Commercial agreements

MSA Playbook: Clause-by-Clause Positions for Reviewing a Master Services Agreement

Also known as: MSA playbook, services agreement playbook

ByArshita Anand

A master services agreement playbook is a pre-decided set of positions you take on each clause before the vendor's paper ever hits your desk. It tells you what to ask for first, how far you can move, and the line you will not cross. This one is written mainly from the customer side, because that is who usually reviews the other side's MSA. Where the answer flips if you are the vendor, we say so. This is general information for building your own playbook, not legal advice for a specific deal.

The market has been moving toward shared reference points, with standardized commercial agreement sets like Common Paper and the World Commerce and Contracting community publishing what "market" looks like clause by clause. A playbook is how you turn that into a repeatable in-house position instead of re-negotiating from scratch each time.

The one idea that separates good MSA review from checklist review: the cap, the indemnity, the IP clause, the consequential-damages waiver, the insurance minimums, and the DPA breach remedy are not six independent clauses. They are one risk system. A concession you make in the damages waiver can silently cancel a win you fought for in the indemnity. Every position below is written with that interaction in mind.

TL;DR

  • Uncapped liability for the whole agreement is a walk-away. A cap tied to fees paid, with narrow super-capped carve-outs for data and IP, is the position to hold.
  • One-way indemnity is a deal-breaker. If the vendor indemnifies only itself, or you indemnify with no reciprocal cover for their IP infringement, push back hard.
  • The vendor owning your deliverables is a deal-breaker. You paid for the work product; you should own it, with the vendor keeping only its pre-existing background IP.
  • The SOW should control commercial terms; the MSA should control legal terms. Get the order of precedence in writing so a stray SOW line cannot rewrite your liability cap.
  • Auto-renewal with a price escalator and a long notice window is an escalation trigger. So is termination for convenience that only the vendor can use.
  • Read the cap, the indemnity, and the IP clause together. In isolation each looks fine; the risk lives in how they interact.

How to use this playbook

For each clause you get five things. Preferred position is what you ask for first, before any concession. Acceptable range is what you can sign without escalating. Fallback ladder is the ordered list of concessions, best for you first, so you trade in the right sequence. Walk-away is the floor: below this, you either escalate to a business owner who can accept the risk or you kill the deal. Escalation trigger is the specific language that has to go to a senior reviewer no matter what else is agreed.

The point of a playbook is speed with consistency. Reviewers stop re-litigating the same clause on every deal, and the business gets a predictable answer.

A word on how to trade. Give the cheap things first: notice periods, invoice timing, a certificate of insurance, cure-period length. Hold the three that carry the deal's real cost, which are the liability cap, the IP indemnity, and deliverable ownership. Two vendor redlines are usually posturing rather than principle, in my experience: a first-pass demand for uncapped payment obligations, and a broad "any breach" carve-out that quietly guts the cap. Both tend to soften once you name them. (If you run this on volume, Vaquill AI can apply the positions below automatically and flag the escalation triggers for you.)

Playbook at a glance

ClausePreferredWalk-away
Order of precedenceMSA governs legal terms, SOW governs commercial terms, conflicts resolved in that orderSOW silently overrides the MSA's liability, IP, or indemnity terms
Fees and paymentNet 45 to 60, no auto price increases, expenses pre-approvedPayment triggers with no acceptance right; uncapped pass-through costs
Term and terminationTermination for convenience on 30 days' notice, mutualNo exit for convenience; vendor can terminate for convenience but you cannot
Limitation of liabilityCap at 12 months' fees, super-cap for data and IP, standard uncapped carve-outsUncapped general liability, or a cap so low it is symbolic
IndemnificationMutual, vendor covers IP infringement, defense plus indemnityOne-way indemnity, or no IP infringement cover from the vendor
WarrantiesServices in a workmanlike manner, conforming to the SOWFull "as is" disclaimer with no performance warranty at all
IP and deliverablesYou own deliverables, vendor keeps background IP, license-back if neededVendor owns the deliverables you paid for
ConfidentialityMutual, survives termination, standard carve-outsOne-way NDA, or no survival
InsuranceNamed coverages with stated minimums, you as additional insuredNo insurance requirement, or coverage far below the risk
Data protectionDPA attached, security standard named, breach notice within a fixed windowNo DPA, no security commitment, vendor free to use your data
Assignment and change of controlConsent required, carve-out for internal reorganizationsFree assignment to anyone, including a competitor, on a change of control
Governing law and disputesYour home state, courts of that stateA remote forum with mandatory arbitration and a class-action waiver you did not want

