Review each checkpoint to identify missing protections, one-sided remedies and governance gaps most likely to cost you money at renewal, audit or contract dispute.
"Best efforts" and "commercially reasonable" are vendor-protective phrases: they set no measurable standard, so when performance degrades there is little to enforce. Require specific percentage uptime guarantees (99.9% minimum for production systems) with a defined measurement window, a stated measurement method (who measures, from where and at what interval), an explicit exclusion list for planned maintenance and a named SLA owner on the vendor side.
Many enterprise SLAs define uptime targets but limit remedies to notification rights with no automatic credit mechanism. Negotiate credit structures that activate automatically on breach, without requiring you to file a claim within a short window: 10% of the monthly fee per hour of unplanned downtime is a reasonable opening position for mission-critical systems. Check how credits are capped and whether the contract makes credits your sole and exclusive remedy, since that wording bars termination or damages for persistent failure.
Without price escalation caps, vendors can increase pricing at renewal without restriction. Oracle, SAP and Microsoft have increased list prices 10–20% annually since 2022. CPI-linked caps (currently 3–4%) limit exposure significantly. Fixed caps of 5% maximum are achievable in well-negotiated agreements and save material cost over a 3-year term.
Multi-year agreements often include termination-for-cause-only provisions, meaning you can only exit if the vendor materially breaches. Termination for convenience protects against vendor financial distress, product discontinuation and strategic pivots. Negotiate this right into all agreements over $500k/year.
Data ownership clauses are among the most important and yet most frequently omitted terms in SaaS agreements. Vendors occasionally claim rights to anonymised or aggregated usage data derived from your inputs. Require explicit data ownership language, standard export format guarantees and vendor obligations to provide data export within 30 days on request, together with certified deletion once the export is complete.
AI governance in vendor contracts is the fastest-growing contract risk area. Several major SaaS vendors have inserted clauses permitting use of customer data to train AI models in general T&C updates, typically online terms incorporated by reference rather than a signed amendment. Audit AI data usage clauses in all tier-1 contracts, check which online terms the master agreement incorporates and how they can change, and require opt-out rights or explicit prohibitions on shared model training.
Implementation and customisation work product ownership is frequently ambiguous in vendor agreements. Vendors may claim rights to configurations, trained models or integration code developed at customer expense. Require explicit IP assignment for all custom deliverables and retain right-to-use licences for any vendor-retained IP incorporated into your environment.
Audit rights clauses vary enormously. Some entitle vendors to use third-party auditors whose findings are contractually binding. Understanding your contractual audit obligations, that is the frequency, notice period and scope of systems and data the vendor may examine, shapes both your compliance investment and your audit response strategy before a notice arrives.
Source code escrow provides continuity rights if a vendor ceases operations or discontinues a product you critically depend on. The Broadcom VMware acquisition and resultant product discontinuations illustrate why escrow provisions matter. Require escrow for any mission-critical application where no viable substitute exists within 90 days. Escrow only helps if the release triggers are defined precisely (insolvency, end of support, failure to maintain) and the deposit is verified periodically to build and run; an unverified deposit of stale code is worthless when the trigger fires.
The Broadcom acquisition of VMware is the defining example of acquisition risk in enterprise software. Without change-of-control protections, acquiring entities can impose new pricing, discontinue products or alter support terms. Negotiate change-of-control clauses that trigger termination rights or price-freeze periods for a defined post-acquisition window.
Standard SaaS agreements cap vendor liability at 12 months of fees paid, with a blanket exclusion for consequential and indirect loss. Twelve months of subscription fees rarely covers the cost of a breach notification exercise, let alone regulatory penalties. For mission-critical systems, negotiate caps upward (2–3× annual fees, or a separate higher cap for data protection and confidentiality breaches) and carve out data breach, IP infringement and gross negligence from both the cap and the consequential loss exclusion to preserve meaningful recourse.
Post-COVID, vendors increasingly seek broad force majeure exclusions covering cyber incidents and supply chain disruption. Negotiate mutual force majeure with carve-outs for data security obligations and SLA credits: force majeure should not extinguish vendor liability for security failures, and it should not suspend the vendor's duty to notify you of a security incident, because your own regulatory deadlines (72 hours under GDPR for notifying the supervisory authority) run regardless of the cause.
GDPR (Article 28), HIPAA (business associate subcontracting) and CCPA (service provider contracts) impose obligations on data processor subcontracting. Under GDPR a processor may not engage a sub-processor without the controller's prior written authorisation, and where that authorisation is general, must inform the controller of changes so it can object. Vendors who add offshore processors without customer notification therefore breach the data processing agreement, and may also create a new international transfer without the required safeguards. Require a subcontractor register, 30-day advance change notification and a right to object to material subcontractor changes.
Vendors design renewal terms to their advantage: short notice periods (30 days) and auto-renewal at list price are standard. Missing the notice window forces renewal at above-market rates. Calendar all renewal dates at contract signature and begin negotiation engagement at 180 days for contracts over $500k to maintain leverage.
Vendor agreements drafted under US or Irish governing law impose legal costs and process complexity on non-US organisations pursuing disputes. Negotiate governing law and forum aligned with your principal place of business. Tiered dispute resolution (informal negotiation → mediation → arbitration) is preferable to immediate litigation for commercial disputes.
Interpreting Your Assessment Results
Concerned about what's missing from your vendor contracts?
Redress Compliance reviews enterprise software agreements for commercial and legal risk, and negotiates stronger terms on your behalf.
Download: Vendor Contract Negotiation Playbook 2026
SLA remedy templates, price protection clause language, AI data usage governance and change-of-control negotiation tactics.