages claims with the early recovery of the system and a switch to an alternative vendor.

Our firm carried out: (1) an organization of the facts of the project's history (reviewing several thousand minutes and emails); (2) an analysis of the contractual allocation of responsibility; (3) obtaining the opinion of a technical expert; and (4) settlement negotiations with the vendor. Ultimately, on condition that the vendor make a partial refund and cooperate with the migration, we concluded a settlement agreement including a mutual waiver of rights. In parallel, we redesigned the contract structure for the successor project (staged acceptance of deliverables, a rationalized limitation of liability, and clearer governance clauses).

Example 3: Emergency Response to Ransomware Damage

A mid-sized manufacturer suffered a ransomware attack, and its internal systems were encrypted. The attacker demanded a ransom payment, and a response decision was needed within 24 hours.

Our firm supported: (1) organizing whether contact with the attacker was permissible and the legal issues of ransom payment (economic sanctions regulation, the Foreign Exchange Act, and prevention of terrorist financing); (2) an initial assessment of whether personal data had leaked; (3) drafting a prompt report to the Personal Information Protection Commission; (4) draft notices to business partners and customers; (5) liaison with the police and JPCERT/CC; and (6) reviewing the post-recovery forensic report. As a result, the ransom was not paid, and by recovering from backups and providing a highly transparent explanation to business partners, reputational damage was minimized.

How to Engage Us

  1. Initial Consultation (30–60 minutes / available online): We hear your challenges and current situation and organize the issues. A confidentiality agreement can be concluded before the consultation.
  2. Estimate and Proposal: We present the scope, timeline, and fees. We accommodate time-charge, per-matter, and retainer arrangements alike.
  3. Commencement and Progress Sharing: We report progress regularly and make the issues visible. Where coordination with technical experts is needed, we arrange it.
  4. Completion and Aftercare: We can provide continued support on related ongoing issues (contract amendments, rule updates, and the like).

Fee Guide (Reference Figures / Subject to Discussion)

  • Initial consultation: Free for the first 30 minutes; time charge thereafter
  • Contract review (standard SaaS agreements, etc.): Estimated JPY 50,000–150,000
  • Contract drafting (templates such as MSAs and DPAs): Estimated JPY 300,000–800,000
  • Incident response (emergency): Time charge plus retainer
  • Retainer: Estimated JPY 150,000–400,000 per month (designed according to workload)
  • Litigation and dispute response: Individual estimate

Contact

For consultations in the IT field, please reach out via our contact form. If you require emergency incident response, please note this and we will prioritize your matter.

Frequently Asked Questions

Q.In a system development contract, should we choose a contract for work (ukeoi) or a quasi-mandate (jun-inin)?
As a rule, choose a contract for work when the requirements are fixed and the deliverable is clear, and a quasi-mandate when the requirements are fluid and development is agile. In practice, however, a hybrid model—treating the master agreement as a quasi-mandate while clarifying deliverables in individual sprints—has also become common. We design the structure according to your business characteristics and risk tolerance.
Q.When requesting a review of SaaS terms of use, what should we prepare?
It goes more smoothly if you share: (1) your current terms of use and privacy policy; (2) an overview of the service's features and data flows; (3) your main customer segments (B2B/B2C, domestic/overseas); and (4) anticipated issues or examples of past complaints.
Q.A personal data breach has come to light. What should we do, and within how many hours?
A preliminary report to the Personal Information Protection Commission is required "promptly" (in practice, within a few days), and notification to the data subjects is also required "promptly." The first 72 hours are critical, during which we advance in parallel: (1) identifying the scope of the damage; (2) preventing secondary harm; (3) preserving evidence; and (4) preparing the report and notifications. Our firm can also provide hotline support in emergencies.
Q.In an AI development contract, how should we organize the rights relating to training data?
We clarify in the contract: (1) the scope of the data provider's rights; (2) ownership of derived data and the trained model; (3) whether the model may be repurposed; and (4) rights in the outputs. In Japan, Article 30-4 of the Copyright Act broadly permits use for information analysis, but contractual restrictions are a separate issue.
Q.In contract development, the customer is making unreasonable specification-change demands. How should we respond?
First, we check whether the contractual specification-change management process (change requests, impact assessment, and additional estimates) is functioning. Where oral change instructions have become routine, we recommend reinstating the rule that changes be put in writing and amending the contract (strengthening the change-management clause).
Q.We promise 99.9% uptime in our SLA—how far does our risk extend?
We need to scrutinize the contract clauses to confirm that the remedy for an SLA breach is limited to "service credits (fee refunds)" and that damages beyond that are excluded. Exclusion clauses for planned outages and force majeure, and a clear definition of the measurement method, are also important.
Q.We are delivering a system that uses open-source software—what should we watch out for?
The central issues are: (1) taking inventory of the OSS used and confirming its licenses (especially the contagiousness of GPL-family licenses); (2) disclosing the OSS used to the customer; (3) clarifying the contractual scope of warranty (for example, providing the OSS portions "as is" without warranty); and (4) preparing an SBOM (Software Bill of Materials).
Q.Which suits us better—a retainer or spot engagements?
A retainer is well suited if you (1) have a steady legal need of several matters or more per month; (2) want a rapid consultation channel; or (3) wish to supplement your in-house legal function. If you have only a few spot matters per year, per-matter engagements are sufficient.
Q.When offering an AI service, what clauses must we include in the terms of use?
The minimum essential items are: (1) the scope of use of input data; (2) rights in and liability for outputs; (3) disclaimer of warranties as to accuracy and correctness; (4) prohibition of illegal and harmful uses; (5) the right to modify the model or suspend the service; and (6) governing law and jurisdiction.
Q.In the IT field, what are the strengths of a New York–admitted attorney?
They include: (1) practical instinct for Silicon Valley–style SaaS and investment contracts; (2) handling of U.S. data protection regulation (CCPA, HIPAA, etc.); (3) the ability to draft and negotiate English-language contracts; and (4) cultural fluency in contract negotiations with U.S. technology companies.
Free Initial Consultation

Consult us on it & technology

The initial consultation is free and strictly confidential. The earlier you reach out, the more options remain available.

Contact us

Other Areas of Expertise