Free checklist
Vendor contract review checklist
20 things to check before you sign or renew a vendor contract. Covers commercial terms, renewal and exit rights, liability, data protection, and operational obligations.
How to use this checklist
Work through each section before signing or renewing any vendor contract. Items marked with a red flag deserve particular attention — these are the clauses most commonly exploited to the vendor's advantage. If you cannot satisfy a checklist item, consider negotiating that clause before signing, or document the accepted risk.
Contract value and payment schedule are clearly stated
Look for any ambiguity around payment milestones, currency, and whether prices include VAT.
Price increase mechanism is defined and capped
Many vendor contracts allow annual price increases of up to 10–15% with minimal notice. Check for a cap or a CPI-linked formula.
Scope of services is unambiguous
Vague scope leads to disputes. Every deliverable, SLA, and exclusion should be explicit.
Invoicing terms and late payment penalties are acceptable
Standard is 30 days net. Watch for 14-day terms or daily interest clauses.
Auto-renewal clause identified and notice period noted
The most common contract trap. If the contract auto-renews, mark the notice deadline in your calendar today.
Notice period for cancellation is reasonable (30–90 days is normal)
Notice periods longer than 90 days for SaaS tools are a red flag. Vendor contracts with 6-month notice deserve hard negotiation.
Early termination clause and any exit fees understood
Some contracts penalise early exit with 3–6 months of remaining fees. Know this before you sign.
Renewal price protections (if any) are in writing
If the vendor promises a renewal rate, get it in the contract. Verbal commitments don't hold.
Governing law and jurisdiction are acceptable
Contracts governed by a foreign jurisdiction can be expensive to enforce. Try to negotiate your own country's law.
Liability cap is present and proportionate
The liability cap should be at least equal to 12 months of fees. Caps below this significantly limit your recourse.
Indemnification provisions are mutual (or acceptable one-way)
Broad indemnification clauses that are one-sided in the vendor's favour are common. Get them mutual.
Force majeure clause doesn't exclude routine service failures
Some vendors use broadly drafted force majeure to excuse poor performance. Check what it covers.
Data processing agreement (DPA) in place if vendor processes personal data
Required under GDPR for any vendor that touches your customer or employee data. This is a legal obligation, not optional.
Data residency and transfer mechanisms confirmed
If data leaves the EU, you need a valid transfer mechanism (SCCs, adequacy decision). Ask explicitly where data is stored.
Security obligations (encryption, access controls, incident notification) are defined
The vendor should commit to specific security standards and notify you within 72 hours of any breach.
Data deletion / return on termination is specified
What happens to your data when the contract ends? Ensure you can export it and that it is deleted within a defined period.
SLA commitments (uptime, response times) are measurable and enforceable
99.9% uptime sounds good — that's 8.7 hours of downtime per year. Know what the SLA actually means for your operations.
Vendor's right to change or discontinue the product/service is limited
Some SaaS contracts let vendors deprecate features or change pricing with 30 days' notice. Push for a longer notice period or require material change protections.
Sub-processors and third-party dependencies are disclosed
If the vendor uses third-party infrastructure that could affect your service, you need to know. Relevant for SLAs and data protection.
Change management process is agreed (for professional services contracts)
Without a formal change process, scope creep is inevitable. All changes to scope should require a written change order.