How to redline a SaaS MSA: a clause-by-clause guide
A practical, clause-by-clause guide to redlining a vendor MSA — limitation of liability, indemnification, IP, data, auto-renewal, SLAs, and more. Written for in-house counsel and revenue ops.
Most vendor Master Services Agreements arrive looking polished and final. They are not. Vendor counsel writes them to start the negotiation in the vendor’s favor — and they expect counter-redlines. If you sign without pushing back, you are leaving real money, leverage, and protection on the table.
This guide walks through the eleven clauses that matter most in a SaaS MSA, what the vendor’s default position usually looks like, and the redline most buyers should propose. It is not legal advice — every deal has context — but it gives you a defensible baseline you can adapt to your situation.
Before you start: read the order of operations
An MSA is a master agreement. The order documents (Order Forms, SOWs, DPAs) sit underneath it and reference it. If a clause is loose in the MSA, every downstream order inherits the same looseness. That is why redlining the MSA matters far more than redlining the SOW — you fix the MSA once and protect every future order.
Always read these three documents together as one contract: MSA, Order Form / SOW, and DPA. Conflicts between them are common, and the order-of-precedence clause decides which one wins.
1. Limitation of liability
Vendor default: caps total liability at the fees paid in the prior six or twelve months, with broad carve-outs that protect the vendor more than they protect you.
Why it matters: a six-month look-back on a $200k/year contract caps your recovery at $100k. Real damages from a vendor breach — data loss, regulatory fines, downstream contract failures — vastly exceed that.
Redline: push for a twelve-month look-back with a dollar floor (commonly $1M or 2× annual fees, whichever is greater). Carve out from the cap entirely: indemnity obligations, breach of confidentiality, breach of data security obligations, gross negligence, and willful misconduct. Most vendors above $50k ARR accept this without escalation.
2. Indemnification
Vendor default: vendor indemnifies you for third-party IP claims arising from the service, but with broad carve-outs (you modified it, you combined it with other software, you used it in an unintended way).
Why it matters: IP indemnity is the most common reason buyers actually use the indemnity clause. If the carve-outs swallow the rule, the indemnity is theater.
Redline: narrow the carve-outs to material modifications and unauthorized uses. Add a mutual indemnity for breach of confidentiality and data security obligations. Require the vendor to provide a remedy (replace, modify, or refund) if a covered claim succeeds — not just defense.
3. Intellectual property and license grants
Vendor default: vendor retains all IP in the service. You get a non-exclusive, non-transferable license to use it during the term. Your data is yours, but feedback you give about the product becomes the vendor’s property.
Why it matters: the feedback clause is the sneaky one. If you tell the vendor “your product needs to handle X,” and the vendor builds X based on your input, the feedback clause means they own it free and clear — and can sell it back to your competitors.
Redline: accept the basic IP allocation, but limit the feedback license to a non-exclusive, non-transferable right for the vendor to use feedback internally to improve the service. Reject any assignment of feedback IP. Also confirm your data is owned by you and that any AI features cannot train on your inputs without explicit opt-in.
4. Data ownership, security, and the DPA
Vendor default: vendor commits to industry-standard security “commensurate with the sensitivity of the data” — a phrase that means nothing legally. The DPA, if one is attached, may not meet your jurisdiction’s requirements.
Why it matters: this is the clause that will keep you up at night if there is ever a breach. “Commensurate” gives the vendor full discretion. You want specific commitments you can enforce.
Redline: require specific named controls — SOC 2 Type II (or ISO 27001), encryption at rest and in transit, MFA on admin access, annual penetration testing, and a documented incident response process. Require breach notification within 48–72 hours (not the vendor’s preferred “without undue delay”). Make the DPA an exhibit to the MSA so it cannot be replaced unilaterally.
5. Auto-renewal and termination for convenience
Vendor default: contract auto-renews for successive twelve-month terms unless you give 90+ days’ notice. No termination for convenience — only for material breach with a long cure period.
Why it matters: auto-renewal is a procurement trap. If a stakeholder leaves, the renewal notice gets missed, and you are locked in for another year. No termination for convenience means you have to fabricate a breach to leave, which is expensive and adversarial.
