Should You Trust Claude to Write Your MSA?

An MSP had Claude draft his MSA, then sent it to an attorney for review. Here's what the AI got right, and what it never knew to include.

Recently, an MSP submitted his Master Services Agreement to me for legal review. He had drafted it with Claude and spent considerable time refining it through iterative prompting. He described the result as looking "pretty professional." He wasn't wrong.

The document was well-structured. The section headings were appropriate. The language read like a legal agreement. When I scored it against the eleven canonical protections in the Monjur Legal Maturity Framework, it scored 36%. Level 0: Unprotected.

I want to explain what that means, because this case illustrates something the legal technology community needs to be clearer about. The frontier labs building AI legal tools are building them for lawyers. When non-lawyers use them as a substitute for lawyers, the result is a document that passes a visual inspection but fails the test that matters, which is what happens when something goes wrong.

What the AI Got Right

Before we get into what was missing, credit where it's due. Several provisions were functionally present in the submitted agreement:

  • A limitation of liability clause with a six-month fee cap and a consequential damages exclusion
  • An implied warranty disclaimer
  • A deemed-acceptance mechanic
  • A prevailing-party attorneys' fees provision

These are meaningful. The AI produced them because they're well-documented in publicly available legal templates and commercial agreements.

The Gap Between Appearance and Function

What the AI could not do was apply the judgment required to know what was missing. That judgment comes from adversarial legal experience, from watching clauses fail in real disputes, from knowing the specific litigation patterns in a particular industry vertical. It is not in the training data. It's in the attorney.

The Data Protection "Framework," in One Sentence

The submitted agreement's entire data protection, privacy compliance, and cybersecurity governance structure was this:

"Client is responsible for accurate information, current contacts, backups, disaster recovery, licenses, privacy notices, PCI DSS obligations, and legal or regulatory compliance unless [Provider] expressly assumes a specific obligation in a signed Service Order."

Here is what that one sentence does not do:

  • Require clients to carry cyber liability insurance
  • Gate regulated data environments behind a Data Processing Agreement
  • Allocate Florida FIPA breach notification obligations between provider and client
  • Create a signed Security Recommendations Acknowledgment and Declination mechanic
  • Require clients to maintain an independent backup of critical data

This MSP's clients range from independent restaurants to multi-property hotel groups handling payment card data across POS systems, hotel management platforms, and reservation infrastructure. PCI DSS compliance obligations sit with the client, but when the managed service provider has network-level access to those environments, contractual silence on scope, responsibility allocation, and breach response is not a neutral position. It is an exposure.

If a client suffers a breach triggering Florida's Information Protection Act (Fla. Stat. § 501.171), the agreement does not specify who notifies affected individuals, who manages the regulatory response, or who funds it. The provider will be the first call. The agreement gives them nothing to point to.

The Ransomware Gap

The force majeure clause read as follows:

"Neither party is liable for delay caused by events beyond reasonable control, including utility, internet, carrier, supply-chain, labor, weather, government, or civil-disruption events."

Ransomware. Intrusions. Unauthorized network access. POS skimmers. Credential stuffing. None of these appear in the clause. They are the most common incident vectors in the hospitality technology vertical, and they are entirely unaddressed.

A well-drafted MSP agreement includes a dedicated Third-Party Criminal Activity clause, an affirmative hold-harmless for ransomware, intrusions, and unauthorized access that is independent of the force majeure standard and not contingent on a gross negligence inquiry. The AI-generated agreement had neither.

Revenue Protection, or the Absence of It

The termination provision read:

"Either party may terminate this Agreement on thirty (30) days' written notice. A Service Order may have its own term, renewal, cancellation, or early-termination provisions."

No early termination fee formula in the master terms. No liquidated damages designation. No floor. A client on a 24-month managed support subscription can terminate the master agreement with 30 days' notice. Unless the individual service order independently contains a defensible ETF, explicitly designated as liquidated damages rather than a penalty, the provider may have no remedy beyond the notice period.

