Vendor Agreement Checklist: 12 Clauses to Review Before Signing

1. Service Level Agreement (SLA)

Uptime guarantees (99.9% = 8.76 hours of downtime per year), response times, resolution times. Check: (a) Is planned maintenance excluded, and if so, is the maintenance window capped? (b) Is the measurement period monthly or annual? Monthly is stricter for the vendor: 99.9% measured annually lets a single nine-hour outage pass, while 99.9% measured monthly allows only about 43 minutes before a credit is owed. (c) Is the remedy a meaningful credit or a token amount? A 5% credit on a $200/month contract is $10, which is not meaningful. Push for: escalating credits (2x) for repeated misses, and a termination right if the SLA is missed 3 or more months in a row.

2. Data Security and Breach Notification

Require: (a) a current SOC 2 Type II report (an auditor's attestation, not a certification; ask for the full report under NDA, not just a badge) or ISO 27001 certification, with a commitment to maintain it for the term; (b) breach notification within 72 hours of discovery at the latest. If you are a GDPR controller you have your own 72-hour clock to the supervisory authority, so the vendor's notice to you needs to land well inside that, and 24 to 48 hours is a reasonable ask; (c) vendor covers notification costs (legal fees, credit monitoring, PR) if the breach is on their side; (d) annual penetration testing by an independent firm, with a summary of findings shared and a defined timeline for remediating high-severity issues.

3. Data Ownership and Portability

You own your data, period. Upon termination: export in a standard, documented format (CSV, JSON, SQL dump) within 30 days at no charge. No "transformation fees." After the export window, require deletion of all copies, including backups once their retention period expires, with written certification. If the vendor processes your data for analytics or product improvement, opt out: "vendor shall not use Customer Data for any purpose other than providing the Services," and make sure that wording also covers training AI/ML models.

4. Price Protection

Lock in pricing for the initial term. Cap renewal increases at 5% or CPI+3%, whichever is lower. No "market rate adjustment" without a defined methodology. Multi-year deals: negotiate a "most favored nation" clause so that if the vendor offers a lower price to a similar customer, your price adjusts down.

5. Termination and Transition

Mutual termination for convenience with 30 to 90 days' notice. Vendor must provide transition assistance (data export, API continuity, knowledge transfer) for up to 6 months post-termination, with your data and API access kept live for that period. Transition services are billed at the same rate as the agreement, with no "offboarding fee" surprises.

6. Audit Rights

Right to audit the vendor's security and compliance once per year (at your cost) or after a security incident (at the vendor's cost). In a routine year the vendor can usually satisfy this by sharing its third-party reports (SOC 2, pen test summary); after an incident you want the right to an independent or on-site review. If the audit finds material non-compliance, the vendor pays for the audit and fixes the issues within 30 days.

7–12: The Quick Hits

7. Insurance: Vendor carries cyber liability insurance of at least $2M and provides a certificate of insurance on request.

8. Subcontractors: Vendor remains fully liable for its subcontractors and subprocessors; you get the current list, advance notice of any change, and the right to object.

9. Business continuity: Vendor has a disaster recovery plan that is tested at least annually, with a defined RPO (how much data you can lose, under 24 hours) and a defined RTO (how long until service is restored).

10. No poaching: Mutual non-solicit of employees for 12 months.

11. Publicity: Vendor cannot use your name or logo without written permission.

12. Governing law: Your home state, not theirs.

