Most businesses don't negotiate their MSP contracts. They get a proposal, shake hands, sign, and discover the contract's terms when something goes wrong — which is the worst possible time to read them. Here are the 10 clauses that matter most.
1. Auto-Renewal with Long Notice Windows
The most common trap: the contract auto-renews for a full term (often 12 months), and you must give notice 60–90 days before the renewal date. Miss that window by a day and you're locked in for another year with no leverage.
What to demand: 30-day notice to cancel, effective at any time, or auto-renewal into month-to-month rather than a full term. Most MSPs will accept month-to-month with 30 days' notice once the initial term has ended.
2. IP Ownership of Your Infrastructure
Some contracts give the MSP ownership of — or exclusive access to — configurations, scripts, documentation, network diagrams, and automation tools they create in your environment. When you leave, you can't take this work product with you.
What to demand: Explicit language that all work product, documentation, configurations, and automation created in your environment belongs to you and must be transferred upon termination at no cost.
3. Vague SLA Language
"Best efforts," "reasonable response time," "industry standard" — these phrases mean nothing in practice and create no legal obligation. SLAs must have specific numeric commitments: response time by severity level, resolution target, and contractual remedy for violations. The contract should also say how each metric is measured, in particular that response time runs from when the ticket is opened, not from when the MSP acknowledges it, and which system of record is used to compute it.
What to demand: Specific SLA numbers in the contract itself (not referenced in a separate document that can be changed). P1: 15–30 min response. Remedy: credit formula per hour of SLA miss.
4. Liability Cap at One Month's Fees
Most MSP contracts cap their liability at one month's fees — often $5,000–$10,000. In a ransomware scenario where downtime costs you $100,000 in lost revenue and recovery costs, that's meaningless.
What to demand: For regulated industries or businesses where downtime has high impact, negotiate a liability cap of 3–6 months' fees minimum. Add errors and omissions insurance requirements for healthcare or financial services clients.
5. License Bundling That Traps You
If your Microsoft 365 tenant was set up under the MSP's control, with the MSP holding the only Global Administrator accounts and the licenses purchased through its reseller agreement, you may be paying for the licenses but not control the tenant or its configuration. When you leave, you may have to migrate to a new tenant, a painful and expensive process that many businesses avoid by staying with a bad provider.
What to demand: Your M365 licenses should be in your own tenant, billed directly to you or easily transferable, with at least one Global Administrator account that you hold and the MSP works through delegated administration you can revoke. Ask specifically: "If I terminate today, can I revoke your access and move to a different provider within 24 hours without losing my tenant?"
6. No Performance Exit Clause
A confident MSP agrees to an exit right if it misses SLAs for two consecutive months. A provider who refuses usually doubts its own ability to hit its SLA commitments consistently.
What to demand: Add language that allows termination with 30 days' notice if the MSP misses defined SLA thresholds for two consecutive calendar months, with documentation requirements on both sides so that the miss can be proven from ticket records rather than argued.
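Exercising the exit clause in item 6, or claiming the SLA credits in item 3, depends on being able to show the misses from your own ticket data. The script below is an added example, not part of the original article or any MSP's tooling: it parses a constructed ticket export, measures first-response time from ticket open against per-severity thresholds, computes a monthly compliance rate, flags two consecutive calendar months below the target, and totals the credit owed per hour of miss. The thresholds, 95% monthly target and credit rate are assumptions standing in for whatever your contract says.

```python
"""Measure MSP response-time SLA compliance from a ticket export (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed contract terms: minutes to first response by severity, the monthly
# compliance floor, and the credit per hour of miss. Substitute your own.
RESPONSE_SLA_MIN = {"P1": 30, "P2": 60, "P3": 240, "P4": 480}
MONTHLY_TARGET = 0.95
CREDIT_PER_HOUR = 100.0

# Constructed ticket export (not real data). 'opened' is when the ticket was
# created; 'first_response' is when the MSP first responded.
SAMPLE_TICKETS = """ticket_id,severity,opened,first_response
T-1001,P1,2024-01-03 09:00,2024-01-03 09:20
T-1002,P1,2024-01-10 14:00,2024-01-10 15:30
T-1003,P2,2024-01-15 10:00,2024-01-15 10:40
T-1004,P3,2024-01-20 08:00,2024-01-20 11:00
T-1005,P1,2024-02-02 09:00,2024-02-02 10:15
T-1006,P2,2024-02-05 09:00,2024-02-05 09:30
T-1007,P2,2024-02-14 09:00,2024-02-14 11:00
T-1008,P4,2024-02-20 09:00,2024-02-20 12:00
T-1009,P1,2024-03-01 09:00,2024-03-01 09:10
T-1010,P3,2024-03-04 09:00,2024-03-04 12:00
"""


def parse_tickets(text):
    """Parse the CSV export into (id, severity, opened, first_response) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"]
        if sev not in RESPONSE_SLA_MIN:
            raise ValueError(f"{row['ticket_id']}: unknown severity {sev!r}")
        opened = datetime.strptime(row["opened"], "%Y-%m-%d %H:%M")
        responded = datetime.strptime(row["first_response"], "%Y-%m-%d %H:%M")
        rows.append((row["ticket_id"], sev, opened, responded))
    return rows


def minutes_over_sla(severity, opened, responded):
    """Minutes past the threshold, measured from ticket open; 0 when met."""
    elapsed = (responded - opened).total_seconds() / 60
    return max(0.0, elapsed - RESPONSE_SLA_MIN[severity])


def monthly_compliance(tickets):
    """Map (year, month) -> {total, met, missed_hours, rate}, keyed by open date."""
    stats = defaultdict(lambda: {"total": 0, "met": 0, "missed_hours": 0.0})
    for _, sev, opened, responded in tickets:
        s = stats[(opened.year, opened.month)]
        over = minutes_over_sla(sev, opened, responded)
        s["total"] += 1
        if over == 0:
            s["met"] += 1
        else:
            s["missed_hours"] += over / 60
    for s in stats.values():
        s["rate"] = s["met"] / s["total"]
    return dict(stats)


def breached_months(compliance, target=MONTHLY_TARGET):
    """Sorted (year, month) keys whose compliance rate fell below the target."""
    return sorted(k for k, s in compliance.items() if s["rate"] < target)


def has_consecutive_breaches(months, run=2):
    """True if `run` consecutive calendar months (across year ends) all breached."""
    idx = sorted({y * 12 + (m - 1) for y, m in months})
    if run <= 1:
        return bool(idx)
    streak = 1
    for a, b in zip(idx, idx[1:]):
        streak = streak + 1 if b == a + 1 else 1
        if streak >= run:
            return True
    return False


def sla_credit(compliance, per_hour=CREDIT_PER_HOUR):
    """Credit owed under the assumed per-hour-of-miss formula."""
    return sum(s["missed_hours"] for s in compliance.values()) * per_hour


def exit_right_triggered(text=SAMPLE_TICKETS):
    """Two consecutive breached months -> the item 6 exit right applies."""
    comp = monthly_compliance(parse_tickets(text))
    return has_consecutive_breaches(breached_months(comp))


if __name__ == "__main__":
    comp = monthly_compliance(parse_tickets(SAMPLE_TICKETS))
    for (y, m), s in sorted(comp.items()):
        print(f"{y}-{m:02d}: {s['met']}/{s['total']} met ({s['rate']:.0%}), "
              f"{s['missed_hours']:.2f} h over SLA")
    print("Breached months:", breached_months(comp))
    print("Exit right triggered:", exit_right_triggered())
    print(f"Credit due: {sla_credit(comp):.2f}")
```

Run it against an export from your own ticketing system rather than the MSP's portal, since the clause in item 3 should make the contract's thresholds and measurement rules the ones encoded here; the month key uses the ticket's open date so a breach cannot be pushed into the next month by a late response.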
7. Broad Out-of-Scope Definitions
Some contracts define out-of-scope work so broadly that routine activities — hardware troubleshooting, vendor calls on your behalf, onboarding a new application — trigger separate project invoices. This destroys the predictability of managed IT pricing.
What to demand: A specific list of what's in scope, and a specific list of activities that would trigger a project fee. "Time and materials" for anything not explicitly defined in scope should require advance approval in writing.
8. Unilateral Pricing Changes
Some contracts give the MSP the right to increase prices annually by a defined percentage (often CPI+5%) without renegotiation. This can result in 20–30% rate increases over a multi-year term that you can't exit due to the auto-renewal clause.
What to demand: Annual increases capped at CPI only, or a fixed rate for the initial term with renegotiation at renewal. Any increase above CPI should require 90 days' notice and trigger a termination right.
9. Inadequate Data Return on Termination
What happens to your data when you leave? How long does the MSP retain your backups? When are they deleted? Who verifies deletion? Inadequate termination language can mean your confidential data lives on the MSP's infrastructure indefinitely after you leave.
What to demand: Return of all data and credentials within 5 business days of termination, deletion of all copies within 30 days with written certification, and continued access to your own cloud environments throughout the transition. Add removal of the MSP's remote management agents, accounts and remote-access tools from your systems by a fixed date, and plan to rotate every credential the MSP ever held rather than trusting that they were only returned.
10. Third-Party Subcontracting Without Notice
Some MSPs subcontract work to offshore teams, partner networks, or individual contractors without telling you. If you have compliance requirements (HIPAA, CMMC), this can create Business Associate Agreement violations or CUI exposure without your knowledge.
What to demand: Written approval required before any subcontracting of work on your account, with all subcontractors subject to the same confidentiality and compliance terms as the primary MSP. For HIPAA clients, explicit language that subcontractors must sign BAAs.
The IT Contract Scanner can identify red flags in any MSP contract language before you sign.