Adjust the playbook to the deal type

The positions below are the default. The right cap, DPA, IP stance, and insurance minimum are not identical across every MSA, so tune them to what the engagement actually risks.

  • Low-risk professional services (advisory, staffing, no data or deliverables). A general fees-based cap is fine, the DPA can be light or absent, and you can skip the IP-ownership fight. Spend your leverage on payment terms and the convenience exit.
  • Software implementation or systems integration. IP ownership of the configuration and any custom code becomes the main event, alongside a real acceptance-testing right in the SOW. Insist on a workmanlike-manner warranty tied to the specification.
  • Data-processing vendor (the vendor stores or handles your records). The DPA, the data super-cap, and cyber insurance move to the front. A general fees cap that ignores breach exposure is the classic mistake here.
  • Custom development. Deliverable ownership and the IP indemnity are non-negotiable, and the background-IP license must be broad enough that you can actually use and maintain what you paid for.
  • AI vendor. Add explicit terms on training use of your data and inputs, ownership of outputs, and indemnity for third-party IP claims arising from generated content. Silence on training rights is the position to escalate. Expect real pushback: vendors commonly want broad model-improvement rights, carve their own liability out for anything you put in a prompt, and resist open-ended indemnity for how you use the outputs. Trade the low-risk model-improvement ask for a firm no-training-on-my-data commitment and a workable output indemnity.

MSA playbook negotiation positions by clause

Structure and order of precedence

An MSA sets the standing legal terms; each SOW sets the scope, price, and timeline for a specific engagement. Whichever document wins a conflict controls the outcome.

  • Preferred position. The MSA governs legal terms (liability, indemnity, IP, confidentiality); the SOW governs commercial terms (scope, fees, schedule). Where they conflict, the MSA controls on legal terms and the SOW controls on commercial terms.
  • Acceptable range. A single precedence order (MSA over SOW, or SOW over MSA) is workable as long as it is explicit and you review every SOW against it.
  • Fallback ladder. First, split precedence by subject matter as above. Second, MSA controls unless the SOW says in writing that it overrides a named MSA section. Third, SOW controls but only for the specific engagement.
  • Walk-away. A SOW that can silently override the MSA's liability cap, IP ownership, or indemnity. I have seen a routine SOW "additional terms" block quietly reinstate a consequential-damages waiver the MSA had carved out, because SOW-controls precedence let a project manager's template win. That turns every SOW into an unreviewed amendment.
  • Escalation trigger. Any clause letting a SOW amend the MSA's risk-allocation terms without a signed amendment.

If you are the vendor, you want the SOW to control so you can price and scope each job cleanly, while keeping your master legal terms protected from casual SOW edits.

Fees, payment terms, and expenses

This clause decides your cash timing and whether costs can creep. It is usually the easiest to move on.

  • Preferred position. Net 45 to 60 from receipt of a correct invoice. No automatic price increases during the term. Expenses reimbursed only if pre-approved in writing and documented.
  • Acceptable range. Net 30. An annual increase capped at a fixed low percentage or a published index, with notice. A modest expense allowance without line-item approval.
  • Fallback ladder. First, hold net terms and block auto-increases. Second, allow a capped annual increase with advance notice and a right to terminate if you reject it. Third, accept an expense cap you can budget around.
  • Walk-away. Payment triggered on the vendor's say-so with no acceptance or dispute right, or uncapped pass-through costs.
  • Escalation trigger. Any auto-renewal tied to a price escalator, and any interest or late-fee rate above the statutory maximum in your state.

