SaaS Companies and Permanent Establishment Risk

Your SaaS company doesn’t need a physical office abroad to trigger a multimillion-dollar tax bill. With authorities expanding the definition of permanent establishment, unprepared employers often realize the risk too late.

Expert Contributors:

Jeffrey Zhou

CEO & Founder of Fig Loans

Nikita Sherbina

Co-Founder & CEO of AIScreen

When Netflix received a $59 million tax bill from Italy in 2022, it wasn’t due to opening offices in the country or hiring local staff. Rather, it was because authorities determined streaming to Italian customers through digital infrastructure triggered a permanent establishment (PE).

Google has faced similar challenges outside the U.S., paying over $600 million in Italy across two tax cases, and settling for over $1 billion in France in 2019 for local PE obligations.

These examples mark a clear shift in how countries tax digital commerce.

However, not every company has the resources or influence to navigate such disputes.

As software-as-a-service (SaaS) business models allow revenue to flow across borders without physical presence, governments are increasingly asserting taxing rights over these activities.

Permanent establishment risk has become a strategic consideration for SaaS companies expanding globally. Recognizing where your operations might create a taxable presence is central to scaling without triggering costly audits and even more expensive penalties.

What is Permanent Establishment?

Permanent establishment, or PE, is a cornerstone of international taxation.

Governments use PE to decide whether a business has enough presence in a country to be taxed there.

It first emerged in the early 20th century, when cross-border business operations were mostly physical. Therefore, traditionally, it’s linked to brick-and-mortar activities, such as having a physical office or employees abroad.

However, a century later, the application of PE has grown increasingly more complex.

With the rise of digital and cloud-based business models, companies can generate significant economic activity in a country without any physical footprint.

This shift has blurred the traditional boundaries of permanent establishment, creating uncertainty for businesses and tax authorities.

The Meaning of Permanent Establishment for SaaS Companies

The software-as-a-service industry is expanding remarkably fast, with the global market expected to reach $1.13 trillion by 2032. According to Statista, the U.S. remains the leading SaaS region, as companies increasingly scale across borders to capture international demand.

A business may sell subscriptions, deliver applications through the cloud, or host customer data internationally while operating from a single location, without establishing a physical office or direct workforce abroad.

However, this disconnect between where a digital business generates value and its staff or infrastructure location creates uncertainty and taxation complexity.

Understanding the meaning of permanent establishment is essential in this context.

Global Tax Reforms Affecting SaaS Permanent Establishment Risk

SaaS companies are faced with increased scrutiny under permanent establishment rules as digital business models challenge traditional taxation frameworks.

Unlike physical businesses, these firms can generate significant revenue in a country without a local office or employees, making it difficult for tax authorities to establish a taxable nexus.

According to the European Parliamentary Research Service briefing (EPRS 2021), digital businesses often rely on intangibles such as software, algorithms, and user data, which can easily be moved across borders, allowing companies to minimize their tax exposure.

This mobility complicates applying the PE concept and increases the risk of retroactive tax liabilities.

Regulatory developments, including the Organisation for Economic Co-operation and Development (OECD) two-pillar solution and EU digital taxation initiatives, referenced in the same EPRS briefing, aim to address these challenges.

OECD’s Pillar One focuses on companies with global revenue of €20 billion and a profit margin above 10%; it reallocates taxing rights to market jurisdictions based on where customers are located, regardless of physical presence
Pillar Two introduces a 15% global minimum tax on companies with revenue above €750 million to reduce profit-shifting incentives
Meanwhile, EU member states have implemented Digital Services Taxes (DST) that target revenues generated from local users, even when the company has no physical presence, further increasing compliance obligations

Managing permanent establishment risk for SaaS companies, particularly larger or multinational firms, now requires a strategic approach beyond monitoring local hires.

Companies must review where they generate their revenue from and assess whether local authorities might consider them to have a permanent establishment.

While the OECD Pillars may not directly apply to smaller companies, national digital taxes could trigger taxable presence without a physical office.

