Business Services for SaaS Companies in Lithuania

AT A GLANCE

Lithuania offers SaaS companies a favourable IP box regime, competitive corporate tax, and a growing technology talent pool — making it one of the most practical EU jurisdictions for software-based businesses.
GDPR compliance is not optional for any SaaS company processing personal data of EU users — fines of up to 4% of global annual revenue apply under active enforcement across EU member states.
We provide five service areas for SaaS companies: accounting, legal services, outsourcing, data protection and GDPR compliance, and terms of service and privacy policy drafting.
SaaS-specific accounting covers subscription revenue recognition, deferred income treatment, multi-currency SaaS billing, and the Lithuanian IP box regime for qualifying software income.
Our SaaS clients range from pre-revenue startups setting up their first legal documentation to scaling companies preparing for investment or EU market expansion.

SaaS companies operating from Lithuania need accounting, legal, and compliance support calibrated to the specific characteristics of software-as-a-service: recurring revenue recognition, GDPR obligations for user data, enforceable SaaS subscription agreements, data processing frameworks for B2B clients, and — where relevant — the Lithuanian IP box regime for qualifying intellectual property income. We cover all five service areas under one engagement, in English, for foreign-founded and locally incorporated SaaS businesses selling to EU and global markets.

Why SaaS Companies Choose Lithuania

Lithuania’s combination of competitive corporate tax, an accessible IP box regime, strong digital infrastructure, and a concentrated technology talent pool in Vilnius and Kaunas makes it a practical choice for SaaS companies entering the EU market. The country’s position as a full EU member state means a Lithuanian SaaS company can sell to EU clients, sign EU-standard data processing agreements, and access EU funding programmes without the operational friction of being based outside the single market.

Corporate tax — 5% or 15%

A Lithuanian SaaS company that qualifies as a small company — up to 10 employees and annual revenue below €300,000 — pays corporate income tax at 5%. Above those thresholds, the standard 15% rate applies. For SaaS companies with early-stage revenues and a small team, the 5% rate represents a significant advantage over the 19–25% rates applicable in most Western European jurisdictions. The rate applies automatically to qualifying companies — no special application is required.

The IP box regime

Lithuania’s IP box regime allows qualifying intellectual property income — income derived from patents, software copyright, and certain other protected rights — to be taxed at a reduced effective rate. For SaaS companies that hold their software IP in Lithuania and derive revenue from licensing or using it commercially, the IP box regime creates a meaningful tax planning opportunity. The regime is available only to companies that created the qualifying IP themselves or acquired it and further developed it — passive IP holding does not qualify. We structure the IP ownership and accounting correctly for SaaS companies seeking to access the IP box from incorporation.

Technology talent pool

Vilnius and Kaunas have established technology communities — software engineers, product designers, data scientists, and DevOps specialists — with salaries that are competitive by EU standards but significantly below those in Berlin, Amsterdam, Stockholm, or London. For SaaS companies that plan to build engineering or operations teams in Lithuania, the labour market is accessible and the quality of candidates is high. We support the recruitment and employment documentation side of building a Lithuanian tech team as part of our legal and outsourcing services.

EU single market access

A Lithuanian SaaS company is a full EU legal entity. It can contract with EU clients under EU law, sign GDPR-compliant data processing agreements that satisfy EU regulatory requirements, and access EU funding programmes including Horizon Europe and the European Innovation Council. For SaaS founders based outside the EU who want a credible EU legal presence — without the complexity and cost of incorporating in Germany, France, or the Netherlands — Lithuania provides a straightforward entry point.

Digital infrastructure

Lithuania ranks among the top EU member states for internet speed, digital public services, and e-government infrastructure. The country’s .lt domain and Lithuanian business register are fully digital. Bank account opening, VAT registration, and company filings can all be handled electronically. For a SaaS company that operates digitally and values administrative efficiency, Lithuania’s digital infrastructure removes many of the friction points that affect business establishment in less digitally advanced jurisdictions.

