MSA Red Flags Checklist: Vendor Contract and SaaS Agreement Review

Use this checklist to turn a long MSA, order form, SLA, and DPA bundle into a focused set of deal issues before signature.

Last reviewed: May 26, 2026 by the BizLeaseCheck Editorial Team

General information, not legal advice.

Overview

The highest-risk MSA clauses are usually the ones that decide money, control, data, exit, and dispute leverage. This checklist is a starting point for founders, operators, procurement teams, and vendor-side sales or legal operations.

A checklist cannot replace legal review. It can help you find the clauses that deserve a redline, business approval, or counsel escalation.

Topics to check

Money and liability red flags (Medium confidence)

Flag liability caps set at a low multiple of fees paid, broad uncapped carve-outs, carve-outs that take every indemnity outside the cap, consequential-damages waivers with no super-cap for the exceptions that matter, unilateral price increases, usage true-ups billed without notice, and renewal increases with no stated formula.

For a customer, the question is whether the available remedy matches its dependency on the service. For a vendor, the question is whether exposure is proportionate to the fees it earns and the control it actually has over the outcome.

UCC § 2-719 — limitation of remedies

Data, IP, and security red flags (Medium confidence)

Flag vendor ownership of customer data, unrestricted rights to train AI models on customer data, vaguely defined aggregated or de-identified data rights, no advance notice of subprocessor changes, breach-notification clocks that start too late (for example, only once the vendor has finished its own investigation rather than on discovery), no deletion timeline after termination, and security promises that are either too weak to rely on or too absolute for the vendor to keep.

Where personal data is involved, check whether the DPA actually matches the product workflow and the parties' privacy roles (controller, processor, or subprocessor), and whether the security exhibit describes controls the vendor can evidence rather than intentions.

GDPR Regulation (EU) 2016/679

Exit and dispute red flags (Medium confidence)

Flag narrow auto-renewal opt-out windows, no transition assistance, no post-term data export window, immediate suspension rights with no notice or cure period, a distant or inconvenient venue, injunctive-relief carve-outs that run only one way, arbitration costs out of proportion to deal size, and deemed acceptance of material changes to online terms.

If the deal is operationally important, exit mechanics (notice periods, data export format and window, transition assistance) should be negotiated before the customer is locked in, not raised for the first time at renewal.

9 U.S.C. § 2 — arbitration agreements

Key takeaways

  • Read the order form, MSA, SLA, DPA, security exhibit, support policy, and online terms as one bundle.
  • Prioritize liability, indemnity, data, IP, security, renewal, pricing, termination, dispute, and warranties.
  • Calendar renewal and notice dates immediately.
  • Escalate privacy, data-security, arbitration, auto-renewal, and uncapped-liability issues to counsel.
  • Use Counterparty to extract red flags and evidence excerpts before redline review.

Legal-review notes

Guide confidence marker: Medium confidence.

  • Checklist items are general issue-spotting prompts, not jurisdiction-specific enforceability conclusions.
  • Auto-renewal, privacy, security, arbitration, warranty, and liability-cap conclusions require counsel review for the actual contract and governing law.

Frequently asked questions

What should I review first in an MSA?

Start with the order form and business deal, then liability caps, indemnity, data and IP rights, security/DPA, SLA, renewal, pricing, termination, dispute forum, and warranties.

What is the biggest SaaS contract red flag?

There is no universal biggest red flag, but low liability caps combined with broad customer obligations, weak data rights, auto-renewal, and limited exit rights often create the most practical risk.

Should vendors use the same checklist?

Yes, from the opposite angle. Vendors should check for obligations they cannot operationally satisfy, uncapped exposure, vague security promises, customer dependency issues, and payment or misuse risk.