Contract Review Checklist
SaaS contracts.
What to check first
Contract review is the discipline of catching the predictable traps before signing. Term length, auto-renewal, and pricing escalators are the daily three; the rest of the contract usually negotiates around them.
- Term length. Twelve-month term preferred over thirty-six, per contract. The vendor wants the long term for revenue predictability; the buyer wants flexibility for the same reason.
- Auto-renewal. Thirty-day cap on opt-out window per contract. "Auto-renews unless cancelled ninety days prior" is a trap that turns into a year of unwanted licence.
- Pricing escalators. Five-percent-per-year cap per contract. Anything above that compounds; eight percent per year over three years is twenty-six percent on the original price.
- Renewal-calendar entry. Calendar reminder per contract. Catches forgotten cycles before the auto-renewal locks the next year.
Data and security clauses
The data and security clauses are where regulated buyers spend their time. Ownership, subprocessors, and breach notification each protect against contingencies that the headline price does not cover.
- Data ownership. Explicit "Customer retains ownership" clause per contract. Should be in the contract itself rather than the privacy policy; privacy policies change unilaterally.
- Subprocessors. Listed subprocessors with a right to object per contract. When the vendor changes a subprocessor, the buyer needs the option to terminate rather than discovering the change in an audit.
- Breach notification. Seventy-two-hour written notification rule per contract. Anything longer means paying for a vendor that hides incidents until they are public.
- Audit rights. Customer audit clause per contract. Supports compliance reviews and creates an actual lever rather than a polite request.
Liability and indemnity
Liability and indemnity are where the contract pays out when things go wrong. Liability cap, indemnification, and force majeure each shape the recovery if the relationship breaks.
- Liability cap. Twelve months of fees as the minimum per contract, ideally unlimited for data breach and IP indemnity. The cap is the buyer's recovery ceiling; negotiate it deliberately.
- Indemnity. IP-claim indemnification per contract. Mutual is fine; one-sided in the vendor's favour is not, and the redline should make it mutual.
- Force majeure. Listed events per contract (war, pandemics, AWS outages). Read the list carefully; unusual entries like vendor-side strikes are red flags worth striking.
- Named legal reviewer. Legal sign-off per contract. Catches buried clauses that the procurement team would not flag and the vendor's lawyer hopes the buyer's lawyer does not read.
Exit and portability
Exit and portability are where the next-vendor migration becomes possible. Data export, transition assistance, and absence of a perpetual licence each protect against lock-in at termination.
- Data export. Thirty-day post-termination read access per contract. Specify format (CSV, JSON, Parquet) in the contract; "we will provide an export" is not enforceable.
- Transition assistance. Sixty-day consulting hours included per contract. Most vendors give it free if asked at contract time and try to bill for it if asked at termination time.
- No perpetual licence of customer data. No-perpetual-licence clause per contract. Some vendors slip this into derivative-data clauses; strike it explicitly.
- Data-deletion attestation. Post-termination deletion certificate per contract. Supports compliance and creates an audit trail for the buyer's GDPR-style records.
Apply per contract
Apply the discipline by running every contract through a checklist, gating legal review by threshold, and tracking terms in a place that survives personnel changes.
- Contract review checklist. Same twenty-item checklist per contract. Applies to most SaaS contracts and prevents inconsistent review depending on who happens to read the redline.
- Legal sign-off threshold. Fifty-thousand-dollar-per-year threshold per contract. Below that, engineering review is enough if the checklist is followed; above, legal must sign.
- Track contract terms. CRM or spreadsheet entry per contract. Renewals creep up quietly; the surprise costs money the team did not budget.
- Quarterly contract review. Active-contract audit per quarter. Catches drift between intended terms and current operating reality.