SaaS in Lithuania — key numbers

5% CIT — qualifying small companies (≤10 employees, revenue ≤€300,000) · 15% CIT — standard rate above thresholds · IP box — reduced effective rate on qualifying IP income · 21% VAT — Lithuanian standard rate; OSS for cross-border B2C digital services · €2,500 — minimum share capital for UAB · €51 — state registration fee · 1–3 business days — company registration timeline

Our Services for SaaS Companies

SaaS companies have specific accounting, legal, and compliance needs that differ materially from standard commercial businesses — subscription revenue recognition, IP ownership structures, GDPR data processor obligations, and SaaS-specific commercial terms all require specialist expertise. We provide five service areas covering the full lifecycle of a Lithuanian SaaS company.

Accounting Services for SaaS

SaaS accounting differs from standard bookkeeping in two critical areas: revenue recognition and IP accounting. Subscription revenue must be recognised over the service period — not at the point of cash receipt — following the accrual accounting principle. Prepaid annual subscriptions create deferred income liabilities that must be correctly unwound monthly. For companies with the Lithuanian IP box, qualifying IP income must be tracked and reported separately. We provide SaaS-specific accounting on a fixed monthly retainer, with VAT, OSS, and annual filings included.

Monthly bookkeeping — subscription revenue recognition, deferred income treatment, and multi-currency SaaS billing
Lithuanian VAT return and EU OSS quarterly return — for digital services sold cross-border to EU consumers
IP box income tracking — separate accounting for qualifying IP income where the regime is applied
Payroll and SoDra declarations for Lithuanian engineering and operations staff
Annual financial statements and corporate income tax return — with SaaS-specific revenue and IP disclosures
Monthly management report — MRR, ARR, churn, gross margin, deferred revenue, and cash runway

Legal Services for SaaS

SaaS legal work centres on the contracts that govern software access and the protections that secure the company's intellectual property. A SaaS subscription agreement that is ambiguous on service level, data handling, liability, or termination creates disputes when those scenarios arise — and they always arise. Employment contracts for engineers without explicit IP assignment clauses mean the code they write may not legally belong to the company. We prepare the core legal documentation for SaaS companies at fixed fees, in English, with Lithuanian versions where required.

SaaS subscription agreements — governing software access, SLA, acceptable use, liability caps, and termination
Data processing agreements (DPAs) — GDPR-compliant DPAs for B2B clients who process personal data through the platform
Employment contracts for engineers — with explicit IP assignment clauses covering all work done in scope of employment
Contractor and freelancer agreements — IP assignment and confidentiality for externally sourced development work
IP assignment agreements — assigning pre-incorporation or contractor-created IP to the company
NDAs and confidentiality agreements — for partner discussions, investor conversations, and due diligence
Investment documentation review — term sheets, SHA, and cap table implications for SaaS-specific structures

Outsourcing Services for SaaS

Early-stage and growing SaaS companies frequently need senior expertise — CFO oversight, legal counsel, data protection officer — that does not justify a full-time hire at their current stage. Outsourced functions provide senior coverage at a fraction of the full-time cost, scaling with the business as revenue grows. We provide outsourced CFO, legal counsel, and DPO functions specifically for SaaS companies — with a team that understands recurring revenue models, SaaS-specific financial metrics, and the GDPR obligations of a data processor.

Outsourced CFO — monthly MRR/ARR reporting, investor reporting, financial planning, and board-level financial oversight
Outsourced legal counsel — ongoing contract review, IP management, regulatory monitoring, and ad hoc legal advisory
Outsourced DPO (Data Protection Officer) — GDPR compliance programme management, SDPI liaison, and data subject rights handling
Virtual general counsel — comprehensive legal coverage combining legal counsel and IP advisory under one retainer
Board advisory services — preparing financial and legal materials for board and investor meetings

Data Protection and GDPR Compliance

Every SaaS company that processes personal data of EU users — which means every SaaS company with an EU user base — is subject to GDPR in full. For SaaS companies that sell to businesses, the GDPR obligations are doubled: as a data processor handling their clients' data, the SaaS company must have compliant data processing agreements in place with each client, implement appropriate technical and organisational security measures, and have a documented incident response procedure. Fines for GDPR violations reach up to 4% of global annual revenue under active enforcement across the EU.