The Role of International Tax Treaties

Tax treaties, also known as double tax agreements (DTAs) or double tax avoidance agreements (DTAA), are bilateral agreements designed to prevent or reduce double taxation on the same income.

They clarify which jurisdiction has the right to tax specific types of income and outline how cross-border business activity should be treated for tax purposes.

These treaties often reference PE as the threshold for taxation.

However, many of them were drafted before the rise of the digital economy, which may create gray areas for SaaS companies.

Even with these treaties in place, global reforms like OECD Pillars and national DSTs can create additional obligations that companies must navigate.

Why SaaS Companies Face Unique Permanent Establishment Risks

SaaS companies operate under a fundamentally different model than traditional businesses, yet they are subject to tax rules designed initially for physical commerce.

This mismatch creates vulnerabilities that often go unnoticed until a compliance issue arises.

The borderless nature of software delivery allows SaaS companies to serve customers anywhere without a physical office. Still, this perceived freedom from geographic constraints can mask significant legal and tax exposure.

Even without a conventional physical office, core business operations can establish a taxable presence in foreign jurisdictions.

“SaaS leaders often underestimate the risk in human touchpoints that seem harmless, such as local customer success representatives visiting clients, account managers conducting on-site training, or contractors managing integrations,” says Jeffrey Zhou, CEO and Founder of Fig Loans.

He explains that companies see these as operational necessities rather than tax triggers.

This exposure is exacerbated by digital services taxes and varying local tax laws, which may consider remote work to create a fixed place of business or agency PE.

Therefore, the first step in mitigating an unintended tax liability is to recognize the specific triggers that can create these risks.

Otherwise, Zhou warns about the possible consequences.

“The cost can be surprisingly high, including unexpected permanent establishment audits, back taxes, penalties, and even strained client relationships while the company works to resolve compliance issues.

The common thread is assuming that small, everyday interactions or local tech deployments are invisible to tax authorities.

Ignoring these details can turn routine growth into expensive surprises that could have been avoided with a proactive PE review,” concludes Zhou.

Jeffrey Zhou CEO & Founder of Fig Loans

Common PE Triggers for SaaS Companies

Even though SaaS companies often operate digitally, permanent establishment risk usually arises when these operations take on a physical or human presence in another jurisdiction.

“The most common underestimation I see is assuming that ‘digital-first’ means ‘location-free’,” explains Nikita Sherbina, Co-Founder and CEO of AIScreen.

“In reality, even something as simple as hosting data or negotiating contracts from a specific jurisdiction can create exposure,” adds Sherbina.

Understanding these triggers helps businesses assess and mitigate permanent establishment tax exposure. While each jurisdiction applies its standards, specific patterns consistently create risk across multiple countries.

Physical Presence Triggers	Human Activity Triggers
A fixed place of business (e.g., office, branch, or coworking space)	Employees or agents authorized to negotiate, conclude, or materially influence contracts
Company-owned infrastructure or equipment used to deliver services locally (e.g., servers, data centers, specialized hardware)	Staff performing customer-facing activities integral to contract execution or revenue generation
Long-term on-site projects, such as software deployment, integration, or implementation	Contractors acting under company direction with decision-making authority
Storage of inventory or software for distribution	Presales, technical, or support teams whose work is directly linked to contract performance

Activities that are short-term, purely preparatory, or performed through third-party providers typically do not create PE.

Jurisdictions differ on the thresholds for human authority and physical infrastructure, so clearly defining roles, documenting responsibilities, and maintaining evidence of third-party involvement are essential to managing the risk of permanent establishment.

“The most common underestimation I see is assuming that ‘digital-first’ means ‘location-free’. In reality, even something as simple as hosting data or negotiating contracts from a specific jurisdiction can create exposure.”

Nikita Sherbina Co-Founder & CEO of AIScreen

What are the Consequences of Mismanaging Permanent Establishment?

What happens when companies miss the triggers?

