Contract Templates: Customer & Vendor Agreements

Disclaimer: This page is general information, not legal advice. Have counsel review before use.

This pack is designed to help you ship revenue quickly without stepping on legal landmines. It’s optimized for Seed–Series B teams that need sensible defaults, short negotiation cycles, and audit‑friendly paperwork that won't give your future investors a headache.

What You’ll Find Here

This guide is broken down into three main categories of legal documents, providing templates and context for each.

  • Customer-Side (When You Sell):

    • Clickwrap Terms of Service: For self-serve SaaS products.
    • Customer MSA (Master Services Agreement): The main legal framework for negotiated deals.
    • Order Form: The one-page document capturing all the commercial details.
    • SLA (Service Level Agreement): Your uptime promise and service credits.
    • DPA (Data Processing Addendum): Required when you handle personal data.
    • Security Exhibit: Your technical and organizational security controls.
    • SOW (Statement of Work): For professional services or specific projects.
    • Change Order: A simple form to modify an existing SOW.
  • Vendor-Side (When You Buy):

    • Vendor MSA: A template to use when you're procuring services.
    • Insurance Schedule: Standard insurance requirements for your vendors.
    • Procurement Due-Diligence Checklist: A guide for vetting new vendors.
  • Cross-Cutting Documents:

    • Mutual NDA (Non-Disclosure Agreement): For protecting confidential discussions.
    • Negotiation Playbook: A guide with common clauses, fallbacks, and checklists.

Quick Start Guide

Not sure where to begin? Find your scenario below and use the recommended document stack.

  • For Self-Serve SaaS Products:

    • Use: Clickwrap Terms of Service + a public Privacy Policy + a link to your DPA during the signup flow.
    • Proof: Ensure your system keeps a time-stamped record of each user's acceptance and the specific version of the terms they agreed to.
  • For Enterprise SaaS (Typical Deal):

    • Use: MSA + Order Form + SLA + DPA + Security Exhibit.
    • Flow: Start the conversation with the logo and high-level commercial terms on the Order Form. Only introduce the MSA if the customer requests it or the deal size warrants it. Have the DPA and Security Exhibit ready, as these are standard requests from larger customers.
  • For Services or Consulting Engagements:

    • Use: MSA + SOW. Use Change Orders to formally document any scope adjustments.
  • For Buying from Vendors:

    • Use: Your Vendor MSA + the vendor's Order Form or SOW + their DPA and Security Exhibit. Always verify their insurance coverage.
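The "Proof" item for self-serve products above asks for a time-stamped record of each acceptance tied to the exact version accepted. As an added example (not part of the page's templates or any product it describes), the following records each clickwrap acceptance with the terms version, its version-numbered URL, a SHA-256 of the exact terms text and a UTC timestamp, and chains the records so a later edit or deletion of an entry is detectable. The field names, the URL layout, the IP value and the sample terms text are constructed assumptions.

```python
"""Added example: evidence-grade clickwrap acceptance records.
Each record captures who accepted which terms text (by version and SHA-256)
and when; records are hash-chained so tampering is detectable on audit.
Field names, URL layout and sample terms text are constructed here."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: published terms at version-numbered, immutable URLs,
# matching the "immutable URLs with version numbers" advice on the page.
TERMS_VERSIONS = {
    "2025-06-01": ("https://example.com/legal/tos/2025-06-01",
                   "Terms of Service (2025-06-01): constructed sample text."),
    "2025-08-17": ("https://example.com/legal/tos/2025-08-17",
                   "Terms of Service (2025-08-17): constructed sample text, revised."),
}
CURRENT_TERMS_VERSION = "2025-08-17"


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def canonical(record: dict) -> str:
    """Deterministic JSON so the chain hash is reproducible across systems."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


class AcceptanceLog:
    """Append-only, hash-chained log of terms acceptances."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, user_id: str, version: str, source_ip: str,
               accepted_at: Optional[datetime] = None) -> dict:
        url, text = TERMS_VERSIONS[version]   # KeyError for an unpublished version
        ts = accepted_at or datetime.now(timezone.utc)
        body = {
            "user_id": user_id,
            "terms_version": version,
            "terms_url": url,
            "terms_sha256": sha256_hex(text),  # proves which exact text was accepted
            "accepted_at": ts.isoformat(),
            "source_ip": source_ip,
            # Link to the previous entry (all-zero hash for the first one).
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        body["entry_hash"] = sha256_hex(canonical(body))
        self.entries.append(body)
        return body

    def verify_chain(self) -> bool:
        """Recompute every hash; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            without = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(canonical(without)) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def latest_for(self, user_id: str) -> Optional[dict]:
        for entry in reversed(self.entries):
            if entry["user_id"] == user_id:
                return entry
        return None


def accepted_text_matches(entry: dict, terms_text: str) -> bool:
    """Does the text we can produce today hash to what the user actually accepted?"""
    return entry["terms_sha256"] == sha256_hex(terms_text)


def needs_reacceptance(log: AcceptanceLog, user_id: str) -> bool:
    """True when the user has never accepted, or accepted an older version."""
    entry = log.latest_for(user_id)
    return entry is None or entry["terms_version"] != CURRENT_TERMS_VERSION


if __name__ == "__main__":
    log = AcceptanceLog()
    log.record("user-42", "2025-06-01", "203.0.113.5")   # constructed values
    print("needs re-acceptance:", needs_reacceptance(log, "user-42"))
    log.record("user-42", "2025-08-17", "203.0.113.5")
    print("chain intact:", log.verify_chain())
```

The content hash is what lets you answer "what did this user actually agree to?" after the terms page has been edited; the versioned URL alone only tells you which page they were shown. Storing the log somewhere Sales and Product cannot edit (or exporting the chain head hash periodically) is what makes the chain useful as evidence.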

The Negotiation Playbook: Defaults & Fallbacks

Here are startup-friendly positions on common contract clauses. Start with the "Default" and use the "Fallback" as a pre-approved compromise to speed up negotiations.

  • Payment & Taxes

    • Default: Net 30 payment terms, with invoices sent upon signature or service go-live.
    • Fallbacks: Agree to Net 45 if needed. For larger deals, consider staged billing (e.g., 40% on signature, 40% on go-live, 20% after 30 days).
    • Late Fee: Charge 1.5% per month or the maximum rate allowed by law, whichever is less.
    • Taxes: Clearly state that the customer is responsible for all applicable sales, use, and other taxes, while you are responsible for taxes on your own income.
  • Term & Renewal

    • Default: A 12-month initial term that auto-renews for subsequent 12-month periods.
    • Out: Allow termination for a material breach that isn't cured within a 30-day notice period.
    • Prepaid Refunds: Offer a prorated refund if you terminate for convenience (if you offer it) or if the customer terminates due to your uncured material breach.
  • Intellectual Property (IP)

    • SaaS: You retain all IP in your platform. You grant the customer a non-exclusive, non-transferable license to use the service during their subscription term.
    • Services: The customer owns the final Deliverables (e.g., a report or custom code). You retain ownership of all your Background IP (your tools, frameworks, and pre-existing code) and grant the customer a license to use it as part of the Deliverables.
  • Confidentiality

    • Default: Make the obligations mutual. The duty of confidentiality should survive the agreement's termination for 2–5 years. Include standard carve-outs for information that is public, already known, or independently developed. Outline a clear process for compelled disclosure if required by law.
  • Security & Privacy

    • DPA: Always use a Data Processing Addendum when you process personal data on behalf of a customer.
    • Breach Notice: Commit to providing notice of a security breach within 72 hours or, more flexibly, "without undue delay."
    • Subprocessors: Maintain a public list of your subprocessors and give customers a right to object to new ones (subject to commercial reasonableness).
    • Data Handling: Commit to returning or deleting customer data at the end of the term.
  • Limitation of Liability (LoL)

    • Base Cap: Limit each party's total liability to the fees paid or payable by the customer in the 12 months preceding the claim.
    • Exclusions: Exclude liability for all indirect, consequential, special, or punitive damages, including lost profits.
    • Super-Cap: For high-risk areas, offer a higher liability cap (a "super-cap") of up to 3 times the base cap. Common carve-outs for this include data breaches, IP infringement claims, and breaches of confidentiality.
  • Indemnities

    • Your Indemnity: You indemnify the customer against third-party claims that your product infringes on their intellectual property.
    • Customer Indemnity: The customer indemnifies you for issues arising from their data or their illegal use of your service.
    • Process: The indemnified party must provide prompt notice, and the indemnifying party gets to control the defense and any settlement.
  • Publicity

    • Default: Include an optional clause allowing you to use the customer's name and logo on your website and in sales materials.
  • Governing Law & Venue

    • Default: A common, business-friendly choice for U.S. startups is Delaware law with the venue in New York, NY, or the San Francisco Bay Area.
    • Disputes: Consider optional arbitration but always carve out the right to seek injunctive relief from a court.
  • Insurance (For Vendors You Hire)

    • Minimums: Commercial General Liability ($1M per occurrence), Tech E&O/Cyber ($2M aggregate), and Workers’ Compensation as required by law. Where appropriate, require them to name you as an additional insured.

Red Flags to Push Back On

If you see these terms in a customer's or vendor's paper, push back firmly.

  • Uncapped liability or vague language like indemnification for "all losses."
  • Most Favored Nation (MFN) pricing clauses, unlimited audit rights, or the right for them to unilaterally change policies that affect you.
  • IP assignment of your core platform, tools, or generic know-how.
  • Auto-renewals that are longer than 12 months or require more than a 90-day notice to cancel.
  • "Step-in" rights that allow a customer to take over your service or hire your staff.
  • Personal guarantees, overly broad non-competes, or uncapped damages for data breaches.

Checklists for Execution

"Before You Send" Checklist ✅

  • Commercials are complete: Price, term, start date, and billing schedule are all filled in.
  • Order Form matches your quote and the data in your CRM.
  • Policies (like Privacy Policy, SLA) are linked with immutable URLs that include version numbers.
  • DPA, SLA, and Security Exhibit are attached or linked if required for the deal.
  • Signature blocks contain the correct legal entity names for both parties.
  • File names are versioned clearly: CustomerName_MSA_v2_2025-08-17.pdf.

"Before You Sign" Checklist ✍️

  • Redline review is complete. All tracked changes have been resolved, and any open issues are logged and consciously accepted.
  • Order of precedence is set. The typical, vendor-friendly order is: Order Form > MSA > SOW > Exhibits > Policies.
  • Auto-renewal and notice periods are noted in your CRM with calendar alerts.
  • Termination, refund, and data-return processes are clear and operationally feasible for you.
  • Proof of insurance has been received (when signing on a new vendor).

Clause Library (Copy-Paste, Then Tailor)

Here are a few common clauses you can adapt.

Limitation of Liability — Base

EXCEPT FOR LIABILITY THAT CANNOT BE LIMITED BY LAW, EACH PARTY’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO COMPANY UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS BEFORE THE EVENT GIVING RISE TO LIABILITY. IN NO EVENT WILL EITHER PARTY BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR LOST PROFITS, REVENUE, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY.

Super-Cap Carve-outs (Optional Add-on)

THE ABOVE CAP DOES NOT APPLY TO A PARTY’S (A) BREACH OF CONFIDENTIALITY, (B) INFRINGEMENT OR MISAPPROPRIATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, OR (C) VIOLATION OF THE DATA SECURITY OBLIGATIONS IN THE SECURITY EXHIBIT OR DPA. FOR SUCH CLAIMS, THE TOTAL LIABILITY IS LIMITED TO THREE (3) TIMES THE AMOUNTS PAID OR PAYABLE IN THE PRECEDING TWELVE (12) MONTHS.

IP — Services Deliverables

Customer owns all Deliverables expressly identified in an SOW upon full payment. Company retains all Background IP (pre-existing materials, tools, frameworks) and grants Customer a perpetual, worldwide, royalty-free license to use Background IP solely as incorporated in the Deliverables.

Publicity (Opt-in)

Customer permits Company to use Customer’s name and logo in customer lists, websites, and presentations. Any press release requires prior written consent.

Assignment

Neither party may assign this Agreement without the other’s consent, except to an affiliate or in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee assumes all obligations.

Templates (Short, Founder-Friendly)

1) Mutual NDA (Short Form)

MUTUAL NON-DISCLOSURE AGREEMENT

This Mutual NDA (“Agreement”) is between [COMPANY LEGAL NAME], a [STATE/COUNTRY] [ENTITY TYPE] at [ADDRESS] (“Company”) and [COUNTERPARTY LEGAL NAME] at [ADDRESS] (“Counterparty”), effective [DATE].

1. **Confidential Information.** Non-public information disclosed by a party and marked confidential or that should reasonably be understood as confidential.
2. **Use & Care.** Receiving party will use Confidential Information only to evaluate a business relationship and protect it using reasonable measures.
3. **Exclusions.** Information that is public, already known, independently developed, or rightfully received without duty of confidentiality.
4. **Compelled Disclosure.** May disclose if legally required, with prompt notice and cooperation.
5. **Term.** 2 years from Effective Date; confidentiality obligations survive 3 years (trade secrets survive as long as protected).
6. **No License.** No IP rights granted.
7. **No Obligations.** No duty to proceed with any transaction.
8. **Miscellaneous.** Governing law: [STATE]. Entire agreement; counterparts; electronic signatures.

Signed by duly authorized representatives:

[COMPANY NAME]
By: ___________________
Name/Title: __________________
Date: __________________________

[COUNTERPARTY NAME]
By: ___________________
Name/Title: __________________
Date: ________________________

2) Customer MSA (SaaS; Core Terms)

MASTER SUBSCRIPTION AGREEMENT (MSA)

Between [COMPANY LEGAL NAME] (“Company”) and [CUSTOMER LEGAL NAME] (“Customer”). Effective [DATE].

1. **Services.** Company provides the hosted software described in the Order Form (“Services”).
2. **Access.** Non-exclusive, non-transferable right to use Services during the Term, subject to this MSA and the Order Form.
3. **Customer Data.** Customer retains all rights. Company uses Customer Data only to provide and improve the Services and as permitted by the DPA.
4. **Support & SLA.** Company will provide support and uptime commitments per the SLA attached or linked in the Order Form.
5. **Security & Privacy.** Company maintains administrative, physical, and technical safeguards as set out in the Security Exhibit and DPA.
6. **Fees & Payment.** Fees per the Order Form. Invoices due Net [30] days. Late fees at [1.5%/mo] or max allowed. Taxes excluded.
7. **IP & Feedback.** Company owns the Services and all related IP. Feedback may be used by Company without obligation.
8. **Restrictions.** No reverse engineering, no circumventing usage limits, no unlawful or high-risk use.
9. **Confidentiality.** Mutual; survival [3] years.
10. **Warranties.** Services will perform materially per documentation. No malware; comply with law. Disclaimer: “as is” for betas, evaluations, or free tiers.
11. **Indemnities.** Company indemnifies for third-party IP claims alleging the Services infringe; Customer indemnifies for data/content and illegal use.
12. **Liability.** As stated in the Clause Library (base cap + exclusions; optional super-cap carve-outs).
13. **Term & Termination.** Term per Order Form; renewals per Order Form. Either party may terminate for material breach after [30] days’ cure. On termination, Customer may export data; Company will delete per DPA.
14. **Publicity.** [Opt-in/out language].
15. **Governing Law & Venue.** [STATE/COUNTRY]; venue [CITY, STATE].
16. **Order of Precedence.** Order Form > this MSA > SLA > DPA > Security Exhibit > Documentation.

Signed by authorized representatives.

3) Order Form (One-Page)

ORDER FORM # [NUMBER]

Customer: [LEGAL NAME]
Company: [YOUR LEGAL NAME]
Effective Date: [DATE]
Term Start: [DATE]
Initial Term: [12] months

Services: [Plan / Modules / Seats / Environments]
Fees: [USD $X per month/year]; Billing: [annual upfront / monthly]; Overages: [describe]
SLA Tier: [Standard / Enhanced]
DPA & Security Exhibit: [linked URLs + version]
Professional Services (if any): [scope summary] at [rate]
Special Terms: [discounts, ramp, EAP, custom obligations]
Renewal: Auto-renews for [12]-month periods unless notice [30] days prior.
Purchase Order: [required? Y/N] Invoicing: [email/AP portal]

Order of Precedence: This Order Form controls over the MSA in case of conflict.
Signatures: [blocks]

4) SLA (Lean)

SERVICE LEVEL AGREEMENT

Uptime: 99.9% monthly, excluding planned maintenance (≤4 hours/mo with 48 hours’ notice) and force majeure.

Credits:
- 99.0–99.9% → 5% of monthly fee
- 98.0–99.0% → 10%
- <98.0% → 25%
Apply as credits on next invoice upon claim within 30 days. Credits are sole remedy for SLA failures.

Support:
- Priority 1 response within 1 business hour; workaround or mitigation updates every 4 hours.
- Support hours: [timezone, hours]. Channels: [email/portal].
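The credit tiers and the planned-maintenance exclusion above only become operational once someone has to compute a month's number. As an added example (not part of the page's SLA text), the following computes monthly uptime and the credit owed under exactly the figures in the lean SLA: the 99.9% commitment, the three credit tiers, the 4-hour planned-maintenance allowance and the 30-day claim window. Two points the SLA text leaves open are fixed here as labelled assumptions: tier boundaries are treated as half-open ranges (exactly 99.0% earns 5%, not 10%), and planned maintenance beyond the 4-hour allowance counts as ordinary downtime.

```python
"""Added example: monthly uptime and service-credit calculation for the lean
SLA above.  Figures come from the SLA text; the half-open tier boundaries and
the treatment of maintenance beyond the allowance are assumptions made here."""
from dataclasses import dataclass
from datetime import date, timedelta

PLANNED_MAINTENANCE_ALLOWANCE_MIN = 4 * 60   # SLA: "<=4 hours/mo" excluded
UPTIME_COMMITMENT = 99.9                     # SLA: 99.9% monthly
CLAIM_WINDOW_DAYS = 30                       # SLA: "upon claim within 30 days"

# Credit tiers as (lower_inclusive, upper_exclusive, credit_percent).
# Assumption: half-open ranges, so exactly 99.0% falls in the 5% tier.
CREDIT_TIERS = (
    (99.0, 99.9, 5),
    (98.0, 99.0, 10),
    (float("-inf"), 98.0, 25),
)


@dataclass(frozen=True)
class MonthlyAvailability:
    minutes_in_month: int          # e.g. 30 days * 24 * 60
    unplanned_downtime_min: int    # outages with no 48-hour notice
    planned_maintenance_min: int   # downtime announced with 48 hours' notice
    force_majeure_min: int = 0     # excluded entirely by the SLA wording

    def excluded_minutes(self) -> int:
        """Minutes removed from the measurement base: force majeure plus
        planned maintenance, but only up to the 4-hour allowance."""
        planned_excluded = min(self.planned_maintenance_min,
                               PLANNED_MAINTENANCE_ALLOWANCE_MIN)
        return planned_excluded + self.force_majeure_min

    def counted_downtime(self) -> int:
        """Downtime charged against the commitment: unplanned outages plus any
        planned maintenance that overran the allowance (assumption)."""
        overrun = max(0, self.planned_maintenance_min
                      - PLANNED_MAINTENANCE_ALLOWANCE_MIN)
        return self.unplanned_downtime_min + overrun

    def uptime_percent(self) -> float:
        base = self.minutes_in_month - self.excluded_minutes()
        if base <= 0:
            return 100.0  # nothing measurable this month
        return round(100.0 * (base - self.counted_downtime()) / base, 3)


def credit_percent(uptime: float) -> int:
    """Map measured uptime to the credit tier; 0 when the commitment is met."""
    if uptime >= UPTIME_COMMITMENT:
        return 0
    for lower, upper, credit in CREDIT_TIERS:
        if lower <= uptime < upper:
            return credit
    return 0  # unreachable with the tiers above; kept defensively


def service_credit(avail: MonthlyAvailability, monthly_fee: float,
                   month_end: date, claim_date: date) -> float:
    """Credit owed for the month, honouring the 30-day claim window."""
    if claim_date - month_end > timedelta(days=CLAIM_WINDOW_DAYS):
        return 0.0  # claimed too late
    pct = credit_percent(avail.uptime_percent())
    return round(monthly_fee * pct / 100, 2)


if __name__ == "__main__":
    # Constructed sample month: 30 days, 90 min of unplanned outage and
    # 5 hours of planned maintenance (1 hour over the allowance).
    month = MonthlyAvailability(30 * 24 * 60, 90, 5 * 60)
    print("uptime %:", month.uptime_percent())
    print("credit %:", credit_percent(month.uptime_percent()))
    print("credit $:", service_credit(month, 10_000.0,
                                      date(2025, 8, 31), date(2025, 9, 15)))
```

Whatever you decide on the boundary and overrun questions, write the decision into the SLA itself; a calculation like this one is only as defensible as the wording it implements.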

5) DPA (Skeleton)

DATA PROCESSING ADDENDUM

Parties: Company (Processor) and Customer (Controller).

1. **Subject Matter & Duration:** Processing Customer Personal Data to provide the Services for the Term.
2. **Nature & Purpose:** Hosting, storage, transmission, analysis as needed to deliver features.
3. **Categories:** [employees, customers, end-users]; Data Types: [contact info, usage logs, identifiers]; Sensitive Data: [if any].
4. **Instructions:** Processor acts only on documented instructions from Controller.
5. **Security Measures:** As listed in Security Exhibit (annexed).
6. **Subprocessors:** Listed at [URL]; Processor remains liable; provide notice of changes; Customer may object on reasonable grounds.
7. **International Transfers:** Use appropriate safeguards (e.g., SCCs) where required.
8. **Assistance:** Data subject requests, DPIAs, breach notifications without undue delay.
9. **Return/Deletion:** On termination, return data in [format] and delete within [X] days, unless law requires retention.
10. **Audit:** Provide SOC 2/ISO report or equivalent; on-site audits with reasonable notice and limits.

Standard Contractual Clauses (if applicable) annexed.

6) Security Exhibit (Summary)

SECURITY EXHIBIT

- **Governance:** Security owner, annual risk assessment, policies (access control, incident response, vendor management).
- **Access:** SSO/MFA; least privilege; quarterly reviews; secure key management.
- **Data:** Encryption in transit (TLS 1.2+) and at rest; backups; retention schedule.
- **Development:** Secure SDLC, code review, dependency scanning, vulnerability management (patch P1 ≤ 7 days).
- **Infrastructure:** Network segmentation; logging & monitoring; endpoint protection; change management.
- **Incidents:** 24/7 monitoring; notify Customer within 72 hours; provide incident report and remediation plan.
- **Compliance:** SOC 2 Type II or ISO 27001 (if applicable) or roadmap dates.

7) SOW (Services Work) & Change Order

STATEMENT OF WORK # [NUMBER]

Project: [Name]
Scope: [deliverables, exclusions]
Milestones & Schedule: [dates]
Customer Responsibilities: [access, data, approvals]
Fees: [fixed fee / T&M rates], Expenses: [cap, pre-approval threshold]
Acceptance: [criteria, review period]
Change Control: Written change orders signed by both parties.
Dependencies & Assumptions: [list]
Contacts & Governance: [weekly standup, demo cadence]

Change Order (One-Liner):

CHANGE ORDER # [x] to SOW # [y]

Change: [describe]
Impact: [timeline, fees, scope]

All other SOW terms unchanged. Signatures: [blocks]

8) Vendor MSA (When You Buy)

VENDOR MASTER SERVICES AGREEMENT

1. **Services & Deliverables.** As per SOW/PO. Vendor warrants professional, workmanlike performance meeting specs.
2. **Fees & Expenses.** All-in unless pre-approved in writing. Net [30/45].
3. **Compliance.** Vendor complies with laws, anti-bribery, export, and your Code of Conduct.
4. **IP.** You own all Deliverables paid for; Vendor retains Background IP with license to you to use the Deliverables.
5. **Confidentiality.** Mutual.
6. **Security & Privacy.** If Vendor processes your or your users’ personal data, DPA + Security Exhibit apply; breach notice ≤72 hours.
7. **Audit & Reports.** Provide SOC 2/ISO (or questionnaire). Limited right to audit with notice; scope & frequency reasonable.
8. **Indemnity.** Vendor indemnifies for IP infringement, bodily injury, property damage, and Vendor’s breach of law.
9. **Insurance.** CGL $1M per occurrence; Tech E&O/Cyber $2M aggregate; provide certificates; name you as additional insured where customary.
10. **Liability.** Caps may not apply to Vendor’s IP indemnity, confidentiality breach, or data-security breach (negotiate).
11. **Subcontractors.** Pre-approval for material parts; Vendor remains liable.
12. **Term & Termination.** You may terminate for convenience on [30] days’ notice; pay for work performed. Termination for breach with [30] days’ cure.
13. **Publicity.** Vendor needs your written consent to use your name/logo.
14. **Governing Law & Venue.** [Your preferred forum].

9) Clickwrap TOS (Self-Serve Skeleton)

TERMS OF SERVICE

Acceptance. By creating an account or clicking “Agree,” you accept these Terms and the Privacy Policy.

Account & Use. You must be 18+. Keep credentials secure. No unlawful or prohibited use.

Subscriptions & Billing. Plans, limits, and pricing posted at signup; recurring billing; cancellation at period end.

Content & IP. You own your content. We own the Service. License granted to operate the Service.

Prohibited Uses. [examples]. We may suspend for abuse, security risk, or non-payment.

Warranties & Disclaimers. Service provided “as is” (except paid tiers may include the SLA).

Liability. As per Limitation of Liability clause.

Data & Privacy. See DPA (if applicable) and Privacy Policy.

Changes. We may update Terms with notice; material adverse changes take effect next billing cycle.

Governing Law; Disputes. [forum]. Contact support first; arbitration optional.

Contact. [legal@yourcompany].

Procurement Due-Diligence Checklist (Use with Vendors)

  • Corporate: Legal name, address, W-9/tax details, any recent ownership changes.
  • Services: Clear scope, SLAs, exit plan, and data export format.
  • Security: SOC 2/ISO report or security questionnaire; subprocessor list; vulnerability management process; incident response policy.
  • Privacy: DPA, data map, data retention and deletion policies, and details on cross-border data transfers.
  • Compliance: Checks for sanctions/export controls, anti-bribery policies, accessibility (e.g., WCAG), and open-source software policy.
  • Financials: Clear pricing, ramp/discount terms, true-up policies, and auto-renewal windows.
  • Insurance: Verification of coverages and limits; confirm if you are named as an additional insured where relevant.

Issue Log (Track Every Redline)

During a negotiation, use a simple tracking log like this to manage redlines. It keeps the deal team aligned and provides a clear record of what was discussed and agreed upon.

| # | Clause | Customer Ask | Your Position | Status | Owner | Target Date |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Liability Cap | Customer asks for 24-mo fees | Offer 12-mo fees + 3× super-cap for security/IP | Open | AE | 2025-08-20 |
| 2 | Publicity | Remove logo use completely | Accept; will ask for a case study later | Closed | Legal | 2025-08-18 |

Store this log in your CRM or deal room and link it directly to the draft agreement.

Storage & Naming Conventions

  • Central Repository: Create a clear folder structure like /Legal/Contracts/Executed/YYYY/.
  • File Names: Use a consistent naming convention: Counterparty_DocType_v#_YYYY-MM-DD_signed.pdf.
  • Versions: Keep both the final, executed PDF and the source (.docx) file with all redlines. Attach these to the opportunity record in your CRM.
  • Reminders: Set renewal reminders in your calendar and CRM for 60, 30, and 7 days before the term ends.

How to Adapt by Stage

Your contracting process should evolve as your company grows.

  • Pre-PMF: Stick to a simple Clickwrap TOS and a short-form NDA. The goal is to minimize friction and learn from early customers.
  • Early Enterprise (First 10+ Customers): Use a one-page Order Form and a lean MSA. Add the DPA and Security Exhibit only when a customer asks for them.
  • Scaling (Series A/B and Beyond): Formalize your documents. Have a robust SLA, region-specific DPAs (e.g., for GDPR, CCPA), security attestations (like SOC 2), and a formal vendor-management playbook.

Final Notes

  • Remember to replace all bracketed fields [...] with your specific information.
  • Always keep a version history and save redlined copies during negotiation.
  • Most importantly, ensure there is alignment between what Sales promises, what the contract legally states, and what your product can actually deliver.