GDPR compliance programme — full assessment and implementation of GDPR obligations specific to SaaS data processing
Data processing agreements (DPAs) for B2B clients — GDPR-mandatory agreements for all clients whose user data flows through the platform
Records of processing activities (ROPA) — internal data map covering all data processing operations
Privacy notice and cookie policy — GDPR-compliant user-facing documentation
Data breach response procedure — 72-hour notification obligations to SDPI and affected data subjects
Technical and organisational measures (TOMs) documentation — security framework required in all DPAs
Sub-processor management — managing DPAs with infrastructure providers (AWS, GCP, Stripe, etc.)
Outsourced DPO service — where mandatory or commercially appropriate

Terms of Service and Privacy Policy Drafting

Terms of service and privacy policies for SaaS products are not the same documents as general e-commerce or website terms. A SaaS terms of service governs ongoing software access — covering uptime obligations, feature changes, data ownership, termination and data portability, and the liability framework when the software fails. A SaaS privacy policy must specifically describe the categories of personal data collected, the purposes and legal bases for processing, third-party sharing (analytics tools, infrastructure providers), and user rights. Generic templates produce terms and policies that do not reflect the actual product and create liability gaps that surface during client due diligence or regulatory inspection.

SaaS terms of service — software access terms, acceptable use policy, SLA, liability cap, termination, and data return provisions
Privacy policy — GDPR-compliant, specific to SaaS data processing activities; covers all data collected by the product
Cookie policy and consent banner specification — for SaaS products with web interfaces that use analytics or tracking cookies
Acceptable use policy (AUP) — defining permitted and prohibited uses of the software
Data processing addendum (DPA) — embedded or standalone; for B2B clients requiring GDPR-compliant data processor terms
Sub-processor list — published list of sub-processors as required by most enterprise client DPAs
End-user licence agreement (EULA) — for SaaS products with a software download or desktop component

Key Compliance Obligations for SaaS Companies in Lithuania

SaaS companies face a specific set of compliance obligations — distinct from those of physical product businesses or service companies — that arise from the nature of software delivery and the data processing that accompanies it.

VAT on digital services to EU consumers

SaaS subscriptions sold to EU consumers (B2C) are taxed at the VAT rate of the consumer’s country — not Lithuania’s rate. A subscription sold to a French consumer is subject to French VAT at 20%; to a German consumer, German VAT at 19%; to a Polish consumer, Polish VAT at 23%. The EU One Stop Shop (OSS) scheme allows a Lithuanian SaaS company to report and pay all EU cross-border B2C VAT through a single quarterly return filed with VMI — eliminating the need for separate VAT registrations across the EU. OSS registration applies once cross-border B2C digital services exceed €10,000 annually.

GDPR as a data processor

When a SaaS company processes personal data on behalf of its business clients — user records, activity logs, customer data entered into the platform — it is acting as a data processor under GDPR, and its clients are the data controllers. This creates specific obligations: the SaaS company must have a signed data processing agreement with each B2B client before processing begins; it must implement appropriate security measures; it must notify clients of any data breaches affecting their data; and it must cooperate with the client’s GDPR compliance obligations. Most enterprise clients require a DPA before signing a contract. Not having a compliant DPA ready delays sales cycles and creates regulatory exposure.

IP ownership — ensuring the company owns its code

For SaaS companies, the most valuable asset is the software itself. The legal ownership of that software depends on whether the code was written by employees under employment contracts with IP assignment clauses, by contractors under agreements that explicitly assign ownership to the company, or by founders before the company was incorporated — in which case an IP assignment agreement is required. A SaaS company that has been operating for two years but has not executed IP assignments from its founding developers or early contractors does not have clean IP ownership — which becomes a serious problem during investor due diligence or an acquisition process.

Lithuanian IP box — qualifying conditions

Lithuania’s IP box regime allows income derived from qualifying intellectual property — including software protected by copyright — to be taxed at a reduced effective rate. The regime requires that the qualifying IP was created or significantly developed by the company itself (the nexus approach), and that the income is separately tracked and attributable to the qualifying IP. SaaS companies that qualify can apply the IP box to the subscription revenue attributable to the software licence component of their service. We advise on IP box qualification and set up the accounting framework from incorporation to ensure the benefit is accessible from the first tax year.

