When a Managed Services Provider begins a relationship with a new client, it is important they agree on certain terms and conditions by which business will be conducted. This is known as the Master Services Agreement (MSA). These are the foundational terms that all business will adhere to unless expressly superseded by a subsequent agreement. Our hosted Master Services Agreement has been developed over 15 years of industry experience and is designed to protect the MSP from a variety of liability risks.
Using our contracts-as-service platform, any Orders or Service Agreements signed by the client will refer to the MSA and indicate that the client acknowledges and reaffirms its terms and conditions. This is important as the MSA will change over time due to changes in the industry. Each time the client signs a new Order they are provided an opportunity to review the latest version of the MSA. If there are new terms and conditions the client cannot agree to, they should resolve those issues before proceeding with the order. With this solution, we are able to put all of the MSP’s customers on the same contract at all times.
There are several key provisions of our Master Services Agreement template that every Managed Service Provider should address at the start of a new relationship.
Definition of Statements of Service
Managed Service Providers offer different varieties of service. These are specifically defined in Orders and Service Attachments. Most commonly, these define the monthly recurring services provided by the MSP. The MSA clarifies that, if any conflict between the language in the MSA and that in the Order or Service Attachment occurs, the language in the Order or Service Attachment controls.
Additionally, MSPs provide “one-off”, emergency, or project services that are outside the scope of any Order or Service Attachment. The MSA defines those services and explains the process by which those services will be contracted.
Fees and Payment Terms
Our Master Services Agreement indicates that fees for services are defined within subsequent Orders or Statements of Work. In the absence of an Order or SOW, the client agrees that services will be performed on a time and materials basis at current rates.
Our MSA template also defines exceptions whereby the MSP may adjust or charge additional fees. These include changes in the number of users or devices, surcharges, off-boarding, pass-through fees, and delays caused by the client.
Our MSA also defines escalators for the contract. The MSP reserves the right to increase fees at any time. The MSP may set a threshold over which the client has the option to terminate the contract without penalty.
Payment due dates and any penalties for late payment are articulated in the MSA as well. The MSP also reserves the right to suspend the delivery of services and withhold confidential information for non-payment by the client. The MSP may impose a “reactivation fee” to restore service.
Declaration of the Use of Third-Party Vendors
All MSPs make use of third-party services in the delivery of the services they provide. These may include services from vendors such as Microsoft, Datto, Kaseya, and many others. Our MSA makes clear to the client that the MSP uses these services and that the MSP is not responsible for any acts or omissions of the third-party vendor. The client’s rights are governed by the third-party vendor’s End User License Agreement (EULA) or Terms and Conditions. A schedule of third-party vendors, created last fall in the wake of the Kaseya ransomware attacks, accompanies the MSA as an attachment. Our schedule of third-party service providers includes the name of the vendor, the service provided, and links to the vendor’s End User License Agreement and privacy policies. The MSA instructs the client to review the policies of the third-party vendors. Most importantly, it contains a clear and unequivocal waiver of the right to sue the MSP for any failure of a third-party service provider.
Term and Termination
The term of the agreement is defined in the MSA. The term begins on the Order Effective date on the agreement and continues until the contract is terminated by either party. The MSA is an “evergreen” contract, meaning that it has no set expiration date. The MSA can be terminated at any time with or without cause by either party.
All subsequent Orders and Service Attachments will have their own term and termination clauses. Those clauses will have expiration dates and renewal language. Although the MSA can be terminated at any time, that does not terminate any Orders or Service Attachment agreements. By default, the terms and conditions of the MSA will remain in effect until all subsequent Orders or Service Attachments expire.
Intellectual Property Rights
Managed Service Providers must protect their Intellectual Property (IP). In our MSA template, any writing or work of authorship created by the MSP or the client while providing the services, referred to as “Provider Work”, is owned by the MSP. For any IP that resides on the client’s devices, the MSP grants the client a license to use it. That license automatically expires upon termination of the related Order or Service Attachment.
