A Monjur Legal Guide

The Master Services Agreement Legal Guide for MSPs

What belongs in your master services agreement, and what most templates leave out.

Looking for an MSP contract template, or a master services agreement template? Start here. A generic template can leave out the provisions that do the most to protect your business. This is a working legal guide to the 11 provisions we consider most important, in plain English, from the attorneys who manage contracting for 1,000+ MSPs.

The Monjur document family: a Master Services Agreement at the center, connected to the Order/Quote, Service Attachments, Schedule of Services, Third-Party Services, Data Processing Agreement, AI Attachment, and Order. Everything is connected, everything is covered.
Part 01 How to use this guide
Part 01

How to use this guide

A quick disclaimer first. This is an educational guide, not legal advice. It is here to help you understand what a strong master service agreement contains and to pressure-test your own.

Who this is for.
MSP owners and operators running recurring-revenue businesses who want their contracts to keep up with how fast they move. If you came looking for a free template to copy and move on, this guide will probably change your mind about why that is a risk.

When our attorneys build and review an MSA, the work runs well beyond the provisions in this guide, because a contract we can stand behind has to account for the things a downloaded template never can: the states you operate in, the clients you serve, the industries they work in, the regulations they live under, the tools you run, and the services you sell. A template cannot know any of that about your business. That is why we are not believers in generic templates.

Use this guide two ways

Pressure-test your own MSA. Read it against the provisions below and mark each place it is silent, vague, or one-sided. That list is your starting point. Treat it as a checklist.

Have an attorney who knows your world review it. Submit your MSA for a free review and get specific, prioritized recommendations on what to change. If you would rather skip the self-audit, you can work directly with us. Submit your MSA for a free review →

One note on using AI here. AI is good at a first read and a fast draft, and you should use it for that. What it tends to miss is the last ten or fifteen percent, the judgment calls, and on a contract that is the part that saves you. It is not yet legal-grade on its own. Treat an AI pass as a draft, keep a human in the loop, and have an attorney who knows the MSP channel review anything that matters before you rely on it.

Part 02

What is a master services agreement?

A master services agreement, or MSA, is the document that governs your entire relationship with a client. It sits above everything else you sign, and it is deliberately service-agnostic. It covers the legal relationship, not any one service.

Notice what is not in it. There is nothing about managed IT, security, or backup in the master itself, because the master is built to sit over any service you might ever sell.

The other defining trait of an MSA is that it does not expire. It stays in effect until someone specifically terminates it. In practice a client almost never says "I want to terminate my MSA," they say "I want to cancel this service," and the master keeps governing everything that remains. One of our attorneys describes it as "always and forever and amen." That permanence is the point. It is what lets the protections you negotiated once keep applying for the life of the relationship, as long as the document is built so that ending a service does not quietly end the master.

An MSA does not work alone. A healthy contract is a small stack of documents that all point back to it.

How the documents work together
ControlsThe Order / Quotewhat the client accepts; overrides what sits beneath it
The masterMaster Services Agreementoverarching legal terms · never expires · no service specifics
Service Attachmentseach recurring service line you sell
Schedule of Servicesthe menu your quotes draw from
Schedule of Third-Party Servicesthe outside vendors you run on
Data Processing Agreementregulated data, when it applies
AI Attachmenthow AI is used in the environment
Orderone-off projects, each on its own order
Everything binds to the MSA by incorporation by reference, through live links. If a link breaks or points at stale terms, the protection does not travel.

The order, or quote, the client accepts sits on top of all of it. Whatever the order says controls. That is what lets you sell different things to different clients off one consistent foundation, and it is also where care matters most. A custom term typed onto an order can override a protection the MSA gave you.

How does a client become bound to all of this without signing each document? Incorporation by reference. When the client accepts the quote, they accept the terms it links to, and the links carry the current version of each document. That mechanism is what makes the whole stack live, and it is fragile. If a link breaks or points at stale terms, the protection does not travel.

