The master service agreement, not the order form, controls roughly 80 percent of a software contract risk, yet most buyers negotiate the price on the order and accept the MSA as boilerplate. MSA negotiation is the work of fixing the master terms that govern every order placed under them: liability, indemnity, data protection, audit rights, termination, IP ownership, and price protection. These terms outlive any single order and decide what happens when something goes wrong. Negotiating them once, at the start of the relationship, is worth more than negotiating price on every renewal. This guide sets out the terms that matter and the buyer target on each.
What the MSA governs
A master service agreement is the umbrella contract that sets the terms for all transactions between the buyer and vendor. Individual purchases happen on order forms or statements of work that incorporate the MSA by reference, so the MSA terms apply to every order whether or not anyone reads them again. This structure is efficient for repeat buying, but it means the MSA terms, negotiated once, govern the entire relationship, including orders placed years later under conditions no one anticipated.
Because the MSA is presented as standard and the order form carries the price, buyers concentrate on the order and treat the MSA as non-negotiable boilerplate. This is the central error. The MSA is where the risk lives, and it is negotiable, especially before the first order when the vendor wants the relationship. The price on the order is recoverable at renewal; a bad liability cap or audit clause in the MSA is not, which is why our software contract negotiation guide treats the MSA as the priority.
The terms that matter most
A handful of MSA terms carry most of the risk. Limitation of liability caps what the vendor owes when its product fails or its breach causes loss; the vendor default caps it at fees paid, often for a trailing twelve months, which is rarely adequate for a critical system. Indemnification allocates who covers third-party claims, including intellectual-property infringement and data-breach claims. Data protection governs how the vendor handles buyer data, increasingly including AI-training rights. Audit rights set how and how often the vendor can examine compliance.
Termination and exit terms decide whether and how the buyer can leave, including transition assistance and data return. Price protection caps how much the vendor can raise prices at renewal. IP ownership decides who owns custom work product. Each of these is a place where the vendor default favors the vendor and where a buyer with bargaining power can improve the term materially. The IP and price dimensions are covered in our IP ownership clauses and price uplift caps guides.
Negotiate the MSA before the first order: Vendor flexibility on master terms is highest before the first purchase, when it wants the relationship, and lowest at renewal, when it has the installed base. Buyers who accept the MSA to close the first deal quickly pay for that haste on every subsequent order. Spend the bargaining power on the master terms first.
Liability and indemnity in detail
The limitation-of-liability clause is the single most important MSA term, because it decides the buyer recovery when the vendor causes serious loss. The vendor standard caps total liability at fees paid, excludes consequential and indirect damages entirely, and sometimes caps at a fraction of annual fees. For a system whose failure could cost far more than its license fee, this cap leaves the buyer exposed. The buyer target is a higher cap, a super-cap or uncapped treatment for data breach and IP infringement, and narrower exclusions.
Indemnification works alongside the cap. The vendor should indemnify the buyer against third-party claims that the product infringes intellectual property and, increasingly, against data-breach claims arising from the vendor handling of buyer data. These indemnities should sit outside or above the general liability cap, because an IP or breach claim can dwarf the contract value. Negotiating these protections is standard advisory work and a core part of our software licensing advisory practice.
Buyer target on each term
The table sets out the vendor default and the buyer target on the key MSA terms.
| MSA term | Vendor default | Buyer target | Why it matters |
|---|---|---|---|
| Liability cap | 12 months fees | 2x to 3x fees, super-cap on breach | Recovery when it fails |
| IP indemnity | Capped or excluded | Uncapped, vendor-controlled defense | Infringement claims are large |
| Audit rights | Broad, annual | Bounded scope, notice, frequency | Limits audit exposure |
| Price uplift | Uncapped or vendor index | Capped at CPI or fixed percent | Controls renewal cost |
| Termination | Vendor convenience | Buyer exit, transition assistance | Keeps the exit open |
| Data rights | Broad vendor use | Buyer owns, narrow vendor license | Protects buyer data and value |
Each target is a standard, winnable position when raised before signature with a credible alternative. The audit-rights row connects directly to our audit scope limitation guide, which details how to bound the audit clause so a future audit cannot expand without limit. Settling these terms at the MSA stage prevents the most expensive surprises later.
