2 full contract analyses, no credit card.

Analyze free
Back to Resources

What to look for in a vendor MSA

Vendor MSAs repeat a lot of the same structure. Once you know what to look for, you can scan for the pieces that actually move the needle.

Term and renewal. How long is the initial term? Does it auto-renew? Notice to cancel—30, 60, or 90 days? Put the notice deadline on the calendar the day you sign. Missing it is one of the most common (and avoidable) mistakes.

Fees and changes. Is the price fixed for the term? If the vendor can change fees, how much notice do you get, and is there a cap (e.g. a few percent per year)? Watch for language that lets them pass through new taxes or add fees without real notice.

Liability. There’s usually a cap (e.g. 12 months of fees or the amount paid in the last year). Then come the carve-outs. Indemnity, confidentiality, and sometimes IP or data breaches are often uncapped. If the list of carve-outs is long, the cap may not mean much in practice.

Indemnity. What do you have to indemnify them for? What do they indemnify you for? Typical gaps: they indemnify IP infringement but not data breaches; you indemnify “use of the service” in a way that can be read very broadly. Skim both sides so you know what’s mutual and what’s one-sided.

Data and security. Where does data live? What subprocessors or regions are involved? Do they commit to a standard (e.g. SOC 2) or a DPA you can accept? If you have compliance or residency needs, this section is where they get reflected—or missed.

Termination and data return. Can you exit without a big penalty? After exit, how long do you have to get your data, and in what format? Thirty days is common; shorter windows can be tight.

IP and license. Who owns what you build or upload? Do they get a license to use it to run the service, or something broader? For product and customer data, narrow is better.

You don’t have to be a lawyer to spot these. You do need to look. For a structured view of risk on a specific vendor MSA, you can get a free risk analysis or see an example report. For the full workflow, how it works. This is not legal advice; use it to prepare for conversations with counsel.