For SaaS startups, software licensing is rarely just a commercial template exercise. In Turkey, it sits at the intersection of copyright law, contract law, consumer law, data protection, trade secrets, and sometimes competition law. A startup may think it is simply “selling subscriptions,” but the legal reality is more complex: the code may belong to individual developers unless ownership and usage rights are structured correctly, the customer contract may be formed online but still need to satisfy Turkish contract and consumer-law standards, the service may process personal data and therefore trigger security, disclosure, registry, and cross-border transfer obligations, and reseller or channel arrangements may raise competition-law questions if exclusivity or online-sales restrictions are drafted poorly. The core statutory framework is split mainly between Law No. 5846 on Intellectual and Artistic Works for copyright, Law No. 6098 Turkish Code of Obligations for general contract law, Law No. 6502 on Consumer Protection for consumer-facing SaaS offerings, and Law No. 6698 on the Protection of Personal Data for data processing.
That legal layering matters especially for startups because SaaS businesses often scale before their legal architecture matures. A company may onboard users quickly, outsource development, rely on standard online terms, store customer data abroad, and license its platform through resellers or implementation partners, all before it has seriously reviewed whether the Turkish legal basis of those steps is solid. In Türkiye, that can create avoidable risk. WIPO and TÜRKPATENT’s launch of IP Management Clinics for entrepreneurs and SMEs in October 2025 reflects this broader policy direction: IP and intangible-asset planning are increasingly treated as part of early-stage business design, not just as a late-stage compliance task.
Why SaaS licensing is legally different from software sales
A SaaS arrangement is not the same thing as a one-off software sale. In legal and commercial terms, the provider usually grants controlled access to software functionality, related documentation, support layers, interfaces, and sometimes data-processing capacity, rather than transferring ownership of the software itself. Turkish copyright law strongly supports this distinction. Law No. 5846 expressly treats computer programs expressed in any form, together with preparatory designs leading to a program, as protected literary and scientific works. The same law also states that transfer of ownership of an original or reproduced copy of a work does not transfer intellectual rights unless otherwise agreed. For SaaS startups, this is foundational: giving the customer access to the platform, code output, APIs, dashboards, or downloaded components does not by itself transfer copyright or broader exploitation rights.
This distinction has several downstream effects. First, the provider should describe the deal as a license or access right rather than casually using “sale” language where that would blur the IP position. Second, the contract should specify exactly what the customer gets: access, user seats, environments, support, update rights, API usage, and any local installation rights. Third, the provider should decide whether the license is exclusive or non-exclusive, because Turkish copyright law states that a license is exclusive only if granted to a single person and that, unless law or contract points the other way, licenses are deemed non-exclusive. In other words, Turkish law defaults toward non-exclusivity; if the SaaS startup wants exclusivity, the contract should say so clearly.
Copyright ownership: who actually owns the code?
For SaaS startups in Turkey, one of the most serious legal risks is not infringement by outsiders but weak ownership inside the company. Turkish copyright law begins from authorship. It recognizes the creator of the work as the author, but it also contains a crucial rule for employment relationships: the authority to exercise economic rights in works created by civil servants, employees, and workers during the execution of their duties belongs to the persons who employ or appoint them, unless a special contract or the nature of the work indicates otherwise. This is especially important in software businesses. If the platform code was created by employees as part of their assigned duties, Turkish law gives the employer a strong position regarding the exercise of economic rights.
But that rule does not solve every SaaS ownership problem. First, it is tied to works created during the execution of duties, so the startup should still be able to show what the employee’s duties were. Second, the rule does not erase the distinction between employee-created code and code produced by freelancers, agencies, consultants, founders before incorporation, or offshore teams. For those categories, the contract remains central. Turkish law is strict on form: contracts and disposals concerning economic rights must be in writing, and the rights forming their subject matter must be specified individually. The same law also states that a person acquiring an economic right or a license from someone without authority is not protected even if acting in good faith, and a person who grants a license without authority may be liable for resulting damages. For SaaS startups, that means outsourced code, contractor-built modules, design systems, documentation, onboarding videos, and templates should all be backed by clear written rights language.
