THE HANDSHAKE may seal the deal, but the master service agreement (MSA) defines the relationship between you and your new client. Before signing your next customer, make sure your MSA and accompanying service level agreement (SLA) are complete, error-free, and limit your liability while providing flexibility to grow the customer partnership as technology changes.
“Your MSA has one purpose,” says Marc Bodner, COO of Cohere Cypher, a New York-based security and IT management firm focused on financial services and other regulated industries. “It provides a framework for a fair and equitable working relationship for a long-term partnership.” The fair part is important to Bodner.
“In football, the rules are the same for home and visiting teams, and the MSA is the referee that applies them,” he explains. Just like a referee’s call, the MSA is nonnegotiable for Bodner, and is stored on Cohere Cypher’s website for access by the customer. Every other agreement, such as the SLA, statement of work, or change request, falls under the MSA.
Bradley Gross, a former programmer and principal of the business technology law firm Bradley Gross PA, believes an MSA’s primary purpose is to protect the service provider. “It must limit the service provider’s liabilities,” he says. At the same time, “it must also educate the customer about certain situational realities inherent in the managed IT service industry and discuss how those realities will be handled.”
What to Include in Your MSA
Standard areas of responsibility contained in virtually all business agreements must be spelled out in your MSA, Gross explains. Examples include:
- How services will be agreed upon to prevent misunderstandings
- How scope creep will be managed
- How payment-related matters will be handled
- When and how services can begin and end
- How disputes will be addressed
“The MSA should address everything from payment terms, ownership of intellectual rights, nondisclosure arrangements and renewal intervals, termination provisions, and even specifying a fee if the client hires one of your employees,” says Thomas Fafinski, co-founder of Virtus Law, which has a large MSP client base.
Rob Scott, managing partner and chief disruption officer of tech law firm Scott & Scott LLP, says his firm’s MSAs, offered as a service to MSPs for a monthly subscription, include a data processing agreement before working with any regulated documents. This covers XYZ, because “what if I make a security request the client doesn’t follow?”
Common Mistakes When Drafting MSAs
Mistakes in MSAs cover a wide range, starting with not having a written agreement at all, says Fafinski.
Another mistake is trying to incorporate too much, observes Scott. “They focus on details that should be in service attachments and inadequately address risk.”
Too few details can also be a mistake. Scott recalls the case of a client who protected a company whose data was encrypted after a breach, and the ransom was only $800. The client refused to pay, and the MSP had to fund the entire cost of remediation, over $15,000.
Scott & Scott’s MSAs “keep our MSPs out of the ransom process, and any extra remediation is above scope and billed to the customer,” he says. Details like these are missing from every MSA Scott has examined.
Virtus Law’s clients sometimes try to use a one-size-fits-all generic document they purchase off the shelf. However, these lack the most important terms that your MSA must cover, adds Fafinski, such as “limitation of liability, warranties/disclaimer of warranties, and termination. These terms make it so the value of the business is not being risked on every opportunity.”
Some MSAs try to limit liability to $1, or perhaps a month’s worth of service, Fafinski says, but judges won’t uphold those. Define warranties applicable to your service, but also illustrate how product warranties will follow the MSP’s client, he advises. Termination guidelines spell out how the process is handled when parties conclude their relationship.
An area of dispute Scott deals with regularly is an MSP client who forgets all the work the MSP did to stabilize their network and searches for a lower-priced provider. Scott uses the MSAs to manage the transition. “We outline what is confidential and which intellectual property belongs to the MSP provider, such as all the network configuration, scripting, and firewall settings,” he says. “All the IP stays with the MSP, and this helps keep the customer from moving.”
If a client wants to transfer to another MSP at the end of a contract term, the MSP will provide transition services only to clients in full compliance with all terms of the MSA and after they pay any applicable early termination fees.
Critical Elements of the SLA
When it comes to defining SLAs, Scott prefers to use the term “service level attachment” linked to the MSA. The SLAs cover managed services, backup, access control, managed print, and all other services. “Our SLA is more like a SOW [statement of work],” he says.
Fafinski, for his part, doesn’t think a separate SLA is necessary, noting that clients care far less about a credit they receive because of a service interruption than about resolving the issue. “If you sent it out as an objective or as an average, most clients will be satisfied,” Fafinski says.
Gross believes the term “SLA” is a misnomer, and MSPs should only have one agreement, their MSA. Service levels are not for the customer’s benefit, but for the MSP to lay out the ground rules on sufficient time to receive and respond to technical issues while educating the customer on the time in which issues will be addressed, he says.
“Service levels define the technical issues reported to the MSP, meaning the intake process—which party categorizes the severity of the technical problem,” Gross says, as well as “the time period for a response, the responsibilities of the customer in the diagnostic process, and the remedy if a service level is missed.” Since an MSP can never forecast the solution time to a problem when it arises, the time in the SLA is for a response, not resolution, he stresses.
That’s why Gross advises against including resolution time in an SLA. For example, “Let’s say an MSP promises that a ‘critical’ problem will be resolved in one business day. In this hypothetical, the critical problem is that the customer’s network has been crypto-locked,” he says. “There is no MSP on earth that can guarantee that the issue will be ‘resolved’ in one business day; however, that is the promise that the MSP made.”
For these situations, Scott requires all end users to carry first-party cyber liability insurance regardless of risk, “so the MSP never gets sued by the customer.” The customer’s insurance fights with the MSP’s insurance provider, so the MSP and customer don’t fight directly.
Protecting Your Future
Having a well-drafted MSA in place is critical to protect your MSP and define the business relationship with your customer. While some MSPs worry that an MSA may disrupt the sales process, Gross notes, “they fail to understand that without a solid MSA in place, the company may not be around in the future to conduct sales.”