Your recurring revenue lives in the Service Attachments. Project work gets its own order. The MSA underneath it all is the part that has to survive every change, which is why the attorneys who build these will tell you that nearly every sentence in a good MSA is there because of a fight someone had over it once.

Part 03

Why a static contract leaves you exposed

The risk is rarely that no contract exists. It is that the contract stops matching the business the day after you sign it, and then keeps drifting.

Think about what happens in your operation in a normal quarter. Your sales team takes a redline from a prospect and agrees to a change to close the deal. An engineer swaps a backup product or adds a new security tool to the stack. You launch a new service line. A client rolls out a new application, or starts letting their team use AI, and creates a new kind of exposure. A state privacy law takes effect, or a framework like HIPAA or CMMC changes the rules. You move upmarket and start serving bigger clients with serious compliance obligations.

Every one of those is normal, healthy growth. Every one of them also opens a gap between what you now do and what your paper covers.

A static MSA is like an unpatched system. It runs fine right up until the day someone finds the gap, and by then it can be too late to fix quietly. You would not let a client operate on software you last updated in 2019. Your most important contract is no different, except the gap stays invisible until a claim, an audit, or a buyer's diligence team goes looking for it.

Writing your master service agreement is not a project you finish once. It is a practice you keep, because the contract has to move at the speed your business moves.

Two MSPs with identical revenue can be worth very different amounts when it comes time to sell, and that difference often lives in the contract. How you run the business day to day drives your profit. What is in your paper drives what the business is worth, and that is the part easiest to underinvest in.

It is the whole reason we built Monjur, dynamic, attorney-maintained agreements that stay current. See where yours stands →

The 11 Core Provisions · 1 to 5

The clauses that protect you when a dispute comes up

The foundational terms, scope, fees, term, IP, and the rest, are covered in a separate guide to the foundations of an MSP MSA. Beyond those foundations, 11 provisions decide how protected you are. Across the thousands of MSP agreements our attorneys have reviewed over 25-plus years, these are the places where exposure tends to concentrate, and where a generic template or a general-practice lawyer can leave a gap.

These five do two jobs. They cap what a claim can cost you if one ever lands, and they make a claim less likely to land at all. For many MSPs, simply having to defend a sizable claim, win or lose, is the catastrophe.

1

Limitation of Liability

What it does

Sets a ceiling on the most you would ever have to pay if a client blames you and brings a claim. With it, your worst case is a known, capped number instead of everything you have built.

Why it matters to your MSP

You run the technology a client's whole business depends on, so the dollars at stake can dwarf what they pay you in a year. The strongest version ties the cap to your insurance, set at the greater of your professional liability proceeds or a stated window of fees, so what you could owe lines up with what your policy pays. Two pieces are easy to miss. The first is spelling out that "proceeds of insurance" means what your policy pays out, not a number the client can come after you for directly. The second is a carrier-denial provision, so that if your own insurer wrongly denies a claim, you are not personally left fighting them.

When it comes up

A client gets breached and says your team should have caught it. A server goes down in their busy season and they claim lost sales. A prospect's lawyer turns to this clause first.

Where it falls short

A flat fee-only cap with no link to your insurance, leaving a gap you cover yourself, or, worse, no cap at all.

2

Forum and Dispute Resolution

What it does

Decides where and how a disagreement gets settled, in private arbitration or open court, in which state, under whose rules. A strong version channels disputes into arbitration and keeps the scope airtight, so a dispute does not split into two fights, part in arbitration and part in court.

Why it matters to your MSP

The catastrophe is not losing a case, it is having to defend one at all. Routing disputes to arbitration and keeping the terms tight adds friction so a disagreement is more likely to resolve quietly than to become a court fight that drains months and legal fees.

When it comes up

A client stops paying and you need a fast, private way to collect. A dispute heats up. A client in another state tries to pull you into their home court.