This is where many startup licensing files become vulnerable. Founders often assume that if they paid for code, the company necessarily owns or fully controls it. Turkish copyright law is more formal than that. It expects a real written rights structure, and it does not fully rescue parties who take rights from someone without actual authority. In a due diligence or dispute setting, a startup with clean written copyright and licensing documentation is in a far stronger position than one relying on informal assumptions.
The license grant: what Turkish SaaS contracts should define
A Turkish SaaS contract should not merely say that the customer receives “a license to use the software.” Under Law No. 5846, the scope of the license matters, and some rights are not implied. The statute expressly states that, unless otherwise agreed, the transfer of an economic right or the grant of a license does not extend to translation or other adaptation of the work. In practical SaaS terms, that means modification, localization, code adaptation, white-label reconfiguration, interface customization, or derivative use should be addressed expressly if the customer is to receive them. The same law also states that ownership of copies does not transfer IP rights, which reinforces the need to separate access rights from copyright rights clearly.
For startups, the drafting implication is straightforward. The agreement should define at least the licensed environment, number or type of users, usage metrics, access channels, whether affiliates may use the platform, whether subcontractors may access it, whether local copies may be made, whether APIs may be used beyond internal operations, what support and update rights exist, how trial environments are treated, and what happens to data and access on termination. Turkish law gives the broad legal frame, but the commercial risk is managed inside the contract. A vague SaaS license can create disputes over scope even where the startup clearly owns the software.
Another common issue is sublicensing and transfer. If the customer is an enterprise group, a systems integrator, a managed-service provider, or a platform reseller, the contract should address whether it can extend use rights onward and on what conditions. Turkish copyright law’s non-exclusive default is not enough to solve that. A SaaS startup should decide whether it is licensing to a single customer, a group, or a channel partner structure, because each scenario carries different IP and liability implications.
Online contract formation and assent under Turkish law
SaaS contracts are often concluded online, through dashboards, order forms, clickwrap flows, or direct electronic communications. Turkish contract law is capable of accommodating that. The Turkish Code of Obligations states that a contract is formed when the parties declare their intentions mutually and consistently, and that declarations of intent may be express or implied. It also states that, in direct communication through tools such as the telephone or computer, the proposal is treated like one made between persons who are “present.” That means Turkish law does not require a paper contract for every SaaS subscription merely because the product is digital.
However, “possible” does not mean “evidentially easy.” In practice, SaaS startups should treat online assent as a proof issue. Clear clickwrap design, version-controlled terms, acceptance logs, payment-linked order flows, and records showing when the user accepted which terms are all valuable. Turkish law recognizes electronic contract formation, but when a dispute arises, the startup still needs to prove what was offered, what was accepted, and which legal text governed the relationship. That is especially important where the provider later wants to rely on limits of liability, usage restrictions, forum clauses, or termination rights.
B2B versus B2C SaaS: consumer law can change the analysis
Not every SaaS startup in Turkey sells only to businesses. If the customer is a consumer, Turkish consumer law becomes relevant very quickly. Law No. 6502 states that it covers all consumer transactions and consumer-oriented implementations, and it defines a service as the subject matter of any type of consumer transaction other than the supply of goods. The Ministry of Trade’s official consumer information page further explains that a distance contract is a contract concluded without the simultaneous physical presence of the seller or provider and the consumer, through remote communication tools, and that such contracts are regulated by Article 48 of Law No. 6502 and the Distance Contracts Regulation. That is directly relevant to many consumer-facing SaaS, app, subscription, and digital-service offerings.