One caveat worth conceding: an uncapped obligation to pay undisputed fees for services actually delivered is fair, and vendors are right to insist on it. The line is that the payment obligation should reach only undisputed amounts, with a good-faith dispute process for the rest.

Term and termination

Termination decides how you get out and what it costs. The two mechanics are termination for cause (the other side breached) and termination for convenience (either side just wants out).

  • Preferred position. Termination for convenience by either party on 30 days' written notice. Termination for cause on a material breach uncured after 30 days' notice. On termination, the vendor delivers work in progress and your data in a usable format, and refunds prepaid unused fees.
  • Acceptable range. Convenience with 60 to 90 days' notice. A wind-down fee limited to work actually performed. For-cause cure periods of 10 to 30 days.
  • Fallback ladder. First, mutual convenience right on short notice. Second, longer notice or a reasonable early-termination fee tied to committed work. Third, convenience only at the end of a SOW rather than mid-engagement.
  • Walk-away. No convenience exit at all when the term auto-renews, or a one-sided right letting the vendor terminate for convenience while you are locked in.
  • Escalation trigger. Auto-renewal with a long opt-out window, any termination fee not tied to actual work, and loss of your data on termination.

Limitation of liability and the cap

This clause moves more risk than the indemnity, the warranty, and the SLA combined. It caps total recoverable dollars and excludes whole categories of damages. For the full mechanics, see the limitation of liability clause guide.

  • Preferred position. A general cap at the fees paid in the 12 months preceding the claim. A higher super-cap (a fixed figure or a multiple of fees) for data-breach and IP claims. Standard uncapped carve-outs for fraud, gross negligence, willful misconduct, and death or bodily injury.
  • Acceptable range. Cap at 12 months' fees for general claims, with a negotiated super-cap for the sensitive risks. A mutual consequential-damages waiver, provided it does not swallow your own indemnity.
  • Fallback ladder. First, push data and IP outside the cap entirely. Second, put them at a fixed super-cap (for example, 2x to 3x annual fees, or a stated dollar floor if fees are small). Third, keep the general cap at 12 months' fees and hold the uncapped carve-outs (fraud, gross negligence, willful misconduct, bodily injury) even if the super-cap shrinks.
  • Walk-away. Uncapped general liability, a cap set below one year of fees so it is effectively symbolic, or a one-sided cap that limits only the vendor's liability to you while leaving your exposure to the vendor uncapped. On a $40,000 implementation, a 12-month-fees cap with no data super-cap is close to meaningless the moment the vendor mishandles a database: your breach costs can dwarf the cap many times over.
  • Escalation trigger. Any super-cap, any fully uncapped category, and a consequential-damages waiver drafted so broadly it erodes your indemnity recovery.

Sample preferred language: liability capped at the fees paid in the 12 months preceding the claim, with data-breach and IP-infringement liability capped separately at a stated super-cap. If you are the vendor, you want everything inside one fee-linked number with no carve-outs; expect to concede the standard uncapped ones.

Here is the interaction that catches teams out. Suppose you win a strong IP indemnity, but the consequential-damages waiver a few lines up excludes "lost profits and lost revenue for any claim." A third party sues you for infringing its patent, and most of your loss is the revenue you lost while the deliverable was pulled. The indemnity looks intact, but the waiver has already removed the category of damages you most need to recover, so the indemnity pays out very little. Read the cap, the carve-outs, the consequential-damages waiver, the insurance minimums, and the DPA breach remedy as one system, because a concession in one can quietly cancel a win in another.

Indemnification

Indemnity shifts the cost of third-party claims. The one that matters most in an MSA is IP infringement: if the vendor's deliverable infringes a patent or copyright, you should not pay to defend it. See the indemnification clause guide for the mechanics.