Likewise, the MSP may provide equipment and software required to perform the services they provide. Our MSA articulates that the ownership of the equipment and software remains with the MSP. Our MSA stipulates that the MSP may switch out equipment or software at their sole discretion. The MSA also states that all equipment will be returned and software removed when the agreement is terminated.
Non-disclosure and Confidentiality
During a managed services relationship both the MSP and the client will inevitably encounter confidential or proprietary information belonging to the other party. Both parties agree in the MSA to keep that information in strict confidence.
Scott & Scott’s MSA defines what information is considered confidential, such as passwords, audit and security reports, MSP pricing, configuration information, etc. Our MSA also defines what constitutes non-confidential information, such as publicly available information, information either party possessed prior to the relationship, and information that must be disclosed pursuant to a court order or by law. The MSA itself is considered confidential information.
Client Covenants and Obligations
In the MSP-Client relationship the client has certain obligations to assist the MSP in the delivery of service. The Client must agree to assist the MSP by providing adequate and timely access to the facilities and equipment and provide a suitable work environment for MSP personnel. This may also include assigning a dedicated point person or project manager as the interface. The client also agrees to perform simple procedures to assist in the diagnosis of issues including reboots and power downs.
The Client is responsible for providing remote access to the MSP via VPN to covered equipment. The client must maintain an environment suitable for the equipment housed including adequate cooling, electrical service, air circulation, and power surge protection.
The Client must agree to maintain proper licensing on all Software in use. The client will not use software that is no longer supported by the manufacturer. The client holds the MSP harmless for any damages caused by the use of unsupported software. Likewise, the client agrees to maintain warranties and maintenance agreements on all hardware. The MSP may designate equipment obsolete when it reaches end-of-life as specified by the manufacturer.
Although the MSP may implement security features as a part of the services they provide, it is ultimately the responsibility of the client to ensure the security of their network. Among other countermeasures, the client agrees to have a firewall in place, ensure the wireless network is encrypted, train employees on security awareness, and maintain physical security. The MSP is not responsible for any unauthorized access to the client’s network. If a security service is included in the MSP’s package of services, the MSP will make commercially reasonable efforts to secure the client’s network against hackers and malicious activity. However, the client agrees that no security system can guarantee complete protection. The client agrees to hold the MSP harmless from loss, injury or damage to the client caused by malicious activities.
Though the MSP may offer backup and recovery services as part of their services package, it is the client’s responsibility to maintain its own independent off-site backup of the data stored on their network. The client must verify that backups are made regularly. The MSP is not liable for any data loss due to a backup failure.
The MSP is not responsible for any criminal activity by hackers, phishers, crypto-locker, or others. The client agrees to either pay any ransom demands or hold the MSP harmless for any activity affecting network security. The client also agrees to ensure that an anti-virus solution is in place, updated, and properly licensed. The MSP is not responsible for harm caused by viruses or malware. The client agrees to pay any fees associated with the servicing or rebuilding of systems due to malicious activity or virus infection.
It is common for the MSP to provide password management services for the client. However, the client is responsible for the proper use of the password management system. The client must hold the MSP harmless from any loss or damage due to unauthorized access or the misuse of the password management system.
Provider Representation and Warranty
Many things can go wrong in the Information Technology business. The MSA makes clear that the MSP does not guarantee the services will be delivered error-free or that the service will be completely secure. Our MSA states that there are inherent risks associated with connecting to the internet that may result in business interruption.
Scott & Scott’s Master Services Agreement articulates the remedy available to the client should the MSP breach the warranty and be unable to correct the issue that caused the breach. This is typically limited to a refund of the fees pre-paid for the deficient service and the opportunity for the client to terminate the deficient service.
Compliance with Laws
Managed Service Providers have clients in many different industries. Some industries are bound by specific regulations and requirements. For instance, healthcare organizations are bound by HIPAA. Financial institutions must adhere to GLBA. Some regulations are based on geographical circumstances. Any company processing data on European citizens must follow GDPR guidelines; those processing data for California citizens must follow CCPA.