This creates real legal risk for B2C SaaS businesses using aggressive or poorly drafted standard terms. Official Ministry text on unfair terms in consumer contracts states that a term inserted without negotiation and causing an imbalance contrary to good faith against the consumer is an unfair term, and such terms are absolutely null and void. The same official text also stresses that written terms must be clear and understandable, and ambiguous terms are interpreted in favor of the consumer. For SaaS startups, that means auto-renewal provisions, unilateral feature-change clauses, vague service disclaimers, overbroad liability waivers, or hard-to-exit pricing mechanics should be reviewed carefully if the platform is sold to consumers rather than only enterprises.
Data protection: the unavoidable SaaS risk in Turkey
For many SaaS startups, the biggest legal exposure is not copyright but personal data processing. Turkey’s Personal Data Protection Law No. 6698 states that its purpose is to protect fundamental rights and freedoms, especially privacy, with respect to the processing of personal data, and that it applies to natural persons whose personal data are processed and to natural or legal persons processing such data by automated means or as part of a filing system. For a SaaS company handling user accounts, employee records, CRM data, analytics, or customer-uploaded information, this law is often unavoidable.
The law also imposes concrete obligations on the data controller. Article 10 requires the controller, at the time personal data are obtained, to inform data subjects of the controller’s identity, the purpose of processing, possible recipients and transfer purposes, the method and legal basis of collection, and the rights available to the data subject. Article 12 requires the data controller to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure the protection of personal data, and it makes the controller jointly responsible with processors acting on its behalf for taking those measures. These obligations are directly relevant to SaaS vendors that act as controllers, processors, or both depending on the service model.
Registry obligations can also matter. Article 16 states that the Data Controllers’ Registry is kept publicly under the Board’s supervision and that natural and legal persons who process personal data must register before data processing begins, subject to exemptions that the Board may create by taking objective criteria into account. The KVKK’s official guidance on the obligation to register similarly explains that VERBIS is the public system used for registration and that exemptions exist. For SaaS startups, this means VERBIS should not be ignored simply because the company is “digital.” The question is functional: does the startup act as a data controller in a way that triggers registration, or does it fall within an exemption?
The sanctions risk is also real. The current official English text of Law No. 6698 states that administrative fines may be imposed for failure to fulfil the information obligation under Article 10, failure to satisfy data-security obligations under Article 12, failure to comply with Board decisions, and failure to comply with registry and notification obligations under Article 16. The current text also includes a separate administrative-fine line for failure to fulfil the notification obligation under amended Article 9(5). In a SaaS business, data protection is therefore not only a privacy policy issue; it is an exposure area that can produce formal enforcement and fines.
Cross-border data transfers after the 2024 reform
Cross-border data flows are one of the hardest Turkish law issues for SaaS startups, especially those using foreign cloud infrastructure, non-Turkish support teams, or overseas group companies. In August 2024, the Turkish Data Protection Authority announced English translations of the new by-law on the transfer of personal data abroad and of the new standard contract texts, noting that Article 9 of Law No. 6698 had been amended by Law No. 7499. The official by-law text then states that personal data may be transferred abroad where there is an adequacy decision, or, in the absence of adequacy, where one of the appropriate safeguards specified in the law is provided, and, failing both, only in certain exceptional cases where the transfer is incidental. The same by-law also states that processors acting abroad must follow the controller’s instructions and implement appropriate technical and organizational measures, and it emphasizes that the controller remains responsible for compliance.
For SaaS startups, this is not a background issue. It directly affects hosting, support ticketing, analytics, CRM infrastructure, customer success tooling, outsourced DevOps, and international group reporting. A startup that markets to Turkish customers but sends personal data abroad through its platform stack must be able to explain which transfer route it is using and why. Since the Authority now provides official standard contract texts for cross-border transfers, startups should consider whether their data-transfer architecture needs formal contractual upgrading rather than relying on legacy assumptions.
Confidentiality, trade secrets, and source-code control
Not every SaaS asset belongs in a copyright file. Source code, infrastructure diagrams, training data, deployment workflows, feature roadmaps, pricing logic, and customer-implementation methods often matter because they are secret, not because they are registered. The Turkish Code of Obligations is identified by WIPO as containing provisions on undisclosed information in Article 396 and non-compete provisions in Articles 444 and following, while the Turkish Commercial Code is identified by WIPO as containing provisions on unfair competition and undisclosed information. This matters for SaaS businesses because the real value may lie in the know-how around the software, not just the software as a work.