EU digital services VAT — a practical note
A Lithuanian SaaS company selling subscriptions to EU consumers needs OSS registration once cross-border B2C revenue exceeds €10,000/year. For B2B sales — selling to VAT-registered businesses in other EU member states — the reverse charge mechanism applies: the client accounts for VAT in their country, and the Lithuanian company issues a VAT-free invoice with a ‘reverse charge’ notation. The VAT treatment of B2B cross-border SaaS sales is therefore simpler than for B2C. Most early-stage SaaS companies are primarily B2B, which reduces the OSS urgency — but the moment B2C sales begin, OSS registration should follow promptly.

Services by Company Stage

The services a SaaS company needs evolve as the business grows. The table below maps our five service areas to the stage of the company at which each becomes most relevant.

Company Stage	Priority Services	Key Deliverables
Pre-incorporation	Legal — IP structure and founder agreements	Founder SHA, IP assignment plan, entity structure recommendation
Incorporation (Day 1–30)	Accounting setup · Legal — founding documents and IP assignments	Accounting system configured; IP assignment agreements; employment contracts for early team
Product launch (Month 1–6)	Legal — SaaS terms and privacy policy · GDPR — DPAs for first clients	Terms of service, privacy policy, DPA template; OSS registration if B2C sales begin
Early revenue (Month 6–18)	Accounting — revenue recognition and OSS · GDPR — full compliance programme	Monthly MRR reporting; deferred income accounting; ROPA; sub-processor list; DPAs with all B2B clients
Growth and scaling	Outsourcing — CFO, legal counsel · IP box — qualifying income tracking	MRR/ARR investor reporting; IP box income segregation; legal retainer for commercial contracts
Pre-investment	Legal — IP ownership audit and data room · GDPR compliance verification	IP chain of title review; clean DPA portfolio; GDPR audit for investor due diligence
Post-investment	All five service areas — ongoing operational support	Full accounting, legal, GDPR, and outsourcing coverage as the company scales

GDPR for SaaS: Controller vs. Processor Obligations

The GDPR framework distinguishes between two roles: the data controller (the entity that determines why and how personal data is processed) and the data processor (the entity that processes data on the controller’s behalf). For SaaS companies, both roles typically apply — creating a layered compliance obligation that is more complex than for most other business types.

As a data controller — your own user data

When a SaaS company collects and processes data about its own users — account information, usage analytics, marketing email addresses, support ticket content — it is acting as a data controller. It determines the purpose and means of that processing. As a controller, it must have a lawful basis for each processing activity, provide a GDPR-compliant privacy notice, honour data subject rights requests, maintain records of processing activities, and implement appropriate security measures. The privacy policy on the SaaS website is the primary mechanism for fulfilling the controller transparency obligation.

As a data processor — client user data

When a B2B SaaS company’s platform processes personal data that belongs to its clients’ users — names, email addresses, payment data, health records, or any other information that its clients’ customers enter into the system — the SaaS company is a data processor, and each client is a data controller. As a processor, the SaaS company must: sign a data processing agreement with each controller client before processing begins; process data only on the client’s documented instructions; implement appropriate technical security measures; notify the client of any data breaches; ensure any sub-processors it uses are also bound by adequate data protection obligations; and delete or return all data at the end of the contract.

Sub-processors — the chain extends

As a data processor, the SaaS company also uses sub-processors — AWS, Google Cloud, Stripe, SendGrid, Datadog, and any other third-party services that receive or access client user data as part of the SaaS infrastructure. Every sub-processor must be covered by a data processing agreement that imposes GDPR-equivalent obligations. The SaaS company must maintain a sub-processor list that is disclosed to clients, and must notify clients before adding new sub-processors — allowing clients the opportunity to object. Enterprise clients routinely audit sub-processor lists during procurement. Not having one ready creates friction and delays.