  • Preferred position. Mutual indemnities. The vendor defends and indemnifies you against third-party IP-infringement claims arising from the deliverables, plus claims from its own gross negligence or willful misconduct. Defense obligation plus indemnity, with your right to approve any settlement affecting you.
  • Acceptable range. Vendor covers IP infringement and its own misconduct; you cover claims arising from your data or your misuse of the deliverables. Reasonable notice and cooperation conditions.
  • Fallback ladder. First, hold a full IP indemnity with defense. Second, accept a "repair, replace, or refund" remedy for infringement alongside the indemnity. Third, narrow the IP indemnity to exclude claims caused by your modifications or combinations, which is standard.
  • Walk-away. A one-way indemnity running only to the vendor, or no vendor cover for IP infringement in the vendor's own product.
  • Escalation trigger. Any indemnity that is not mutual, any indemnity capped at fees paid (it should sit outside the general cap), and an infringement clause with no defense obligation.

If you are the vendor, you want to indemnify only for your product's infringement, exclude customer-caused claims, and keep control of the defense.

Warranties

The warranty sets the promised quality of the work. The market-standard services warranty is modest but essential: it gives you a contract remedy when the work is done poorly.

  • Preferred position. The vendor warrants the services will be performed in a professional and workmanlike manner by qualified personnel, and that deliverables will conform to the SOW specifications for a stated period. See the warranty clause guide.
  • Acceptable range. Workmanlike-manner warranty with a re-performance remedy for a fixed cure window. A limited conformance warranty on deliverables.
  • Fallback ladder. First, hold both the performance and the conformance warranty. Second, accept re-performance as the sole remedy for defective services. Third, shorten the warranty period, but keep the workmanlike-manner floor.
  • Walk-away. A full "as is" disclaimer with no performance warranty at all, so you have no remedy when the work is defective.
  • Escalation trigger. A disclaimer that also strips implied warranties tied to a specific outcome you are relying on, and any warranty whose sole remedy is capped below your actual re-work cost.

Vendors will disclaim implied warranties (merchantability, fitness for a particular purpose), which is normal; the line is keeping an express workmanlike-manner warranty.

Intellectual property and ownership of deliverables

This is where an MSA silently transfers value. You are paying for work product, and the default in many vendor drafts is that the vendor keeps it.

  • Preferred position. You own the deliverables created specifically for you, to the extent they are eligible as work made for hire, and otherwise by a present assignment of all rights. That belt-and-suspenders wording matters, because many commissioned works do not qualify as works made for hire under the US Copyright Act unless the statutory conditions are met, and the assignment is what actually carries ownership. The vendor keeps its pre-existing background IP and grants you a broad license to use it as embedded in the deliverables.
  • Acceptable range. You own the custom deliverables; the vendor retains generic tools, libraries, and know-how and licenses them to you. A license-back to the vendor of your feedback or of de-identified improvements.
  • Fallback ladder. First, full ownership of custom deliverables plus a background-IP license. Second, a perpetual, irrevocable, royalty-free license to the deliverables if outright assignment is refused. Third, joint ownership, which is workable but messy and should be a last resort.
  • Walk-away. The vendor owning the deliverables you paid to have built, or granting you only a revocable or time-limited license to your own work product.
  • Escalation trigger. Any deliverable ownership sitting with the vendor, any license to your deliverables that is not perpetual and irrevocable, and a license-back broad enough to let the vendor resell your custom work.

Be realistic about scope. On a platform implementation (you are configuring the vendor's software, not commissioning new software), full customer ownership of "the deliverables" is often the wrong ask, because the platform is theirs. There, aim to own your configurations, data, and any bespoke code, and take a durable license to the rest. If you are the vendor, you want to retain reusable IP and license deliverables rather than assign them; that is reasonable for tools and libraries, not for bespoke work product.

Confidentiality

Confidentiality in an MSA should be mutual and should survive termination. Keep it tight here and negotiate the detail in your standalone position.