Permanent establishment risks extend far beyond the immediate tax bill.

Many companies only discover PE problems when audits or compliance reviews reveal them. By then, the resulting liabilities have usually accumulated, making operations more complex.

Early mismanagement transforms what could have been manageable compliance issues into substantial financial and legal burdens that threaten business continuity.

Tax Implications

Once local authorities confirm PE, the main risks arise from tax obligations and related penalties.

Non-compliance can result in substantial back taxes and interest on corporate income tax and VAT.

Total liabilities may reach millions of dollars and can be applied retroactively to the company’s initial activities in the country, often spanning multiple years.

In such cases, the tax calculation becomes even more complex because authorities must determine what portion of global profits to attribute to the PE. This analysis rarely favors the taxpayer, notably when documentation is lacking.

If a permanent establishment involves employees or other local personnel, the company may be considered a local employer for tax purposes.

This classification can trigger obligations such as payroll taxes, social security contributions, and compliance with employment laws.

Additionally, overlapping rules can result in double taxation in cases where multiple jurisdictions assert taxing rights, further increasing the financial burden and complicating compliance.

Business Impact

Non-compliance with local laws, even unintentionally, can damage relationships with authorities and clients, and may signal a lack of respect for local regulations.

The company’s brand and trustworthiness in the market can also be affected, potentially influencing customer perception.

Strategically, a permanent establishment shapes how a business hires, assigns staff, structures operations, and approaches market entry. Proactively managing these risks ensures the company maintains credibility while operating across borders, balancing compliance with operational flexibility.

Practical Risk Assessment for SaaS Companies

Every SaaS company should regularly evaluate its permanent establishment risk.

This process does not always require external consultants at the initial stage. Companies can begin with a structured internal assessment to identify obvious exposures and flag areas where professional review is needed.

A practical starting point is mapping where employees and contractors are physically located.

Maintain a simple spreadsheet noting each individual’s location, role, level of authority, and duration in that location. This exercise alone often uncovers risks that leadership may have overlooked.

The next step is to determine the key questions to guide the risk assessment and establish clear indicators for evaluating the level of PE exposure.

Risk Assessment Questions

SaaS companies should ask targeted questions that expose structural and operational risks to evaluate potential vulnerabilities.

The following examples clarify how and where business activities create a presence that local authorities could view as a permanent establishment.

Do we have employees or contractors working abroad, and under whose direction do they operate?
Do we own, lease, or have access to infrastructure or equipment in foreign markets?
Does our staff negotiate or sign contracts locally, even on a limited basis?
Where are our servers and customer data hosted, and does this create a meaningful digital footprint in a specific country?
How do we source and acquire customers in different jurisdictions, and who leads these actions?
Are any employees or representatives conducting in-person sales or promotional activities abroad?
Where will we hire or expand operations in the next 12 months?
Will any of these roles have the authority to negotiate or conclude contracts on behalf of the company?
Are our intercompany arrangements, such as management or licensing agreements, clearly documented and aligned with actual functions performed?

Asking these questions helps management distinguish between low-risk operational activities and those that may signal a taxable or regulatory presence in specific jurisdictions.

The answers form a foundation for a more detailed review and guide whether external professional input is needed.

Risk Level Indicators

The level of PE risk varies depending on how integrated foreign operations are into the company’s revenue model.

High-risk indicators require immediate attention and often have clear, direct human and infrastructure triggers. Examples include remote employees or contractors abroad who have the authority to negotiate or sign customer agreements, in-country sales or implementation teams, or using locally maintained servers or offices.

These factors suggest a significant degree of presence and control in the market.

Medium-risk indicators may not create a PE immediately, but can evolve into one if activities become more regular or strategic. These include senior employees working abroad without signing authority but managing regional operations, or close collaboration with local distributors or partners that perform core business functions.

Low-risk indicators generally require monitoring rather than immediate mitigation, like a SaaS delivery model where independent third parties manage hosting.

