MSP client MSA review.
Liability, IP, and data handling.
Unlimited data breach liability. IP in custom configurations that's technically the client's. No transition assistance obligations defined. Kontractually reviews managed service agreements against your standard playbook before you sign.
What changes when you review every client MSA.
A new enterprise client sends their MSA. You sign it to close the deal. Six months later, a contractor causes a data incident at the client site. The MSA has unlimited indemnity for data breaches. Your cyber insurance covers $1M. The claim is $2.3M.
Kontractually flags unlimited data breach indemnity before signing. You negotiate a cap at 24 months of fees - aligned with your cyber insurance coverage. The same incident stays within your insured limits.
You build custom monitoring scripts, automation playbooks, and integration configurations for a client over 18 months. The client terminates. Their MSA assigned all IP created during the engagement to them. You can't reuse any of it for other clients.
Kontractually flags IP assignment clauses that transfer ownership of MSP-created tools and configurations. You negotiate a license-back clause - the client gets a perpetual license to use the work, but you retain IP ownership for reuse.
A client's scope gradually expands from managed infrastructure to ad-hoc application support. No change orders are raised. At year-end review, you realize you've delivered $40,000 in out-of-scope work at no charge because the MSA had no formal change order process.
Kontractually checks every MSA for explicit change order and scope management clauses. Missing or vague scope boundaries are flagged. You include a written change request requirement with pricing before any out-of-scope work begins.
6 provisions to review in every MSP client agreement.
Common MSP market positions: 12 months of fees for most categories of claim, with exclusions for death/personal injury, fraud, and IP indemnity (often uncapped). Some MSPs cap data breach liability separately at a higher level (e.g., 24 months of fees) given the specific insurance they carry. The critical question: does your PI and cyber liability insurance align with the liability cap in your client agreements? Kontractually flags MSP agreements where the cap structure creates uninsured exposure.
For MSPs handling client data, the agreement should address: data processing terms that comply with the Australian Privacy Act (and GDPR if the client has EU customers), breach notification obligations within specified timeframes, data return or deletion on termination, restrictions on using client data for any purpose other than service delivery, and security standards (ISO 27001 or equivalent). Where the MSP holds sensitive personal data, a formal Data Processing Agreement (DPA) should be annexed.
Transition assistance is the work required when a client moves to another provider or brings services in-house. Without explicit terms, MSPs can be forced into open-ended handover obligations. Key provisions to define: the transition period length (typically 30-90 days), whether transition assistance is billable at standard rates or included, scope of documentation and knowledge transfer required, data export format and timeline, and access to systems during the transition period. The MSA should also specify that transition assistance is conditional on the client being current on all invoices. Kontractually flags MSAs that lack transition assistance terms or that impose obligations without time limits or compensation.
MSPs routinely use subcontractors for specialist work - security audits, network cabling, application development. The client MSA often makes the MSP liable for all subcontractor acts and omissions as if they were the MSP's own. This is standard, but the MSP must ensure: subcontractor agreements include back-to-back liability provisions (the subcontractor indemnifies the MSP for the same obligations the MSP owes the client), subcontractor insurance requirements match or exceed client MSA requirements, and the MSP's liability cap in the client MSA accounts for subcontractor risk. Kontractually checks whether subcontractor liability clauses in the client MSA align with the MSP's standard subcontractor terms.
Market standard for MSP retainer invoicing is monthly in advance for recurring managed services, with ad-hoc project work invoiced monthly in arrears or on milestone completion. Payment terms typically range from 14 to 30 days. Key provisions to check: whether the client can withhold payment for disputed invoices (and if so, whether undisputed amounts must still be paid on time), late payment interest rate (typically RBA cash rate plus 2-4%), right to suspend services for overdue invoices exceeding 30 days, and whether the MSP can adjust retainer pricing annually with notice. Kontractually flags payment terms that deviate from your standard position - particularly extended payment periods, missing late payment interest, and absence of suspension rights.