Where it falls short

No arbitration step, or carve-outs that reopen the split-forum problem this clause is meant to close.

3

Customer Insurance

What it does

Requires the client to carry their own coverage, including first-party cyber, and to have it respond first, before your own policy is ever touched.

Why it matters to your MSP

When an incident hits both of you, you do not want to be the only one with coverage in the room. The strongest version makes the client's policy primary over your E&O and adds a waiver of subrogation, so the client's insurer cannot pay out and then turn around and come after you to recover it. It also screens clients, since a business that carries proper coverage tends to be a safer client, and it is one of the better levers for moving legacy clients onto current paper.

When it comes up

A client is hit with ransomware that started on their side. A lawsuit names both of you. Your insurer asks at renewal whether your contracts require client coverage.

Where it falls short

No requirement at all, no primary-coverage language, or no waiver of subrogation, so the carriers argue over who pays first and you get pulled in.

4

Claim Limitations and Service Warranty

What it does

Puts a clock on how long a client has to bring a claim, and names the one specific fix you owe if service falls short, instead of leaving both open-ended.

Why it matters to your MSP

The law gives clients a long window to sue. Shortening it and naming a single remedy keeps stale grievances from resurfacing as claims years later.

When it comes up

A client surfaces a complaint about work you did two years ago, or argues a small slip entitles them to large damages.

Where it falls short

The default statutory window, often far longer than you would want, and unlimited remedies you never agreed to.

5

Criminal Acts and Force Majeure

What it does

Protects you when something outside your control causes the problem. The operative idea is criminal acts of third parties, ransomware, a breach, business email compromise, phishing, not just the old fires-and-floods list. This is also where AI-specific risks now get addressed.

Why it matters to your MSP

MSPs get blamed for harm they did not cause. A modern clause names the events you actually face today, and carves back your own negligence, so it reads as "we are not liable for a criminal's act," not a blanket disclaimer of everything. A blanket version is both unfair to the client and weaker in front of a court.

When it comes up

A client is hit by ransomware and looks to you to pay. A major outage takes services down. A new law forces a change neither of you chose.

Where it falls short

A decades-old clause that lists fires and floods but never names a cyberattack, or a version written so broadly that it tries to disclaim your own negligence.

The 11 Core Provisions · 6 to 10

How to stop your revenue from leaking out

Where Protect keeps a claim from costing you, Lock keeps your own revenue from leaking out. These defend the recurring revenue you have already earned from the everyday things that drain it: a client who leaves mid-term, a security failure you warned against, a backup gap that was the client's job, a regulated-data leak, or a vendor's mistake. Without them, your top line is real but your margin is not safe.

6

Early Termination Fee

What it does

Spells out what a client owes if they walk mid-term, set at a level a court will enforce.

Why it matters to your MSP

Your business runs on predictable recurring revenue, so leaving early should be a real decision, not a free exit. But the fee has to be enforceable, and this is where many agreements overreach. Demanding 100% of the remaining term tends to read as a penalty a court will strike down, which leaves you with nothing. The approach that holds up is more measured. Recover on the order of half the remaining fees, plus the full out-of-pocket costs you cannot get back, the vendor commitments, licenses, and circuits you bought for that client and cannot reassign.

When it comes up

A client tries to leave eight months into a three-year term. A competitor poaches an account. A client slow-walks payments.

Where it falls short

Either no real fee at all, so the revenue walks out the door, or an over-aggressive full-term penalty that a court will not enforce.

7

Security Recommendations

What it does

Gives you a way to recommend security controls in writing and shift the risk to the client when they decline. The mechanism even has a name, a Declination of Service.

Why it matters to your MSP

You see risks your clients do not. When a client refuses a control, MFA, security awareness training, privileged access management, you should not own the fallout when that specific gap is later exploited. Keep this focused on security and regulatory compliance, not routine hardware or capacity advice, which is a place the clause can get diluted until it no longer covers what matters.

