Contract Review Checklist
SaaS contracts.
What to check first
Term length: prefer 12 months over 36. The vendor wants the long term; you want flexibility.
Auto-renewal: cap the cancellation notice period at 30 days. "Auto-renews unless cancelled 90 days prior" is a trap.
Pricing escalators: cap at 5% per year. Anything above that compounds quickly; 8% per year over 3 years is 26%.
Data and security clauses
Data ownership: explicit. "Customer retains ownership" should be in the contract, not just the privacy policy.
Subprocessors: list with right to object. If the vendor changes a subprocessor, you should be able to terminate.
Breach notification: 72 hours, written. Anything longer and you're paying for a vendor that hides incidents.
Liability and indemnity
Liability cap: at minimum 12 months of fees, ideally unlimited for data breach and IP indemnity.
Indemnity: vendor indemnifies you for IP claims on their software. Mutual is fine; one-sided in their favour is not.
Force majeure: war, pandemics, AWS outages. Read the list; weird ones (vendor-side strikes) are red flags.
Exit and portability
Data export: 30 days of read access after termination. Specify format (CSV, JSON, Parquet) in the contract.
Transition assistance: 60 days of consulting hours included. Most vendors give it free if asked.
No "perpetual license" of your data after termination. Some vendors slip this in; strike it.
Apply per contract
Use a contract review checklist. The same 20 items apply to most SaaS contracts.
Have legal counsel sign off on contracts above $50k/year. Below that, engineering review is enough if the checklist is followed.
Track contract terms in a CRM or spreadsheet. Renewals creep up; surprises cost money.