Regular monitoring of cross-border operations allows SaaS companies to identify early signs of PE exposure and manage risks before they escalate.

Strategies to Mitigate Permanent Establishment Risk

Governments are more actively reviewing how multinational companies operate and where they report income.

According to PwC’s Global Tax Controversy and Dispute Resolution survey, 71% of businesses reported a rise in tax inquiries.

With 43% of these inquiries evolving into prolonged disputes, the risk of permanent establishment is a growing concern for many companies. Multiple tax authorities in the same jurisdiction and changing rules, such as the global minimum tax, amplify this complexity.

The strategies below offer practical guidance for SaaS companies to proactively manage PE exposure, ensure compliance, and minimize the risk of costly disputes.

1) Structure International Operations Strategically

Effective international expansion begins with a clear operational structure that balances control, efficiency, and compliance. Centralizing key decision-making and contract execution in the home country or designated regional hubs helps reduce exposure to regulatory and operational risks.

Practical examples highlight the importance of structure and functional clarity.

In Spain, a Dell case showed that even formal hierarchies cannot prevent risk when local teams perform core business activities under the parent’s direct control.

Conversely, the Roche Vitamins case in the same country demonstrated that clear functional separation and arm’s length remuneration can significantly reduce risk.

While neither case directly involves SaaS, the principles apply: maintaining operational autonomy and structured roles is paramount for managing exposure.

In some cases, regional hubs offer a middle ground.

A single entity in a key location, such as Singapore for Asia-Pacific or the U.K. for EMEA, can support multiple markets while ensuring centralized oversight, operational efficiency, and compliance.

2) Leverage Employer of Record (EOR) Solutions

An Employer of Record (EOR) service allows a company to hire staff in a foreign country without establishing a local entity. The EOR acts as the legal employer, handling payroll, benefits, taxes, and regulatory compliance, while the company retains operational control over employees’ work.

When structured correctly, this arrangement can significantly reduce, but not eliminate, permanent establishment risk. Local authorities generally do not treat the company as having a taxable presence if it does not directly employ staff or make binding business decisions.

However, PE exposure may still arise if employees under the EOR can conclude contracts, negotiate pricing, or otherwise act in ways that legally bind the company.

Alternatively, companies can manage multi-state payroll obligations through outsourced payroll services. Global payroll providers can support compliance, but do not mitigate PE risk alone.

The key remains ensuring that employee authority and local operational activities do not create a taxable presence.

Top 3 Employer of Record Services

Deel

Velocity Global

Multiplier

3) Implement Robust Remote Work Policies

As remote and hybrid work models blur the lines of jurisdiction, companies must have clear policies that can answer questions like “Where are employees physically performing their work?” or “What authority do they have there?”.

These remote work guidelines should also outline approval procedures for cross-border work and limit high-risk activities such as contract negotiation or local client representation.

Monitoring and enforcement matter as much as policy creation.

Some employees will work from foreign locations without requesting permission, either by accident or on purpose. Proactive oversight prevents this potential PE exposure and shows authorities that the company takes compliance seriously.

Finally, clear communication completes the policy. When workers understand why these measures exist, they are more likely to cooperate. Framing geographic restrictions as risk management, not control, helps build trust and keeps teams aligned with global tax strategy.

4) Partner with International Tax and Legal Experts

The challenge of international tax stems from the wide variation in rules across countries.

For example, Canada relies on a fixed place of business, such as offices or factories, to determine PE. At the same time, the United States expands the concept beyond physical presence with an “effectively connected income” rule. Brazil lacks general domestic PE rules, leaning on treaties and agency-specific definitions, whereas Singapore includes digital presence and agents with decision-making authority.

Navigating these differences requires guidance from professionals with deep local knowledge.

Tax and legal experts can interpret ambiguous treaty language to identify PE risks and advise on structuring international operations to stay within compliance boundaries.

While it might seem expensive, the cost of expert advice is low compared to the expense of remediating permanent establishment tax violations.