  • Preferred position. Mutual obligations, a standard definition with the usual carve-outs (public, independently developed, rightfully received), and survival for a defined period after termination.
  • Acceptable range. Mutual, with a fixed survival term (commonly three to five years) and perpetual protection for trade secrets.
  • Fallback ladder. First, hold mutuality and survival. Second, accept a shorter survival window. Third, accept a narrower definition, but keep trade-secret protection perpetual.
  • Walk-away. A one-way NDA that binds only you, or no survival so the obligations end the moment the contract does.
  • Escalation trigger. Any right for the vendor to use your confidential information for its own product development or model training.

For the full treatment, see the confidentiality clause guide and, for a standalone agreement, the NDA playbook at /playbooks/nda-playbook.

Insurance requirements

Insurance is your backstop when the indemnity and the cap are not enough to make you whole. The requirement should match the risk, not a boilerplate number.

  • Preferred position. Named coverages with stated minimums: commercial general liability, professional liability (errors and omissions), and cyber liability where the vendor handles your data. Size cyber to the data at stake, not a token figure; a low-data vendor at $1M looks different from one holding regulated records at $5M or more. You named as an additional insured on the general liability policy, with a certificate on request.
  • Acceptable range. The core coverages at commercially reasonable limits, with cyber sized to the data volume, and notice of cancellation.
  • Fallback ladder. First, hold all named coverages with additional-insured status. Second, drop additional-insured status but keep the minimums. Third, accept lower limits for a low-data, low-risk engagement.
  • Walk-away. No insurance requirement at all, or coverage so far below the exposure that a real claim would exhaust it immediately.
  • Escalation trigger. No cyber coverage where the vendor processes sensitive or regulated data, and limits visibly smaller than your negotiated liability super-cap.

Data protection and security

If the vendor touches your data, the MSA needs a data-protection layer, usually a DPA attached as an exhibit. This clause carries regulatory and breach exposure that the general cap often will not cover.

  • Preferred position. A data processing agreement attached, a named security standard the vendor must meet, breach notification within a fixed short window, and a bar on using your data for anything outside providing the services.
  • Acceptable range. A DPA with a recognized security framework, breach notice within a defined period, and audit or attestation rights (a current SOC 2 report, for example).
  • Fallback ladder. First, attach a full DPA with your security terms. Second, accept the vendor's DPA if it names a real standard and a firm breach-notice window. Third, accept an attestation in place of an audit right for a low-risk data set.
  • Walk-away. No DPA, no security commitment, or a right for the vendor to use your data for its own purposes.
  • Escalation trigger. Any use of your data to train models, sub-processing without notice or a right to object, and breach-notice windows measured in weeks rather than hours or days.

For the standalone treatment, see the DPA playbook at /playbooks/data-processing-agreement-playbook.

Assignment and change of control

Assignment decides who you can end up doing business with. You signed with this vendor, not with whoever acquires it. See the assignment clause guide.

  • Preferred position. Neither party may assign without the other's prior written consent, with a carve-out letting either assign to an affiliate or to a successor in a merger or sale of substantially all assets, provided the successor assumes the agreement.
  • Acceptable range. Consent not to be unreasonably withheld, with the affiliate and successor carve-outs.
  • Fallback ladder. First, hold consent for any third-party assignment. Second, allow assignment to a successor but keep a right to terminate if control passes to your direct competitor. Third, allow free assignment but require notice.
  • Walk-away. Free assignment to anyone, including a competitor, with no notice and no termination right on a change of control.
  • Escalation trigger. Any change-of-control provision with no notice or exit right, especially where the vendor holds your confidential data or custom IP.

Governing law, venue, and dispute resolution

This clause decides where and how a fight happens, and it is often conceded too quickly. A remote forum can make a valid claim too expensive to bring.

  • Preferred position. Governing law and exclusive venue in your home state, litigated in the state and federal courts sitting there. See the governing law and dispute resolution guides.
  • Acceptable range. A neutral, mutually convenient state. A tiered process (good-faith negotiation, then mediation, then litigation or arbitration) with a carve-out letting either side seek injunctive relief in any court.
  • Fallback ladder. First, hold your home-state law and venue. Second, accept a neutral forum. Third, accept arbitration only if the seat, rules, and cost allocation are fair and injunctive relief is preserved.
  • Walk-away. A distant forum paired with mandatory arbitration and a class-action waiver you did not intend to accept, which together can neutralize a real claim.
  • Escalation trigger. Any mandatory arbitration clause, any class-action or jury-trial waiver, and a fee-shifting term that makes losing ruinous.