While delivering services the MSP is in a position to have access to the data stored and processed by the client. As such, if the client is subject to any of these regulations the MSP should have a separate Data Processing Agreement (DPA) in place with the client. However, it is the client’s responsibility to make the MSP aware of the existence of the regulated data.
Our MSA template states that, unless there is a DPA in place, the provider is not responsible for compliance with any laws applicable to the client’s industry.
The labor market today is tight, especially in the IT industry. It is important to prevent clients from hiring employees away. Scott & Scott’s Master Services Agreement addresses this by declaring a period after the termination of the contract during which the client cannot hire an employee of the Managed Service Provider. Typically, this is twelve months.
Should the client hire the employee within the restricted period, the MSA stipulates a payment that must be made by the client to the MSP. For example, one year of base salary for the employee hired.
In every relationship, there is always the potential for a dispute to arise. Our Master Services Agreement template describes how those disputes will be handled. It identifies the rules of arbitration and the location where the arbitration will take place. It addresses how expenses will be handled and states that the decision of the arbiter is final.
The MSA also places a limit on the period in which a complaint can be lodged after a failure of service has occurred. For example, complaints for issues that occurred more than six months prior will not be addressed.
The MSA articulates that the client will defend and hold the MSP harmless against all costs and expenses related to certain situations. These may include copyright or patent infringement based on the use or modification the MSP has made to software at the client’s request, software licensing compliance issues, or any infringement of data processing laws the client is subject to.
The MSA also states that the MSP will indemnify and hold harmless the client for damages or loss caused by actions of the MSP. These might include errors, omissions, negligent acts, or misrepresentation. Scott & Scott customizes each client’s Master Services Agreement to mirror the indemnification language contained in their professional liability insurance to make sure there are no gaps between the insurance coverage and the indemnity provisions in the MSA.
Limitation of Liability
In order to define the limits of damages a client may recover in the event the client brings a lawsuit against the MSP, the MSA defines the limitation of liability. The liability is limited to actual direct damages.
The Master Services Agreement puts into financial terms the maximum amount of money the MSP will pay the client in the event of a breach of contract. For instance, the client may be offered the greater of six months of revenue for the services giving rise to the claim or the available proceeds from the MSP’s Professional Liability Insurance.
The Limitation of Liability specifically prohibits either party from recovering indirect costs such as lost profits, lost savings, lost productivity, or loss from business interruption resulting from a failure of the service. Scott & Scott’s MSA template identifies several types of issues for which the MSP is not liable, including backup failures, security breaches, and failures brought on by third-party services.
Our MSA template requires the client to hold a minimum level of insurance coverage for general commercial liability, workers’ comp, and first-party cyber liability insurance.
The Managed Service Provider also identifies their insurance coverage in the MSA. Our MSA also states that the client’s insurance will act as the primary insurance over the MSP’s.
Finally, the MSA addresses several standard contract terms including:
Both parties agree on how notices, demands and requests will be conveyed.
This is the general disclaimer for failures of service due to extreme circumstances such as fire, flood, pandemics (yup!), and such. Rules of engagement are defined to handle such situations.
The agreement cannot be assigned to others without the written consent of both parties. However, the MSP may transfer its rights in the event they are acquired.
Certain provisions within the MSA remain in effect after the termination of the agreement. These include intellectual property rights, non-disclosure, and confidentiality.
If any provision of the contract is deemed invalid by a court of law, the remainder of the contract remains in effect.
Both parties agree they will not tarnish the reputation of the other.
This clause binds the MSA to all subsequent orders, service attachments, and descriptions. The combination constitutes the MSP’s entire understanding of the agreement between the two parties.
If you are practicing managed services, the risk landscape is changing quickly and taking a fresh look at your approach to customer contracting makes good sense. If you would like to schedule a demo of our solution, please contact us today.