Frequently Asked Questions

For B2B sales to VAT-registered businesses in other EU member states, the reverse charge mechanism applies. The Lithuanian SaaS company issues an invoice without Lithuanian VAT — the client accounts for VAT in their own country under the reverse charge. The Lithuanian company must obtain the client’s VAT number, verify it, and include it on the invoice. This is straightforward and does not require the SaaS company to register for VAT in the client’s country. For B2C sales to non-VAT-registered consumers in other EU member states, OSS registration is required once cross-border B2C digital service sales exceed €10,000 annually — the Lithuanian company charges VAT at the consumer’s country rate and remits it through a single OSS return.

They serve different legal purposes and should be separate documents. The terms of service (or terms and conditions) is the contract between the SaaS company and the user — governing access to the software, acceptable use, liability, termination, and the commercial relationship. The privacy policy is a transparency document required by GDPR — describing how personal data is collected, for what purposes, on what legal basis, and what the user’s rights are. Combining them into a single document is technically permissible but makes GDPR compliance more difficult to demonstrate. Enterprise clients also typically request separate documents during procurement. We recommend — and draft — the two as separate, cross-referenced documents.

Yes, if the SaaS platform processes personal data of the client’s users. GDPR Article 28 requires that processing by a processor on behalf of a controller be governed by a binding contract — the data processing agreement. This is mandatory regardless of the size of the client, the volume of data processed, or the sensitivity of the data. For SaaS companies, the practical approach is to include the DPA as a standard exhibit to the SaaS subscription agreement — so every new client signs both the subscription terms and the DPA as part of the same onboarding process. Alternatively, a standalone DPA can be accepted digitally during account setup.

The Lithuanian IP box allows income attributable to qualifying intellectual property — including software copyright — to be taxed at a reduced effective rate rather than the standard 5% or 15% CIT rate. To qualify, the IP must have been created or significantly enhanced by the company itself (the OECD nexus approach), and the income must be demonstrably attributable to the qualifying IP. For a SaaS company, this typically means the subscription revenue allocable to the software licence component of the service. The regime requires careful accounting setup from inception — we structure the IP ownership and income tracking from incorporation so the benefit is accessible from the first tax year without requiring retroactive reconstruction.

Yes. GDPR requires that a data processor, at the choice of the data controller, either returns all personal data to the controller or deletes it — after the end of the provision of data processing services. This obligation must be reflected in the data processing agreement. SaaS companies must have a documented data deletion or return procedure, and the DPA should specify the timeline within which this occurs after contract termination. Many enterprise clients also include data portability obligations in their procurement requirements — requiring the SaaS company to export data in a machine-readable format before deleting it. We draft DPAs that reflect these obligations clearly, protecting both parties.

Open-source code can be used in a SaaS product, but the licence terms of each open-source component must be reviewed for compatibility with the company’s commercial model. Permissive licences (MIT, Apache 2.0, BSD) allow commercial use with minimal restrictions. Copyleft licences (GPL, LGPL, AGPL) impose conditions that may require the company to open-source its own code if the GPL-licensed component is incorporated in certain ways. AGPL is particularly relevant for SaaS — it requires the source code to be made available to users who interact with the software over a network. We conduct an open-source licence compliance review as part of our IP ownership audit for SaaS companies.

For a company being incorporated from scratch, the core legal and compliance framework — entity registration, terms of service, privacy policy, DPA template, employment contracts for the first hires, and IP assignment agreements — takes 3–4 weeks from instruction to signed documents. The accounting setup and OSS registration run in parallel and are typically in place within the same timeframe. A full GDPR compliance programme — records of processing activities, sub-processor list, data breach procedure, and technical measures documentation — adds another 1–2 weeks. For a company that is already operating but has gaps in its documentation, the timeline depends on what exists and what needs to be created from scratch. We assess the current state and provide a prioritised remediation plan.

Ready to set up your Lithuanian SaaS company?

Contact us to discuss your product, user base, and current stage. We will confirm which services are most urgent, provide fixed-fee quotes for each, and begin work within 24 hours of your instruction. We work with pre-incorporation SaaS founders and scaling SaaS companies at every stage of growth.