Managed service agreements for IT companies

A Managed Service Agreement (MSA) is an agreement between an IT managed services provider (MSP) and its client.   An MSP will manage and provide a defined set of services to its client as set out in the MSA.  Some common services that are provided by MSPs are systems and application management, managed communications, data backup and recovery, data storage, cloud services, network monitoring, management and security and software support and maintenance, authentication services, as well providing any necessary hardware.

Contents of an MSA

The contents of an MSA varies according to the services provided, the relationship of the MSP and the client, and the contents of related service documents, but common clauses include:

• Description of services

The MSP agrees to deliver its services in accordance with an agreed scope of work which should clearly set out the type of services, specifications and any assumptions, exclusions and dependencies.  MSP’s need to carefully set these out so that there is no misunderstanding with its clients about any exclusions and to avoid any liability where the MSP relies on specified assumptions and dependencies.  For example, the provisions of the services might be dependent on the client not changing its network architecture because by doing so certain services, such as applications, may not operate or interoperate in accordance with any interoperability specifications.

• Payment models

MSAs can contain quite complex pricing matrices as they often need to cover multiple options for each service.  For example, support may be provided on a monthly or yearly basis with payment in arrears or in advance, or it may be offered by way of pre-paid blocks of time per month (which do not carry forward to the next month) or on an ad hoc basis.

• Service levels

Depending on the tier of the MSP, it may offer basic service levels from email support during business hours or a complicated set of service levels with a range of levels, such as gold, silver and bronze, with gold being the highest level with the shortest response and resolution times.  Accordingly, the pricing schedule must reflect the service level ranges.

• Interoperability

Often the client will require the MSP ensure that any software provided will interoperate with the client’s systems.  This can create risks of failure if the clause is drafted too broadly where the MSP is required to ensure that the software interoperates with all of the client’s systems.  Such broad clauses are often found in large enterprise procurement agreements and need to be carefully reviewed.

• Scalability

A nimble MSP will often have the technology to allow relatively seamless up-scaling and down-scaling of services, however care must be taken to ensure that a large down-scaling does not amount to a right to terminate for convenience where this is not the intention of the MSP and pricing has been calculated with discounts based on large volumes over a fixed term over a number of years.

• Third-party services

Where third party services are provided by the MSP, the MSA needs to clearly specify that the MSP is not liable for any service interruption in the event of an interruption to the services caused by such third-party services, nor for any loss or damage caused, such as a virus in the The client’s system or causing it to crash.

• Liability

Careful consideration needs to be given when drafting the limitation of liability clause in the MSA so that liability risk in the event of a breach does not outweigh the commercial advantage of the MSA.  Over multi-year contracts it is important to limit the liability each year for all claims in the aggregate to the amount the client has paid for the services in each year, with no unused cap being applied to following years.  A further nuance to this is to limit the liability for each service, like a silo, to the amount the client has paid for the service giving rise to the liability.

• Exclusion of consequential losses

Exclusions for loss of profits, income, revenue, business, reputation goodwill and data whether such losses are direct or indirect should be inserted and a general exclusion of indirect and consequential losses.  Where the clients push for liability of loss of data, this should be rejected, even where the MSP is providing data storage and back-up services, particularly as very often it is difficult or impossible to re-constitute or value the data, especially where the client is the one inserting the data and the MSP can’t ensure the integrity of the data.

• Intellectual property considerations

An MSP may customise software as part of the managed services.  An MSP who wishes to utilise the software code for other the clients should ensure that the MSA clearly states that the MSP owns the copyright in the literary work that is the software code, otherwise the MSP will be prevented from a potential revenue stream.  In this scenario, the MSP grants the client a non-exclusive, non-transferrable, non-sublicensable licence to use the software for the term of the provision of the services.

• Security

Security is increasingly becoming important, particularly with the rise of cyber attacks.  Therefore, it is important for the clients that an MSA contain a thorough plan outlining how security is handled, such as firewall settings and encryption, and where the data is stored and how it is backed-up.  For example, whether the backup is hosted on a public or private cloud server.

Takeaways

The above are just some of the common key clauses to be included in an MSA.  It is important that care is taken when architecting such an agreement to ensure that it captures not only the services provided but adequately addresses the risks presented to the MSP.

Links and further references

Legislation

Competition and Consumer Act 2010 (Cth)

Further information about managed service agreements

If you need advice on drafting or entering into a managed service agreement, please feel free to contact me for a confidential and obligation free discussion.

Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

---

Related insights about managed service agreements