Home  ›  Blog  ›  MSA Key Clauses
Strategy · MSA · Contracts

The Master Services Agreement — the clauses that compound.

The MSA is the document most enterprise buyers spend the least time on and pay the highest price for. Where the order form contains the visible commercial terms, the MSA contains the structural ones — indemnification scope, IP ownership, limitation of liability, governing law, audit reservation — that determine exposure across every subsequent order. The MSA is also the document the vendor's legal team has tuned over thousands of deals to favour the vendor. Negotiating it once, at the start of the relationship, prevents the same fight at every renewal.

Updated: June 2026 Reading time: 13 min Audience: CIO, CFO, General Counsel, Procurement
MSA negotiation
Why the MSA matters

Once signed, the MSA frames everything that follows.

A typical enterprise MSA is signed at the first major engagement with a vendor and then incorporated by reference into every subsequent order form, statement of work, and amendment for the duration of the relationship. Five years later, the buyer is still bound by terms negotiated by a different team, often under time pressure, with the vendor's template as the starting position. Renegotiating the MSA mid-relationship is hard. Negotiating it well at signature is the highest-leverage hour of legal work the procurement team will do.

The MSA vs. order form dichotomy

Vendors structure their commercial documents so that the order form contains negotiable commercial terms (price, term, quantity) while the MSA contains "standard" legal terms (indemnification, liability, IP, governing law). The framing implies that order form terms are subject to negotiation and MSA terms are not. That framing is incorrect at enterprise scale. The MSA is fully negotiable — vendors maintain pre-approved redline alternatives for every major clause. The question is whether the buyer asks.

Reviewing a new MSA before signature?

This is the highest-leverage hour of contract work in the relationship. The structural terms set five years of exposure.

Contact Us →
The clause set

The MSA clauses that matter.

01 — Limitation of liability

Default vendor language caps liability at 12 months' fees and excludes consequential, indirect, and special damages. For enterprise deployments, the standard carve-outs to negotiate: data breach and confidentiality breach (uncapped or enhanced cap, typically 3x annual fees), IP infringement indemnification (uncapped), gross negligence and wilful misconduct (uncapped), and confidential information breach (enhanced cap). Each carve-out is achievable at enterprise scale; the default template is the negotiating start, not the end.

02 — IP indemnification

The vendor's IP indemnification clause should cover third-party IP infringement claims against the buyer arising from use of the software, with defence-and-settle obligations on the vendor. Standard vendor templates limit scope through exclusions (modified software, use with third-party products, use outside specifications). The exclusions matter; they should be narrowed to genuine misuse, not to ordinary enterprise deployment patterns.

03 — Customer data ownership and use

The MSA must establish that the buyer owns its data, that the vendor's use is limited to providing the service, and that vendor use for product improvement, AI training, or analytics requires explicit buyer authorisation. The 2025–2026 wave of AI-features-built-on-customer-data has made this clause materially more important than it was previously.

04 — Confidentiality and information security

Confidentiality obligations should be mutual, perpetual for the duration of confidentiality, and survive contract termination. Information security obligations should reference a defined standard (SOC 2, ISO 27001, NIST CSF) with audit rights to verify. Standard templates often invert these — short confidentiality periods, vague security obligations.

05 — Data residency and sub-processors

For SaaS and cloud deployments, contractual commitments on data residency (specific country or region), data processing locations, and sub-processor disclosure are routinely waived in vendor templates. They are material for GDPR, Schrems II, and analogous frameworks. Add them, with notification and approval rights for sub-processor changes.

06 — Audit rights

Vendor audit clauses in the MSA grant broad rights to audit deployment, usage, and compliance. Default terms allow audit "during the term and for one year thereafter," with 30 days' notice, at the vendor's election of tooling. Negotiate: 60–90 days' notice, mutual selection of tooling, frequency cap of one per 24 months, and a mediation-before-escalation step. See our detailed treatment in audit clause negotiation.

07 — Governing law and jurisdiction

Vendor templates default to favourable jurisdictions — Delaware, Ireland, vendor home state. Negotiate either home-state jurisdiction or neutral arbitration (AAA, ICC, LCIA). For US buyers contracting with European vendors (or vice versa), neutral arbitration is often the path of least resistance.

08 — Termination for convenience and breach

Standard MSAs permit termination only for material breach uncured within 30 days. Enterprise carve-outs: termination for convenience after year one with pro-rata refund, termination for chronic SLA failure, and termination for change in vendor product direction (specific to mission-critical deployments).

Download the CIO Contract Governance Guide.

The MSA clause checklist, redline language, and escalation playbook.

Get the guide →

09 — Assignment and change of control

Default templates permit vendor assignment to affiliates and successors but restrict buyer assignment. The clause should be mutual: the buyer should retain assignment rights to affiliates and to successor entities in M&A scenarios. See our detailed treatment in contract red flags.

10 — Insurance requirements

For high-stakes deployments, the MSA should specify minimum insurance coverage the vendor must maintain — cyber liability, professional liability, general liability. Standard templates either omit insurance entirely or specify minimal coverage; the gap is meaningful for enterprise risk.

11 — Force majeure

Post-pandemic, force majeure clauses have evolved. The clause should clearly define excused events, the duration of permissible delay, and the parties' obligations during a force majeure event. Mutual force majeure that allows the buyer to terminate after a defined period of vendor non-performance is the standard enterprise position.

12 — Survival

The survival clause determines which obligations continue after termination — confidentiality, IP, indemnification, payment obligations, dispute resolution. Default templates often define survival narrowly. For enterprise buyers, survival should explicitly include data return obligations, confidentiality, IP, indemnification, and limitation of liability.

An MSA review before signature can save five years of dispute exposure.

Two weeks of legal work for a long-term commercial relationship is the right ratio.

Negotiation service →
Vendor-specific patterns

How major vendors structure the MSA.

MSA conventions vary materially by vendor:

Internal next steps

Three steps make MSA negotiation effective. First, build an internal MSA redline checklist organised by the twelve clauses above. Second, separate the MSA negotiation from the commercial negotiation — different documents, different tracks, different teams — which is exactly where dedicated software contract negotiation support earns its fee. Third, never sign the MSA under commercial deadline pressure; the MSA outlives the deal that produced it.

FAQ

Common MSA questions.

Can the MSA be renegotiated after signature?
Partially, usually at renewal of major deals or via amendment for specific clauses. The negotiation window is widest at initial signature; mid-term renegotiation is the hardest case.
Do vendors actually accept MSA redlines?
At enterprise scale, yes — routinely. Vendors maintain pre-approved redline language for the major clauses. The buyer who asks gets the redline; the buyer who accepts the template doesn't.
Who should lead the MSA negotiation — legal or procurement?
Both, paired. The MSA blends commercial and legal terms; either group operating alone produces gaps. The most effective structure pairs a procurement lead with a licensing-experienced lawyer.
How long should MSA negotiation take?
Two to six weeks for a major enterprise MSA. Compressed timelines favour the vendor; the MSA outlasts the deal pressure that produces it, so a deliberate timeline is worth defending.

MSA on the desk for signature?
This is the highest-leverage hour of legal work in the relationship.

Our pre-signature MSA review combines commercial and legal redline. Former vendor licensing executives, working only for buyers.

The Compliance Brief

The price-book changes, audit triggers, and negotiation levers we see across 340+ engagements, in one short email — before they reach you as a vendor proposal.