When it comes up

A client refuses a security upgrade, then gets breached through that hole. An insurer asks whether you warned them.

Where it falls short

No mechanism at all, or one written so broadly it covers ordinary hardware recommendations instead of the security declines that actually create exposure.

8

Independent Backup

What it does

Makes the client responsible for keeping a backup of their own data outside your systems, and protects you if they did not.

Why it matters to your MSP

If you are the only one holding a client's data, you become the single point of failure for their entire business. There is no such thing as a fail-proof backup, which is why the principle is a tertiary copy, the same redundancy logic you preach to your own clients. This is one we built from a real case.

When it comes up

Data gets corrupted or deleted and the client expects you to have the only copy. Ransomware encrypts everything and recovery depends on backups.

Where it falls short

Language that makes you the sole insurer of the client's data, with no obligation on them.

9

Data Processing Framework

What it does

Requires a signed data processing agreement before any regulated data moves through your systems, and names the rules that apply.

Why it matters to your MSP

Touching regulated data without the right paperwork takes on exposure that can dwarf the account. Treat the DPA as a gate you present, not a document you wait for the client to hand you. When a client sends their own version, you can stand on the agreement regulators actually recommend rather than reacting to theirs. It is also the most-changed document in the stack, because the underlying laws keep moving.

When it comes up

A healthcare or finance client starts sending regulated data your way. A new privacy law takes effect. An auditor asks how you handle it.

Where it falls short

No gate at all. Regimes worth naming include HIPAA, GLBA, CCPA, GDPR, and CMMC, plus the newer state privacy laws.

10

Third-Party Vendor Waiver

What it does

Passes the liability limits of the outside vendors you rely on through to your client, so a vendor's failure lands on the vendor, not on you.

Why it matters to your MSP

You assemble the tools you sell, but to the client you are the single throat to choke. The legal heart of this is easy to get wrong. A vague "we are not responsible for our vendors" line tends not to hold up. What does hold up is a clear and unequivocal waiver of a known right, and that requires naming the vendors in a schedule the client can see, with the structure built so that vendors you add later stay covered too.

When it comes up

A major platform has an outage. A security tool you resell suffers a breach. A vendor changes its own terms and a client points upstream. (The CrowdStrike outage and various security-tool breaches are recent real-world versions of this.)

Where it falls short

No vendor schedule, or a vague blanket disclaimer that does not meet the known-right standard, so you become the liability sponge for your whole stack.

The 11 Core Provisions · Provision 11

How to increase your valuation

Many MSP owners are building toward a sale someday, whether they say so out loud or not, and the market they will sell into is consolidating fast. The analyst firm Omdia tracked 169 announced MSP M&A transactions in 2025, with private equity involved in roughly 69% of them, as PE-backed platforms roll up a fragmented channel.

169announced MSP M&A deals tracked in 2025
~69%of disclosed deals involved private equity
>90%client retention is where the premium multiples live
Sources: Omdia, MSP M&A 2025 · Aventis Advisors, MSP Valuation Multiples

What those buyers pay for has narrowed. According to the M&A advisory Aventis Advisors, the MSPs that earn the highest valuations are the ones with strong recurring revenue and customer retention above 90%, while smaller or weakly-contracted firms sit well below on the multiple. A clean, transferable book of contracts is part of what separates the two, and this last provision decides whether your agreements add to that number or drag it down.

11

Assignment and Change of Control

What it does

Lets you transfer your agreements to a new owner when you sell, merge, or restructure, without collecting every client's permission first.

Why it matters to your MSP

When you sell, a buyer is really buying your contracts. If each one needs client sign-off to transfer, the buyer faces renegotiating your whole book. That is not a footnote in diligence. As Potomac Law Group partner Laurent Campo put it, change-of-control provisions in a target's contracts "are not a diligence item. They are a deal term," and mishandling them is "how transactions get repriced, restructured, or killed." The cleaner approach is not a blanket "no consent ever," but consent scoped to an equity transfer above a stated threshold, so ordinary changes of control pass through without a renegotiation.