For licensing practice, the implication is clear. A Turkish SaaS agreement should not rely only on copyright clauses. It should also contain robust confidentiality language covering code, documentation, internal logic, pricing, security architecture, and operational know-how. It should define access restrictions, employee and subcontractor flow-down obligations, return or deletion duties after termination, and security standards for shared materials. In a dispute, those clauses can be as important as the copyright provisions themselves, especially where the customer has learned more about the provider’s business method than the public-facing platform alone would reveal.
Competition-law issues for reseller and channel models
Many SaaS startups in Turkey do not license only to end users. They also work through resellers, implementation partners, distributors, or managed-service providers. Once that happens, competition law becomes relevant. The Turkish Competition Authority’s Block Exemption Communiqué on Vertical Agreements states that vertical agreements are block-exempted if the relevant conditions are met, including the rule that the provider’s market share in the relevant market does not exceed 30%. The same communiqué also states that vertical agreements involving IP-right transfers or use can benefit from block exemption only where those IP rights directly concern the use, sale, or resale of the goods or services forming the substantial subject of the agreement, and only where the IP provisions are not the main purpose of the agreement and do not reproduce non-exempt vertical restraints.
That means SaaS startups should be careful with territorial exclusivity, channel restrictions, and online-sales control in reseller agreements. Turkish competition practice treats internet sales as generally passive sales, and an official Competition Authority decision applying the Vertical Agreements framework states that restrictions on internet sales can be hardcore vertical restrictions that take the agreement outside the scope of block exemption. For software and SaaS businesses growing through partners, an aggressive distribution clause may therefore create competition-law exposure even if it looks commercially attractive on paper.
Disputes, enforcement, and forum planning
If licensing disputes escalate, Turkish law gives software and copyright claims a specialized judicial path. The current WIPO text of Law No. 5846 states that specialized courts established by the Ministry of Justice are competent for litigation arising from legal relationships regulated by that law, regardless of the amount in dispute, and until specialized courts are established, designated first-instance civil and criminal courts perform that role. The same law also contains criminal provisions for certain copyright-related acts and recognizes customs-related measures for relevant infringing copies. For SaaS startups, this means that software and content disputes can move beyond private contract arguments into a structured IP-enforcement environment.
Still, the most valuable enforcement step is often prevention rather than litigation. A startup with clean chain of title, well-drafted license scope, reliable online assent records, consumer-law screening for B2C offerings, data-protection compliance, and careful confidentiality design is far easier to defend and far easier to diligence. In Turkey, software licensing risk usually becomes severe not because the law is missing, but because the legal architecture was never built in time.
Final thoughts
Software licensing in Turkey is not governed by a single “SaaS Act.” It is a composite legal problem. Copyright law determines whether the startup actually owns or controls the code and related works, and Turkish law is clear that software is a protected work, that employee-created works follow a special rule, that economic-rights contracts must be in writing and specify the rights individually, and that licenses are non-exclusive unless clearly made exclusive. Contract law recognizes online formation, but startups still need solid proof of assent and clear drafting. Consumer law can reshape the analysis if the SaaS is offered to consumers through distance contracts and standard terms. Data protection law can impose transparency, security, registry, and cross-border transfer duties that are often more operationally demanding than the IP clauses themselves. And competition law can matter where SaaS is licensed through partners or distributors with online-sales or exclusivity restrictions.
For SaaS startups, the practical rule is simple: do not wait until the first enterprise customer, first investor diligence request, or first platform dispute to ask whether the software licensing model is legally sound in Turkey. By that point, the startup is no longer designing its legal architecture; it is reacting to its weaknesses. The stronger approach is to build the licensing structure early, with ownership, access scope, data protection, confidentiality, consumer exposure, and channel design all aligned from the beginning.
Yanıt yok