Redline: shorten notice to 30 days for SMB deals, 60 for enterprise. Add a termination-for-convenience right with a reasonable wind-down (often 30–60 days). If the vendor refuses convenience termination, at minimum negotiate a termination right for a material price increase at renewal (more than CPI or 5%).
6. Service Level Agreement (SLA) and remedies
Vendor default: 99.9% uptime guarantee with service credits as the “sole and exclusive remedy.” Service credits are typically capped at one month of fees.
Why it matters: 99.9% uptime allows ~8.76 hours of downtime per year. If your business depends on the service, that is a real number. And “sole and exclusive remedy” means you cannot sue for actual damages from downtime, even if it costs you a million dollars in lost revenue.
Redline: for critical services, push for 99.95% or 99.99% uptime. Negotiate a tiered credit schedule that gets meaningful (10–25% of monthly fees) at real-world downtime levels. Add a chronic-failure termination right: if the vendor misses SLA in any three consecutive months, you can terminate for cause and get a refund of prepaid fees.
7. Confidentiality
Vendor default: mutual NDA-style confidentiality with a survival period (often 3–5 years).
Why it matters: this clause is usually fine, but the survival period is worth checking. Trade secrets should remain protected for as long as they are secrets — not just five years.
Redline: add an exception for trade secrets that survives indefinitely (or as long as the information remains a trade secret under applicable law). Confirm the residuals clause — if there is one allowing the vendor’s employees to “use what they remember” — is removed or narrowly scoped.
8. Audit rights
Vendor default: no buyer audit rights. The vendor may audit your usage but you cannot audit their security or compliance.
Why it matters: if you are in a regulated industry (financial services, healthcare, government), you need contractual audit rights to satisfy your own regulators. SOC 2 reports help but are not always enough.
Redline: add a right to receive the vendor’s most recent SOC 2 Type II report annually. For regulated buyers, add a right to conduct (or have a third party conduct) an on-site audit once per year on reasonable notice, at the buyer’s expense.
9. Assignment and change of control
Vendor default: vendor can freely assign the contract to an affiliate, acquirer, or successor. You cannot assign without consent.
Why it matters: if the vendor gets acquired by a competitor of yours — or by a company you cannot do business with for regulatory reasons — you are stuck.
Redline: make assignment mutual, or add a termination right if the vendor is acquired by a named competitor or sanctioned entity. Also add a flow-down requirement: any assignee must accept all obligations of the original vendor.
10. Order of precedence
Vendor default: the Order Form controls over the MSA in case of conflict.
Why it matters: vendor sales teams love Order Forms because they can slip in single-sentence changes that override months of MSA negotiation. If the Order Form wins, your MSA redlines do not stick across new orders.
Redline: flip it. The MSA controls over the Order Form unless the Order Form explicitly identifies a specific MSA section it is modifying. This forces sales teams to surface deviations rather than burying them.
11. Governing law and forum
Vendor default: vendor’s home state, with exclusive jurisdiction in vendor’s county.
Why it matters: if a dispute reaches litigation, having to fly across the country and hire local counsel is a real cost that makes you less likely to enforce your rights.
Redline: if you have the leverage, push for your home state. If not, compromise on a neutral state (Delaware and New York are common) with non-exclusive jurisdiction so either party can sue where the breach occurred.
Bringing it together: build a playbook
Doing this analysis once is exhausting. Doing it twenty times a year is unsustainable. The leverage move is to write your playbook — your company’s standard positions on each of these clauses — and apply it consistently.
A good playbook does three things: (1) defines your ideal position (what you ask for first), (2) defines your fallback (what you accept under pressure), and (3) defines your walk-away (what you will not accept under any circumstance). Once you have a playbook, every contract review collapses from “read 60 pages and think” to “check against the playbook and flag the gaps.”
That is what CounterClause is built to do. Upload a contract, paste your playbook, and get back a redlined version flagging every clause that violates your standard positions — with proposed alternative language and a counter-proposal email you can send to the vendor. It is the same workflow an experienced contracts lawyer runs, just compressed from three days into ninety seconds.