The AI produced what it had seen: a standard mutual termination provision of the kind found in general commercial services agreements. What it did not produce was an ETF framework that would hold up, because producing that requires judgment about MSP-specific revenue structures, not pattern-matching on legal language.

What the Frontier Labs Are Actually Building

I don't think the right framing is "AI is dangerous." It isn't. I use AI tools extensively in my practice. Monjur Pilot, the platform we built for MSP legal review, is AI-native. The speed, precision, and consistency AI brings to legal work at the attorney level are genuine and substantial.

The issue is this: Anthropic, OpenAI, and every other frontier lab building legal AI are building tools for lawyers. The tools help attorneys work faster, conduct more thorough analysis, and maintain greater consistency across a high volume of engagements. They are not designed to replace the attorney's judgment, the judgment that comes from knowing which gaps are litigated most often, what those gaps cost in real dollar terms, and how to structure replacement language so it survives a motion to dismiss.

When a non-lawyer uses Claude to draft a Master Services Agreement, the result is a document that looks like what a lawyer would produce. It may even include some of the same provisions. What it cannot include is the institutional knowledge of what's missing. Identifying what's missing requires exactly the legal training and experience that the non-lawyer is trying to avoid paying for.

The Specific Risk Exposure

Here is what the agreement I reviewed creates for the MSP who submitted it, if deployed without revision.

A client suffers a ransomware attack. The liability cap is tied to the prior six months of fees under the specific service order involved. For a break-fix engagement billed at a few hundred dollars a month, the cap is worth approximately that amount, payable from the provider's operating account with no insurance carrier in the primary position and no client cyber insurance requirement in the contract.

A client suffers a breach involving payment card data. Florida's FIPA requires notification to affected individuals and potentially the Florida Attorney General. The agreement says nothing about who manages or funds that process. The provider becomes the de facto incident response coordinator without a contractual right to recover those costs and without a liability shield for the outcome.

A client verbally declines a security recommendation and then suffers the breach that recommendation would have prevented. The provider has no signed documentation of the declination. The entire defense rests on email threads and technician recollection. Discovery to reconstruct that record costs $40,000 to $60,000 before the merits are reached.

These are not edge cases. They are the standard fact patterns in technology services disputes.

The Short Version

  • An AI-drafted MSA can look professional and still be structurally unprotected. This one read like a lawyer wrote it and scored 36%, Level 0: Unprotected.
  • Claude produced the well-documented clauses: a liability cap, a warranty disclaimer, deemed acceptance, and an attorneys' fees provision.
  • It was missing a cyber insurance requirement, a data processing gate, a security declination mechanic, a ransomware clause, and an enforceable early termination fee.

The Takeaway

If you are an MSP who has used AI to generate your Master Services Agreement, your Service Attachments, or your client-facing terms, have an experienced technology attorney review those documents before you rely on them.

Not because AI is bad. Because the gap between how an AI-generated agreement reads and what it actually does in a dispute is exactly where the liability lives. That gap, the gap that scored this MSP's submission at 36%, is invisible to anyone who doesn't know what to look for.

The tools are extraordinary. The judgment has to come from somewhere. In legal practice, that somewhere is still a trained attorney.

About the author

Rob Scott, CEO & Co-Founder, Attorney

Rob Scott is an attorney with more than 25 years of experience in MSP and technology law, and the co-founder of both Scott & Scott, LLP and Monjur. He has overseen customer contracting for more than 1,000 managed service providers and built Monjur to bring attorney-supervised contract intelligence to the MSP industry.

Licensed in Texas since 1999, Rob earned his J.D. from the Maurice A. Deane School of Law at Hofstra University and his B.A. in Economics and Philosophy from Austin College. His practice focuses on software licensing, software audit defense, data privacy, and vendor risk, representing MSPs and enterprise clients in transactions and disputes with major software publishers.