Timing and bargaining power
MSA bargaining power is a function of timing. It is highest before the first order, when the vendor wants the relationship and has no installed base to rely on, and it decays with every subsequent order as switching cost rises. A buyer that accepts the MSA to close the first deal quickly forfeits the one moment of maximum bargaining power and spends the rest of the relationship living with terms it could have improved. The discipline is to negotiate the master terms hardest at the start, even at the cost of a slower first close.
Where an MSA is already in place and weak, the next renewal or major new order is the opportunity to reopen it, because the vendor wants the new business and the buyer can condition it on improved master terms. Treating each renewal as a chance to improve the MSA, not just the price, is what compounds the relationship in the buyer favor over time, the approach detailed in our SaaS renewal negotiation guide.
Negotiating the MSA well
Negotiating an MSA well means treating the master terms as the priority and the order price as secondary, because the terms outlast every order and the price is recoverable at renewal. Identify the terms that carry the risk, set the buyer target on each, and spend the bargaining power of the first order on the liability cap, the indemnities, the audit clause, the price protection, the exit terms, and the data and IP rights. Accept a slower first close to get the master terms right, because haste at the start is paid for on every order after.
The buyers who get this right walk into every subsequent order and audit protected by terms they negotiated when their bargaining power was highest. The ones who get it wrong discover the cost when something goes wrong and the boilerplate they accepted leaves them exposed. For firm-side help, MSA review and negotiation is a standard part of the work in our software licensing advisory practice and our contract negotiation guide.
Data protection and security terms
Data protection has moved from a peripheral MSA term to a central one, because the vendor handling of buyer data now carries regulatory, reputational, and competitive risk. The MSA should specify where data is stored and processed, what security standards the vendor maintains, how breaches are notified and remediated, and what happens to the data on exit. The vendor standard form is usually thin on these points, and a buyer in a regulated sector or handling sensitive data needs them strengthened to meet its own compliance obligations.
The newest battleground is secondary use of data, particularly for training machine-learning models. A buyer that accepts the vendor default may grant rights to use its data to improve vendor products, which transfers buyer value into the vendor platform. The MSA should restrict secondary use to what the buyer explicitly permits, exclude model training unless separately agreed, and require deletion on exit. These provisions overlap with the data-ownership points in our IP ownership clauses guide.
Service levels and remedies
An MSA that promises a service level without a meaningful remedy promises nothing. The service-level terms should define the commitment precisely, measure it objectively, and attach a remedy that matters when the commitment is missed. Vendor standard remedies are often token service credits that cost the vendor little and do not compensate the buyer for the business impact of an outage. The buyer target is credits that scale with the severity and duration of the failure, and a termination right where failures persist.
The termination-for-chronic-failure right is the one that gives the service level its force, because it converts a persistent failure into an exit the vendor wants to avoid. Without it, a vendor can miss the service level indefinitely and pay only token credits, and the buyer is stuck. Pairing measurable service levels with a chronic-failure termination right is what makes the commitment real, and it sits alongside the exit terms that our software contract negotiation guide treats as essential.
Reviewing an existing MSA
Many organizations operate under MSAs signed years ago that no longer reflect their risk profile or the current state of vendor terms. A periodic review of the active MSAs identifies the weak terms, the missing protections, and the clauses that have been overtaken by new risks such as AI data use, and it flags which agreements to reopen at the next renewal or major order. The review is inexpensive relative to the exposure a weak MSA carries across a multi-year relationship.
The opportunity to fix a weak MSA comes at the next renewal or significant new order, when the vendor wants the new business and the buyer can condition it on improved master terms. Treating each such moment as a chance to strengthen the MSA, not just to price the order, is what compounds the relationship in the buyer favor over time. For firm-side help reviewing and renegotiating master agreements, the work runs through our software licensing advisory practice.
The order form and the MSA together
The order form and the MSA work as a pair, and a buyer focused only on the order misses where the risk sits. The order form carries the price, quantity, and term, the things buyers naturally scrutinize. The MSA carries the liability, audit, IP, data, and exit terms, the things that decide what happens when the relationship goes wrong. A strong price on the order does not compensate for a weak MSA, because the MSA terms govern every order placed under them and outlast any single negotiation.
The practical discipline is to negotiate the MSA terms first, when the vendor wants the relationship, and to treat the order form price as the later, more routine conversation. A buyer that reverses this order, closing the MSA quickly to get to price, spends its strongest position on the least important document. Getting the sequence right is part of the contract strategy in our software contract negotiation guide and our effective license position work.