When it comes up

You get an acquisition offer and diligence begins. You bring on a partner or restructure. A private-equity buyer asks whether your agreements transfer cleanly.

Where it falls short

A broad consent requirement that forces a buyer to renegotiate every client, stalling deals and compressing your valuation.

Those are the 11 provisions that decide how protected you are.

See exactly where yours stands. Get a free MSA review →

Part 07

The AI Effect on your MSA

AI is changing your master services agreement from two directions at once. Your client is reading it, and you are maintaining it. Both matter, and they point the same way.

Your clients can now read your MSA with AI. It used to take a client with a sophisticated, expensive lawyer to pull your agreement apart, clause by clause. That barrier is largely gone. A client can paste your MSA into an AI tool and get back a list of weak clauses, missing caps, and one-sided terms in seconds, then hand that to their own counsel as a redline that shifts risk back onto you. A generic or stale contract does not hold up well to that kind of read.

But you cannot just point AI at your own contract and call it handled. This is the more dangerous half. AI is useful for a first read and a fast draft, and you should use it that way. What it cannot do is exercise judgment, know the specifics of your business, or stay current with the law in your state, and it will state a wrong answer with the same confidence as a right one. An MSP recently sent us an MSA drafted entirely with Claude for review. It read like a lawyer wrote it, and it scored 36% against the provisions in this guide.

The last ten or fifteen percent of a contract, the judgment calls, is the part that protects you, and it is exactly the part a general-purpose model is least equipped to get right. AI will not represent you, stand behind its work, or answer opposing counsel when the redline comes back. The last place you want to learn your paper is not sufficient is in the middle of a claim.

And the ground keeps moving. AI is reshaping the technology your clients run, the tools you resell, the data you touch, and the rules that apply to it, faster than a document signed once can track. Every one of those shifts is a new place for a static MSA to fall behind. It is also why a current agreement now carries AI-specific terms of its own, an AI Attachment that sets out how AI is used in the environment and makes clear the client uses it, including the AI now built into the tools you resell, at its own risk.

All of it points the same way, toward a contract that is maintained, not frozen, with legal judgment behind it. That is what we built. We draft the full set of agreements for how you sell, then put a purpose-built AI on top, one grounded in your own contracts and our library of attorney-approved clauses rather than the open internet, so your owners, operators, and sales team get reliable, day-to-day answers on what they can and cannot commit to. And when a question crosses from guidance into legal judgment, it escalates to a real MSP attorney. Use AI to move fast. Keep a human in the loop where it counts.

When a client sends back a redline, you want two things. A contract built to survive it, and an MSP attorney who can answer with authority. That is the difference between a document and a defense.

Part 08

Your contract should be dynamic, not static

These provisions are a starting point. The right set shifts every time your business does, as you add a service line, swap a vendor, or take on a bigger client. An MSA written once rarely looks broken. It just tends to protect a little less over time, until the day it matters.

You already know this pattern, because it is the same reason your own clients pay you a flat monthly fee instead of calling a computer guy when something breaks. A one-time template, or a one-off attorney project, is the break-fix model of legal. Reactive, frozen, and transactional. We built the managed-services version.

Monjur is attorney-supervised contract intelligence for MSPs. We write and update your client contracts, and protect your business, so you do not have to.

We rebuild your agreements to match what you sell, keep them current through a live link, automatically or after you review and approve each change, give your whole team an AI grounded in your own contracts so they know what they can and cannot commit to, and put an MSP attorney one click away for when a client pushes back.

Your contracts finally keep up with your business, and you stop being the only person who can answer a contract question.

We make updating your MSA simple and pain-free.

Start by sending us your MSA for review, and we will highlight the gaps in as little as 48 hours.

Get a free MSA review → Prefer to talk it through? Speak with our team →