“To balance compliance with growth, I encourage companies to build tax strategy into their expansion planning, not as a postscript,” advises Nikita Sherbina, agreeing that “using entity-light structures and working with local advisors early saves massive headaches later.”

5) Maintain Detailed Documentation

Maintaining meticulous documentation is a key defense against PE claims.

Companies should keep records showing where their workforce is located, the scope of their authority, and how they make decisions.

If the business already has entities in multiple countries, maintain transfer pricing documentation that explains the precise allocation of revenue and costs.

Tax authorities may challenge the profit allocation between the PE and the rest of the company, arguing that more profit should be attributed to the foreign jurisdiction.

Defending these adjustments requires extensive documentation that shows tax authorities that the profit allocation reflects legitimate business functions, not tax avoidance.

6) Perform Cross-Functional Compliance Reviews

Annual reviews of permanent establishment risk should become standard practice as your SaaS company grows. They help identify new compliance gaps, check whether current mitigation strategies are still effective, and determine if expansion into new markets requires structural adjustments.

The review process should be a cross-functional effort, involving finance, legal, human resources, and senior leadership.

Finance contributes expertise on financial and tax implications, while legal ensures compliance with local and international regulatory requirements.

Human resources provides detailed insight into employee locations and roles, which are critical for assessing operational exposure.

Lastly, senior leadership delivers strategic oversight as it evaluates and determines acceptable levels of operational risk.

By merging these perspectives, the review process delivers a thorough assessment that aligns operational practices with corporate strategy and regulatory compliance.

Remote Work, AI, and the New PE Landscape

The pandemic-driven shift to remote work has fundamentally changed how companies assess permanent establishment risk. What began as a temporary arrangement has evolved into a structural change in how SaaS businesses operate, and tax authorities worldwide are responding accordingly.

Employees working remotely from foreign jurisdictions can inadvertently trigger PE exposure for their employers.

Most value-creating activities in a country may establish a taxable presence regardless of the company’s headquarters. For example, a developer working from home in Portugal on a U.S.-based product could trigger Portuguese PE.

However, as organizations grapple with this somewhat recent challenge, another emerges: the rapid integration of artificial intelligence into SaaS solutions.

Research shows that AI software revenue could reach $118.6 billion by 2025, up from $9.5 billion in 2018.

With 35% of SaaS businesses already deploying artificial intelligence and 42% planning implementation, it is becoming standard infrastructure across the industry.

This convergence creates a perfect storm for PE exposure.

AI development inherently involves distributed teams, from data scientists training models in one country to engineers refining algorithms in another. Given the vast differences in AI regulation worldwide, each point in this network represents a potential risk.

Still, despite the challenges, the solution isn’t avoiding remote work or tech advancements, as both are competitive necessities.

Instead, SaaS companies must build PE risk into hiring decisions and establish tax structures before problems arise, not after audits begin.

Building a Future-Proof Compliance Model for SaaS

The SaaS industry’s growth trajectory shows no signs of slowing, but neither does regulatory scrutiny. Companies that treat permanent establishment as a reactive concern rather than a strategic priority will face mounting financial and operational costs.

Avoiding this requires building a future-proof strategy on three foundational elements:

Visibility, or knowing where your workforce operates and what authority they hold
Structure, or deliberately designing operations to minimize exposure through centralized decision-making and accurate documentation
Adaptability, or recognizing that tax rules will continue evolving, particularly as remote work and AI reshape traditional notions of physical presence

As digital taxation models mature and enforcement expands, managing permanent establishment risk will define the difference between proactive leadership and costly reaction. SaaS companies expanding internationally face the choice of building compliance infrastructure now or funding it later through back taxes and constrained operational flexibility.

The framework exists, and the risks are quantifiable. What remains is execution.

Written by tamara jovanovska

Content Writer at Shortlister

Sources

Payroll Companies

Browse our curated list of vendors to find the best solution for your needs.

Stay Informed

Subscribe to our newsletter for the latest trends, expert tips, and workplace insights!