
What Your MSP Contract Should Actually Say

Most MSP contracts protect the MSP. This is what yours should look like if you're the client.

Last updated: March 20, 2026

A Gulf Shores HOA management company signed an MSP contract that was 28 pages long. They skimmed it. They signed it. Two years later, when they wanted to leave, they discovered:

  • A 90-day notice requirement buried on page 19
  • An automatic renewal clause that had already triggered
  • An early termination fee equal to six months of payments
  • A clause stating all documentation was "proprietary" to the MSP

They were locked in for another 18 months. The MSP knew that. The contract was written that way.

The contract problem

MSP contracts are written by MSPs. They reflect what MSPs want. That doesn't make them evil—it makes them business-savvy.

Most SMB owners don't read contracts closely. Many discover problems only when they need to leave.

Here's what a contract should say if you're the client.

Must-have clauses

1. Clear ownership of your credentials

What to look for: Language stating that admin credentials, documentation, and system access belong to you.

What it should say (roughly): "All credentials, access keys, and administrative access to client systems shall remain the exclusive property of the client. Provider shall maintain credentials in a format accessible to client upon request and shall transfer all credentials to client within 5 business days of contract termination."

Why it matters: Without this, they hold your systems hostage when you want to leave.

2. Documented exit process

What to look for: A specific section explaining how termination works.

What it should include:

  • How to terminate (written notice? Portal request?)
  • How much notice is required (30 days is reasonable; 90+ is aggressive)
  • What you'll receive upon exit (credentials, documentation, data export)
  • Timeline for transition assistance
  • What happens to data after termination

Why it matters: You need to know how to leave before you sign.

3. Defined scope of services

What to look for: Specific list of what's included. Not "IT support"—specific services.

What it should cover:

  • Which devices are covered
  • What monitoring is included
  • What backup is included
  • What security is included
  • What support is included (hours, channels, response times)
  • What training is included

What should not be included: "And other services as needed" without definition. That's a scope leak.

4. Response time commitments

What to look for: Specific response times for different severity levels.

What it should say (roughly):

  • Critical (system down affecting business): 1 hour response
  • High (significant impact on productivity): 4 hours response
  • Medium (moderate impact): Next business day
  • Low (questions, minor issues): 3 business days

Why it matters: "We'll respond as soon as possible" means nothing.

5. Service credits (not just liability caps)

What to look for: Real remedies for missed SLAs, not just small credits.

What it should include:

  • Specific credits when response times are missed
  • Credits when uptime falls below threshold
  • A remedy process (not just "contact us")

Why it matters: A $25 credit for missing a 1-hour response is worthless. A credit equal to one month's service fee for repeated misses gets attention.

6. Data portability

What to look for: Explicit right to export your data.

What it should say (roughly): "Upon termination, client may request export of all client data in standard formats (CSV, JSON, or SQL). Provider shall deliver complete data export within 10 business days of request at no additional charge."

Why it matters: Your data is yours. You should be able to take it.

7. No auto-escalation without notice

What to look for: Pricing that stays fixed, or clear limits on increases.

What it should say: Either flat pricing for the contract term, or limits on annual increases (e.g., "price increases shall not exceed 5% annually").

Why it matters: "Market adjustments" can double your costs in a year.

8. Subcontractor disclosure

What to look for: Whether the MSP uses subcontractors, and if so, what their role is.

What it should say: "Provider may engage subcontractors for specialized services. Subcontractors performing work on client systems shall be subject to provider's standard security requirements."

Why it matters: You might be trusting your security to someone you've never vetted.

9. Insurance requirements

What to look for: Minimum insurance coverage the MSP must maintain.

What it should include:

  • General liability ($1M+ minimum)
  • Professional liability/errors & omissions ($1M+)
  • Cyber liability coverage

Why it matters: If they cause a breach, you want them insured.

10. Transition assistance

What to look for: The MSP's obligation to help you leave.

What it should say (roughly): "Upon termination, provider shall cooperate with client's transition to a new provider, including providing documentation, transferring credentials, and answering reasonable questions for up to 30 days at no additional charge."

Why it matters: You need their help to leave. Some MSPs make it hard.

Should-have clauses

Right to audit

The right to audit their work, security practices, and compliance, every year or upon request.

Staff background checks

MSP staff handling your systems should have background checks.

Confidentiality

Their obligation to keep your business information confidential.

Non-solicitation

They can't hire your employees during and shortly after the contract. (Though enforceability varies by state.)

Problem clauses to watch for

"Client shall maintain minimum monthly spend"

You're locked into a minimum regardless of your actual needs.

"All documentation is proprietary to provider"

They wrote it, but it's about your systems. You should have access.

"Provider may assign contract without consent"

They can sell your contract to a competitor without asking.

"Client waives right to jury trial"

Forces arbitration in their preferred location.

"Limitation of liability excludes consequential damages"

If they cause damages, they only cover direct costs. Lost business doesn't count.

What to do with this

Before signing: Review your contract against this list. If something's missing, ask for it.

During negotiation: Many clauses are negotiable, especially for larger deals. If they won't add critical protections, that's information.

If you already signed: Know what's in your contract. Plan around the bad parts. Next time, negotiate better upfront.

What it costs

Getting an attorney to review: $500-$2,000 for a standard MSP contract.

Not getting it reviewed: Potentially very expensive if problems arise.

Questions to ask

  • Can we add specific language about credential ownership?
  • What does the exit process look like?
  • How are service credits calculated and enforced?
  • Who has access to our systems, and are they background-checked?
  • Can you provide references from clients who've left?

The bottom line

A good MSP contract protects both parties. A great one protects you specifically, because the MSP is confident enough in their service to accept those terms.

If an MSP won't negotiate on basic protections—credential ownership, data portability, clear exit process—ask yourself why. What are they protecting against?

A confident, quality MSP should have no problem with these terms. They're terms that make sense for any professional relationship.

The ones who resist? They're telling you something.