Neither side has a natural advantage here; it usually tracks bargaining power, so trade it deliberately rather than giving it away.

The verdict

An MSA is a risk-allocation document dressed up as an operations document. The scope and the fees feel like the deal, but the value moves in the liability cap, the indemnity, and the IP clause, and those three have to be read together rather than one at a time.

Hold the floors and trade the rest. Uncapped general liability, a one-way indemnity, and vendor-owned deliverables are the three lines worth killing a deal over. Everything else has an acceptable range and a fallback ladder, which is exactly what a playbook is for: it lets you move fast on the negotiable clauses so you can spend your attention on the ones that actually decide who pays when the engagement goes wrong.

For the drafting mechanics behind these positions, see how to draft a contract and, for the review workflow, a lawyer's guide to AI contract review. For other contract types, browse the full set of contract playbooks.

FAQ

What is an MSA playbook? It is a pre-decided set of negotiation positions for a master services agreement. For each clause it records your preferred ask, the range you can accept, the ordered concessions you will make, and the floor you will not cross. It lets a team review MSAs quickly and consistently instead of re-arguing the same clauses on every deal.

What is a reasonable liability cap in an MSA? A common starting point for services and SaaS is the fees paid in the 12 months before the claim, but the right number depends on the deal's risk, the fee size, and your bargaining power. High-data or mission-critical engagements often justify a multiple of fees or a fixed floor. Sensitive risks like data breaches and IP infringement usually sit at a higher super-cap or outside the cap, and fraud, gross negligence, willful misconduct, and bodily injury are normally uncapped.

Should indemnification be mutual? Generally yes. A one-way indemnity that protects only the vendor leaves you carrying third-party claims you did not cause. The one indemnity you should insist the vendor gives is cover for IP-infringement claims arising from its own deliverables, since you cannot control what is inside the vendor's product.

Who should own deliverables under an MSA? The customer should own the work product created specifically for it, since the customer paid for it. The vendor keeps its pre-existing background IP and generic tools, and licenses those to the customer as needed. If the vendor will not assign the deliverables, the fallback is a perpetual, irrevocable license to them.

MSA vs SOW: which controls? The cleanest split is that the MSA controls the legal terms (liability, indemnity, IP, confidentiality) and the SOW controls the commercial terms (scope, fees, schedule). Whatever order you choose, write it down. The risk to avoid is a SOW that can silently override the MSA's risk-allocation terms without a signed amendment.

What should you never accept in an MSA? The three hard deal-breakers are uncapped general liability, a one-way indemnity, and the vendor owning the deliverables you paid to have built. Also treat auto-renewal with a price escalator, a vendor-only termination-for-convenience right, and free assignment to a competitor as positions to escalate before signing.

Can AI review an MSA against a playbook? Yes. Vaquill AI applies your playbook automatically: it redlines the vendor's draft toward your preferred positions, flags escalation triggers in the margin, and routes deal-breakers to whoever owns the risk. You set the positions once, and the same standard is applied to every contract that comes through.

Stop enforcing your playbook by hand.
Load your positions into Vaquill AI and it marks up counterparty paper to your preferred position, flags anything past your escalation triggers, and drafts the fallback. Privilege-architected. 7-day free trial.
23 min read
Arshita Anand

Arshita Anand

Co-Founder & CEO ยท Attorney

Arshita leads product and strategy at Vaquill, building the legal AI suite that solo, small-firm, and in-house US lawyers use to run a matter end to end.

Review contracts, check compliance, and draft, all in one workbench.

Vaquill AI is the legal AI suite for in-house counsel and GCs. Load your playbook once and enforce it on every contract. Privilege-architected. 7-day free trial.